These policies and procedures were created to help UWM comply with the privacy and security regulations established pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) of 2009.
The primary purpose of HIPAA’s privacy and security regulations is to protect the confidentiality of Protected Health Information which is generated or maintained by entities covered by HIPAA in the course of providing health care services.
“Protected Health Information” (or “PHI”) is defined under HIPAA as information relating to (1) the past, present, or future physical or mental health condition of an individual, (2) the provision of health care to an individual, or (3) the past, present, or future payment for the provision of health care to an individual.
These policies are intended to be a summary of the HIPAA privacy and security regulations. The policies are not intended to serve as a substitute for the regulations. For any questions regarding interpretation of these policies, the regulations must be consulted (45 C.F.R. parts 160 and 164).
B. UWM Departments Covered by these Policies and Procedures (UWM’s Health Care Component)
(45 C.F.R. §§ 164.103, 164.105)
UWM is a “Hybrid Entity” under HIPAA. This means that UWM’s business activities include both covered and non-covered functions, and that UWM has designated those departments or units that properly form its “Health Care Component” for the purpose of HIPAA coverage.
UWM has designated as its Health Care Component those departments or units (a unit for this purpose is any definable business operation at UWM; for example, a school or college, an academic or administrative department or sub-department, a center, clinic, or sub-clinic, or laboratory) that meet the following criteria:
- The unit furnishes, bills or is paid for Health Care in the normal course of business.
  - “Health Care” means care, services, or supplies related to the health of an individual, and includes: preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body, and the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
- The unit transmits any PHI (see definition above) in Electronic Form in connection with a Transaction.
  - “Electronic Form” means via the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of transportable electronic storage media (memory devices, hard drives, memory disks or cards).
  - “Transaction” means the transmission of information between two parties to carry out financial or administrative activities relating to health care, including:
    - Health care claims or equivalent encounter information;
    - Health care payment and remittance advice;
    - Coordination of benefits;
    - Health care claim status;
    - Enrollment or disenrollment in a health plan;
    - Eligibility for a health plan;
    - Health plan premium payments;
    - Referral certification and authorization;
    - First report of injury; and
    - Health claims attachments.
UWM departments or units that meet the above definition are designated as part of UWM’s Health Care Component and are referred to herein as “Provider Units”. In addition, other UWM departments or units that provide administrative services to Provider Units and in doing so, access a Provider Unit’s PHI, are also designated as part of UWM’s Health Care Component and are referred to herein as “Administrative Units”.
Both the Provider Units and the Administrative Units are collectively referred to as “Covered Departments” under these policies and must comply with all of the policies and procedures outlined in this manual.
The following Covered Departments are considered part of UWM’s Health Care Component for the purposes of HIPAA:
- Provider Units:
  - UWM Audiology Clinic (College of Health Sciences) [1]
  - Institute for Urban Health Partnerships (College of Nursing)
- Administrative Units:
  - Privacy Officers for Covered Departments (See current List of UWM’s Privacy Officers.)
  - UITS Selected Support Staff (Division of Finance & Administrative Affairs)
  - Other (Non-UITS) IT personnel serving Covered Departments
  - Accounts Payable
  - Accounts Receivable
  - Office of Legal Affairs (Division of Finance & Administrative Affairs)
  - Risk Management (Division of Finance & Administrative Affairs)
[1] The UWM Audiology Clinic is part of an organized health care arrangement with the Center for Communication, Hearing and Deafness (CCHD) to provide services under the name Community Audiology Services.
C. Designation and Responsibilities of Privacy Officers
(45 C.F.R. § 164.530(a))
The Dean or Division Head of each school, college, or division in which there are Covered Departments shall designate one or more Privacy Officers. The Privacy Officers shall be responsible for ensuring, in cooperation with the Office of Legal Affairs, that these policies and procedures are implemented by the Covered Departments under their responsibility. (See the current List of UWM’s Privacy Officers.)
Privacy Officers are responsible for ensuring that their Covered Departments are adequately informed about the policies in this manual and are complying with them. The duties and responsibilities of each Privacy Officer (with respect to the Covered Department(s) assigned to that Privacy Officer) include:
- Monitoring the Covered Department(s) to ensure that it meets the criteria provided above and is appropriately designated as part of UWM’s Health Care Component under these policies (see Section B above);
- Ensuring that each existing and new employee within Covered Departments completes online HIPAA training at the time of hire and then no less than once every 2 years (Privacy Officers may establish a requirement for more frequent training depending on the need of the Covered Department);
- Ensuring that Covered Departments are working with the Security Officer and his or her designees to comply with security regulations (see Section D below);
- Monitoring Covered Departments to ensure that they have adopted safeguards to protect patient information (see Section E below);
- Monitoring Covered Departments to ensure that they are properly using the Notice of Privacy Practices and Authorization to disclose patient information, including for any research purposes (see Sections F and H below);
- Monitoring Covered Departments to ensure that they are properly disclosing information when an Authorization is not required (see Section G below);
- Monitoring Covered Departments to ensure that they are properly maintaining an Accounting of Disclosures (see Section K below);
- Responding to patient requests for (a) restrictions on the use of Protected Health Information; (b) confidential communications; (c) inspecting and copying records; (d) amendments of records; (e) accountings of disclosures; and (f) complaints (see Section L below);
- Monitoring Covered Departments to ensure that they have properly obtained Business Associate Agreements with appropriate contractors (see Section M below);
- Maintaining any documentation regarding sanctions that have been applied by administration for an individual’s failure to comply with these policies and procedures (see Section O below);
- Initiating proper procedures in the event of any suspected breach of confidential PHI (see Section N below); and
- Maintaining other documentation of compliance with these policies and procedures (see Section P below).
D. Designation and Responsibilities of Security Officer
(45 C.F.R. § 164.308(a)(2))
UWM’s Chief Information Officer shall serve as the Security Officer for the purposes of HIPAA. The Security Officer shall be responsible for oversight of the security regulations and shall cooperate with Privacy Officers and/or Covered Departments’ designated security staff to ensure that security regulations are implemented by Covered Departments. Specifically, the Security Officer shall work with Privacy Officers and other staff of Covered Departments to:
- Ensure the confidentiality, integrity, and availability of all Electronic PHI created, received, maintained, or transmitted by the Covered Departments;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of Electronic PHI;
- Protect against any reasonably anticipated uses or disclosures of Electronic PHI that are not permitted or required under HIPAA; and
- Ensure compliance with the security regulations by the Covered Departments.
“Electronic PHI” is PHI that is stored or transmitted by electronic media. Electronic PHI includes PHI that is stored on hard drives or portable memory media (disks and CDs) as well as PHI that is transmitted by e-mail or the internet. Electronic PHI does not cover conventional faxes or voicemail.
The above responsibilities will be accomplished, in part, by the provision of “Security Guidelines” for use by Covered Departments.
E. General Safeguards to Protect PHI
- Minimum Necessary Rule (45 C.F.R. §§ 164.502(b), 164.514(d); 42 U.S.C. § 17935(b))
- General Rule
Covered Departments must make reasonable efforts to limit the use and disclosure of Protected Health Information to the minimum extent necessary to accomplish the use or disclosure’s intended purpose. Until additional guidance is issued by the Secretary of Health and Human Services, Covered Departments should use a Limited Data Set (as defined in Section J), if practicable to accomplish the intended purpose of the use or disclosure. If a Limited Data Set is not practicable, the Covered Departments may still rely on the general minimum necessary rule. Covered Departments must make their own determination as to what constitutes the minimum amount of information necessary for the intended purpose of any use or disclosure, and may not independently rely on the determination of the requestor.
This “minimum necessary rule” shall not apply to the use and disclosure of PHI:
- For treatment purposes;
- For information requested by the patient to whom it belongs;
- For information requested pursuant to a valid authorization;
- For disclosures made to the Secretary of the Department of Health and Human Services for HIPAA compliance and enforcement;
- For uses and disclosures required by law or for compliance with HIPAA.
- Access by Employees
Each Covered Department shall designate those employees who need access to Protected Health Information to carry out their duties and shall designate the level of access needed by each such employee.
- Access by Students
The access granted to students must be determined on a case-by-case basis depending on the nature of the educational activity. The level of a particular student’s access shall be determined by and monitored by his or her advisor or relevant instructor.
- Protocols Related to the Minimum Necessary Rule
Covered Departments shall develop their own individual protocols with regard to implementation of the minimum necessary standard.
- Other Safeguards
Covered Departments are responsible for developing and establishing safeguards to protect the confidentiality of Protected Health Information. These should include appropriate administrative, technical, and physical safeguards to reasonably protect Protected Health Information from any intentional or unintentional use or disclosure in violation of this policy. At a minimum, Covered Departments should comply with the following:
- Oral Communications
Covered Department staff must exercise due care to avoid unnecessary disclosures of Protected Health Information through oral communications.
- Telephone Messages
Telephone messages and appointment reminders may be left on answering machines and voice mail systems, unless the patient has requested an alternative means of communication. Telephone messages should never be left that include particularly sensitive health information, such as medical test results.
- Faxes
Prior to sending a fax containing Protected Health Information, the sender should contact the recipient to verify the fax number and notify the recipient of the transmission, and the sender should confirm immediately afterward that the transmission was received. All faxes of Protected Health Information should be accompanied by a cover sheet that includes a confidentiality notice. Sensitive health information should not be transmitted by fax, except if deemed to be necessary under the circumstances, such as in an emergency situation or in response to an immediate need by a governmental agency. The Covered Department’s fax machines must be located in secure areas not readily accessible to visitors and patients. Incoming faxes should not be left sitting on or near the machine.
- E-mail
Prior to sending an e-mail containing Protected Health Information, the sender should verify the e-mail address of the recipient. All e-mails of Protected Health Information should contain a prominent confidentiality notice. Sensitive health information should not be transmitted by e-mail, except if deemed to be necessary under the circumstances, such as in an emergency situation or in response to an immediate need by a governmental agency. Prior to communicating with patients by e-mail, Covered Departments should obtain permission from the patient. (See UWM’s recommended Permission to Use E-mail.)
- Sign In Sheets
Sign in sheets should not contain information about the patient’s condition. Covered Departments that primarily see and treat patients with mental health, substance abuse, communicable diseases, or other sensitive health conditions should structure sign in sheets in a manner so that subsequent signers cannot identify the previous signers.
- Paper Records
Paper records, including medical charts, should be stored or filed in such a way to avoid access by unauthorized personnel. Paper records should be secured/locked when the office is unattended. Original records should not be removed from the Covered Department’s premises unless necessary to provide care or treatment or as required by law.
- Destruction Standards
Protected Health Information must be discarded in a manner that protects the confidentiality of that information. Paper and other printed materials should be destroyed or shredded.
- Computer/Work Stations
Computer monitors must be positioned away from common areas to prevent unauthorized access or observation. The screens on unattended computers must be returned to the main menu or protected by a password-protected screen saver.
Covered Departments are encouraged to adopt policies and procedures that are stricter than the parameters set forth above, in order to maximize the protection of Protected Health Information in light of the Covered Department’s unique circumstances and practices.
F. Notice of Privacy Practices
(45 C.F.R. § 164.520)
Covered Departments must give all patients a Notice of Privacy Practices (see UWM’s recommended Notice of Privacy Practices). If a Covered Department wishes to modify the recommended Notice of Privacy Practices, it should consult with the Office of Legal Affairs on any substantive changes.
- Acknowledgement of Receipt
Covered Departments must make a good faith effort to obtain a written acknowledgement that patients have received a copy of the Notice of Privacy Practices prior to receiving health care services. (See UWM’s recommended Acknowledgement of Receipt).
- Methods of Transmission
The Notice of Privacy Practices may be mailed to the patient prior to, or handed to the patient at the first appointment after, April 14, 2003. If a paper copy of the Notice is given to the patient, the patient should complete the paper Acknowledgement of Receipt.
The Notice may also be sent via e-mail if the patient has agreed to electronic notices. (See UWM’s recommended Permission to Use E-mail). If the Notice is delivered by e-mail, no Acknowledgment of Receipt is required so long as the patient has completed the Permission to Use E-mail.
A current version of the Notice of Privacy Practices must be posted at all treatment sites of Covered Departments, in clear and prominent locations, at all times.
- Emergency Situations
In the event of an emergency, the Notice of Privacy Practices must be given to the patient as soon as reasonably practicable, and an Acknowledgement of Receipt is not required.
- When Unable to Obtain Acknowledgement
If a Covered Department cannot obtain an Acknowledgement of Receipt in a non-emergency situation, it must document its efforts to obtain the Acknowledgement of Receipt and the reason for its inability to obtain the Acknowledgement. The efforts should be documented in the space provided at the bottom of the Acknowledgement of Receipt.
- Revisions to Notice of Privacy Practices
If a Covered Department revises the Notice of Privacy Practices, the revised Notice need not be sent to patients who have already signed an Acknowledgement of Receipt. A revised Notice of Privacy Practices must be posted on the Covered Department’s web site and a paper copy must be provided to patients upon request.
G. Uses and Disclosures of Protected Health Information that Do Not Require the Patient’s Written Authorization
Many routine uses and disclosures of Protected Health Information do not require the patient’s written authorization. HIPAA establishes two such categories of uses and disclosures: uses and disclosures that do not require health care providers to inform the patient of the use or disclosure, and uses and disclosures that require health care providers to inform the patient of the use or disclosure and give the patient an opportunity to refuse to allow such use or disclosure.
- Uses and Disclosures that Do Not Require Providers to Inform the Patient of Such Uses and Disclosures (45 C.F.R. §§ 164.506, 512)
- for treatment purposes;
- to obtain payment;
- for health care operations (e.g., quality control or appointment notifications);
- when required by law (e.g., to report abuse or neglect);
- for public health activities (e.g., workplace safety monitoring or disease control);
- for health oversight activities (e.g., provider licensing review);
- for activities related to the patient’s death;
- to avert a threat to health or safety;
- for specific government functions (e.g., disclosures to correctional facilities or government benefit programs); or
- to government authorities for workers’ compensation purposes.
In addition, there are certain limited circumstances in which PHI can be disclosed for research purposes without the patient’s notification, but such disclosure first requires the approval of UWM’s Institutional Review Board or a special privacy board approved by UWM.
Covered Departments can use demographic information and dates of service to send fundraising communications without patient authorization provided this is indicated in the Notice of Privacy Practices and both the communication and the Notice of Privacy Practices includes clear and conspicuous information about how a person can opt-out of receiving such communications and the Covered Department makes reasonable efforts to comply.
The disclosures listed above are explained in greater detail in the Notice of Privacy Practices.
- Uses and Disclosures that Require Providers to Give the Patient an Opportunity to Object to Such Uses or Disclosures (45 C.F.R. § 164.510)
There are two specific uses and disclosures that require providers to give the patient an opportunity to object to such use or disclosure before the patient’s health information is used or disclosed:
- Patient Directories.
Providers may maintain patient directories in which they disclose a patient’s name, location and general health condition to callers or visitors who ask for the patient by name. These directories also may include a patient’s religious affiliation so that providers may share it with clergy. Before a patient’s name is added to such a directory, the patient must be informed and given the opportunity to object to such a listing.
- To Those Involved in the Patient’s Care.
Health care providers may share with a patient’s friends, family or others involved in the patient’s care information related to that patient’s location or general condition. Similarly, if applicable, providers may release PHI to disaster relief organizations. Prior to such disclosure, the provider must inform the patient that the disclosure might occur, and the patient must have an opportunity to object.
H. Authorization for Use or Disclosure of PHI
(45 C.F.R. § 164.508)
HIPAA requires that Covered Departments obtain patient authorization in writing for any use or disclosure of Protected Health Information, other than those described in Section G above, where authorization is not required. Uses or disclosures requiring written authorization often fall into one of five categories: uses or disclosures related to marketing, uses or disclosures in connection with the sale of Protected Health Information, uses or disclosures related to research, the use or disclosure of psychotherapy notes, and miscellaneous disclosures requested by the patient.
(See UWM’s recommended Authorization Form and Authorization Form for Research. These forms, as appropriate, may be used for all patient records except for psychotherapy notes.) The authorization must be signed by the patient before any use or disclosure of Protected Health Information requiring such authorization can occur. A copy of the Authorization must be provided to the patient.
- Marketing
All marketing communications require prior authorization unless they are made in the course of treatment, made face-to-face between the Covered Department and the individual patient, or involve the Covered Department’s distribution of a promotional gift of nominal value. However, even if a communication falls within one of these exceptions, if a Covered Department is paid (directly or indirectly) by an outside entity to send a communication to a patient, the Covered Department is deemed to be marketing unless the communication concerns a currently prescribed drug and the payment received is “reasonable in amount” (as determined with reference to HIPAA regulations). A Covered Department is also deemed to be marketing if it engages with an outside entity by agreeing to promote that entity’s services to its patients (regardless of payment), and if it does not do so in the course of treatment, in a face-to-face context, or via a promotional gift of nominal value. In such instances, it must obtain prior authorization from the patients to whom it intends to market. If the Covered Department receives payment in exchange for such marketing, the authorization form must disclose that fact. Promotional information about the Covered Department’s own practices is not considered marketing under HIPAA.
- Sale of Protected Health Information
All sales of Protected Health Information, for direct or indirect payment, require patient authorization unless they are made for public health activities as described in the Privacy Rule, in connection with research (provided the price charged reflects the cost of preparation and transmittal of data), for treatment of the individual, in connection with a Business Associate Agreement, or to provide an individual with a copy of his/her own records. Any such patient authorization must specifically state that the Covered Department is receiving remuneration for the Protected Health Information.
- Research
Patient authorization must be obtained if a Covered Department wishes to use or allow use of a patient’s Protected Health Information in research studies, unless the Department has received explicit permission to forego an authorization by UWM’s Institutional Review Board (IRB) or by a special board authorized by UWM to handle privacy matters. For the purposes of research, the recommended Authorization Form for the Use and Disclosure of PHI for Research Purposes may be used, or, with approval from the IRB, the same information may be incorporated into an informed consent form developed by the department administering the study.
- Psychotherapy Notes
Unless psychotherapy notes are used by their originator for treatment, used in the provider’s own training program, or disclosed pursuant to a court order, use or disclosure of psychotherapy notes requires a separate authorization. Psychotherapy notes are notes recorded by a mental health care professional that document or analyze the contents of a private or group counseling session. They do not include documentation of medication administered to the patient or of the frequency of counseling sessions. (See UWM’s recommended Authorization Form for the Use and Disclosure of Psychotherapy Notes.)
- Miscellaneous Disclosures
At the patient’s request, PHI may be disclosed to another person or entity, after the patient signs a valid authorization.
I. De-identification of PHI
(45 C.F.R. §§ 164.502(d), 164.514(a)-(c))
- Use of De-identified PHI
Covered Departments may use PHI to create de-identified information without patient authorization. Covered Departments may also disclose PHI to a Business Associate for the purpose of creating de-identified information without patient authorization. De-identified information is not PHI and may be used or disclosed without patient consent.
- Requirements for De-identification
PHI may be considered de-identified if all of the following identifiers are removed for the patient, relatives, employers, or household members of the patient:
- Geographic subdivisions smaller than a state (i.e. county, town or city, street address, and zip code) (except that the initial 3 digits of a zip code may be disclosed where the area covered by those 3 digits contains more than 20,000 people);
- All elements of dates except year for dates that are directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89) (note that ages may be aggregated into a single category of age 90 or older);
- Phone numbers;
- Fax numbers;
- Email addresses;
- Social security number;
- Medical record number;
- Health plan beneficiary number;
- Account number;
- Certificate/license number;
- Vehicle identifiers and serial numbers;
- Device identifiers and serial numbers;
- Internet protocol addresses;
- Biometric identifiers (e.g. fingerprints, DNA);
- Full face photographic and any comparable images;
- Any other unique identifying number, characteristic, or code; and
- Any other information about which the Covered Department has actual knowledge that it could be used alone or in combination with other information to identify the individual.
PHI may also be considered de-identified if a person with appropriate expertise in statistics and other relevant scientific principles and methods (1) determines that the risk is very small that the information could be used, alone or in combination, by an anticipated recipient to identify a patient who is the subject of the information; and (2) documents the methods and results of the analysis that justify the determination.
The Department of Health and Human Services (HHS) issued additional guidance on using the above methods for de-identifying Protected Health Information in its November 26, 2012 publication titled “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” which can be found on HHS’s website and should be consulted as appropriate.
- Use of Codes to Allow Re-identification
A Covered Department may assign a code or other means of record identification to allow de-identified information to be re-identified by that unit provided that:
- The code or other means of record identification is not derived from or related to information about the patient and is not capable of being translated so as to identify the patient; and
- The Covered Department does not use or disclose the code for any purpose except re-identification.
Disclosure of a code is the same as disclosure of PHI. If de-identified information is re-identified, that information is PHI subject to all the protections of HIPAA.
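The Safe Harbor rules above (identifier removal, zip codes truncated to three digits only where that area covers more than 20,000 people, dates reduced to year, ages over 89 collapsed to a single 90+ category) and the re-identification code rule can be applied mechanically. The following is an added example, not code from UWM or from the HHS guidance; the field names, the zip-prefix population table and the sample record are all constructed assumptions, and the free-text scan is only a heuristic aid to the “actual knowledge” test, not a substitute for it.

```python
import re
import secrets
from datetime import date

# Fields the Safe Harbor list requires to be removed outright (names, postal
# subdivisions smaller than a state, contact details, record and device
# numbers, IP addresses, biometrics, photographs). Constructed field names.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "ip_address", "biometric", "photo",
}

# Constructed sample population per 3-digit zip prefix (NOT Census data):
# a prefix may be kept only where it covers more than 20,000 people.
ZIP3_POPULATION = {"532": 600000, "549": 15000}

# Dates directly related to the individual: reduced to the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifier shapes that often survive inside free-text notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


def safe_harbor_zip(zip_code):
    """Keep the 3-digit prefix only if its area exceeds 20,000 people."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20000 else "000"


def safe_harbor_age(birth_iso, as_of_iso):
    """Age as of a date; ages over 89 collapse into the single category 90+."""
    b, a = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    age = a.year - b.year - ((a.month, a.day) < (b.month, b.day))
    return "90+" if age > 89 else age


def residual_identifiers(text):
    """Names of identifier patterns found in free text, sorted for stable output."""
    return sorted(name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


def new_reidentification_code():
    """Random code: not derived from patient data and not translatable back to it."""
    return secrets.token_hex(16)


def deidentify(record, as_of_iso, key_store):
    """Return a Safe Harbor de-identified copy of `record`.

    The mapping from the re-identification code back to the medical record
    number is written only to `key_store`, which the Covered Department keeps
    and never discloses (disclosing the code is disclosing PHI).
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = date.fromisoformat(value).year
        else:
            out[field] = value
    if "birth_date" in record:
        out["age"] = safe_harbor_age(record["birth_date"], as_of_iso)
        if out["age"] == "90+":
            # Even the birth year would indicate an age over 89, so drop it too.
            out.pop("birth_year", None)
    if "notes" in out and residual_identifiers(out["notes"]):
        # Free text carrying an identifier pattern is not released as-is.
        out["notes"] = "[REDACTED: residual identifier detected]"
    code = new_reidentification_code()
    key_store[code] = record.get("mrn")
    out["record_code"] = code
    return out


# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001",
    "ssn": "123-45-6789",
    "street_address": "1 Example St",
    "city": "Milwaukee",
    "zip": "53211",
    "birth_date": "1930-05-01",
    "admission_date": "2023-03-15",
    "diagnosis_code": "H90.3",
    "notes": "Patient reached at 414-555-0100 to confirm follow-up.",
}

if __name__ == "__main__":
    store = {}
    print(deidentify(SAMPLE_RECORD, "2024-01-01", store))
    print("re-identification key (kept internally):", store)
```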
J. Use and Disclosure of Limited Data Sets
(45 C.F.R. § 164.514(e))
- Use and Disclosure Allowed
Covered Departments may use or disclose a “Limited Data Set” without patient consent for the purposes of research, public health, or health care operations, if the Covered Department first enters into a Data Use Agreement with the intended recipient of the Limited Data Set. (See UWM’s recommended Data Use Agreement.)
- Definition of “Limited Data Set”
A “Limited Data Set” is PHI that excludes the following direct identifiers of the patient, or of relatives, employers, or household members of the patient:
- Postal address information, other than town or city, state, and zip code;
- Telephone numbers;
- Fax numbers;
- E-mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Internet protocol address numbers;
- Biometric identifiers (e.g. fingerprints, DNA); and
- Full face photographic images and any comparable images.
K. Accounting of Disclosures of PHI
(45 C.F.R. § 164.528, 42 U.S.C. § 17935)
Covered Departments and Business Associates have an obligation to maintain (and patients have the right to request, pursuant to Section L.5 below) an “accounting of disclosures,” which is a listing of certain disclosures of a patient’s health information made by the Covered Department or its Business Associates to anyone outside of that Department since April 14, 2003, or during the preceding 6 years, whichever period is shorter.
1. Disclosures Included in an Accounting
The following disclosures must be included in an accounting:
- Disclosures for research that were not made pursuant to a patient authorization as described in Section G of this Manual (e.g., a disclosure made for a study in which the need for individual authorizations was waived by a UWM privacy board);
- Disclosures made for health oversight activities, such as those made to licensing or accreditation boards;
- Certain types of disclosures made to government agencies (for example, disclosures made to Milwaukee County or the Department of Health and Human Services for accountings or disclosures made to government authorities concerning abuse or child welfare);
- Disclosures made for law enforcement purposes (for instance, disclosures regarding evidence of a crime);
- Disclosures made for judicial or administrative hearings (e.g., a disclosure made pursuant to a subpoena);
- Uses and disclosures regarding decedents, including uses and disclosures for donation purposes or to funeral directors;
- Unlawful and/or unauthorized disclosures; and
- Where the Covered Department uses electronic health records, disclosures made to carry out treatment, payment and health care operations, but only during the preceding 3 years.
2. Disclosures Excluded from an Accounting
The following disclosures should not be included in an accounting:
- Disclosures made to carry out treatment, payment and health care operations, but only if the Covered Department does NOT use electronic health records;
- Disclosures made to the patient;
- Disclosures made pursuant to a patient authorization as described in Section G of this manual;
- Disclosures made for national security or intelligence purposes;
- Disclosures made to correctional institutions or law enforcement officials about a person in their custody;
- Disclosures for the Covered Department’s directory or other notification purposes;
- Disclosures made for the creation of a Limited Data Set (see Section J above); or
- Disclosures that are incidental to otherwise permissible disclosures.
3. Accounting Methodology
The accounting for each disclosure (other than a disclosure involving a research study utilizing data from more than 50 patients) must include:
- The date of the disclosure;
- The name of the entity or person who received the PHI and, if known, the address of that entity or person;
- A brief description of the information disclosed; and
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or, in lieu of such statement, a copy of a written request for that disclosure.
If the Covered Department has made multiple disclosures to the same person or entity for a single purpose, the accounting may, with respect to those disclosures, provide:
- The information required above;
- The frequency or number of disclosures made during the accounting period; and
- The date of the last such disclosure during the accounting period.
The Office of Legal Affairs recommends that Covered Departments track those disclosures that might be included in an accounting. (See UWM’s recommended Accounting of Disclosures Log.)
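The following is an added illustration, not UWM’s Accounting of Disclosures Log or any code from this Manual. It shows how the rules above can be applied mechanically to a disclosure log: the 6-year lookback bounded by April 14, 2003, the exclusion of the categories listed in paragraph 2, the 3-year limit on treatment/payment/operations disclosures where electronic health records are used, and the collapsing of repeated disclosures to the same recipient for the same purpose into a single entry with a count and last date. The field names, category labels and sample records are constructed for the example.

```python
"""Accounting-of-disclosures helper (added example; field names and
category labels are assumptions, not UWM's log format)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

HIPAA_COMPLIANCE_DATE = date(2003, 4, 14)  # earliest date an accounting reaches back to

# Categories the policy excludes from an accounting (Section K, paragraph 2).
EXCLUDED = {
    "patient", "authorization", "national_security", "correctional",
    "directory", "limited_data_set", "incidental",
}
TPO = "tpo"  # treatment, payment and health care operations


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str
    address: str          # empty string when the address is not known
    description: str      # brief description of the information disclosed
    purpose: str          # brief statement of the purpose of the disclosure
    category: str         # assumed label used to apply the include/exclude rules


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def is_accountable(d: Disclosure, request_date: date, uses_ehr: bool) -> bool:
    """Apply the inclusion/exclusion rules to one log entry."""
    if d.disclosed_on > request_date:
        return False
    window_start = max(HIPAA_COMPLIANCE_DATE, years_before(request_date, 6))
    if d.disclosed_on < window_start:
        return False
    if d.category in EXCLUDED:
        return False
    if d.category == TPO:
        # TPO disclosures are accountable only with EHR, and only for 3 years.
        return uses_ehr and d.disclosed_on >= years_before(request_date, 3)
    return True


def build_accounting(log, request_date: date, uses_ehr: bool):
    """Return accounting entries; repeated disclosures to one recipient for one
    purpose are summarised with a count and the date of the last disclosure."""
    groups = defaultdict(list)
    for d in log:
        if is_accountable(d, request_date, uses_ehr):
            groups[(d.recipient, d.purpose)].append(d)
    entries = []
    for (recipient, purpose), items in sorted(groups.items()):
        items.sort(key=lambda x: x.disclosed_on)
        first = items[0]
        entry = {
            "date": first.disclosed_on.isoformat(),
            "recipient": recipient,
            "address": first.address or "unknown",
            "description": first.description,
            "purpose": purpose,
        }
        if len(items) > 1:
            entry["count"] = len(items)
            entry["last_date"] = items[-1].disclosed_on.isoformat()
        entries.append(entry)
    return entries


# Constructed sample log and request date for demonstration only.
REQUEST_DATE = date(2021, 3, 1)
SAMPLE_LOG = [
    Disclosure(date(2019, 2, 3), "State Licensing Board", "123 Example St", "Visit notes", "health oversight", "oversight"),
    Disclosure(date(2018, 6, 1), "State Licensing Board", "123 Example St", "Visit notes", "health oversight", "oversight"),
    Disclosure(date(2020, 5, 9), "Example Clinic", "", "Lab results", "treatment", TPO),
    Disclosure(date(2016, 5, 9), "Example Clinic", "", "Lab results", "treatment", TPO),   # older than 3 years
    Disclosure(date(2019, 9, 9), "Patient", "", "Full record copy", "patient access", "patient"),  # excluded
    Disclosure(date(2012, 1, 1), "County Sheriff", "", "Injury report", "law enforcement", "law_enforcement"),  # outside 6 years
]

if __name__ == "__main__":
    for uses_ehr in (True, False):
        print(f"uses_ehr={uses_ehr}")
        for entry in build_accounting(SAMPLE_LOG, REQUEST_DATE, uses_ehr):
            print("  ", entry)
```

With electronic health records in use, the sample yields two entries (one summarising the two oversight disclosures, one for the recent treatment disclosure); without them, only the summarised oversight entry remains. The date windows are computed from the request date, so the same log produces different accountings as time passes, which is why the log itself should retain every disclosure rather than only those currently in scope.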
4. Accounting Methodology for Research Studies Encompassing More than 50 Patients
If the patient information was disclosed pursuant to a study using health information of more than 50 patients, the accounting requirement can be met by providing individuals with the following information:
- The name of the research study;
- A plain-language description of the research;
- A brief description of the type of PHI used;
- The time period during which the disclosures occurred for the research study;
- The name, address and telephone number of the entity sponsoring the research, if applicable; and
- The name, address and telephone number of the researcher.
If the study in question used health information from 50 or fewer patients, it must be documented using the methodology outlined in paragraph 3 above.
L. Patient Rights
1. Requesting Restrictions on the Use of PHI (45 C.F.R. § 164.522(a), 42 U.S.C. § 17935)
Patients of Covered Departments may request restrictions on the use and disclosure of their Protected Health Information:
- To carry out treatment, payment or health care operations;
- To people involved in the patient’s care or for notification purposes; and/or
- To health plans for the purposes of payment or health care operations, if the patient has paid in full for the related product or service.
a. Making the Request
Patients should make a request for restrictions in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.
b. Response to the Request
The Privacy Officer is not required, in the first two instances described above, to agree to such requests for a restriction on use or disclosures, and such requests should be granted only in rare instances where a restriction is necessary to protect the patient. If the request is granted, however, the Covered Department may not use or disclose Protected Health Information in violation of the request unless the information is needed for emergency treatment of the individual.
Note that a Covered Entity must agree to a request not to send PHI to a health plan for purposes of payment or health care operations if the individual has paid in full for the related product or service.
c. Timeliness of Denial
The Privacy Officer must notify the patient making the request of a denial of the request, in writing and with the reasons for the denial, prior to or at the time of his or her visit to the Covered Department.
d. Maintaining the Request for Restrictions in the Patient’s Records
Requests for restrictions must be maintained with the responses to such requests in the patient’s medical record for a minimum of six (6) years.
e. Terminating the Restriction
Once granted, a restriction may be terminated only if:
- The patient requests the termination in writing;
- The patient orally agrees to termination and this is documented in the patient’s medical record and communicated to the Privacy Officer; OR
- The patient is informed that the restriction is being terminated, in which case the termination will apply only to Protected Health Information created or received after notification of the termination.
2. Receiving Confidential Communications (45 C.F.R. § 164.522(b))
Patients of Covered Departments may request receipt of communications of Protected Health Information by alternate means or at alternate locations.
- Making the Request
Patients should make a request for alternate communications in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.
- Response to the Request
The Privacy Officer and/or Covered Department must accommodate reasonable requests if the individual clearly states that the disclosure could endanger the individual, and the individual:
- Designates how payment will be handled (if applicable); and
- Specifies an alternate address or means of contact.
The patient may not be asked for an explanation or basis for the request.
- Maintaining the Request for Confidential Communications
Requests for confidential communications should be maintained with the responses to such requests in the patient’s medical record for a minimum of six (6) years.
3. Inspecting and Copying Records (45 C.F.R. § 164.524, 42 U.S.C. § 17935)
Patients of Covered Departments have the right to inspect and obtain a copy of their Protected Health Information.
- Making the Request
Patients should make a request to inspect and/or obtain a copy of their Protected Health Information in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.
- Records Format
In the event that a Covered Department uses or maintains a copy of the requested information electronically, it must be provided in the electronic form or format requested if it is readily producible. If it is not readily producible, the Covered Department must offer to produce it in at least one readable electronic format as agreed to by the Covered Department and the individual. The patient may also direct the Privacy Officer to transmit a copy of the information in electronic format to any other entity or person, provided that the request is clear and specific.
- Verification of Identity
The Privacy Officer must obtain verification of the requestor’s identity before granting access to the record.
A patient’s request for access must be acted upon as soon as reasonably possible, but in no event more than thirty (30) days after the Privacy Officer receives the request. A one-time thirty (30) day extension is available if the Covered Entity provides written notice of the extension to the patient/requesting party and the notice contains an explanation of the reason for delay and expected date of completion.
A Covered Department may charge a fee for the actual and direct costs of locating and copying the records. The charges should be consistent with the fees established under UWM’s Policy on Public Records Access, S-45. In the event that the information is provided upon request in electronic format, the fee shall not be greater than the Covered Department’s labor costs in responding to the request.
A patient may be denied access under the following limited circumstances, in writing, upon prior approval by the Office of Legal Affairs:
(1) Legal Information
The information was compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action or proceeding.
(2) Inmate Information
A copy of the information has been requested by an inmate and providing a copy would jeopardize the health or safety of the patient, other inmates, or persons at the inmate’s correctional institution.
(3) The information was created or obtained in the course of research that includes treatment, the research is still in progress, the patient agreed to the denial of access when consenting to participate in the research, and the patient has been informed that the right of access will be reinstated upon completion of the research.
(4) Information from Other Source
The information was obtained from someone other than a health care provider under a promise of confidentiality and access would likely reveal the source of the information.
(5) Endangerment to Health or Safety
Providing access to the information to the patient or the patient’s personal representative is reasonably likely to endanger the health or safety of the patient or another person.
(6) Reference to Another Person
The information refers to another person and access is reasonably likely to cause substantial harm to the other person.
(7) Psychotherapy Notes
The information consists of psychotherapy notes and the patient has not obtained either (a) written approval of the access by the patient’s treating professional; or (b) a court order authorizing access.
- Review of Denial for Certain Reasons
A patient has the right to request a review of a denial based on subparagraphs (5) and (6) above. The Privacy Officer should contact the Office of Legal Affairs to discuss the arrangements for such a review.
- Maintaining the Request for Inspection or Copying
Requests for inspection or copying should be maintained with the responses to such requests in the patient’s medical record for a minimum of six (6) years.
4. Amending Records (45 C.F.R. § 164.526)
Patients of Covered Departments may request an amendment of their Protected Health Information maintained by a Covered Department.
- Making the Request
Patients should make a request for an amendment of their Protected Health Information in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.
- Verification of Identity
The Privacy Officer must obtain verification of the requestor’s identity before considering an amendment to the record.
A patient’s request for an amendment must be acted upon as soon as reasonably possible, but in no event more than sixty (60) days after the Privacy Officer receives the request.
- Responding to the Request
The Privacy Officer may respond to the request by:
- Accepting the Amendment
If the amendment is accepted, in whole or in part, the Privacy Officer and/or Covered Department must:
- Make the accepted amendment;
- Inform the patient in writing that the amendment or partial amendment is accepted;
- Obtain the patient’s identification of relevant persons with whom the Covered Department needs to share the amendment (i.e. persons or Business Associates that have the Protected Health Information that is the subject of the amendment) and agreement that the Covered Department may do so; and
- Make reasonable efforts to so inform such persons.
- Denying the Amendment
If the amendment is denied, in whole or in part, the Privacy Officer and/or Covered Department must:
- Inform the patient in writing of the denial or partial denial, with reasons;
- Permit the patient to submit a written statement disagreeing with the denial;
- If the patient has submitted a written statement disagreeing with the denial, append to the applicable record the request, the denial, and the patient’s response to the denial; and
- If the patient has not submitted a written statement disagreeing with the denial, append to the applicable record the request and the denial only if the patient so requests.
The Privacy Officer and/or Covered Department may also prepare a written rebuttal to the patient’s response to the denial, which then should also be appended to the record.
- Maintaining the Request for Amendment in the Patient’s Records
Documentation of the amendment process as described above, must be maintained in the patient’s medical record for a minimum of six (6) years.
5. Requesting an Accounting of Disclosures (45 C.F.R. § 164.528, 42 U.S.C. § 17935)
Patients may request an accounting of disclosures, maintained pursuant to Section K above.
- Making the Request
Patients should make a request for an accounting in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.
- Responding to the Request/Timeliness
The Privacy Officer must act on an individual’s request for an accounting no later than 60 days after the receipt of such a request in one of two ways:
- The Privacy Officer may provide the individual with the accounting requested; OR
- The Privacy Officer may exercise a one-time 30-day extension of the 60-day deadline, provided that within the initial 60 days the individual is provided with a written statement of the reasons for the delay and the date by which the accounting will be provided.
Privacy Officers must include, in the accounting provided, either the disclosures made by Business Associates of the Covered Department or a list of the Covered Department’s Business Associates and contact information, so that the individual may make a request for an accounting directly to those Business Associates.
The Privacy Officer must provide the first accounting to a particular individual within any 12-month period without charge. For any further request in a 12-month period, the Privacy Officer may charge a reasonable, cost-based fee, but only if the Privacy Officer informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request in advance to avoid or reduce the fee.
- Retention of Accountings Submitted to Patients
The Privacy Officer must retain copies of any accountings submitted to an individual patient pursuant to an accounting request.
6. Complaints (45 C.F.R. § 164.530(d))
Any individual who believes the rights granted by these policies and procedures, the HIPAA privacy regulations, or by any other state or federal law concerning confidentiality or privacy have been violated may file a complaint regarding the alleged privacy violation.
Privacy-related complaints must be forwarded to the Covered Department’s Privacy Officer. (See UWM’s recommended Complaint Report Form.) The Privacy Officer shall investigate all complaints received. The Privacy Officer shall make a recommendation for a response and corrective action, if applicable, to the Dean or Division Head of the school, college, or division in which the Covered Department is located, with a copy to the Office of Legal Affairs. The Dean shall make a decision on any corrective action with respect to the Covered Department’s procedures and practices. If the Dean believes that the circumstances warrant discipline of an employee, the Dean shall follow the applicable disciplinary processes for that employee.
The Privacy Officer shall document the complaint, the investigation, and any responsive or corrective action.
- Response to the Complainant
The Privacy Officer shall provide a written response to the complainant within 30 days from the date of his or her receipt of the complaint, describing briefly the factual findings, and if applicable, the extent of corrective action. The Privacy Officer shall not disclose any recommendations regarding disciplinary action to the complainant.
If the complainant is not the patient who is the subject of the Protected Health Information at issue, the Privacy Officer will not disclose any Protected Health Information to the complainant.
- Retention of Documentation
All documentation regarding a complaint and the response, including any sanctions applied or corrective action, must be retained for at least 6 years.
7. Non-waiver of Rights (45 C.F.R. §164.530(h))
A Covered Department may not require individuals to waive the rights listed above for any reason, including as a condition to the provision of treatment.
M. Use of Business Associate Agreements
(45 C.F.R. §§ 164.502(e), 164.504(e)(1); 42 U.S.C. § 17931)
1. Covered Departments
When a Covered Department engages in a business relationship with an outside entity or a non-Covered Department at UWM and that relationship results in the disclosure of PHI from the Covered Department to the outside entity or non-Covered Department, the outside entity or non-Covered Department is a Business Associate. Generally, the Covered Department must ensure that any Business Associate enters into a Business Associate Agreement. The Business Associate Agreement is designed to ensure that the outside entity or non-Covered Department adequately safeguards any Protected Health Information that it might receive from the Covered Department. Covered Departments should contact UWM’s Office of Legal Affairs for a copy of UWM’s form Business Associate Agreement.
There are a number of exceptions to the general rule, however. Business Associate Agreements are not required in the following situations:
- When the use or disclosure of Protected Health Information is made specifically for the purpose of treating an individual.
- If the Covered Department makes a referral to another physician or sends patient information to a laboratory that is processing medical test results, a Business Associate Agreement is not required.
- When the disclosure is to a public benefit program such as Medicare or Medicaid or made to a government agency that administers such programs (e.g., the Department of Health and Human Services) or a government agency that collects Protected Health Information in order to determine eligibility for enrollment (for instance, the Social Security Administration).
- When those with professional functions that do not involve the use of Protected Health Information might have inadvertent contact with such information or act as a conduit for the information.
For example, office servicepersons such as plumbers, electricians and photocopy repair agents as well as transporters of Protected Health Information (e.g., the U.S. Post Office, UPS, or Ameritech) are not Business Associates.
- When the disclosure is to financial institutions retained by the Covered Department to conduct activities related to the payment of funds (such as processing transactions by debit or credit card or clearing checks).
- When the disclosure is to a researcher for research purposes, as long as the rules governing the use of Protected Health Information in research are met.
Examples of potential Business Associates include:
- An independent consultant who performs utilization review services for a Covered Department.
- A health care clearinghouse that translates a claim from a non-standard to a standard format and forwards the processed transaction to a payer.
- A consultant hired to review the accuracy of a Covered Department’s billing and coding practices.
In each of these cases, contact with Protected Health Information is central to the outside entity’s duties.
Each Covered Department is responsible for determining which outside entities or departments from whom it received services or with which it has a business relationship are Business Associates, and to ensure that a Business Associate Agreement is entered into with that entity or department. If a Covered Department has any questions about this determination, it should contact the Office of Legal Affairs.
2. Non-Covered UWM Departments
When a non-Covered UWM Department engages in a business relationship with an outside entity covered by HIPAA or a Covered Department at UWM, and that relationship results in the disclosure of PHI to the non-Covered UWM Department, the non-Covered UWM Department is a Business Associate and will be asked to execute a Business Associate Agreement.
The HITECH Act of 2009 makes most provisions of the HIPAA Security Rule and many provisions of the Privacy Rule directly applicable to Business Associates. Business Associates are subject to the same criminal and civil enforcement and penalties as Covered Departments.
Among other things, Business Associates:
- Must notify the Covered Department or covered entity of any breach;
- Are required to terminate Business Associate Agreements for material violations of the contract by the Covered Department or covered entity;
- May be required to account directly for disclosures they make on behalf of the Covered Department or covered entity.
Before entering into a Business Associate Agreement, all non-Covered UWM Departments must contact the Office of Legal Affairs for guidance.
N. Breach Notification Requirements
(45 C.F.R. § 164.400-414; 42 U.S.C. § 17932)
1. Definition of “Breach”
The HITECH Act of 2009 established new requirements for notifying patients when their PHI has been “breached.”
For the purposes of HITECH, a “breach” occurs when there has been an acquisition, access, use or disclosure of PHI that compromises the security or privacy of the information. An improper use or disclosure is presumed to be a breach unless a Covered Department or Business Associate demonstrates a low probability that the PHI has been compromised by performing a risk assessment. Depending on the circumstances, a “breach” may trigger notifications to the individuals whose information was breached, the news media, the federal government and, in the case of a breach by a Business Associate, the Covered Entity that is the other party to the Business Associate Agreement.
The requirements for notification are complicated and depend greatly on the circumstances of the “breach.” Therefore, for the purposes of this policy, an institutional review of the circumstances is required whenever an individual who is working in or for a Covered Department or Business Associate suspects that there has been an impermissible acquisition, access, use or disclosure of PHI that compromises the security or privacy of the information.
2. What to Do in the Event of Potential Breach
Any individual working in or for a Covered Department or a Business Associate who suspects that there has been an impermissible acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA shall immediately and simultaneously report the circumstances of the suspected breach to the individual’s supervisor and the Privacy Officer for the Covered Department.
The Privacy Officer should immediately gather any available facts about the incident and report the incident to UWM’s Information Security Office.
The report should include all of the following information, to the extent immediately available:
- A brief description of what happened, including the date of the breach and discovery of the breach;
- Who impermissibly used the information and/or to whom the information was impermissibly disclosed;
- A description of the types of and amount of unsecured PHI involved in the breach;
- Whether the PHI was secured by encryption, destruction, or other means;
- Whether any intermediate steps were taken to mitigate an impermissible use or disclosure;
- Whether the impermissibly disclosed PHI was returned prior to being accessed for an improper purpose; and
- If the PHI was provided to UWM under a Business Associate Agreement, a copy of the Business Associate Agreement.
UWM’s Information Security Office will follow UWM’s Information Incident Response Procedure. If a further investigation is required, the presumption is that the Privacy Officer will play a significant role in conducting or assisting with the investigation under the direction of UWM officials detailed in the above-mentioned procedure. UWM will determine whether notification is required and, if so, the specifics of the required notification, pursuant to this procedure.
O. Sanctions for Failure to Comply
(45 C.F.R. § 160.530(e))
Individuals who violate the provisions in this policy may be subject to sanctions, as described below.
1. Employees
An employee who violates this policy may be subject to discipline. The nature of such discipline will be determined by the employee’s classification and the applicable disciplinary policies and procedures.
2. Students
A student who violates this policy may be subject to appropriate sanctions under either the Academic Disciplinary Procedures (found at Wisconsin Administrative Code Ch. UWS 14) or Nonacademic Disciplinary Procedures (found at Wisconsin Administrative Code Ch. UWS 17). These sanctions may include a decreased grade, a written reprimand, suspension, or expulsion.
3. Volunteers
A volunteer who violates this policy may be subject to appropriate sanctions, including dismissal as a volunteer.
4. Business Associates
A Business Associate that materially breaches a Business Associate Agreement may be subject to sanctions, including contractual damages or termination of the business relationship.
Any sanction imposed as a result of an individual’s violation of this policy must be documented. The documentation must be retained for six years in the individual’s personnel file. In addition, documentation of the sanction should be forwarded to the applicable Privacy Officer, who shall maintain it in a confidential file.
P. Retaliation and Intimidation Are Prohibited
(45 C.F.R. § 164.530(g))
It is a violation of this policy for a Covered Department or UWM to intimidate, threaten, coerce, discriminate against, or take any retaliatory action against:
1. Any individual for exercising a right or participating in a process provided for in this policy or in the privacy or security regulations under HIPAA.
2. Any individual who:
- Files a complaint with the Secretary of the Department of Health and Human Services as permitted by the privacy or security regulations;
- Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing conducted by a government enforcement agency; or
- Opposes any act or practice made unlawful by the privacy or security regulations under HIPAA, provided that the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of Protected Health Information in violation of the privacy or security regulations under HIPAA or this policy.
Any individual who believes that a form of retaliation or intimidation is occurring or has occurred should report the incident to the Privacy Officer. The Privacy Officer will treat such a report as a Complaint under Section L. 6. above and investigate it accordingly.
Q. Retention of Documentation
(45 C.F.R. § 154.530(j), 42 U.S.C. § 17932)
The Privacy Officer for each Covered Department shall retain, for at least 6 years, the following documents:
- Copies of any standard forms used by the Department, including notices of privacy practices, authorizations, consents, etc.;
- All patient requests for access or amendment to medical records or accounting of disclosures;
- Forms, correspondence and all other documentation related to complaints;
- Processes for, and content of, workforce training with respect to HIPAA; and
- Complete reports regarding suspected breaches of PHI and the outcome of any related investigations, including any completed notifications.
R. Changes to the Policy
(45 C.F.R. §154.530(j))
UWM will change the Policies and Procedures for the Protection of Patient Health Information and its recommended forms, including the model Notice of Privacy Practices, as necessary and appropriate to comply with changes in the law or to accommodate changes in UWM’s structure or operation. All such changes will be made under the review of the Privacy Officers, the Security Officer, and the Office of Legal Affairs.
- Accounting of Disclosures Log: PDF, Word
- Acknowledgement of Receipt of Notice of Privacy Practices: PDF, Word
- Application for IRB Waiver of Authorization or Altered Authorization under the HIPAA Privacy Rule: PDF, Word
- Authorization Form for the Use and Disclosure of PHI: PDF, Word
- Authorization Form for the Use and Disclosure of Psychotherapy Notes: PDF, Word
- Attachment to the Authorization Form for the Use and Disclosure of Psychotherapy Notes: PDF, Word
- Certification for Research on the PHI of Decedents: PDF, Word
- Complaint Report Form: PDF, Word
- Data Use Agreement for Disclosures of Limited Data Sets: PDF, Word
- List of Privacy Officers: Webpage, PDF, Word
- Notice of Privacy Practices: PDF, Word
- Permission to Use E-mail: PDF, Word
- Use of PHI in Activities Preparatory to Research Certification: PDF, Word
- Authorization Form for the Use and Disclosure of PHI for Research Purposes: PDF, Word