Athletic Training at Iowa
 


Privacy Notice

 

This web page is currently under review.  You can find pertinent privacy rule general information and frequently asked questions by accessing this web page: http://www.uiowa.edu/homepage/policy/HIPAA/index.html

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

NOTICE OF PRIVACY PRACTICES

 

 

 

Purpose: To define the required content of the University of Iowa’s Privacy Notice, applicable to covered units within the U of I not covered by UI Health Care

 

 

 

Policy: Under the provisions of the HIPAA Privacy Rule, an individual has a right to know the uses and disclosures of protected health information (PHI) that may be made by the University of Iowa College or unit providing health care. The individual also has a right to know what his or her responsibilities are with respect to PHI. The U of I is required to provide a notice of privacy practices to all patients as well as to individuals requesting a copy.

 

 

 

Procedure: The College or health care unit will:

 

·        Provide the Notice of Privacy Practices at the first date of service to all patients

 

·        Make a good faith effort to obtain a written acknowledgement of receipt of the notice

 

·        Have the Privacy Notice visible in clinic and service locations

 

·        Have the Privacy Notice available for student-athletes to take with them

 

 

 

Exceptions: In an emergency, if it is impossible or impractical to provide the notice, or if doing so would delay care, providing student-athlete care takes the highest priority.

 

 

 

Content of the Privacy Notice.

 

The U of I Health Care units will provide a Privacy Notice that is written in plain language and that contains the following elements:

 

 

 

·        Header: The Privacy Notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

 

·        Uses and disclosures: The Privacy Notice must contain:

 

o       A description, including at least one example, of the types of uses and disclosures that UI is permitted to make for each of the following purposes: Treatment, Payment, and Health Care Operations**;

 

o       A description of each of the other purposes for which disclosure of PHI is permitted or required without that student-athlete’s written authorization;

 

o       A statement that other uses and disclosures will be made only with the student-athlete’s written authorization and that the student-athlete may revoke such authorization as provided by UI “Policy on Uses and Disclosures of Protected Health Information”;

 

o       A statement that the patient may be contacted to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the patient

 

 

Individual rights

 

The Privacy Notice must contain a statement of the student-athlete’s rights with respect to PHI and a brief description of how the individual may exercise these rights as follows:

 

·        The right to request restrictions on certain uses and disclosures of PHI as provided by University policy, “Restrictions on Use and Disclosure of Protected Health Information.”

 

·        The right to receive confidential communications of PHI as provided by policy “Request for Confidential Communications.”

 

·        The right to inspect and obtain a copy of the student-athlete’s PHI as provided by policy “Access of Individuals to Protected Health Information in the Designated Record Set”.

 

·        The right to request an amendment to PHI as provided by policy “Corrections and Amendments to Protected Health Information”.

 

·        The right to receive an accounting of disclosures of PHI as provided by policy “Accounting of Disclosures”.

 

·        The right of an individual, including an individual who has agreed to receive the notice electronically, to obtain a paper copy of the notice from UI upon request.

 

 

 

Covered entity’s duties.

 

            The Privacy Notice must contain a statement that the University of Iowa:

 

·        Is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI;

 

·        Is required to abide by the terms of the notice currently in effect; and

 

·        Reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. The statement must also describe how it will provide individuals with a revised notice.

 

Complaints.

 

·        The Privacy Notice must contain a statement that individuals may complain to the University of Iowa and to the Department of Health and Human Services if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint, and a statement that the individual will not be retaliated against for filing a complaint.

 

Contact.

 

·        The Privacy Notice must contain the name, or title, and telephone number of a person or office to contact for further information.

 

 

Requirements for Electronic Notice

 

·        The University of Iowa will provide an updated electronic version of the Privacy Notice on its website at http://www.uiowa.edu/homepage/policy/HIPAA/index.html.

 

·        The notice may be provided to an individual by e-mail, if communication with the individual through e-mail complies with the HIPAA Electronic Mail Policy.

 

·        Provision of electronic notice will satisfy the provision requirements if receipt of the notice by the individual is documented.

 

·        The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from the University of Iowa.

 

 

 

Documentation of Privacy Notice:

 

·        The University of Iowa will document compliance with the Privacy Notice requirements by retaining copies of the Privacy Notices issued by UI Health Care.

 

·        Those persons who register or admit patients will be responsible for distributing the Privacy Notice to all patients and documenting the receipt of the “Notice of Privacy Practices Acknowledgement Form” in the record. If a written acknowledgement was not obtained from the patient, they must document the reason for the failure to obtain the written acknowledgement on the “Notice of Privacy Practices Acknowledgement Form”. Such reason for failure may be, for example, that the patient refused to sign after being requested to do so.

 

 

 

Revisions to the Privacy Notice.

 

·        The Privacy Notice will be revised and made available whenever there is a material change to the uses or disclosures, the individual’s rights, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.

 

 

 

* Definition of Protected Health Information (PHI):

 

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written and electronic. Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

 

 

 

** Treatment, Payment and Health Care Operations (TPO):

 

Treatment involves the administering, coordinating and management of health care services. Payment includes any activities undertaken to obtain premiums, determine or fulfill its responsibility for coverage and the provision of benefits or to obtain or provide reimbursement for the provision of health care. Health Care Operation includes general administrative and business functions, including audit, quality review, and financial management. Under the rules, “operations” also includes “the training of future health professionals”.

 

UNIVERSITY OF IOWA PRIVACY NOTICE

 

 

 

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

 

PLEASE REVIEW IT CAREFULLY.

 

 

 

 

 

Our Legal Responsibility

 

 

 

            As a health care provider, we are legally required to protect the privacy of your health information, and to provide you with this notice about our legal duties and privacy practices.  This requirement applies to all clients served by units within the University of Iowa that provide health care to clients.

 

 

 

            If you have any questions or want more information about this notice, please contact our Privacy Officer at the contact information listed below.

 

 

 

 

 

 

 

Your Protected Health Information (PHI)

 

 

 

            Throughout this notice we will refer to your protected health information as PHI.  Your PHI includes information that identifies you and describes the care and services you receive.

 

 

 

            This notice applies to all of the records, both electronic and paper, about your care.  It includes all information created by University of Iowa staff.  This staff includes physicians, other health care professionals, students and other staff members.

 

 

 

            This notice about privacy practices explains how, when, and why we use and share your PHI.  It explains your rights and our responsibilities and tells you where to get additional information.

 

 

 

            We may change the terms of this notice and our privacy policy in the future.  Any changes will apply to your past, current, or future PHI.  When we make an important change to our policies, we will change this notice and post a new notice on our Web site (www.uiowa.edu “privacy rule”).  You may also request a copy of our current notice at any time from the University of Iowa HIPAA Privacy Officer, Office of the Provost, University of Iowa, Iowa City, Iowa 52242.

 

 

 

 

 

 

 

Uses of Protected Health Information

 

 

 

            The unit at the University of Iowa where you receive services collects health information about you and stores it in a chart and may also store it on a computer.  This is your medical record.  The medical record is the property of the University of Iowa, but the information in the medical record belongs to you.

 

 

 

            We use and disclose health information for many reasons.  The following examples describe some of the categories of our uses and disclosures.  Please note that not every use or disclosure in a category is listed.

 

 

 

·                     Treatment – We may use and disclose medical information about you to physicians, nurses, technicians, physicians in training, or other health care professionals who are involved in your care.  Different health care professionals, such as pharmacists, lab technicians, and x-ray technicians, also may share information about you in order to coordinate your care.

 

 

 

·                     Health care operations – We may use and disclose your PHI as part of our routine operations.  For example, we may use your PHI to evaluate the quality of health care services you received or to evaluate the performance of health care professionals who cared for you.  We may also disclose information to physicians, nurses, technicians, medical, nursing and other health professional students, and other personnel as part of our educational mission.

 

 

 

·                     Appointment reminders and health-related benefits or services – We may use your PHI to provide appointment reminders or give you information about treatment alternatives or other health care services.

 

 

 

·                     Public health activities – We report information about births, deaths, and various diseases to governmental officials in charge of collecting that information.  We provide coroners, medical examiners, and funeral directors information about an individual’s death.

 

 

 

·                     Law enforcement – We may disclose PHI to government agencies and law enforcement personnel when the law requires it.  For example, we report about victims of abuse, neglect, or domestic violence, and gunshot victims, and when ordered to do so in judicial or administrative proceedings.

 

 

 

·                     Health oversight activities – We may disclose PHI to a health oversight agency for audits, investigations, inspections, and licensure, as authorized by law.  For example, we may disclose PHI to the Food and Drug Administration, state Medicaid fraud control, or the Health and Human Services Office for Civil Rights.

 

 

 

·                     Research studies – We may disclose your PHI to help conduct research.  Research may involve finding a cure for an illness or helping to determine how effective a treatment is.  All research studies are subject to a specific approval process by a Privacy Board or Institutional Review Board.  This process evaluates a proposed research study to determine that measures are in place to balance research needs with the need for the privacy of your health information.  For some research activities you may be asked to participate in a study and if you agree, the researcher will be required to obtain your permission to use your PHI for that study.

 

 

 

·                     Organ donation – We may use your PHI to notify organ donation organizations, and to assist them in organ, eye, or tissue donation and transplants.

 

 

 

·                     Worker’s compensation purposes – We may disclose PHI at your employer’s request regarding a work-related injury.

 

 

 

·                     National security and intelligence activities – We may release PHI to authorized federal officials when required by law.

 

 

 

 

 

 

 

Uses and Disclosures for which You Have the Opportunity to Object

 

 

 

·                     Directory – listing your information in a directory of patients (such as an information desk for visitors)

 

 

 

·                     Fundraising – providing your information to University entities for purposes of sending you materials for fundraising purposes

 

 

 

·                     Disclosures to family, friends, or others – providing information that you are a patient

 

 

 

Except as described above, all other uses and disclosures of your PHI will require your authorization.

 

 

 

 

 

 

 

Your Rights Regarding PHI

 

 

 

You have the right to:

 

 

 

·                     Request Restrictions

 

You have the right to ask that we limit how we use and disclose your PHI.  We will consider your request, but we are not legally required to accept it.  If we accept your request, we will put any limits in writing and follow them except in emergency situations.  You may not limit the uses and disclosures that we are legally required or allowed to make.  To request a restriction, contact the Privacy Officer listed at the end of this notice.

 

 

 

·                     Request Confidential Communications

 

If we send notices or information to you, you have the right to ask that we send PHI to you at a different address.  For example, you may wish to have appointment reminders and test results sent to a PO Box or a different address than your home address.  We will accommodate reasonable requests.  To make a request, contact any member of your health care team.

 

 

 

·                     Inspect and Copy

 

You have the right to inspect and obtain a copy of medical information that may be used to make decisions about your care.  Usually this includes the medical record and billing records.  To inspect and obtain a copy of medical information, you must submit your request in writing to either:  the university department where you are receiving care or the Privacy Officer listed at the end of this notice.                               

 

 

 

We will make every effort to respond to your request within a reasonable period of time.  You may be charged a fee to cover the costs of copying, mailing, or other supplies associated with your request.

 

 

 

·                     Disclosures

 

You have the right to obtain a list of instances in which we have disclosed your PHI.  Your request must state a time period not longer than six years and your request may not include dates before April 14, 2003.  The list will not include uses or disclosures made for treatment, payment or health care operations.  In addition, the list will not include uses or disclosures that you have specifically authorized in writing.  You must submit your request in writing to the Privacy Officer listed at the end of this notice.

 

 

 

·                     Amend

 

You have the right to request an amendment of your PHI if you think that information is inaccurate or incomplete in your medical record.  You may request an amendment for as long as that record is maintained.  You may submit a written request for an amendment to:  Release of Information, for amendment to your medical record.

 

 

 

·                     Paper copy of this notice

 

You have the right to request a paper copy of this notice.  You may pick up a copy at any check-in point or request that a copy be sent to you.

 

 

 

 

 

 

 

Revocation of Permission

 

 

 

            If you provide us with permission to use or disclose medical information about you, you may revoke that permission at any time.  You must make your request in writing to Release of Information.  Contact information is listed at the end of this notice.

 

 

 

            If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written revocation.  We are unable to take back any disclosures previously made with your permission.  Also, we are required to keep all records of the care that we provided to you.

 

 

 

 

 

 

 

Complaints and Questions

 

 

 

            If you believe your privacy rights have been violated, you may file a complaint with the University of Iowa, or with the Office of Civil Rights.  To file a complaint with University of Iowa, contact the University of Iowa Privacy Officer at the address and phone number listed below.  You will not be penalized for filing a complaint and your care will not be compromised.

 

 

 

            If you have questions about this notice, any complaints about our privacy practices, or you would like to know how to file a complaint with the Secretary of the Department of Health and Human Services, Office of Civil Rights, please contact:

 

 

 

            University of Iowa Privacy Officer

 

            Office of the Provost, 111 JH

 

            Iowa City, Iowa 52242

 

            319-335-0292

 

 

 

This notice is in effect April 14, 2003.

 

 

 

H:Document/Policies/Uiprivacynotice04/22/03

 

UNIVERSITY OF IOWA

 

 

 

Privacy Notice Acknowledgment Form

 

 

By signing this form I acknowledge that I have received the University of Iowa Privacy Notice.  I have the right to review the Privacy Notice prior to signing this acknowledgment form.

 

 

 

The University of Iowa has the right to change the Privacy Notice from time to time.  The revised Privacy Notice will be posted within the clinical facilities and on the University of Iowa Athletic Training web site, and paper copies will be available at Athletic Training Rooms.

 

 

 

Student-Athlete Name: ___________________________________  Date: ________

 

 

Signature of Student-Athlete

 

or Legal Representative: ________________________________________________

 

 

 

Relationship to the Student-Athlete: ______________________________________

 

 

 

This will be retained with the student-athlete record.  Please return this form to the Athletic Training Room Office.

 

 

 

For failure to obtain acknowledgment, check the appropriate reason:

 

 

 

[ ]  Substantial communication barriers

[ ]  Refusal to sign

[ ]  Other _________________________________

 

 

 

Description:

 

_____________________________________________________________

 

 

 

 Staff Signature:                Date:

 

 

 

 

 

__________________________________               _________________

 

 Department:             Title:

 

 

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

 

 

 

Purpose: To define whether use or disclosure of Protected Health Information (PHI) is required, permitted, or subject to authorization requirements; to provide direction to staff regarding when patient authorization is required for use or disclosure of PHI; and to provide direction to staff regarding when PHI may be used or disclosed without patient authorization.

 

 

 

Policy: It is the policy of the University of Iowa that the confidentiality of Protected Health Information contained in records and collected pursuant to treatment will be protected to the fullest extent possible.  To maintain this confidentiality, UI staff may not disseminate PHI unless it is pursuant to a valid request, a valid authorization or a legally recognized exception to this requirement.

 

 

Procedures

 

            1.  Required disclosures

 

·       To a student-athlete who requests to see his or her own record or an accounting of disclosures.

 

·       To the legal representative of a student-athlete who makes a request.

 

·       To the Department of Health and Human Services for purposes of determining compliance with the Privacy Rule.

 

 

 

2.  Permitted uses and disclosures

 

·        For purposes of treatment, payment, operations (“operations” includes education)

 

·        PHI will be available to students in educational programs for use within the Athletic Training Rooms where the records are maintained

 

·        In accordance with a student-athlete’s authorization

 

·        Incident to a permitted use or disclosure

 

·        In specific instances defined in the Privacy Rule (below)

 

 

 

3.  Permitted uses and disclosures requiring verbal agreement and opportunity to agree or object

 

·        Facility directory, media, marketing

 

·        Persons assisting in the student-athlete’s care

 

·        Family members, close personal friends (patient assent)

 

 

 

4.  Permitted uses and disclosures for which authorization is not required

 

·        Required by law

 

·        Public health activities

 

·        Disclosures to health oversight agencies

 

·        Release pursuant to court order, subpoena or other discovery request

 

·        Required disclosures pertaining to victims of abuse, neglect or domestic violence

 

·        Disclosures for law enforcement purposes

 

·        Disclosures to avert threats to public health and safety and to support specialized government functions (military and security)

 

·        Disclosures related to organ donation

 

·        Disclosures related to workers compensation

 

 

 

Research is a critical mission of the University.  Disclosure of PHI for research purposes is permitted in accordance with protocols administered by the Human Subjects Office.

 

 

 

Definitions:

 

 

 

Protected Health Information (PHI):

 

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written and electronic.  Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual.  Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

 

 

 

Use:

 

Use of PHI includes anything done with the information inside UIHC (i.e. sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information, 45 C.F.R. §164.501).

 

 

 

Disclosure:

 

Disclosure of PHI means anything done with the information outside the covered entity (i.e. release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information, 45 C.F.R. §164.501).

 

 

 

Health Oversight Agency:

 

Health Oversight Agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

 

 

 

Reference: 45 C.F.R. §164.512

 

 

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

HIPAA-PROTECTED RECORDS: DESIGNATED RECORD SET

 

 

 

Purpose: To define those records maintained outside of the UI Health Care units that are subject to the provisions of the HIPAA Privacy Rule.

 

 

 

Policy:

·        All records containing Protected Health Information, regardless of location, are protected by the Privacy Rule.

·        The following units are subject to the staff training and other requirements as elements of the University’s “hybrid entity”. Client records in these units are subject to the Privacy Rule:

o       University of Iowa Staff Benefits Office

o       College of Dentistry

o       Employee Wellness

o       Wendell Johnson Speech and Hearing Clinic

o       Seashore Psychology Training Clinic

o       Athletic Training Rooms

·        All records contained in employee files or elsewhere that include PHI, health history or status or medical information about the employee.

·        Employee-submitted material including consent or authorization forms, leave request reports, or related documentation.

 

 

 

Definition:

 

The “designated record set” includes:

·        Medical records

·        Billing records

·        Enrollment, payment, claims adjudication records

·        Case management records

 

 

 

References: 45 C.F.R. §164.501

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

ACCESS OF INDIVIDUALS TO PROTECTED HEALTH INFORMATION

 

 

 

Purpose: To define the process for responding to requests from student-athletes to access their PHI and to provide guidance to staff regarding their responsibilities when student-athletes request access to PHI.

 

 

 

Policy: Student-athletes have a right to inspect and copy PHI contained in their records.

 

 

 

Procedures:

 

   1. Requests to inspect or receive copies of PHI

 

A student-athlete must make the request in writing using the Student-Athlete Request to Access Protected Health Information Form and submitting it to the Associate Director of Athletic Training or the HIPAA Privacy Officer.

 

 

 

   2. Response

 

The Associate Director of Athletic Training or HIPAA Privacy Officer will contact the individual making the request within 30 days and arrange for inspection and/or copying.

 

The University reserves the right to deny access under the same circumstances outlined in Athletic Training Policy “Access of Individuals to Protected Health Information in the Designated Record Set.”

 

 

 

Reference: 45 C.F.R. §164.524

 

University of Iowa

 

 

Student-Athlete Request to Access Protected Health Information

 

 

 

Student-Athlete Name________________________  Date of Birth___/___/____

 

                                                                                  

 

                                                                                    Date of Request___/___/____

 

 

 

I request that University of Iowa provide me with access to my personal health information as described below:

 

 

 

_____________________________________________________________

 

 

 

I request access to my personal health information covering the dates of ___/___/____ through ___/___/____.

 

 

 

Type of access requested:

 

 

 

[ ]  Copies of requested information (please specify the format you desire)

[ ]  Hard Copy

[ ]  Other____________________

 

 

 

I understand that University of Iowa may charge a fee for the costs of copying, mailing, preparing a summary or other supplies associated with my request.

 

 

 

Please contact me at the following telephone number to arrange inspection or copying:

 

Telephone number: ____________________

 

e-mail: ______________________________

 

hours preferred: _______________________

 

 

 

 

 

___________________________________________                      ___/___/____

 

Signature of Student-Athlete or Student-Athlete’s Authorized Representative                Date

 

If signed by the student-athlete’s Representative, please print the name and describe relationship to the student-athlete:

 

 

 

 

 

______________________________            _______________________

 

Print Name                                                                             Relationship

 

 

 

You will receive a response within 30 days of the receipt of your request.

 

 

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

REQUEST FOR CONFIDENTIAL COMMUNICATIONS

 

 

 

Purpose: To define the process for responding to requests from student-athletes or their legal representatives to receive confidential communications of their Protected Health Information (PHI); to instruct staff on how to respond to requests from student-athletes or their legal representatives for confidential communications of their PHI.

 

 

 

Policy: It is the policy of the University of Iowa to accommodate requests from student-athletes or their legal representatives to receive communications of PHI by alternative means or at alternative locations.  The provision of this communication may require an alternative address or other method of contact.

 

 

 

Procedures:

·        Student-athletes or their legal representatives may request to receive communications of PHI by alternative means or at a different location by contacting the Associate Director of Athletic Training or a care provider.

·        The request should be in writing in order to document the alternative method or location on the attached form.

·        The request may be denied if the student-athlete fails to specify an alternative address or means of contact.

·        The alternative address/contact will be used until the student-athlete or the student-athlete’s legal representative advises the college or health care unit to return to the original designated address.

 

 

 

Reference: 45 C.F.R. §164.522

 

 

 

The University of Iowa

 

Privacy Rule

 

Request for Confidential Communications Regarding Medical Information

 

 

 

 

 

 

 

I wish to request that communication about my health and medical care, which contains Protected Health Information, be sent to me in the following manner (check one):

 

 

 

                      _____  By telephone at my home number

 

 

 

                      ______ By telephone at another number

 

 

 

                      ______ By FAX at a number provided

 

 

 

                      ______ By mail at an address other than the one on the record

 

 

 

Please provide the information we will need to send the information to you at your preferred location (complete address, phone number, etc.):__________________

 

 

 

 

 

 

 

 

 

 

 

The University will not ask you the reason for your request and will accommodate all reasonable requests.

 

 

 

If you cannot be reached at the designated alternative location you specify, the University may use other means to contact you.

 

 

 

When you have completed this form, please give it to your health care provider or send it to: HIPAA Privacy Offices, C-43 GH, University of Iowa, Iowa City, Iowa 52242.

 

 

 

 

 

__________________________                                    ___________________

 

Signature                                                                                Date

 

                                  

 

 

 

 

 

_________________________                                      ___________________

 

Staff member                                                                   Title

 

 

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

 

DISCLOSURE OF PROTECTED HEALTH INFORMATION TO PERSONAL REPRESENTATIVES

 

 

 

Purpose: To define when and what protected health information (PHI) may be released to an individual’s personal representative.

 

 

 

Policy: The university unit in possession of PHI will treat the personal representative as the individual when using and disclosing the individual’s PHI EXCEPT

 

 

 

A “personal representative” is an individual who has authority by law (parent, legal guardian) or by authority from the individual receiving services to act in the place of that individual.  This includes parents, legal guardians, persons with power of attorney and may also include the family or next of kin of a non-autonomous student-athlete who has no legally appointed surrogate.  The authority of the personal representative is limited: the representative must be treated as the individual only to the extent that PHI is relevant to the matters on which the personal representative is authorized to represent the individual.

 

 

 

Procedures: What follows are guidelines in determining a student-athlete’s personal representative.  Questions about whether or not a person is a personal representative of a patient should be directed to the University’s HIPAA Privacy Officer.

 

 

A.   Adults and Emancipated Minors

 

If a person has authority by law to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to use and disclosure of PHI, that person will be treated as a personal representative.  Once a minor is emancipated, a guardian or a parent cannot be recognized as a personal representative.

 

 

 

B.   Children (under 18 years)

 

In general, parents will be the personal representatives of their children.  In some cases, there will be a legal guardian or another individual who has been designated to act on behalf of a child.  These individuals will be recognized as personal representatives.

 

Note: A minor does not require the consent of an adult and may consent to treatment for: testing and counseling for sexually transmitted diseases, treatment and rehabilitation for substance abuse, and limited reproductive issues.  The minor will be treated as an individual and may provide authorization for release of their PHI.

 

 

 

C.   Deceased Individuals

 

The personal representative will be an executor, administrator or other person designated to act on behalf of a deceased individual or the estate.

 

D.     Exception

 

The UI may elect not to recognize an individual as a personal representative if there is reason to believe that:

 

·        Deceased Individuals

 

If an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, UIHC will treat such person as a personal representative with respect to PHI relevant to such personal representative.

 

·        Abuse, Neglect, Endangerment Situations

 

Elect not to recognize a person as the personal representative of an individual if Athletic Training Services has a reasonable belief that:

 

1.      The individual has been or may be subjected to domestic violence, abuse, or neglect by a parent, guardian or personal representative; or

 

2.      Treating such a person as the personal representative could endanger the individual; and

 

3.      In the exercise of professional judgment it is not in the best interest of the individual to treat the person as the individual’s personal representative.

 

 

 

Definitions:

 

 

 

Protected Health Information (PHI):

 

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written and electronic.  Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual.  Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

 

 

 

References: 45 C.F.R. §164.502

 

 

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

 

VERIFICATION OF IDENTITY AND AUTHORITY OF PERSONS REQUESTING PROTECTED HEALTH INFORMATION

 

 

 

Purpose: To define guidelines and procedures that should be followed to verify the identity and authority of persons and entities requesting Protected Health Information (PHI).

 

 

 

Policy: Protected Health Information (PHI) will be disclosed only to persons who are authorized to receive it.  Appropriate statements or documents confirming the identity of the persons requesting PHI are required as a condition of disclosure.

 

 

 

Procedures:

·        PHI will be disclosed as a customary part of providing student-athlete care, between and among individuals assisting in care and as part of the teaching mission of the University.  This is permissible.

·        Before PHI is released for purposes other than treatment, payment, or operations, there must be appropriate documentation or statements, which provide authorization for disclosure.

 

 

 

I.                    Verifying Public Officials or Request under Legal Authority

 

A.     Staff may rely on any of the following to verify identity when the disclosure of PHI is to a public official or a person acting on behalf of the public official:

 

1.                  If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

 

2.                  If the request is in writing, the request is on the appropriate government letterhead;

 

3.                  If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official;

 

4.                  A written statement of legal authority under which the information is requested, or if a written statement would be impracticable, an oral statement of such legal authority; or

 

5.                  If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal, it is presumed to constitute legal authority.

 

 

 

II.                 Imminent threat to safety

 

If there is an imminent threat to safety, it is lawful to disclose PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public if disclosure is made to a person reasonably able to prevent or lessen the threat.  If these conditions are met, no further verification is needed.

 

 

 

III.               Verification of an Individual

 

An individual will be given access to his/her PHI (under most circumstances).  Staff will take reasonable steps to verify the identity of the individual making the request.

 

 

 

IV.              Verification of a Personal Representative

 

Staff may require proper documentation of the personal representative’s legal authority; or may ask questions to determine that an adult acting for a young child has the requisite relationship to the child, if a personal representative is not known.  Documentation of the statements/representatives should be noted in the record.

 

 

 

 

 

Definitions:

 

 

 

Protected Health Information (PHI):

 

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written and electronic.  Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual.  Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

 

 

 

 

 

Reference: 45 C.F.R. §164.514, 164.510(b)

 

 

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

 

RESTRICTIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

 

 

 

Purpose: To define the process for responding to requests from student-athletes or their legal representatives to restrict uses and disclosures of their Protected Health Information (PHI); to provide direction to staff on how to respond to requests for restrictions on uses and disclosures of their PHI.

 

 

 

Policy: Student-athletes and their legal representatives have the right to request restrictions on the uses and disclosures of PHI for: treatment, payment, health care operations, disclosures to a family member or other relative or close personal friend, or any other person identified by the student-athlete.

 

 

 

Procedure: A student-athlete or legal representative may request a restriction in writing on the attached form, directed to the Privacy Officer.  A written response will be provided and all relevant documentation will be kept on file for 6 years.

 

            Exceptions to restrictions include the following:

 

·       The Office of DHHS,

 

·       Where consent is not required for disclosure (required by law; public health; health oversight activities; abuse and neglect; law enforcement purposes; judicial and administrative proceedings; approved research; specialized government functions; organ donation; worker’s compensation).

 

·       To health care providers for emergency treatment.

 

 

 

Termination of restrictions: Restrictions will be terminated when the student-athlete or legal representative asks that the restriction be ended.  This request needs to be communicated to care providers and the HIPAA Privacy Officer.

 

 

 

Other restrictions: Student-athletes may request restrictions on the disclosure of PHI to family members, friends or others.  Care providers are to exercise professional judgment in each instance and advise the student-athlete of their decision.

 

 

 

 

 

 

 

 

 

Reference: 45 CFR §164.522, §164.512

 

 

 

 

 

The University of Iowa

 

Privacy Rule

 

Request for Restricting Use or Disclosure of Protected Health Information

 

 

 

 

 

 

 

Instructions: Place a check or other mark in the space provided or indicate “not applicable” (N/A) to indicate which request applies

 

 

 

 

 

 

 

I wish to restrict the use or disclosure of my protected health information by The University of Iowa in the following manner:

 

 

 

I.             I wish to restrict release of the following information (e.g., that I have had a particular treatment or diagnosis) (to the extent this is permissible by law): ____________________________________

 

II.            I wish to restrict the use and disclosure of protected health information in the following way:__________________________

 

III.          I request that this restriction apply to the following individuals or entities: (identify  the person or entities to whom you do not want information released):__________________________________

 

 

 

 

 

 

 

 

 

 

 

_____________________                                              ___________________

Signature                                                                        Athletic Training Room

 

 

 

______________________   

 

Date

 

 

 

                                                               

 

Signature of Staff Member                            Title                                             Date

 

 

 

 

 

 

 

 

 

 

 

Give this request to the Associate Director ATS or send it to the HIPAA Privacy Officer, C-43 GH, The University of Iowa, Iowa City, Iowa, 52242

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

 

ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION

 

 

 

Purpose: To define the process for responding to requests from student-athletes or their legal representatives to receive an accounting of Protected Health Information (PHI) disclosures made by health care units of the University of Iowa; to provide direction to staff members regarding their responsibilities when a patient requests an accounting of disclosures of their PHI.

 

 

 

Policy: It is the policy of the University to provide, at the student-athlete’s request, an accounting of disclosures made of the student-athlete’s PHI.  The accounting of disclosures may include up to six years prior to the date the accounting is requested and not prior to April 14, 2003.  Disclosures made under the following circumstances are excluded from the accounting:

·        Disclosures made for purposes of treatment, payment, and operations (including education of future health professionals);

·        Disclosures to the student-athlete;

·        Disclosures to people involved in the student-athlete’s care;

·        Disclosures authorized by the student-athlete or the student-athlete’s legal representative;

·        Disclosures authorized or required by law.

 

 

 

Procedures:

·        A student-athlete must make the request for an accounting using the “Request for Accounting of Disclosures” form.

·        These forms can be obtained from and submitted to the Associate Director of ATS or care provider.

·        Request for Accounting forms are to be sent to the UI Privacy Officer.

·        UIHC will retain for a period of six years copies of the request and a copy of the written accounting that was provided to the student-athlete.

·        A student-athlete may authorize in writing that the accounting of disclosures be released to another individual or entity.  The request must clearly identify all information required to carry out the request (name, address, phone number, etc.).

 

 

 

Providing the accounting.

·        The UI Privacy Officer will provide the student-athlete with an accounting of disclosures within 60 days after receipt of the request.

·        If the accounting cannot be completed within 60 days after receipt of the request, the student-athlete will receive a written statement of the reason for the delay and the expected completion date.  The accounting must be provided to the student-athlete within 90 days.

·        The UI will provide the accounting to the individual at no charge for a request made once during any twelve-month period.  A fee may be charged for any additional requests made during a twelve-month period as explained in the Privacy Notice and on the request form.

 

 

 

 

 

*Definition of Protected Health Information (PHI):

 

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written and electronic.  Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual.  Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

 

 

 

Reference: 45 C.F.R. §164.528

 

The University of Iowa

 

Privacy Rule

 

Request for Accounting of Disclosures

 

 

 

 

 

1. Student-athlete Information

 

 

 

            Name______________________________________________

 

 

 

            Date of Birth_________________________________________

 

 

 

            Date of this Request___________________________________

 

 

 

            Address____________________________________________

 

 

 

          

 

 

 

            Address to which accounting should be sent if different from above:

 

 

 

            _____________________________________________________

 

 

 

           

 

 

 

2. Request for Accounting of Disclosures and Dates Requested

 

 

 

I understand that I have the right to receive an accounting (or list) of certain disclosures of my protected health information made by The University of Iowa during the six (6) years before the date on which I request the accounting, but not prior to April 14, 2003. I hereby request an accounting of the disclosures of my protected health information that were made during the following time frames:

 

 

 

From:_________________(mo/date/yr) To_______________(mo/date/yr)

 

 

 

I understand that this accounting excludes disclosures related to treatment, payment, operations, disclosures authorized by me, and disclosures made pursuant to any legal requirement such as a mandatory report.

 

 

 

3. Response Time

 

 

 

I understand that the accounting I have requested will be provided to me within 60 days unless I am notified in writing that an extension of up to 30 days is required.

 

 

 

 

 

 

 

_______________________________________________          

 

Signature

 

 

 

_______________________________________________

 

Date

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

When you have completed this form, give it to the Associate Director of ATS or send it to the HIPAA Privacy Officer, C-43 GH, The University of Iowa, Iowa City, Iowa, 52242.

 

 

 

 

 

 

 

________________________________________________________________

 

 

 

Date Request received:_____________________________________________

 

 

 

Date Accounting sent:______________________________________________

 

 

 

Extension requested:________no_________yes . If yes, explain_____________

 

 

 

____________________________________________________

 

 

 

Individual notified in writing of extension (date and by whom)________________

 

 

 

_____________________________________________________

 

 

Name of staff member processing Request______________________________

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

CORRECTIONS AND AMENDMENTS TO RECORD

 

 

 

Purpose: To define the process for responding to requests from student-athletes and/or student-athlete’s representatives to correct or amend the Protected Health Information (PHI) in the record and to advise staff on how to respond to requests to correct or amend the record.

 

 

 

Policy: It is the policy of the University of Iowa to allow student-athletes or their legal representatives to request amendments to the PHI contained in the health record.

 

 

 

Procedure:

·        If a student-athlete feels a correction should be made, the student-athlete should be referred to the principal health care provider.

·        Care providers should exercise professional judgment and determine whether that correction or amendment is appropriate.

·        If the care provider agrees with the amendment to the record, the change should be made.

·        If the care provider does not agree with the request, believes it should be denied, or does not wish to make the correction, the provider should ask the student-athlete to submit the request, in writing, on the “Request for Correction/Amendment” Form.

·        This form should be submitted to the Associate Director of ATS who will work with the University Privacy Officer and others, as needed, to resolve the issue.

 

 

 

Response to Request for Amendment:

 

The Associate Director of ATS (or designee) must respond to requests for amendment no later than 60 days after receipt of the request.  A one-time extension up to 30 days may be granted as long as the student-athlete or the legal representative is provided with a written statement of the reason for the delay.

 

 

·        Denial of Amendment.

The student-athlete’s request for amendment may be denied if it is determined that the PHI or record created by the U of I unit is accurate and complete.

o       A statement documenting the denial will be appended to the student-athlete’s medical record.

 

 

·        Making the Amendment.

o       If the amendment is accepted, the Associate Director of ATS (or designee) must make the amendment by designating the records that are affected and attaching or providing a link to the location of the amendment.

o       The student-athlete or the legal representative must be informed in a timely manner that the amendment has been accepted and the names of persons with whom the amendment must be shared must be obtained.

o       Reasonable efforts must be made to provide the amendment to persons identified by the student-athlete or their legal representative and/or persons who may have relied or could foreseeably rely on the information to the detriment of the student-athlete.

 

 

·        Statement of Disagreement; Rebuttal statement.

o       A student-athlete or their legal representative may submit a written statement disagreeing with the denial of a requested amendment.

o       This statement may be limited in length.

o       A rebuttal may be prepared to such a statement.

o       Such statements will be appended to the record.

 

 

·        Future Disclosures.

 

o       If a statement of disagreement has been submitted, future disclosures will include the appended material, or if appropriate, an accurate summary of such information with any subsequent disclosure of PHI to which this disagreement relates.

 

o       If no statement of disagreement has been submitted, future disclosures will include the student-athlete’s request for amendment and denial of such only if the student-athlete or their legal representative requests.

 

 

 

* Definition of Protected Health Information (PHI):

 

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written and electronic.  Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual.  Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

 

 

Reference: 45 C.F.R. §164.526, §164.524

 

 

 

 

The University of Iowa

 

Privacy Rule

 

Request to Amend Health Care Records

 

 

 

 

 

 

 

I wish to request that The University of Iowa correct or complete my medical and/or health care information in its records as follows:

 

 

 

A.                Describe what information is incomplete or incorrect and what you believe should be changed. State what information you believe should be added and/or deleted:_____________________________________________

 

 

 

 

 

 

 

 

B.                Describe the reason that supports your request. Attach copies of documents that support your request, if applicable:___________

 

                 

 

                        

 

 

 

 

 

The University may deny your request for an amendment if it is not in writing or it does not include a reason to support the request. In addition, the University may deny your request to amend information that 1) was not created by the University of Iowa Athletic Training Service or health care unit; 2) is not part of the record maintained by the University of Iowa and its health care units.

 

 

 

 

 

______________________________                    _______________________

 

Signature                        Address   

 

 

 

______________________________

 

Date

 

 

 

______________________________

 

Athletic Training Room

 

 

 

 

 

Please give this form to the Associate Director of ATS or send it to the HIPAA Privacy Officer, 320 CMAB, The University of Iowa, Iowa City, Iowa 52242

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

PROTECTED HEALTH INFORMATION TRANSFERRED TO OTHER SYSTEMS

 

 

 

Purpose: To outline security safeguards that must be in place when PHI is transferred to other systems and devices.

 

 

 

Policy: Protected Health Information (PHI) transferred from university computers, systems or devices to other systems or devices is subject to the requirements of the Privacy Rule.  The need for rigorous security provisions applies to all devices that contain PHI, regardless of device type, ownership, or the method of transfer.

 

 

 

Any individual or entity electing to download report data or transfer it to a personal or hand-held computer is responsible for ensuring the security and privacy of PHI on the target system.  Protection controls can include (but are not limited to) the use of strong passwords changed at regular intervals; the use and enforcement of system locks or session time-out controls; secure equipment storage; and procedures for purging PHI from magnetic media prior to device release or reuse.  This applies to PHI used in any device regardless of location or ownership.

 

 

 

Use of downloaded or transferred data is limited to the acceptable uses delineated in the Privacy Rule (treatment, payment, and operations, which include research and education), subject to the “minimum necessary” standard.  The use of downloaded or transferred data for the purposes above does not grant the right to share the data with other individuals and/or entities or to make subsequent transfers.  Violations of these regulations can result in severe legal and financial penalties.

 

 

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

 

DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)

 

 

 

Purpose: To define the guidelines and procedures necessary for the de-identification of Protected Health Information (PHI) contained in university records; to provide direction to staff regarding the use of de-identified PHI.

 

 

 

Policy: Protected Health Information is confidential, except when disclosure is authorized or compelled and the university has a duty to protect the privacy of records.

 

 

 

PHI can be de-identified by removing identifying characteristics.  De-identified health information is no longer considered to be individually identifiable health information and the requirements of the Privacy Rule do not apply.

 

 

 

Procedure:

 

For PHI to be de-identified, one of the following must occur:

 

 

 

1)     Statistical De-identification: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines the PHI is de-identified.  This person must determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient, to identify an individual who is a subject of the information.  This person must document the methods and results of the analysis that justify such determination.  This process must be approved by the UI Privacy Officer.

 

2)     Alternative Method of De-identification Prescribed by Privacy Rule:

 

a)      De-identification requires the elimination not only of primary or obvious identifiers, such as name, address, date of birth, but also of secondary identifiers through which a user could deduce the individual’s identity.  For PHI to be de-identified, the following identifiers of the individual or of relatives, employers, or household members of the individual must be removed:

 

 

 

1)                  Names

 

2)                  Address information smaller than a state, including street address, city, county, zip code (except if by combining all zip codes with the same initial three digits, there are more than 20,000 people)

 

3)                  Names of relatives and employers

 

4)                  All elements of dates (except year), including date of birth, date of medical or health care, date of death; all ages over 89 and all elements of dates including year indicative of such age except that such age elements may be aggregated into a single category of age 90 or older

 

5)                  Telephone numbers

 

6)                  Fax numbers

 

7)                  Email addresses

 

8)                  Social Security Number

 

9)                  Medical or other record number

 

10)              Health beneficiary plan number

 

11)              Account numbers

 

12)              Certificate/License Number

 

13)              Vehicle identifiers, including license plate numbers

 

14)              Device ID and serial number

 

15)              Uniform Resource Locator (URL)

 

16)              Internet Protocol (IP) addresses

 

17)              Biometric identifiers, including finger and voice print

 

18)              Full face photographic images and other comparable images

 

19)              Any other unique identifying number, characteristic, or code;

 

b)      In addition, the university does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

 

 

 

*Definitions:

 

 

 

Protected Health Information (PHI):

 

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic.  Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual.  Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

 

 

 

Reference: 45 C.F.R. §164.514

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

BUSINESS ASSOCIATES

 

 

 

Purpose: To define the guidelines and procedures that must be followed for Business Associates* at the University of Iowa.

 

 

 

Policy: A Business Associate is a person or entity that provides certain functions, activities, or services on behalf of the University involving the use and/or disclosure of Protected Health Information (PHI)**.  The University is required to take action if it becomes aware of a practice or pattern that constitutes a violation of the policy protecting confidentiality of PHI.

 

 

 

Procedures:

·        The University will identify its Business Associates and maintain a database of Business Associates.

 

 

Business Associate Contracting

·        The University will enter into contracts, approved by the Business Officer, with Business Associates.

·        Contracts between the University and Business Associates will be consistent with the requirements of the HIPAA Privacy Rule and will provide, at a minimum, that the Business Associate will:

·        Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by its agreement;

·        Report to the UI any use or disclosure of PHI not provided for by its agreement of which the Business Associate became aware;

·        Not use or further disclose PHI except as permitted by the agreement or required by law;

·        Ensure that any agents, or sub-contractors, to whom it provides PHI received from, created by, or on behalf of UI, agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI;

·        Make available PHI in accordance with UI policies and procedures;

·        Make internal records, documents, books or other items related to the use and disclosure of PHI received from or created on behalf of UI available to DHHS upon request for audit or compliance purposes;

·        At termination of the agreement, return or destroy all PHI received from or created on behalf of UI that the Business Associate maintains in any form, and retain no copies.  If return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return of the information infeasible.

Breaches of Contract

·        In the event that UI becomes aware of a pattern or practice of the Business Associate that constitutes a violation of the Business Associate’s obligations under its agreement, UI will take reasonable steps to end the violation.

·        In the event that the Business Associate cannot or will not remedy the practice or pattern, UI may terminate the contract if feasible.  Where termination is not feasible, the UI Privacy Officer will report the problem to appropriate authorities.

 

 

 

* “Business Associate” is a person or entity who, on behalf of a covered entity, 1) performs or assists in the performance of (a) a function or activity involving the use or disclosure of individually identifiable health information.  Examples include claims processing, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or (b) any other function or activity regulated by the HIPAA Privacy Rule; or 2) provides, in a capacity other than as a member of the workforce, legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation, financial, or other services to, for, or on the behalf of the covered entity, in which the covered entity participates and where the provision of the service involves the disclosure of individually identifiable protected health information.

 

 

 

**Definition of Protected Health Information (PHI):

 

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic.  Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual.  Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

 

 

 

References: 45 C.F.R. §§164.504, 164.524, 164.526, 164.528

 

BUSINESS ASSOCIATE AGREEMENT

 

 

 

This Agreement dated as of ________ ______________ is made by and between University of Iowa (hereinafter “Covered Entity”) and ____ ____________ (hereinafter “Business Associate”).

 

 

 

INTRODUCTION

 

 

 

This Agreement governs the terms and conditions under which Business Associate will access personal health information belonging to patients of Covered Entity in performing services for, or on behalf of, Covered Entity.  Specifically, this agreement governs the terms and conditions under which Koch Brothers will provide microfilming services to the Department of Speech Pathology and Audiology.

 

 

 

1)      DEFINITIONS

 

 

 

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR 160.103 and 164.501.  For purposes of this section:

 

 

 

a)     Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

 

b)     Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

 

c)      Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

 

d)     Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.501.

 

e)     Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.

 

2)     OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

 

 

 

Business Associate agrees to:

 

a)     Not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.

 

b)     Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

 

c)      Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

 

d)     Report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement.

 

e)     Ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

 

f)        In the event that the Business Associate maintains PHI in a designated records set, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.

 

g)     In the event that the Business Associate maintains Protected Health Information in a designated records set, Business Associate agrees to make any amendment(s) to Protected Health Information in a designated record set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.

 

h)      Make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.  In the event such a request comes directly from the Secretary, Business Associate agrees to notify Covered Entity immediately of such request.

 

i)        Document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.

 

j)        Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with this section, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.

 

3)            PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

 

Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information, as follows:

 

 

 

on behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

 

a)     Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

 

4)            OBLIGATIONS OF COVERED ENTITY

 

Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.

 

5)            PERMISSIBLE REQUESTS BY COVERED ENTITY

 

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

 

6)         TERM AND TERMINATION

 

a)     Term. The obligations set forth in this section shall be effective as of the date the first protected health information is released to Business Associate pursuant to this Agreement, and shall terminate only when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.

 

b)     Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation.  Covered Entity may terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity.

 

c)      Effect of Termination.

 

(i)        Except as provided in paragraph (ii) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.  Business Associate shall retain no copies of the Protected Health Information.

 

(ii)   In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

 

d)     Survival.  The respective rights and obligations of Business Associate under this section shall survive the termination of this Agreement.

 

7)            OWNERSHIP OF INFORMATION

 

Covered Entity holds all right, title, and interest in and to the PHI and Business Associate does not hold and will not acquire by virtue of this Agreement or by virtue of providing goods or services to Covered Entity, any right, title, or interest in or to the PHI or any portion thereof. 

 

8)            RIGHT TO INJUNCTIVE RELIEF

 

Business Associate expressly acknowledges and agrees that the breach, or threatened breach, by it of any provision of this Agreement may cause Covered Entity to be irreparably harmed and that Covered Entity may not have an adequate remedy at law.  Therefore, Business Associate agrees that upon such breach, or threatened breach, Covered Entity will be entitled to seek injunctive relief to prevent Business Associate from commencing or continuing any action constituting such breach without having to post a bond or other security and without having to prove the inadequacy of any other available remedies.  Nothing in this paragraph will be deemed to limit or abridge any other remedy available to Covered Entity at law or in equity.

 

9)            MISCELLANEOUS

 

a)     Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.

 

b)     Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104-191.

 

c)      Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule.

 

 

 

University of Iowa

 

 

 

 

 

By:____________________

 

Andrew Ives, Business Manager

 

 

 

Date: ___________________

 

 

 

BUSINESS ASSOCIATE

 

By:________

 

Name:______

 

Title:_______

 

 

 

Date:___________________

 

 

 

 

 

 

 

 

BUSINESS ASSOCIATE ADDENDUM

 

 

 

In addendum to the [insert reference and date of Service Agreement], the parties agree to the following terms and conditions:

 

 

 

1)            DEFINITIONS

 

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR 160.103 and 164.501.  For purposes of this section:

 

a)     Business Associate.  “Business Associate” shall mean [insert the name of the Business Associate, ].

 

b)     Covered Entity.  “Covered Entity” shall mean Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

 

 

c)      Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

 

d)     Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

 

e)     Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.501.

 

f)        Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.

 

2)            OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

 

Business Associate agrees to:

 

a)     Not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.

 

b)     Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

 

c)      Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

 

d)     Report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement.

 

e)     Ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

 

f)        In the event that Business Associate maintains records in a designated records set, to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a designated record set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.

 

g)     In the event that Business Associate maintains records in a designated records set, make any amendment(s) to Protected Health Information in a designated record set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.

 

h)      Make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.  In the event such a request comes directly from the Secretary, Business Associate agrees to notify Covered Entity immediately of such request.

 

i)        Document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.

 

j)        Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with this section, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.

 

3)            PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

 

a)     Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in [Insert Name of Services Agreement], provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

 

b)     Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

 

4)            OBLIGATIONS OF COVERED ENTITY

 

Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.

 

5)            PERMISSIBLE REQUESTS BY COVERED ENTITY

 

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

 

6)         TERM AND TERMINATION

 

a)     Term. The obligations set forth in this section shall be effective as of the date the first protected health information is released to Business Associate pursuant to this Addendum, and shall terminate only when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.

 

b)     Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation.  Covered Entity may terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity.

 

c)      Effect of Termination

 

(i)      Except as provided in paragraph (ii) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.  This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.  Business Associate shall retain no copies of the Protected Health Information.

 

 

(ii)  In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible.  Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

 

d)     Survival.  The respective rights and obligations of Business Associate under this section shall survive the termination of this Agreement.

 

7)            OWNERSHIP OF INFORMATION

 

Covered Entity holds all right, title, and interest in and to the PHI and Business Associate does not hold and will not acquire by virtue of this Agreement or by virtue of providing goods or services to Covered Entity, any right, title, or interest in or to the PHI or any portion thereof.  Except as specified in Paragraph ___above [delete if there is no provision allowing such requirements/right to compile reports, aggregate data, etc.  Otherwise, include specific paragraph reference in this Addendum or in the Service Agreement that references that obligation of the BA specifically], or as otherwise agreed to in writing by the parties, Business Associate will have no right to compile and/or distribute statistical analyses and reports utilizing aggregated data derived from the PHI or any other health and medical data obtained from Covered Entity.

 

8)            RIGHT TO INJUNCTIVE RELIEF

 

Business Associate expressly acknowledges and agrees that the breach, or threatened breach, by it of any provision of this Agreement may cause Covered Entity to be irreparably harmed and that Covered Entity may not have an adequate remedy at law.  Therefore, Business Associate agrees that upon such breach, or threatened breach, Covered Entity will be entitled to seek injunctive relief to prevent Business Associate from commencing or continuing any action constituting such breach without having to post a bond or other security and without having to prove the inadequacy of any other available remedies.  Nothing in this paragraph will be deemed to limit or abridge any other remedy available to Covered Entity at law or in equity.

 

9)            MISCELLANEOUS

 

a)     Regulatory References.  A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.

 

b)     Amendment.  The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104-191.

 

c)      Interpretation.  Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule.

 

 

 

University of Iowa

 

 

By:________

 

University of Iowa

 

 

 

Date:___________________

 

 

 

 

 

 

 

 

 

BUSINESS ASSOCIATE

 

By:________

 

Name:______

 

Title:_______

 

 

 

Date:___________________

 

 

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

PRIVACY PROTECTION IN AREAS WITH PUBLIC ACCESS

 

 

 

Purpose: To define guidelines and procedures for areas in which student-athlete care is provided but there is also public access through tours, visitors, recruits, or limited access through job shadowing or other community or professional groups.

 

 

 

Policy: Patient confidentiality and dignity must be protected but the University, as a public teaching institution, must provide access to its facilities for educational and informational purposes.

 

 

 

Procedures:

·        Formal tours are only allowed on special open house days designated for this purpose by the associate director.

·        Visitors or recruits and their family members (either in small groups or individually) should be guided by staff and kept away from student-athlete care when possible.

·        Student tours or job shadow experiences should not include access to PHI.

·        While groups or individuals are waiting to gain access to the athletic training rooms for tours, recruiting, or education, they should remain outside the athletic training room or in office space/conference areas and away from student-athlete care areas.

·        Public access to the athletic training rooms for first aid purposes should be limited to appropriate and necessary emergency care and should avoid student-athlete care areas whenever possible.

·        Whenever student-athletes are being treated, privacy and dignity should be observed among athletic training staff members to move student-athletes to appropriate treatment locations or to restrict access to the athletic training room.

·        Access to patient information should be inadvertent or incidental.

 

The University of Iowa

 

HIPAA Privacy Rule

 

Policies and Procedures

 

 

VIOLATION OF PROVISIONS OF PRIVACY RULE

 

 

 

Purpose: To clarify that violations of the HIPAA Privacy Rule will subject University employees to disciplinary action.

 

 

 

Policy: The University of Iowa is committed to complying with the legal and ethical requirements that assure student-athlete confidentiality, specifically the treatment of all protected health information (PHI) in a manner consistent with the Privacy Rule.  Violations of the Privacy Rule that result in the unauthorized release of PHI may result in disciplinary action.

 

 

 

Procedure: If a violation of the Privacy Rule, or of associated university, collegiate or other policies is reported or observed, it will be investigated in a manner consistent with applicable procedures for that unit and that employee.

 

The investigation, conclusions, and any subsequent disciplinary action will be managed by the college or department, in accordance with existing procedures.

 

University of Iowa © 2004, All Rights Reserved.