Privacy and Confidentiality of Individually Identifiable Health Care Information under HIPAA

University Policy: 605.2

I. Introduction

  1. This policy addresses the University of North Carolina at Charlotte's obligations to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying privacy regulations, which require the University's health care components to protect against unauthorized use or disclosure of individually identifiable health information (specifically "protected health information" or "PHI").
  2. PHI under HIPAA excludes individually identifiable health information in education records, including student health records, covered by the Family Educational Rights and Privacy Act (FERPA) as amended (20 USC 1232g), and records described at 20 USC 1232g(a)(4)(B)(iv). FERPA guidance is provided by the University's FERPA Policy (University Policy 402). Records protected by FERPA will be protected and disclosed as mandated by FERPA and University policy. It is the goal of the University, however, to apply HIPAA regulations and practices so long as such application does not result in a violation of FERPA.

II. Policy Statement

A. UNC Charlotte recognizes the applicability of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and its regulations to certain sectors of the University.

Under HIPAA, UNC Charlotte may elect to be a Hybrid Entity with identified Health Care Components that are subject to HIPAA, and non-covered components that are not. This Policy identifies the Health Care Components subject to HIPAA's privacy, security, breach notification, and enforcement provisions.

As an entity containing subdivisions and components that act as health care providers and create, receive, maintain, and transmit ePHI, the University is considered a Hybrid Entity and, as such, has designated certain units as its covered Health Care Components.

B. Protected health information under HIPAA excludes individually identifiable health information in education records, including student health records, covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 USC 1232g and records described at 20 USC 1232g(a)(4)(B)(iv). FERPA guidance is provided by the University's FERPA Policy (University Policy 402). Records protected by FERPA will be protected and disclosed as mandated by FERPA and University policy. It is the goal of the University, however, to apply HIPAA regulations and practices so long as such application does not result in a violation of FERPA.

C. To use or disclose PHI for any purpose other than treatment, payment, or health care operations, a covered component must obtain a signed and dated specific authorization (on a form approved by the University's HIPAA Privacy Officer) from the patient or authorized representative, unless authorization is waived or not required under HIPAA.

D. Any release of information for purposes other than treatment, payment, or health care operations without a signed authorization must be reviewed and approved by the Privacy Officer, or designee, except (1) where the release is to the individual patient, (2) where delay in seeking such approval would impair response to a health or safety emergency, or (3) where such release is permitted by rules of the covered health care component.

III. Definitions

A. Authorization: Written authorization from the patient or the patient's authorized representative is required to use or disclose protected health information, except for the following purposes:

  1. treatment, payment, or health care operations;
  2. research purposes when a waiver of authorization is approved by an Institutional Review Board (IRB);
  3. judicial and administrative proceedings; limited law enforcement proceedings;
  4. investigations of abuse or neglect;
  5. identification of a deceased person or the cause of death;
  6. activities related to national defense.

B. Business Associate: A person or entity that is not a part of the University's workforce, which performs certain functions, activities, or services for the University's covered health care components involving the use and/or disclosure of PHI.

C. Covered Entity: (1) A health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits protected health information in an electronic format in connection with a HIPAA-covered transaction.

D. Covered Health Care Components: Those units that are health care providers that engage in HIPAA electronic transactions. The University's covered health care components are its Student Health Services Center, the Christine F. Price Center for Counseling and Psychological Services (CAPS), and any University research component that creates, receives, transmits, or maintains ePHI. The following functional units that provide support services to these covered components are also included:

  1. Internal Audit Office
  2. Office of Legal Affairs
  3. Office of OneIT
  4. Office of the Bursar
  5. Accounts Payable Office
  6. Insurance Office
  7. The University's HIPAA Privacy Officer and HIPAA Security Officer
  8. Other functional units that may be designated by the HIPAA Security Officer in cooperation with the Office of Legal Affairs.

E. Covered Transactions: The transmission of information between two parties to carry out financial or administrative activities related to health care. The following types of transmission are considered covered transactions:

  1. Health care claims for reimbursement purposes.
  2. Health care payment and remittance data.
  3. Coordination of benefits information.
  4. Health care claim status.
  5. Health plan enrollment and disenrollment information.
  6. Eligibility for health plan benefit information.
  7. Referral certification and treatment authorization information.
  8. Health care claims attachments.
  9. Other transactions that the Secretary of the U.S. Department of Health and Human Services may prescribe by regulation.

F. De-identified PHI: Health information that does not identify, and cannot reasonably be used to identify, the individual patient. For PHI to be considered de-identified, the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
    2. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Medical device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code

G. Designated Record Set: Records that are the medical and billing records used in part or in whole to make decisions about the patient, except for psychotherapy notes and other records which under the law may not be accessed by the patient.

H. Health Care Operations: Health care operations are the functions necessary for the support of treatment or payment. These functions include, but are not limited to, conducting quality assessment and improvement activities, reviewing the competence or qualifications of health care professionals, business planning and development, business management, and general administrative activities of a covered health care component.

I. HIPAA Privacy Officer and HIPAA Security Officer: Unless otherwise designated by the University, the Chief Compliance Officer shall hold the titles of HIPAA Privacy Officer and the Chief Information Security Officer (CISO) shall hold the title of HIPAA Security Officer.

J. Payment: For the purposes of this policy, payment includes the activities undertaken to obtain reimbursement, including from insurers, for the provision of health care.

K. Protected Health Information (PHI): PHI is health information, including demographic information, created or received by the University's health components that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify any individual. PHI does not include education records subject to FERPA or de-identified PHI.

L. Treatment: For the purposes of this policy, treatment is the provision, coordination, or management of health care and related services by health care providers, the referral of a patient from one provider to another, or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual.

IV. Operating Procedures

  1. Notice of Privacy Practices. The University's covered health care components shall provide to each patient, no later than the date of the first service delivery, a Notice of Privacy Practices containing a description of (a) the uses and disclosures of PHI that may be made by a covered health care component of the University, (b) the covered component's duties with regard to PHI, and (c) the rights afforded to patients. The Notice of Privacy Practices must be posted by each covered component and made available to patients on request.
  2. Generally Permitted Uses and Disclosures of PHI (other than for treatment, payment and health care operations).
    1. De-identified PHI. De-identified PHI may be used or disclosed without consent or authorization as long as no means of re-identification is disclosed. Release of de-identified PHI by a covered health care component of the University must receive the prior approval of the University's HIPAA Privacy Officer.
    2. Marketing. The use or disclosure of PHI for marketing purposes (communication intended to encourage the purchase or use of products or services) requires an authorization, except for face-to-face communications with the individual patient by the covered health care component (a) to describe health-related products or services that are provided by or included in a plan of benefits; (b) for treatment of the patient; or (c) for case management or care coordination or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual.
    3. Business Associates. PHI may be used and disclosed to a business associate of a covered component provided the business associate has signed and is in compliance with a Business Associate Agreement in a form approved by the University's HIPAA Privacy Officer.
    4. Research. Use or disclosure of PHI for University research purposes generally requires the permission of the patient(s). Such permission must be in the form of an authorization as defined above. Use or disclosure is permitted without authorization if the University's institutional review board (IRB) grants a waiver of the authorization.
  3. Consent or Authorization Not Required under HIPAA. The disclosures without consent or authorization that are permitted by HIPAA are set forth below. To the extent that North Carolina law is more stringent or provides greater privacy protection, North Carolina law will apply.
    1. Disclosures required by law. PHI may be disclosed to the extent required by law.
    2. Public Health Activities. PHI may be used and disclosed to a public health authority that is authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability, including public health issues, vital records, child or adult abuse or neglect, adverse food or drug events, and investigations of work-related illnesses or injuries as required by law.
    3. Victims of Abuse, Neglect or Domestic Violence. PHI may be used or disclosed to a government authority that is investigating a report of abuse, neglect, or domestic violence to the extent disclosure is required or permitted by law.
    4. Health Oversight Activities. With certain exceptions, PHI may be used or disclosed to a health oversight agency for oversight activities authorized by law, including audits, civil, administrative, or criminal investigations or proceedings, inspections, licensure, or disciplinary actions.
    5. Judicial and Administrative Proceedings. PHI may be disclosed in the course of a judicial or administrative proceeding in response to a valid court order.
    6. Law enforcement purposes. PHI may be disclosed for law enforcement purposes under certain conditions.
    7. Decedents. PHI regarding decedents may be disclosed to coroners, medical examiners, and funeral directors if necessary to carry out their duties.
    8. Serious Threats to Health or Safety. PHI may be used or disclosed under certain circumstances if a covered component believes in good faith that the use or disclosure is necessary to protect a person or the public from serious harm.
    9. Specialized Government functions. PHI may be used or disclosed for specialized government functions such as military and veterans' activities, security and intelligence activities, protective services for officials, medical suitability, and correctional institutions and other law enforcement custodial situations.
    10. Workers Compensation. PHI may be used or disclosed to the extent required to comply with workers' compensation laws and similar programs.
  4. Revocation of Authorization. Under any circumstances other than those listed above, written authorization will be obtained before use or disclosure of a patient's PHI. This authorization may be subsequently revoked by the patient in writing. Upon receipt of such revocation, a covered health care component of the University will not disclose the patient's PHI, except for disclosures that were in process prior to the receipt of the revocation.

V. Minimum Necessary Standard.

Covered health care components must limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure except (1) disclosures to or requests by a health care provider for treatment purposes; (2) disclosures to the individual patient; (3) uses and disclosures with authorization; or (4) uses and disclosures for research with IRB waiver of authorization.

VI. Patient Rights.

  1. Right to Receive a Notice of Privacy Practices. No later than the date of the first delivery of health care services, a patient has the right to receive a Notice of Privacy Practices containing a description of (a) the uses and disclosures of PHI that may be made by a covered health care component of the University, (b) the covered component's duties with regard to PHI, and (c) the rights afforded to patients. The Notice of Privacy Practices is provided by the applicable covered health care component.
  2. Right to Access PHI. A patient has a right to inspect and receive a copy of their PHI that is used to make decisions about the patient for as long as the University maintains the information, except for information specifically exempted from disclosure to the patient by HIPAA. A patient must make a request for such access to the applicable covered health care component.
  3. Right to Request an Amendment of PHI. A patient has a right to request an amendment of PHI contained in designated records sets. A covered health care component is not required to grant the request for amendment and may deny the request under specified circumstances.
  4. Right to an Accounting of Disclosures. A patient has the general right to receive an accounting of disclosures of PHI in the six years prior to the request. A patient must make a request for a list of disclosures to the applicable covered health care component.
  5. Right to Request Restrictions on Release of PHI.
    1. A patient has a right to request restrictions on the uses and disclosures of PHI to carry out treatment, payment, or health care operations, and restrictions on disclosures made to an individual's family, friends, or relatives. The covered health care component is not required to agree to the requested restriction. However, if the covered health care component does agree, it must abide by the restriction except in emergencies and in situations where use or disclosure is permitted by HIPAA without authorization.
    2. An agreed-upon restriction may be terminated by the patient or by the covered health care component, provided that the termination is effective only for PHI created or received after the date of termination.
    3. Restrictions that are agreed to and terminations of agreed-upon restrictions must be documented in writing and retained by the covered health care component for a period of six years from the date of the creation of the termination or restriction or from the date it was last in effect, whichever is later.
  6. Right to Receive Confidential Communication. A patient has the right to request how and where to be contacted to receive PHI. This request must be made in writing, and it must state the address at which the PHI is to be received and explain whether the request will interfere with the patient's chosen method of payment. The covered health care component will accommodate all reasonable requests. Requests may be made by contacting the University's Privacy Officer.
  7. Right to File a Complaint. If a patient is concerned that a covered health care component of the University has violated any of the patient's privacy rights, or if a patient disagrees with a decision that is made about access to their PHI, the patient may contact the University's Privacy Officer. The patient may also file a written complaint with the Director, Office for Civil Rights of the U.S. Department of Health and Human Services. There will be no intimidation, threat, coercion, discrimination, or retaliation against any individual for filing a complaint or for exercising any of the above-listed rights.

VII. Physical and Electronic Security of PHI

HIPAA requires physical and electronic security to maintain the privacy of PHI in all forms, including oral, written, and electronic. Covered health care components shall ensure the physical and electronic security of all PHI.

VIII. Breaches of Privacy and Security

  1. Breaches of privacy of PHI are to be reported immediately to the University's Privacy Officer. Breaches of security are to be reported according to procedures set forth in University Policy 311.5, Personal Information Security Breach Notification Procedures.
  2. Covered health care components must mitigate, to the extent practicable, any known harmful effects of the use or disclosure of PHI in violation of this policy or the requirements of HIPAA.
  3. Any University employee or contractor who is in violation of this policy is subject to disciplinary action up to and including discharge in accordance with applicable University policies and procedures. Individuals may also be subject to civil and criminal penalties under HIPAA.

Revision History:
  • Initially Approved by the Chancellor April 7, 2003
  • Revised effective January 11, 2007
  • Revised March 18, 2020
  • Updated July 19, 2021

Authority: Chancellor

Responsible Offices: Student Affairs and Academic Affairs

Related Resources: