PEPPERDINE UNIVERSITY
HIPAA Policies, Procedures and Forms Manual
May 16, 2012

Table of Contents

I. INTRODUCTION ......................................................................... 4
   A. GENERAL POLICY .................................................................... 4
   B. SCOPE ............................................................................. 4
II. DEFINITIONS ......................................................................... 5
III. GENERAL POLICIES AND PROCEDURES .................................................... 9
   A. AUTHORIZATION TO USE OR DISCLOSE PROTECTED HEALTH INFORMATION ..................... 9
      1. Policy ......................................................................... 9
      2. Procedure ...................................................................... 9
      3. Applicable Regulations ........................................................ 10
   B. BUSINESS ASSOCIATES ............................................................. 10
      1. Policy ........................................................................ 10
      2. Procedure ..................................................................... 11
      3. Applicable Regulations ........................................................ 11
   C. COMPLAINT ....................................................................... 11
      1. Policy ........................................................................ 11
      2. Procedure ..................................................................... 11
      3. Applicable Regulations ........................................................ 12
   D. DE‐IDENTIFICATION OF PROTECTED HEALTH INFORMATION ............................... 12
      1. Policy ........................................................................ 12
      2. Procedure ..................................................................... 12
      3. Applicable Regulations ........................................................ 13
   E. LIMITED DATA SETS ............................................................... 13
      1. Policy ........................................................................ 13
      2. Procedure ..................................................................... 14
      3. Applicable Regulations ........................................................ 14
   F. MINIMUM NECESSARY USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION ............ 14
      1. Policy ........................................................................ 15
      2. Procedure ..................................................................... 15
      3. Applicable Regulations ........................................................ 16
   G. NOTICE OF PRIVACY PRACTICES ..................................................... 16
      1. Policy ........................................................................ 16
      2. Procedure ..................................................................... 16
      3. Applicable Regulation ......................................................... 17
   H. PRIVACY OFFICIAL, SECURITY OFFICER, AND PRIVACY COORDINATORS .................... 17
      1. Privacy Official .............................................................. 17
      2. Security Official ............................................................. 18
      3. Privacy Coordinators .......................................................... 18
      4. Applicable Regulation ......................................................... 20
   I. RECORDS RETENTION ............................................................... 20
      1. Policy ........................................................................ 20
      2. Procedure ..................................................................... 20
      3. Applicable Regulation ......................................................... 21
   J. RESEARCH ........................................................................ 21
      1. Policy ........................................................................ 21
      2. Procedure ..................................................................... 21
      3. Applicable Regulations ........................................................ 23
   K. RIGHT TO REQUEST ACCESS TO PROTECTED HEALTH INFORMATION ......................... 23
      1. Policy ........................................................................ 23
      2. Procedure ..................................................................... 23
      3. Applicable Regulation ......................................................... 26
   L. RIGHT TO REQUEST AN ACCOUNTING OF DISCLOSURES ................................... 26
      1. Policy ........................................................................ 26
      2. Procedure ..................................................................... 27
      3. Applicable Regulation ......................................................... 28
   M. RIGHT TO REQUEST AN AMENDMENT TO PROTECTED HEALTH INFORMATION ................... 28
      1. Policy ........................................................................ 28
      2. Procedure ..................................................................... 28
      3. Applicable Regulation ......................................................... 30
   N. RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION ..................................... 30
      1. Policy ........................................................................ 30
      2. Procedure ..................................................................... 30
      3. Applicable Regulation ......................................................... 30
   O. RIGHT TO REQUEST RESTRICTIONS ON THE USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION ... 31
      1. Policy ........................................................................ 31
      2. Procedure ..................................................................... 31
      3. Applicable Regulation ......................................................... 31
   P. SAFEGUARDING PROTECTED HEALTH INFORMATION ....................................... 31
      1. Policy ........................................................................ 31
      2. Procedure ..................................................................... 32
      3. Applicable Regulation ......................................................... 32
   Q. TRAINING ........................................................................ 32
      1. Policy ........................................................................ 32
      2. Procedure ..................................................................... 33
      3. Applicable Regulation ......................................................... 33
HIPAA SAMPLE FORMS [SEE FOLLOWING PAGES] ............................................... 34
   A. ACCOUNTING FOR DISCLOSURES OF PROTECTED HEALTH INFORMATION ...................... 35
   B. AUTHORIZATION TO USE/DISCLOSE PROTECTED HEALTH INFORMATION (HIPAA) .............. 36
   C. BUSINESS ASSOCIATE AGREEMENT .................................................... 38
   D. DENIAL OF REQUEST FOR AN AMENDMENT .............................................. 44
   E. DENIAL OF REQUEST FOR ACCESS .................................................... 45
   F. PRIVACY COMPLAINT ............................................................... 46
   G. REQUEST FOR ACCESS TO PROTECTED HEALTH INFORMATION .............................. 47
   H. REQUEST FOR ACCOUNTING OF DISCLOSURES ........................................... 48
   I. REQUEST FOR AMENDMENT TO PROTECTED HEALTH INFORMATION ........................... 49
I. Introduction
A. General Policy
Pepperdine University is committed to protecting the privacy of individual health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations promulgated thereunder. These policies and procedures apply to protected health information created, acquired, or maintained by the designated covered components of the University after April 14, 2003. The statements in this Manual represent the University’s general operating policies and procedures. For further details regarding these policies and procedures, see 45 C.F.R. Parts 160 and 164.
B. Scope
Pepperdine University is a hybrid entity as defined in 45 C.F.R. §164.103 and includes both covered and non‐covered components. These policies and procedures apply only to the University’s designated covered components, which include:
• Student Health Center;
• Athletic Training Center;
• Student Counseling;
• Pepperdine Psychology and Education Clinic;
• Pepperdine Community Counseling Center;
• Pepperdine Jerry B.H. Union Rescue Clinic; and
• Center for Human Resources, Benefits Department.
Certain administrative and/or support offices may also be designated as covered components.
The designated covered components may not share protected health information with the non‐covered components of the University, unless specifically permitted by the privacy regulations. It is the responsibility of each designated covered component to assure that their employees, students, volunteers, etc. comply with these policies and procedures. A designated covered component may develop and incorporate additional policies and procedures if doing so is necessary and appropriate to comply with more stringent state laws.[1] However, a designated covered component may not delete sections of these policies and procedures without first consulting the Privacy Official or the Security Official.

[1] HIPAA ensures a federal standard (a “floor”) of privacy protections. State privacy laws may be more stringent than the HIPAA privacy rule. In those cases, the more stringent state law will apply.
II. Definitions
Business Associate means a person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business Associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity. A member of a covered entity’s workforce is not one of its business associates. A covered entity may be a business associate of another covered entity. 45 C.F.R. § 160.103.
Covered Entity means a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard. 45 C.F.R. § 160.103.
Covered Functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse. 45 C.F.R. § 160.103.
Designated Covered Components (or Covered Components) means a component or combination of components designated by the University, which is a Hybrid Entity. The designated covered components of the University are listed in Section I.B. of this Manual.
Designated Record Set means a group of records maintained by or for a covered entity that includes medical and billing records about individuals, or a group of records that are used in whole or in part by or for the covered entity to make decisions about individuals. 45 C.F.R. § 164.501.
Direct Treatment Relationship means a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship. 45 C.F.R. § 164.501.
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. 45 C.F.R. § 160.103.
Electronic Media means electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media.
Transmission media includes, for example, the Internet (wide‐open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial‐up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile, and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission. 45 C.F.R. § 160.103.
HHS stands for the Department of Health and Human Services.
Health Care means care, services, or supplies related to the health of an individual, including (1) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, services, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. 45 C.F.R. § 160.103.
Health Care Clearinghouse means a public or private entity, including a billing service, re‐pricing company, community health management information system or community health information system, and “value‐added” networks and switches, that performs either of the following functions: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity. 45 C.F.R. § 160.103.
Health Care Operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions: (1) conducting quality assessment and improvement activities, population‐based activities, and related functions that do not include treatment; (2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health care providers, training of professionals that are not health care providers, accreditation, certification, licensing, or credentialing activities; (3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; (4) conducting or arranging for medical review, legal services, and auditing functions; (5) business planning and development; and (6) business management and general administrative activities of the entity. 45 C.F.R. § 164.501.
Health Care Provider means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. § 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. § 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. 45 C.F.R. § 160.103.
Health Information means any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 45 C.F.R. § 160.103.
Health Plan means, with certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. § 300gg‐91(a)(2)). 45 C.F.R. § 160.103.
Hybrid Entity means a single legal entity that is a covered entity, performs business activities that include both covered and non‐covered functions, and designates its health care components as provided in the Privacy Rule. 45 C.F.R. § 164.103.
Indirect Treatment Relationship means a relationship between an individual and a health care provider in which (1) the health care provider delivers health care to the individual based on the orders of another health care provider; and (2) the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual. 45 C.F.R. § 164.501.
Individually Identifiable Health Information means information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. § 160.103.
Person means any natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private. 45 C.F.R. § 160.103.
Protected Health Information (or PHI) means individually identifiable health information transmitted or maintained in electronic media (ePHI), or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer. 45 C.F.R. §§ 164.501, 160.103.
Psychotherapy Notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. 45 C.F.R. § 164.501.
Research means a systematic investigation, including research development, testing, and evaluation designed to develop or contribute to generalizable knowledge. 45 C.F.R. § 164.501.
Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. 45 C.F.R. § 164.501.
Secretary means the Secretary of the U.S. Department of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated. 45 C.F.R. § 160.103.
Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information. 45 C.F.R. § 160.103.
Violation or violate means, as the context may require, failure to comply with an administrative simplification provision.
Workforce means employees, volunteers, trainees, or other persons whose conduct in the performance of work for a covered entity is under the direct control of such entity, whether or not they are paid by the covered entity. 45 C.F.R. § 160.103.
III. General Policies and Procedures
A. Authorization to Use or Disclose Protected Health Information
1. Policy
Pepperdine University will obtain an individual’s authorization to use or disclose protected health information in accordance with HIPAA and its regulations. Generally, designated covered components do not need to obtain an individual’s authorization when using and disclosing protected health information for routine purposes (e.g. treatment, payment, or health care operations), or for other limited purposes, as described in Pepperdine University’s Notice of Privacy Practices. Otherwise, designated covered components must obtain an individual’s valid authorization for the use or disclosure of protected health information.
2. Procedure
Authorization Form
A Sample Authorization may be found on page 36 of this Manual.
The authorization shall be written in plain language and shall contain the following information:
o A description of the PHI to be used/disclosed that identifies the information in a specific and meaningful fashion;
o A description of each purpose of the requested use or disclosure; for example, the statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
o The name of the person or organization authorized to disclose the PHI;
o The name of the person or organization authorized to receive the PHI;
o A statement that the individual has the right to revoke the authorization in writing;
o A statement listing the exceptions to an individual’s right to revoke;
o A statement that information used or disclosed pursuant to the authorization may be subject to re‐disclosure by the recipient and no longer protected;
o A statement that the individual may refuse to sign the authorization;
o A statement that the covered component will not condition treatment, payment, enrollment or eligibility for benefits in a health plan, based on the individual providing authorization for the requested use or disclosure;
o An expiration date (or expiration event); and
o The signature of the individual and date (or the signature of an individual’s personal representative).
The University must provide the individual with a signed copy of the authorization.
Psychotherapy Notes
The University will obtain an individual’s authorization to use or disclose psychotherapy notes, except in the circumstances listed below.
The University does not need to obtain an individual’s authorization to use or disclose psychotherapy notes:
o To carry out treatment, payment, or health care operations;
o For use by the originator of the psychotherapy notes for treatment;
o For use or disclosure by the designated covered component for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in counseling;
o For use or disclosure by the covered entity to defend itself in a legal action or proceeding brought by the individual; and
o For other limited uses and disclosures as described in 45 C.F.R. § 164.508(a)(2).
Revocation of Authorization
An individual may revoke an authorization at any time, provided that the revocation is in writing.
If the University has already taken action in reliance on the authorization, the University will stop providing protected health information based on the revoked authorization within a reasonable period of time.
Documentation
The University must document and retain any signed authorization under this section.
3. Applicable Regulations
45 C.F.R. §§ 164.508, 164.512.
B. Business Associates
1. Policy
From time to time, covered components may share protected health information with external parties, known as business associates. Protected health information generally may only be shared with business associates pursuant to a valid Business Associate Agreement. A Business Associate Agreement can be in the form of a written amendment to an existing agreement.