Privacy Officer (§164.530)
All covered entities, including Purdue, are required to appoint a privacy officer. The privacy officer is responsible for the development and implementation of the policies and procedures of the entity. The privacy officer is also responsible for overseeing the training of affected members of Purdue's workforce. The privacy officer must also ensure appropriate documentation of training, and must assess and recommend appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. The privacy officer will also be in charge of ensuring compliance with policies and procedures implemented by Purdue, and of handling all obligations relating to the complaint process described below.
Security Officer (§164.308)
Covered entities are required to identify the security official who is responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule. The security officer is responsible for Purdue's compliance with the HIPAA Security Rule.
Prohibition against Retaliation
Retaliation against individuals who exercise their rights under the HIPAA Privacy Regulations is absolutely prohibited, and Purdue will not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against any such individual or any person who files a complaint, testifies or participates in an investigation or compliance review, or opposes any act or practice made unlawful by the HIPAA Privacy Regulations.
Each covered entity must provide a process for individuals to make complaints about the covered entity’s compliance with the HIPAA Privacy Regulations. Purdue must adopt a process for individuals to complain about its policies and procedures, and any non-compliance with those policies or procedures, or the HIPAA Privacy Regulations. The process must include documentation of complaints received and their disposition, if any, and sanctions for any members of its workforce who fail to comply with the policies, procedures, or regulations.
Notice of Privacy Practices
It shall be the policy of Purdue University to require that all covered components provide a Notice of Privacy Practices for Healthcare Provider Components and for Health Plan Components in the forms developed and provided. The Notice of Privacy Practices shall be provided to any individual or employee who seeks the services or benefits provided by one or more of the covered components of Purdue University. Each Healthcare Provider Component shall obtain acknowledgements of receipt of the Notice from every patient of the Healthcare Provider Component. The Health Plan Components shall mail the Notice of Privacy Practices to each member by the compliance date. The Notices shall be posted on the Purdue website, and prominently posted at each primary entrance or service area for each covered component.
Permitted Uses & Disclosures
1. Treatment (§164.506)
The Privacy Regulations permit the receipt, use and disclosure of protected health information for healthcare treatment of an individual. The term "treatment" is defined in the regulations as the "provision, coordination, or management of healthcare and related services by one or more healthcare providers." It also includes consultation between healthcare providers and referrals between healthcare providers. Healthcare providers generally include doctors, nurses, hospitals, and other usual providers of medical or health services, and any person or organization who furnishes, bills, or is paid for healthcare in the normal course of business.
Covered components of the University do not need individual authorization for the receipt, use or disclosure of information necessary for treatment purposes. However, it is the policy of the University to disclose only that amount of information necessary for treatment purposes, or that amount of information which is requested by a healthcare provider.
Covered components may disclose protected health information for the treatment activities of other healthcare providers.
2. Payment (§164.506)
The Privacy Regulations also permit the receipt, use and disclosure of protected health information necessary to obtain payment for healthcare services provided to an individual. The term "payment" is also defined in the regulations. The definition includes those activities undertaken by a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and payment of benefits under the health plan, and activities of a healthcare provider to obtain payment for healthcare services. Generally, the term covers all activities by a health plan or healthcare provider to obtain payment (including billing, claims management, collection of payments, and working to obtain insurance reimbursement). The term also includes review of healthcare services to evaluate medical necessity, coverage under a health plan and justification of charges. The term also includes disclosure of certain specific protected health information to a consumer reporting agency relating to collection of premiums or reimbursement.
Covered components of the University do not need individual authorization for the receipt, use or disclosure of information necessary for their own "payment" activities (as defined) for health services or health insurance premiums or benefits. However, uses and disclosures of protected health information for payment are subject to the "minimum necessary rule" defined below. It is therefore the policy of Purdue University that covered components may only use and disclose that amount of information necessary to accomplish each payment activity, and access to protected health information shall be limited to those personnel who need access to accomplish payment activities.
Business Associate Agreements are required with any third party or entity to whom any covered components provide PHI for payment purposes.
Covered components of the University do not need individual authorization for the receipt, use or disclosure of information necessary for the "payment" activities (as defined) of other covered entities or healthcare providers.
3. Operations (§164.506)
The Privacy Regulations permit the receipt, use and disclosure of protected health information for healthcare operations. "Healthcare operations" is defined to include certain healthcare activities related to covered functions. Examples of these activities include: (1) quality assessment and improvement activities; (2) reviewing the competence or qualification of healthcare professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs for students, trainees, or practitioners in areas of healthcare learning; (3) underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; (4) conducting or arranging for medical review, legal services, and auditing functions; (5) business planning and development; and (6) business management and general administrative activities of the entity.
Covered components do not need individual authorization for receipt, use and disclosure of protected health information relating to their own healthcare operations (as defined). However, uses and disclosures of protected health information for healthcare operations are subject to the "minimum necessary rule" defined below. It is therefore the policy of Purdue University that covered components may only use and disclose that amount of information necessary to accomplish healthcare operations activities, and access to protected health information shall be limited to those personnel who need access to accomplish healthcare operations.
Covered components may only disclose protected health information without first obtaining individual authorization for the healthcare operations of another covered entity in certain very limited circumstances: if each entity has or had a relationship with the individual who is the subject of the protected health information being requested, and the protected health information pertains to that relationship. As a general rule, the covered component should obtain the written authorization of the individual.
Business Associate Agreements are required with any third party or entity to whom any covered components provide PHI for operation purposes.
4. Use and Disclosure Required by Law, Public Health or Judicial and Law Enforcement (§164.512)
Covered components are permitted to disclose protected health information without individual authorization when such uses are "Required by Law," for "Public Health," and for judicial or law enforcement. These terms are defined in the HIPAA Privacy Regulations.
A covered component may disclose specific protected health information in response to a court (or administrative tribunal) order. It may also disclose protected health information in response to a "subpoena, discovery request or other lawful process," but only if it receives "satisfactory assurance" that the party seeking protected health information has made reasonable efforts to either (1) provide written notice of the request to the individual; or (2) obtain a "qualified protective order." A "qualified protective order" is an order that prohibits the use of protected health information for any purpose other than the proceeding in which the order is issued and provides for the return or destruction of all copies of protected health information at the conclusion of the proceeding.
5. PHI in employment records
Health information contained in employment records and held by Purdue in its role as an "employer" is not "protected health information" under the HIPAA Privacy Regulations. Therefore, although the typical precautions governing information in employee files must still be taken, the special rules and procedures required by the HIPAA Privacy Regulations and these Implementation Guidelines are not applicable to health information held in employment files. Examples of this type of information include: return to work notices, ADA requests, OSHA compliance records, worker's compensation records, sick leave records, FMLA requests, etc.
Minimum Necessary Requirement
Except as provided herein, uses, disclosures, and requests of protected health information must be limited to the "minimum necessary to accomplish the intended purpose." The minimum necessary standard is not applicable to uses, disclosures or requests by a healthcare provider for "treatment" purposes. Only those employees who need access to protected health information to carry out their duties shall be permitted access to protected health information, and all protected health information shall be maintained in a secure environment to ensure limited access to protected health information and to avoid incidental disclosures of protected health information.
It shall be the policy of Purdue University to require students in clinical programs, nursing students and others who may need access to protected health information for educational purposes to sign a written assurance of confidentiality and protection of protected health information.
Authorizations and Restricted Uses or Disclosures
1. Authorizations (§164.508)
Except as expressly permitted herein, all other uses of protected health information shall require the written authorization of the individual who is the subject of the protected health information. Access to the Authorization to Use or Disclose is available here.
2. De-Identified Information and Limited Data Sets
De-identified information is not "protected health information" as defined in the HIPAA Privacy Regulation. Information is considered de-identified if the following identifying information is removed:
- Geographic subdivisions smaller than a state, including street address, city, county, precinct and zip code
- Any and all dates (except the year), including birth date, encounter date, and date of death
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security number
- Medical record numbers
- Health plan beneficiary numbers and other identifying information
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Full face photographic images and other comparable images
- Any other unique identifying number, characteristic or codes
The final privacy rule permits the use of a "limited data set" which is less restrictive than the de-identification requirements. With a limited data set, the patient's name, address, telephone number, social security numbers and other directly identifiable information are deleted, but other information may be provided. The limited data set can be disclosed for purposes of research, public health and healthcare operations, but the recipient must first sign a "data use agreement" which limits how the recipient may use the limited data set, ensures the security of the data and states that the recipient will not identify the information or use it to contact any individual.
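To make the two standards above concrete, here is an added worked example (not part of the Purdue guidelines and not any Purdue tool) that applies the de-identification list and the limited-data-set rule to a patient record. The field names (such as "zip", "dob", "mrn") and the sample record are assumptions constructed for illustration. It goes one step beyond the text: because removing fields does not remove identifiers that were typed into free-text notes, it also scans remaining string values for patterns matching the listed identifier types (phone, e-mail, SSN, IP address, URL, full date) so that a reviewer can catch residual identifiers before release.

```python
"""De-identification of a patient record per the identifier list above.

Added example, not part of the Purdue guidelines. All field names and the
sample record below are assumptions constructed for illustration.
"""
import re
from datetime import date

# Assumed field names that fall in the listed identifier categories
# (phone, fax, e-mail, SSN, medical record, plan beneficiary, account,
# license, vehicle, device, URL, IP, photograph, other unique codes).
DIRECT_IDENTIFIERS = {
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_no",
    "license_no", "vehicle_id", "device_id", "url", "ip", "photo", "other_id",
}
# Geographic subdivisions smaller than a state; "state" itself may remain.
GEO_FIELDS = {"street", "city", "county", "precinct", "zip"}
# Date fields: day and month must go, the year may stay.
DATE_FIELDS = {"dob", "encounter_date", "date_of_death"}
# Limited data set (per the paragraph above): name, address, telephone,
# SSN and other direct identifiers are deleted; dates and non-street
# geography may be provided.
LIMITED_DATA_SET_DROP = DIRECT_IDENTIFIERS | {"name", "street"}

# Patterns that look like listed identifiers embedded in free text.
RESIDUAL_PATTERNS = {
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "phone": r"\b\d{3}[-.]\d{3}[-.]\d{4}\b",
    "email": r"[\w.+-]+@[\w-]+\.[\w.]+",
    "ip": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "url": r"https?://\S+",
    "full_date": r"\b\d{4}-\d{2}-\d{2}\b",
}


def _year_only(value):
    """Reduce a date (date object or ISO 'YYYY-MM-DD' string) to its year."""
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    if not m:
        raise ValueError(f"unrecognised date value: {value!r}")
    return int(m.group(1))


def de_identify(record, mode="safe_harbor"):
    """Return a copy of record with identifiers removed.

    mode="safe_harbor": drop name, direct identifiers and sub-state
    geography; keep only the year of each date (as "<field>_year").
    mode="limited": drop only the direct identifiers (limited data set).
    """
    if mode not in ("safe_harbor", "limited"):
        raise ValueError(f"unknown mode: {mode}")
    out = {}
    for key, value in record.items():
        if mode == "safe_harbor":
            if key == "name" or key in DIRECT_IDENTIFIERS or key in GEO_FIELDS:
                continue
            if key in DATE_FIELDS:
                out[key + "_year"] = _year_only(value)
                continue
        elif key in LIMITED_DATA_SET_DROP:
            continue
        out[key] = value
    return out


def residual_identifiers(record):
    """List (field, identifier_type) pairs for identifier-like text that
    survived field removal, e.g. a phone number typed into a notes field."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if re.search(pattern, value):
                hits.append((key, label))
    return hits


# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "street": "123 Elm St", "city": "West Lafayette", "state": "IN",
    "zip": "47907",
    "dob": "1960-05-17", "encounter_date": "2023-11-02",
    "phone": "765-555-0100", "email": "jane@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-001",
    "diagnosis": "E11.9",
    "notes": "Patient called from 765-555-0100 to reschedule.",
}

if __name__ == "__main__":
    released = de_identify(SAMPLE_RECORD)
    print("safe harbor:", released)
    print("limited data set:", de_identify(SAMPLE_RECORD, mode="limited"))
    # The notes field still carries a phone number; flag it for review.
    print("residual identifiers:", residual_identifiers(released))
```

The point of the residual scan is that field-level removal satisfies the list only for structured fields; a free-text note can re-identify the patient on its own, so a release pipeline should treat any hit from residual_identifiers as a block on disclosure until the note is reviewed.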
As a general rule, individuals must be notified of any use of their protected health information for fundraising activities of the University, and the individual must be permitted to opt out of the requirement.
Except for very limited circumstances, the use or disclosure of protected health information by the University will require an individual authorization in advance of such use or disclosure.
5. Disclosures to and from Business Associates (§164.502)
Covered components may only provide protected health information to a business associate if Purdue University receives "satisfactory assurances that the business associate will appropriately safeguard the information." These satisfactory assurances must be contained in the form of a written agreement and the agreement should be in the attached forms, unless otherwise approved by legal counsel for Purdue. The requirements are specifically enumerated in the Privacy Rule, and any approved agreement must require that the business associate: (1) not use or disclose the protected health information except as permitted by the agreement or as required by law; (2) use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract; (3) report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware; (4) ensure that any agents to whom it provides information will agree to the same restrictions and conditions imposed on the business associate; (5) make certain information available to the covered entity to meet the covered entity's requirements; (6) make information available to the Department of Health and Human Services for purposes of determining the covered entity's compliance with the business associate requirements under the Privacy Rule.
Business associates must be identified and written contracts for any business associate who does not currently have a written agreement with the University must be in place by April 14, 2002. Those business associates with whom the University currently had a written contract in place on or before October 15, 2003, may execute a business associate agreement either upon the renewal or modification of that contract, or by April 14, 2003, whichever occurs first.
Business Associate Contracts
Before PHI can be disclosed to a "business associate", a covered entity must obtain satisfactory assurance that the business associate will appropriately safeguard the information. Typically this will require adding an addendum to the business associate contract. The business associate requirement does not apply to disclosures to a healthcare provider concerning the treatment of an individual. However, it does include persons such as: attorneys, accountants, billing and coding consultants, waste disposal and recycling companies, transcription services, billing companies, record storage and reproduction companies, temporary staffing agencies and software and hardware providers.
Group Health Plans
Purdue's group health plans are designated as "covered components" for purposes of compliance with HIPAA. Compliance must include amendment of plan documents, certification of the plan sponsor, and a designation of those employees who are permitted access to PHI held by the plan or the third party administrator. Business associate agreements must also be executed with all third party administrators, and other business associates who perform plan functions and need access to or use of PHI. A separate Notice of Privacy Practices governing the health plans shall be developed and distributed to covered employees in accordance with the HIPAA regulations.