MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. HIPAA: Use and Disclosure of Protected Health Information

Transcription

1 Page 1 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin Applies t: faculty staff students student emplyees visitrs cntractrs clinicians Effective Date f This Revisin: Nvember 27, 2012 Cntact fr Mre Infrmatin: HIPAA Chief Privacy Officer Assciate Dean/Administratin & Finance Cllege f Medicine Bard Plicy Administrative Plicy Prcedure Guideline PURPOSE: The Health Insurance Prtability and Accuntability Act f 1996 (HIPAA) granted certain rights t patients/clients/emplyees regarding their prtected health infrmatin (PHI). This plicy has been drafted t assist CMU t cmply with the law and t guide CMU staff in assisting patients/clients/emplyees t exercise their rights. DEFINITIONS: The terms used in this plicy have the same meaning as thse terms in the Health Insurance Prtability and Accuntability Act f 1996, Public Law and the regulatins at 45 CFR Parts 160, 162, and 164. Minimum Necessary is nt defined in the Privacy Rule, but is a term used t describe the amunt f PHI needed t perfrm a particular task r functin. Business Assciate: A business assciate is a persn (ther than a member f CMU s wrkfrce) r entity that arranges, perfrms r assists in the perfrmance f functins r activities invlving the use r disclsure f PHI. Such functins include: claims prcessing r administratin; data analysis, prcessing r administratin utilizatin review quality assurance billing benefit management any ther functin r activity regulated by the Privacy Rules A business assciates als includes a persn r entity that prvides the fllwing types f services, if the services invlve the disclsure f PHI: legal actuarial accunting Authrity: M. Ra, President Histry: ; Indexed as: HIPAA:Use and Disclsure f Prtected Health Infrmatin; HIPAA: Prtected Health Infrmatin: HIPAA: Disclsure f Prtected Health Infrmatin

2 Page 2 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin cnsulting data aggregatin management administrative accreditatin financial services sftware and technlgy supprt Designated Recrd Set: Designated recrd set means the enrllment, payment, claims adjudicatin and ther recrds that are maintained by health care prviders r the Health Plan but excluding enrllment infrmatin fund in CMU s emplyment recrds. It includes Health Plan recrds that are maintained n behalf f the Health Plan by a third party that perfrms services fr the Health Plan and medical recrds that CMU s health care prviders receive frm ther health care prviders. It als includes Health Plan recrds r medical prvider recrds that may be used, in whle r in part, by r fr the Health Plan t make decisins abut an individual. Fr purpses f this definitin, recrd means any item, cllectin, r gruping f infrmatin that includes PHI and is maintained, cllected, used, r disseminated by r fr the Health Plan r ne f CMU s health care prviders. The Designated recrd set des nt include recrds that are created by students r fr the assessment f students. Recrds created by students r fr the assessment f students are educatin recrds subject t FERPA, but are nt part f the Designated recrd set and are nt subject t HIPAA. De-identified Infrmatin: Infrmatin qualifies as de-identified infrmatin nly if it des nt identify an individual and there is n reasnable basis t believe that the infrmatin can be used t identify an individual. PHI can becme de-identified in tw ways: prfessinal statistical analysis has determined that the risk is very small that the infrmatin culd be used, alne r in cmbinatin with ther reasnably available infrmatin, by an anticipated recipient t identify an individual wh is the subject f the infrmatin; r the fllwing identifiers f the individual r f relatives, emplyers, r husehld members f the individual, are remved and CMU des nt have actual knwledge that the infrmatin culd be used alne r in cmbinatin with ther infrmatin t identify an individual wh is a subject f the infrmatin: Names; All gegraphic subdivisins smaller than a State, including street address, city, cunty, precinct, zip cde, and their equivalent gecdes, except fr the initial three digits f a zip cde if, accrding t the current publicly available data frm the Bureau f the Census: The gegraphic unit frmed by cmbining all zip cdes with the same three initial digits cntains mre than 20,000 peple; and ( 2 ) The initial three digits f a zip cde fr all such gegraphic units cntaining 20,000 r fewer peple is changed t 000. All elements f dates (except year) fr dates directly related t an individual, including birth date, admissin date, discharge date, date f death; and all ages ver 89 and all

3 Page 3 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin elements f dates (including year) indicative f such age, except that such ages and elements may be aggregated int a single categry f age 90 r lder; Telephne numbers; Fax numbers; Electrnic mail addresses; Scial security numbers; Medical recrd numbers; Health plan beneficiary numbers; Accunt numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers; Device identifiers and serial numbers; Web Universal Resurce Lcatrs (URLs); Internet Prtcl (IP) address numbers; Bimetric identifiers, including finger and vice prints; Full face phtgraphic images and any cmparable images; and Any ther unique identifying number, characteristic, r cde, except as permitted by paragraph (c) f this sectin Disclsure: Disclsure f PHI means the release, transfer, prvisin f access t, r divulging in any ther manner f individually identifiable health infrmatin t persns nt emplyed by r wrking within the Hybrid Entity. Health Care Operatins: Health care peratins means any f the fllwing activities t the extent that they are related t Health Plan administratin r the prvisin f health care: evaluating Health Plan perfrmance underwriting, premium rating, and ther activities relating t the creatin, renewal, r replacement f a cntract f health insurance r health benefits ceding, securing, r placing a cntract fr reinsurance f risk relating t claims fr health care (including stp-lss insurance and excess f lss insurance) cnducting quality assessment and imprvement activities cnducting r arranging fr medical review, legal services, and auditing functins business planning and develpment business management and general administrative activities

4 Page 4 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin cnducting quality assessment and imprvement activities, ppulatin-based activities relating t imprving health r reducing health care csts, and case management and care crdinatin reviewing the cmpetence r qualificatins f health care prfessinals, evaluating prvider perfrmance, training health care and nn-health care prfessinals, accreditatin, certificatin, licensing, r credentialing activities Limited Data Set: A Limited Data Set is PHI that has had mst identifiers f the individual, r f relatives, emplyers, r husehld members remved frm it. A Limited Data Set is similar t Deidentified Infrmatin (see abve), except that a Limited Data Set may include city, state and zip cde infrmatin and any dates related t an individual. Limited Data Set is further defined at 45 C.F.R (e). Minimum Necessary: The Privacy Rules require that when PHI is used r disclsed, CMU must make reasnable effrts t limit the use r disclsure t the minimum amunt necessary t accmplish the intended purpse f the use, disclsure r request. Fr example, if smene asks fr an individual s Health Plan recrds in rder t perfrm a functin n behalf f the Health Plan, but the recrds include mre infrmatin than is really needed fr that functin, CMU shuld nly disclse the infrmatin needed (and nt the entire recrd). Payment: Payment means activities undertaken t btain Health Plan premiums, insurance cpayments fr health care prviders, r t determine r fulfill the Health Plan s respnsibility fr cverage and prvisin f benefits, r t btain r prvide reimbursement fr the prvisin f health care. Payment includes: determinatins f eligibility r cverage, including crdinatin f benefits r the determinatin f cst sharing amunts adjudicatin r subrgatin f health benefit claims risk adjusting amunts due based n enrllee health status and demgraphic characteristics billing, claims management, cllectin activities, btaining payment under a cntract fr reinsurance (including stp-lss insurance and excess f lss insurance), and related health care data prcessing review f health care services fr purpses f determining cverage Use: Use f PHI means the sharing, emplyment, applicatin, utilizatin, examinatin r analysis f individually identifiable health infrmatin by any persn wrking fr, in cnnectin with, r within CMU s Human Resurces Department, The Carls Center fr Clinical Care and Educatin, the Cllege f Health Prfessins, University Health Services, Student Accunt Services & University Billing, Internal Audit, the Office f General Cunsel, Faculty Persnnel Services, Risk Management, Infrmatin Technlgy r by a business assciate. Wrkfrce/Emplyee: CMU s wrkfrce includes any individual wh wrks directly under the cntrl f CMU, whether r nt they are paid by CMU. This includes nt nly emplyees, but als vlunteers, trainees, interns/externs, wrkers emplyed by a temprary agency, and independent cntractrs. Whenever these plicies and prcedures discuss CMU s bligatin t prtect PHI, the discussin is intended t include anyne wh is a member f CMU s wrkfrce. The term emplyee, when used in these plices and prcedures, means any member f CMU s wrkfrce. POLICY: CMU shall take reasnable steps t limit the uses, disclsures f, and requests fr PHI t the minimum necessary t accmplish the intended purpse.

5 Page 5 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin CMU shall maintain plicies and prcedures that identify persns r classes f persns within CMU and its business assciates wh need access t PHI t carry ut their jb duties, and the purpses fr which PHI may be used. The minimum necessary prvisins cntained in this plicy and prcedure d nt apply t the fllwing: a. Disclsures t r requests by a health care prvider fr treatment purpses b. Uses and disclsures t the patient/client/emplyee wh is the subject f the infrmatin c. Uses r disclsures made pursuant t an authrizatin prvided by a patient/client/emplyee d. Uses r disclsures required fr cmpliance with the standardized HIPAA transactins e. Disclsures t the Department f Health and Human Services (HHS) when disclsure f infrmatin is required under the rule fr enfrcement purpses 1 f. Uses r disclsures that are required by ther law h. Uses r disclsures that are required fr cmpliance with the Privacy Rules These plicies and prcedures are fr CMU internal uses and disclsures. Uses and disclsures by third party administratrs and/r service prviders are gverned by that party s business assciate agreement with CMU and its wn internal plicies and prcedures. PROCEDURE: 1.0 Use f PHI by CMU Units. CMU recgnizes that a number f persns and grups f persns need access t sme level f PHI t carry ut their jb duties. The Privacy Officer fr each unit f the Hybrid Entity shall maintain a list f the classificatins f persnnel (including student clinicians/interns and vlunteers) apprved t have rutine access t PHI in the perfrmance f their duties ( Authrized Emplyees ). These Authrized Emplyees may use and disclse PHI t perfrm their jb functins, and they may disclse PHI t ther Authrized Emplyees wh perfrm r supprt Health Plan administratin functins r prvide health care. Such uses and disclsures, hwever, must be limited t the minimum necessary t perfrm r supprt their jb functins. Rutine uses and disclsures must be made in accrdance with these plicies and prcedures. Nn-rutine uses and disclsures must be apprved by the apprpriate Privacy Officer. Student Accunt Services & University Billing: Emplyees in this unit f the university may have access t PHI t the extent necessary t fulfill their respnsibilities. Fr example, this ffice may handle billing and cllectins fr University Health Services r the Carls Center fr Clinical Care and Educatin, and The Psychlgical Training & Cnsultatin Center. The recrds t which this unit wuld have access are limited t thse related t billing and usually include nly persnally identifying infrmatin (name, identifying numbers, address, telephne number), amunt wed, date f service, general statement f service rendered, unit f University rendering service. All emplyees in Student Accunt Services & University Billing and student services advisrs may have access t thse recrds. 1 Authrity: Gerge E. Rss, President Histry: N Prir Histry Indexed as: HIPAA Minimum Necessary Use and Disclsure f Prtected Health Infrmatin; HIPAA Prtected Health Infrmatin; HIPAA Disclsure f Prtected Health Infrmatin

6 Page 6 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin Internal Audit: Emplyees in this unit f the university may have access t PHI t the extent necessary t fulfill their respnsibilities. Fr example, if an emplyee r unit f the university is accused r suspected f vilating certain HIPAA and University plicies regarding the security and privacy f PHI, this ffice may be invlved in reviewing systems and safeguards, bth in rder t assess what ccurred in the past and t recmmend changes in the future. Als, this ffice may audit an area with PHI, such as Health Services r the Speech-Language Pathlgy and Audilgy Clinics, t determine, amng ther things, if HIPAA regulatins, as well as departmental r university plicies and prcedures, are being fllwed. In the prcess f cnducting these reviews, the ffice may have access t PHI n emplyees, clients r patients. The Directr and auditrs wuld have primary access t thse recrds needed t cnduct the review. The supprt staff in that ffice might have sme access t thse recrds in rder t assist (e.g., setting up and rganizing the file; putting the file away and retrieving it, preparing letters, typing witness ntes, etc.). General Cunsel: Emplyees in this unit f the university may have access t PHI t the extent necessary t fulfill their respnsibilities. Fr example, the attrneys and legal assistant may be cnsulted abut the applicatin f HIPAA rules and University plicies t specific situatins where PHI must be disclsed t the attrneys r legal assistant in rder t btain legal advice. Emplyees may als handle PHI in rder t respnd t a subpena, a discvery request r a curt rder requesting PHI. Als, if a faculty member r staff is accused r suspected f vilating HIPAA and University plicies regarding PHI, this ffice wuld prvide advice in cnducting an investigatin and, if necessary, disciplining the emplyee. This ffice wuld be invlved in handling allegatins f vilatins f HIPAA by the University itself r its emplyees, if a cmplaint were filed with an utside administrative agency r curt. Emplyees may als prvide legal guidance t CMU Health Plans that may require access t PHI, such as issues relating t whether certain claims are cvered by the Plans. The supprt staff in that ffice might have access t thse recrds in rder t assist (e.g., setting up and rganizing the file, putting the file away and retrieving it, preparing crrespndence, typing ntes, etc.). Risk Management and Insurance: Emplyees in this unit f the university may have access t PHI t the extent necessary t fulfill their respnsibilities. Fr example, the emplyees may be cnsulted abut specific situatins where PHI must be disclsed in rder t btain an accurate assessment f legal and financial risk t the University. Als, if a student, faculty member, staff r guest is injured n campus, this ffice wuld prvide advice in cnducting an investigatin and, if necessary, btaining medical care n behalf f the injured persn. This ffice wuld wrk with General Cunsel t determine the risk f litigatin and settlement strategy, if a cmplaint were filed with an utside administrative agency r curt. The supprt staff in that ffice might have access t thse recrds in rder t assist (e.g., setting up and rganizing the file, putting the file away and retrieving it, preparing crrespndence, typing ntes, etc.). Faculty Persnnel Services: Emplyees in this unit f the university may have access t PHI t the extent necessary t fulfill their respnsibilities. Fr example, if a faculty member is accused r suspected f vilating HIPAA r University plicies regarding PHI, this ffice wuld be invlved in cnducting an investigatin and, if necessary, disciplining the emplyee. The Directr and Assistant Directrs f Faculty Persnnel Services wuld have primary access t thse recrds needed. The supprt staff in that ffice might have sme access t thse recrds in rder t assist (e.g., setting up and rganizing the file; putting the file away and retrieving it, preparing letters, typing witness ntes, etc.). Faculty Persnnel Services may als receive inquiries frm emplyees abut claims payment issues, but will refer thse requests t the Benefits and Wellness department. Benefits and Wellness: Emplyees in this unit f the university administer the self funded health plans, and they may have access t PHI f emplyees and their dependents t the extent necessary t fulfill their respnsibilities. Fr example, they handle requests frm emplyees relating t benefit claims, decide secnd-level claims appeals fr certain self-funded benefits

7 Page 7 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin prgrams, determine whether emplyees have met wellness prgram requirements, and receive detailed reprts frm third party administratrs fr Health Plan evaluatin and design purpses. Emplyees may als be invlved in investigating cmplaints r data breaches relating t the self-funded health plans. All emplyees f this unit will have access t PHI maintained by the unit. Emplyee Relatins, Human Resurces: Emplyees in this unit f the university may have access t PHI t the extent necessary t fulfill their respnsibilities. Fr example, if an emplyee is accused r suspected f vilating HIPAA and University plicies regarding PHI, this ffice wuld be invlved in cnducting an investigatin and, if necessary, disciplining the emplyee. The Directr f Emplyee Relatins and HR Cnsultants wuld have primary access t thse recrds needed t cnduct the investigatin r discipline prcess. The supprt staff in that ffice might have sme access t thse recrds in rder t assist (e.g., setting up and rganizing the file; putting the file away and retrieving it, preparing letters, typing witness ntes, etc.). Emplyee Relatins als prvides technical supprt fr Benefits & Wellness IT Systems that use PHI, and may access PHI as reasnably necessary t prvide such supprt. University Health Services: University Health Services prvides clinical services t University students, faculty, staff and members f the lcal cmmunity. Its emplyees may have access t PHI t the extent necessary t fulfill their respnsibilities. Fr example, the receptinist will assist patients with insurance and appintments; physicians, nurses and ther health care prviders have access t the full medical recrd in rder t prvide treatment; labratry staff will have access t the labratry rder and reprt infrmatin. Specific access will be permitted fr each psitin as required t facilitate the treatment, payment and health care peratins f the department. as permitted by HIPAA. The Carls Center fr Clinical Care and Educatin: The Center prvides clinical services thrugh several specialty clinics. Currently included are the Speech-Language Pathlgy and Audilgy Clinics, the Driving Evaluatin and Educatin Research Center, the Fall and Balance Center, the Psychlgical Training and Cnsultatin Center and Physical Therapy Clinics. The Carls Center prvides centralized scheduling and billing and ther supprt services fr each f these specialty clinics thrugh the use f the Patient Care Management System (PCMS), and its emplyees may have access t PHI t the extent necessary t fulfill their respnsibilities The specialty clinics als prvide training fr students in the Cllege f Health Prfessins and the Cllege f Humanities and Scial and Behaviral Sciences, including supervised interactin f students with patients in clinical settings. Infrmatin Technlgy: The Infrmatin Technlgy unit f CMU prvides technical supprt fr infrmatin systems that maintain PHI n behalf f the health care cmpnents that make up the CMU Hybrid Entity. Emplyees f this Unit may access infrmatin as necessary t maintain the prper functinality f the relevant infrmatin systems. Emplyees may als access infrmatin as necessary t ensure the cnfidentiality, integrity and accessibility f PHI cnsistent with the HIPAA Security Rule; t investigate cmplaints, security incidents and suspected breaches; and as reasnably necessary t dcument and demnstrate cmpliance with HIPAA requirements. Business Assciates: The Business Assciates f units within the Hybrid Entity may have access t PHI as described in the Business Assciate Agreements. 2.0 Use, Disclsure and Requests fr entire medical recrd. CMU will nt use, disclse r request an entire medical recrd, except as allwed by 1.0 abve, except when the entire medical recrd is specifically justified as the amunt that is reasnably necessary t accmplish the purpse f the use, disclsure, r request. In general, few members f the CMU wrkfrce will have access t an entire clinical recrd.

8 Page 8 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin Physicians, physician assistants, nurse practitiners, health infrmatin specialists, licensed and unlicensed therapists, and student clinicians/interns will be authrized t review an entire clinical recrd. Such access will be limited t the recrds f patients/clients/emplyees with which the prfessinal has a current therapeutic relatinship r fr whm a prfessinal cnsultatin has been requested. Access t the entire clinical recrd f these patients/clients/emplyees has been determined t be critical t the cntinuity f the patient s/client s/emplyee s care as well as essential t diagnsis, treatment selectin and the health and safety f the patient/client/emplyee and thers. Supervisry staff f CMU health care prviders and student clinicians will als have full access t the entire medical recrd. This is necessary in rder t evaluate health care prvider/student clinician perfrmance and ensure that CMU health care cmpnents prvide health care cnsistent with cmmunity standards. 3.0 Rutine Disclsures f and Requests fr PHI. CMU recgnizes that the need fr infrmatin varies accrding t the duties perfrmed by the party btaining the infrmatin. Rutine disclsures and requests are thse that d nt require individual review r analysis by a Privacy Officer f the purpse and amunt f infrmatin necessary befre a disclsure/request may be made. Each unit f the CMU Hybrid Entity shall maintain a list f the classes f persns within the wrkfrce and the purpses fr which PHI is rutinely available t that class. The list shall be develped by taking int accunt the fllwing characteristics: The type f PHI t be used r disclsed, The types f persns wh will use r wh will receive the disclsure, The cnditins that will apply t the use r disclsure, and The purpse fr which the PHI will be used r disclsed. Wrkfrce members will be trained n minimum necessary requirements relating t these rutine uses and disclsures f PHI. 3.1 Rutine Uses and Disclsures by The Carls Center fr Clinical Care and Educatin. The fllwing are rutine uses and disclsures f PHI by Carls Center wrkfrce members: use f PHI by Clinical Supervisrs, Clinical Faculty, and Clinical Students fr purpses f treatment and training within the Carls Center and t crdinate care with ther health care prviders. dcumenting and management f patient files and insurance infrmatin fr recrd keeping, reimbursement, billing, cllectin activities, btaining insurance precertificatin, scheduling, archiving, and academic integrity purpses. cnducting quality assessment and imprvement activities, including utcmes evaluatin and develpment f clinical guidelines. reviewing the cmpetence r qualificatins f health care prfessinals, evaluating practitiner and prvider perfrmance, peer review, training prgrams, accreditatin, certificatin, licensing and credentialing activities.

9 Page 9 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin fr public health activities, fr wrkers cmpensatin and similar prgrams, and t crners, medical examiners and funeral directrs. arranging fr legal services and auditing functins, including fraud and abuse detectin and cmpliance prgrams business management and general administrative activities fr the Carls Center, business planning and develpment activities, fundraising fr the Carls Center, custmer service, and reslutin f internal grievances and cmplaints. infrmatin technlgy supprt within the Carls Center fr medical imaging sftware, electrnic medical recrds, electrnic clinical equipment, billing and scheduling systems, and similar systems using PHI. cmplying with HIPAA requirements. 3.2 Rutine Uses and Disclsures by University Health Services. The fllwing are rutine uses and disclsures f PHI by University Health Services wrkfrce members: use f PHI by clinical staff fr purpses f treatment within University Health Services and t crdinate care with ther health care prviders. dcumenting and management f patient files and insurance infrmatin fr recrd keeping, reimbursement, billing, cllectin activities, btaining insurance precertificatin, scheduling, archiving, and academic integrity purpses. cnducting quality assessment and imprvement activities, including utcmes evaluatin and develpment f clinical guidelines. reviewing the cmpetence r qualificatins f health care prfessinals, evaluating practitiner and prvider perfrmance, peer review, training prgrams, accreditatin, certificatin, licensing and credentialing activities. fr public health activities, fr wrkers cmpensatin and similar prgrams, and t crners, medical examiners and funeral directrs. arranging fr legal services and auditing functins, including fraud and abuse detectin and cmpliance prgrams business management and general administrative activities fr the Carls Center, business planning and develpment activities, fundraising fr University Health Services, custmer service, and reslutin f internal grievances and cmplaints. infrmatin technlgy supprt within University Health Services fr medical imaging sftware, electrnic medical recrds, electrnic clinical equipment, billing and scheduling systems, and similar systems using PHI. cmplying with HIPAA requirements 3.3 Rutine Uses and Disclsures by CMU self-funded health plan cmpnents f the Central Michigan University Flexible Benefits Plan.

10 Page 10 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin The Central Michigan University Flexible Benefits Plan is administered by the CMU Human Resurces Department, relying upn cntracts with insurers and third-party administratrs fr claims administratin. Fr the limited amunt f PHI that the Human Resurces Department handles, the fllwing are rutine uses and disclsures by Human Resurces Department wrkfrce members: assisting participants and beneficiaries with questins relating t health plan benefits, appeals and ther inquiries and related discussins with insurers and third-party administratrs. administratin f wellness prgram benefits, including the determinatin f whether individuals have met requirements t receive incentive benefits. making secnd-level appeals decisins fr the self-insured dental prgram respnding t requests frm Medicare Secndary Payer Cntractrs. wrking with legal cunsel relating t the administratin f the self-funded health plan cmpnents and HIPAA cmpliance issues. auditing functins relating t the peratin f the self-funded health plan cmpnents and HIPAA cmpliance issues. fr thse insurers/tpas wh prvide reprts cntaining individually identifiable health claims infrmatin, aggregating data t be used fr plan evaluatin, plan design, and setting emplyee cntributins and premiums. infrmatin technlgy supprt fr Human Resurces systems that use r stre PHI. cmplying with HIPAA requirements. 4.0 Nn Rutine disclsures and requests. All nn-rutine disclsures will be reviewed by the privacy fficer fr the unit f the Hybrid Entity that huses the infrmatin in rder t determine that the disclsure is permissible and cmplies with the minimum necessary standard, in accrdance with criteria cntained in sectin 5.0 belw. 5.0 Determining the Minimum Necessary Use and Disclsure Criteria. CMU s criteria fr evaluating whether a use r disclsure is limited t the minimum necessary t accmplish the intended purpses are: the type f PHI needed fr the particular use r disclsure whether disclsures and uses are t the persns r class f persns wh need access t the infrmatin t carry ut their jb duties whether the use is fr treatment, payment r health care peratins, r is made pursuant t a valid authrizatin by the individual, r therwise allwed under HIPAA whether the recipient has clearly stated the purpse fr the request, use r disclsure f the PHI and has the authrity/right t receive the requested infrmatin. Whether additinal privacy restrictins apply (such as FERPA)

11 Page 11 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin whether the task can be accmplished with less infrmatin whether, under the circumstances, the use r disclsure seems t be reasnably necessary and apprpriate the risk that the use r disclsure will result in an unauthrized use r disclsure f the PHI whether the use r disclsure is t anther unit within the CMU Hybrid Entity, r sme ther unit f CMU that is nt subject t these HIPAA plicies. whether CMU has agreed t an additinal restrictin n the use r disclsure f PHI that wuld be vilated by the use r disclsure If the disclsure will be t a third party authrized t receive PHI, CMU will use the same criteria as abve t determine whether the infrmatin t be disclsed is limited t the minimum necessary t accmplish the intended purpses. Examples f third parties include: a public fficial r agency fr a permitted disclsure f PHI fr legal r public plicy purpses a prfessinal wh is an emplyee f a unit within the CMU Hybrid Entity. a prfessinal r ther service prvider f CMU fr the purpse f prviding services t CMU that requires use f PHI, where the service prvider has entered int a valid HIPAA business assciate agreement with CMU; r a researcher with apprpriate dcumentatin frm an Institutinal Review Bard (IRB) r Privacy Bard 6.0 Mandatry Disclsures f PHI t Individuals and HHS 6.1 The Privacy Rules require CMU t disclse an individual s PHI when requested by the individual r, under certain circumstances, by HHS. CMU s plicy is t cperate with these requests and t disclse the PHI in accrdance with the Privacy Rules. 6.2 An individual (r the individual s persnal representative) may request a disclsure f his r her wn PHI. CMU will respnd t such requests by fllwing the prcedures set frth in Plicy Individual Rights. 6.3 CMU will respnd t a request frm an HHS fficial fr disclsure f PHI as fllws: verify the identity f the HHS fficial using the prcedures set frth in sectin 12.0 entitled Verifying the Identity f Thse Requesting PHI dcument the disclsure as required under the Privacy Rules dcumentatin requirements and as explained in this Plicy 7.0 Permitted Uses and Disclsures f PHI fr Legal and Public Plicy Purpses Frm time t time, CMU may receive requests frm curts, parties t litigatin, law enfrcement fficials, public health authrities, r varius ther gvernment agencies r fficials t use r disclse an individual s PHI. The Privacy Rules set frth guidelines under which CMU may use r disclse PHI in such circumstances. CMU s plicy is that CMU will respnd t such a request nly if the use r disclsure meets the fllwing cnditins:

12 Page 12 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin The Privacy Officer fr the unit receiving the request apprves the use r disclsure after cnsultatin with the Office f General Cunsel the disclsure cmplies with the minimum necessary standard r is specifically exempted frm the minimum necessary standard the disclsure falls within ne f the fllwing categries, and the specific requirements set frth in the Privacy Rules have been fllwed (45 CFR ): in respnse t an rder f a curt r an administrative tribunal in respnse t a subpena, discvery request, r ther lawful prcess that is nt accmpanied by an rder f a curt r administrative tribunal, prvided that there is an apprpriate prtective rder in place and, where medical recrds are invlved, the individual has waived his r her physician-patient privilege pursuant t prcess (such as a curt-rdered warrant r an administrative summns) and as therwise required by law t a law enfrcement fficial (1) abut an individual wh has died; (2) fr identificatin and lcatin purpses; (3) abut an individual wh is, r is suspected f being, a victim f a crime; r (4) abut an individual relating t a crime n CMU premises abut an individual that CMU reasnably believes is the victim f abuse, neglect, r dmestic vilence, t a gvernment authrity, including a scial service r prtective service agency, that is authrized by law t receive such infrmatin t apprpriate public health authrities fr public health activities t a health versight agency fr health versight activities t crners, medical examiners, and funeral directrs abut a deceased individual fr rgan, eye r tissue dnatin purpses fr certain research purpses, when the need fr an authrizatin has been waived r is therwise nt required in rder t avert a serius threat t health r safety abut armed frces persnnel t apprpriate military cmmand authrities fr natinal security and intelligence activities fr prtective services t the President f the United States and ther designated persns t crrectinal institutins and law enfrcement custdians in cnnectin with wrkers cmpensatin r ther similar prgrams established by law that prvide benefits fr wrk-related injuries r illness withut regard t fault if the disclsure is t a public fficial, verify the identity f the HHS fficial using the prcedures set frth in sectin 12.0 entitled Verifying the Identity f Thse Requesting PHI

13 Page 13 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin check state laws fr any additinal restrictins n the right t use r disclse PHI. If the Carls Center r University Health Services receives a subpena seeking infrmatin abut a patient, CMU will nt release the patient s medical recrds withut an accmpanying curt rder, administrative rder, r patient s waiver f the physician-patient privilege dcument the disclsure accrding t the Privacy Rules dcumentatin requirements, except that dcumentatin is nt required if the disclsure is fr: natinal security r intelligence purpses; r t crrectinal institutins r law enfrcement custdians 8.0 Uses and Disclsures f PHI with an Individual s Authrizatin 8.1 The Privacy Rules prvide that unless expressly authrized by the individual wh is the subject f the PHI (r the individual s persnal representative), any use r disclsure f that individual s PHI is prhibited unless it falls within ne f the categries fr which disclsure is permitted r required. An individual may, hwever, expressly authrize a use r disclsure f PHI fr any purpse. 8.2 CMU s plicy is that any use r disclsure made pursuant t an authrizatin will be made nly if CMU: (1) determines that the authrizatin is valid (as described belw); (2) verifies the identity f the individual wh signed the authrizatin as described in this Plicy; and (3) ensures that the use r disclsure is made cnsistent with the terms f the authrizatin. 8.3 An authrizatin is valid nly if it is written in plain language and cntains the fllwing required cre elements and statements: In rder t be valid, an authrizatin must cntain all f the fllwing cre elements: a specific and meaningful descriptin f the PHI t be used r disclsed the name r ther specific identificatin f the persn r class f persns authrized t use r disclse the PHI the name r a descriptin f the persn r class f persns t whm CMU may make the requested use r disclsure the purpse(s) f the requested use r disclsure. (If the individual initiates the authrizatin and des nt prvide a statement f purpse, the statement at the request f the individual is sufficient) a valid expiratin date (e.g., December 31, 2012) r expiratin event (e.g., terminatin frm the Health Plan, rejectin f an insurance applicatin, etc.) the signature f the individual and the date the authrizatin was signed. (If signed by the individual s persnal representative, a descriptin f the representative s authrity t act fr the individual must als be prvided) In rder t be valid, an authrizatin must cntain all f the fllwing statements: a statement f the individual s right t revke the authrizatin in writing, and either (1) a list f the exceptins t the right t revke and a descriptin f hw the individual may revke the authrizatin; r (2) a reference t the

14 Page 14 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin Ntice f Privacy Practices, if the Ntice lists the exceptins t the right t revke and prvides a descriptin f hw the individual may revke the authrizatin a statement infrming the individual that CMU may nt cnditin treatment, payment, enrllment r eligibility fr benefits n whether the individual signs the authrizatin; r the cnsequences t the individual if he r she refuses t sign the authrizatin when: the authrizatin is t be used t fr the Health Plan s eligibility r enrllment determinatins r fr its underwriting r risk rating determinatins, and the authrizatin is nt fr the use r disclsure f psychtherapy ntes; r a cvered entity will be prviding health care slely fr the purpse f creating PHI fr disclsure t a third party and the authrizatin is t allw the disclsure t the third party (e.g., a physician releasing the results f pre-emplyment drug testing t CMU) 8.4 If CMU is seeking the authrizatin frm the individual, CMU must prvide the individual with a cpy f the signed authrizatin. 8.5 An individual may revke an authrizatin at any time, althugh the revcatin will nt be effective t the extent that CMU has previusly used r disclsed infrmatin in reliance n the authrizatin. 8.6 A cpy f the authrizatin must be maintained as required under the Privacy Rules dcumentatin requirements as described in this Plicy. 9.0 Uses and Disclsures by Business Assciates 9.1 The Privacy Rules require that befre CMU may share PHI with utside service prviders, the utside service prviders must cntractually bligate themselves t prtect the PHI. CMU s plicy is that it will nt share PHI with a third party that perfrms services fr a Hybrid Entity unit until that third party has entered int an agreement in which the party agrees t apprpriately prtect PHI. 9.2 The Privacy Rules call these third parties that prvide services t r n behalf f the Hybrid Entity business assciates. A cpy f the business assciate agreement must be maintained accrding t the Privacy Rules dcumentatin requirements as described in this Plicy. 9.3 CMU may prvide PHI t a business assciate under the fllwing cnditins: CMU has verified that a valid business assciate cntract is in place the disclsure is cnsistent with the terms f the business assciate agreement the disclsure cmplies with the minimum necessary standard the disclsure is dcumented in accrdance with the Privacy Rules dcumentatin requirements if it is fr: public health activities, except disclsures t reprt child abuse r neglect judicial and administrative prceedings

15 Page 15 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin law enfrcement purpses adverting a serius threat t health r safety military and veterans activities, the Department f State s medical suitability determinatins, and gvernment prgrams prviding public benefits wrkers cmpensatin 9.4 If CMU learns that a business assciate has used r disclsed PHI in an unauthrized manner, CMU will take the fllwing steps: the Privacy Officer fr the unit that cntracted with the business assciate will prmptly ntify the business assciate in writing f the alleged unauthrized use r disclsure the Privacy Officer fr the unit that cntracted with the business assciate will telephne the business assciate t discuss the alleged unauthrized use r disclsure and t determine whether the unauthrized use r disclsure will cease if the business assciate des nt agree t stp the unauthrized use r disclsure, if CMU learns that the use r disclsure has nt stpped, r if the unauthrized use r disclsure is part f a pattern f cnduct in vilatin f the business assciate s agreement with CMU, then CMU will: terminate its relatinship with the business assciate; r if terminatin is nt pssible (fr example, because there is n ther entity in the area that can prvide the service), then CMU will reprt the business assciate t HHS the Chief Privacy Officer will dcument the knwn details f the unauthrized use r disclsure fr purpses f respnding t requests fr an accunting f disclsures if apprpriate, the Chief Privacy Officer will fllw the prcedures set frth in Mitigatin f Inadvertent Disclsures f PHI in Plicy 12-5 the Chief Privacy Officer will fllw the Breach Ntificatin Plicy cntained in Plicy Requests fr Disclsure f PHI frm Spuses, Family Members, and Friends 10.1 Generally, CMU s health care prviders will nt disclse an individual s PHI t third parties, except as required r permitted under the Privacy Rules r as expressly authrized by the individual. The individual units f the Hybrid Entity may, hwever, allw disclsures t family members and clse friends wh are invlved in the individual s care r payment fr the individual s care, and the Hybrid Entity may d s after the individual is aware that such disclsures may be made, has had an pprtunity t bject t the Hybrid Entity s making such disclsure and has failed t bject. If CMU is unable t ntify the individual f the disclsure t family members and clse friends, CMU may still disclse the infrmatin if the health care prfessinal determines that the disclsure is in the individual s best interest. Additinally, if a spuse, family member, r friend accmpanies an individual t his r her appintment with a health care prvider, and the individual des nt bject t the presence f the spuse, family member, r friend during the appintment, CMU will cnsider that the individual has cnsented t the

16 Page 16 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin health care prvider sharing the PHI with the spuse, family member, r friend during that appintment Fr requests by a spuse, family member r friend t access an individual s PHI in circumstances nt gverned by sectin 10.1, CMU will adhere t the fllwing prcedures: If a wrkfrce member receives a request fr a disclsure frm a persn claiming t be an individual s spuse, ther family member, clse friend, r persnal representative, the wrkfrce member must seek t verify that persn s identity as set frth sectin 12.0 f this Plicy Once the identity f the persn has been established, the wrkfrce member shuld check health plan r medical recrds t determine if this persn has been designated by the individual as being an authrized recipient f his r her PHI. If the persn is nt designated t receive the PHI, the wrkfrce member may nt make the disclsure except that either parent f a minr child may access the minr child s recrds absent a curt rder prhibiting such access If the wrkfrce member is unable t verify the identity r authrity f the persn, then n disclsure will be made unless the individual expressly authrizes it. If wrkfrce member is uncertain whether disclsure is apprpriate, the wrkfrce member shuld cntact the apprpriate Privacy Officer Uses and Disclsures f De-Identified Infrmatin 11.1 Under the Privacy Rules, health infrmatin frm which all individual identifiers have been remved is called de-identified infrmatin, and can be used and disclsed withut an individual s authrizatin. CMU s plicy is that infrmatin must be apprved by the apprpriate Privacy Officer as de-identified infrmatin befre it can be disclsed as such CMU will use and disclse de-identified infrmatin nly if the apprpriate Privacy Officer has verified that the infrmatin is in fact de-identified, as set frth in the definitins sectin f this Plicy. De-identified infrmatin is nt PHI, s nce the infrmatin has been apprved as de-identified infrmatin, CMU may freely use and disclse the de-identified infrmatin Verifying the Identity f Thse Requesting PHI 12.1 The Privacy Rules require that CMU verify the identity and authrity f persns r entities exercising their individual rights r therwise seeking access t PHI. CMU s plicy is t verify bth the identity f such persn r entity and the authrity f the persn r entity making the request (if the identity r authrity is nt knwn) CMU will disclse PHI in respnse t a request by the individual wh is the subject f the PHI by using the fllwing verificatin prcedures: If the individual making the request is nt knwn t the wrkfrce member, the wrkfrce member will take apprpriate steps t verify the identity f the individual which may include making a cpy f a valid pht identificatin issued by a gvernment agency. When the wrkfrce member has successfully verified the individual s identity, the wrkfrce member will fllw the applicable prcedures set frth in Plicy Individual Rights.

17 Page 17 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin If the individual requests PHI ver the telephne and the wrkfrce member is reasnably able t psitively identify the individual ver the telephne, the wrkfrce member may prvide the PHI as set frth in Plicy Individual Rights. If the wrkfrce member cannt identify the individual, the wrkfrce member will instruct the individual t make the request in persn, r direct the individual t send the request in writing If the request frm an individual riginates by the individual shuld be infrmed that it is CMU s plicy t prvide PHI requested by nly in paper frm and nly t the address n file. The individual may als be instructed t make the request in persn, r shuld be directed t send the request in writing if delivery t an alternate address is requested If the individual submits a written request fr PHI: cmpare the infrmatin in the written request with infrmatin in the individual s Health Plan r medical recrds. If the infrmatin des nt match, r if there is any dubt as t the identity f the persn making the request, cntact the apprpriate Privacy Officer determine whether the persn submitting the request has been designated in the Health Plan r medical recrd as an individual wh is authrized t receive the PHI. If the wrkfrce member determines that this is the case the request fr PHI will be granted n a case by case basis file a cpy f the request with the Health Plan r medical recrd f the individual whse recrds are being accessed, in accrdance with the dcumentatin requirements in this Plicy fllw the apprpriate prcedures set frth in Plicy Individual Rights 12.3 CMU will respnd t the request made by either parent seeking PHI f the parent s minr child using the fllwing verificatin prcedures: verify the identity f the persn making the request fllwing the prcedures abve fr respnding t a request by an individual verify the persn s relatinship with the child. The relatinship may be verified by cnfirming enrllment f the child as a dependent in the Health Plan, fr example generally, a nn-custdial parent will nt be denied access t recrds r infrmatin cncerning his r her minr child, unless prhibited by curt rder verify frm the Health Plan r medical recrds that the child is a minr verify frm the Health Plan r medical recrds that there is n restrictin in place, such as a curt rder prhibiting release f infrmatin t the parent fllw the apprpriate prcedures set frth in Plicy Individual Rights In certain circumstances, CMU is prhibited by Michigan law frm prviding the medical recrd f a minr t the minr s parents. If the minr child has been emancipated; has received prenatal r pregnancy related health care; has received treatment fr a venereal disease r HIV; r has received substance abuse related medical care, then CMU may nt disclse the medical recrd withut the minr s cnsent.

18 Page 18 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin Additinally, if a minr child has btained utpatient mental health services withut the cnsent r knwledge f the minr s parents, the minr s parents shall nt be infrmed f the services unless the mental health prfessinal treating the minr determines that there is a cmpelling need fr disclsure CMU will respnd t a request fr an individual s PHI made by a persnal representative f the individual using the fllwing verificatin prcedures: verify the identity f the persn making the request using the prcedures abve fr respnding t a request by an individual verify the persnal representative s authrity t access the individual s recrd: check the individual s file fr a cpy f a valid pwer f attrney, rder f curt, guardianship rder, r similar dcumentatin establishing the persnal representative s authrity. If there is a questin as t the scpe f authrity cnferred upn the individual, cntact the Privacy Officer t review the dcument if the file des nt have such dcumentatin: btain frm the persnal representative a cpy f a valid pwer f attrney, rder f curt, guardianship rder r similar dcumentatin establishing the authrity f the persnal representative. If there is a questin abut the validity r sufficiency f the dcument, r the scpe f authrity cnferred upn the persnal representative, cntact the apprpriate Privacy Officer t review the dcument verify that the persnal representative has nt been excluded frm receiving PHI by the dcumentatin in the individual s Health Plan r medical recrd file a cpy f the dcument in the individual s Health Plan r medical recrd accrding t the dcumentatin requirements in this Plicy fllw the apprpriate prcedures set frth in Plicy Individual Rights. A health care prvider r unit f the Hybrid Entity may elect nt t treat a persn as the persnal representative f an individual if the health care prvider r unit f the Hybrid Entity: has a reasnable belief that: the individual has been r may be subjected t dmestic vilence, abuse r neglect by such persn; r treating such persn as the persnal representative culd endanger the individual; and in the exercise f prfessinal judgment decides that it is nt in the best interest f the individual t treat the persn as the individual s persnal representative. In the event that a health care prvider r unit f the Hybrid Entity decides nt t treat a persn as a persnal representative, the health care prvider r unit shall dcument and retain a clear statement explaining the basis fr the decisin.

19 Page 19 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin 12.5 CMU will respnd t a request fr an individual s PHI made by a public fficial using the fllwing verificatin prcedures: verify that the request is fr ne f the purpses set frth abve in the sectins entitled Mandatry Disclsures f PHI t Individuals and HHS r Permitted Uses and Disclsures f PHI fr Legal and Public Plicy Purpses verify that the persn is a public fficial r acting n behalf f a gvernment agency: if the request is made in persn: ask t see an agency identificatin badge, fficial credentials, r ther prf f gvernment status make a cpy f the identificatin prvided, write n it the date f the request, and file it with the individual s Health Plan r medical recrd if the request is in writing: verify that the request is n apprpriate letterhead make a cpy f the writing and file it with the individual s Health Plan r medical recrd if the request is by a persn purprting t act n behalf f a public fficial: establish that the individual is acting n behalf f the public fficial, which may be established by ne f the fllwing dcuments: a written statement n apprpriate gvernment letterhead that the persn is acting under the gvernment s authrity a cntract fr services with the gvernment agency a memrandum f understanding with the gvernment agency a purchase rder with the gvernment agency make a cpy f the dcument and file it with the individual s Health Plan r medical recrd if there is any questin as t the persn s identity r affiliatin with the gvernment agency, cntact the apprpriate Privacy Officer verify that the persn is authrized t access the PHI: request a written statement setting frth the legal authrity under which the infrmatin is being requested if under the circumstances a written statement wuld be impracticable, btain an ral statement f such legal authrity (and dcument the ral statement) if the request is made pursuant t legal prcess, warrant, subpena, rder, r ther legal prcess issued by a grand jury r a judicial r administrative tribunal, cntact the apprpriate Privacy Officer

20 Page 20 f 23 HIPAA: Use and Disclsure f Prtected Health Infrmatin make a cpy f the dcument setting frth the legal authrity and file it with the individual s Health Plan r medical recrd fllw the applicable prcedures set frth abve in the sectins entitled Mandatry Disclsures f PHI t Individuals and HHS r Permitted Uses and Disclsures f PHI fr Legal and Public Plicy Purpses 13.0 Dcumentatin and Recrd Retentin Requirements 13.1 The Privacy Rules require CMU t maintain dcumentatin f its cmpliance with the Privacy Rules. CMU s plicy is t maintain the required dcumentatin fr the required retentin perid which is six years frm the date the dcument was made, r, if later, six years frm the date the dcuments was in effect The Chief Privacy Officer will maintain a cpy f the Plicies and Prcedures and the Ntice f Privacy Practices fr six years beynd the date the dcuments cease t be effective The Privacy Rules require that certain uses and disclsures be dcumented s that CMU can respnd t an individual s request fr an accunting f disclsures as utlined in Plicy Individual Rights Fr the disclsures that are subject t the right f an accunting (defined belw in Sectin ), each unit f the CMU Hybrid Entity will retain dcumentatin f the fllwing: the individual whse PHI was disclsed the date f the disclsure t the extent knwn, the name and address f the entity r persn wh received the PHI a brief descriptin f the PHI disclsed a brief statement f the purpse f the disclsure The fllwing disclsures f PHI must be dcumented fr purpses f an accunting: all unauthrized disclsures knwn t CMU disclsures t law enfrcement disclsures t HHS any disclsures required by law, including thse made: in respnse t the rder f a curt r an administratin tribunal in respnse t a subpena, discvery request, r ther lawful prcess that is nt accmpanied by an rder f a curt r administrative tribunal, prvided that there is an apprpriate prtective rder in place and, where medical recrds are invlved, the individual has waived his r her physician-patient privilege