Privacy Notice
This web page is currently under review. You can find pertinent privacy
rule general information and frequently asked questions by accessing
this web page:
http://www.uiowa.edu/homepage/policy/HIPAA/index.html
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
NOTICE OF PRIVACY PRACTICES
Purpose: To define the required content of the University of Iowa’s
Privacy Notice, applicable to covered units within the U of I not
covered by UI Health Care.
Policy: Under the provisions of the HIPAA Privacy Rule, an individual
has a right to know the uses and disclosures of protected health
information (PHI) that may be made by the University of Iowa College or
unit providing health care. The individual also has a right to know what
his or her responsibilities are with respect to PHI. The U of I is
required to provide a notice of privacy practices to all patients as
well as to individuals requesting a copy.
Procedure: The College or health care unit will:
· Provide the Notice of Privacy Practices at the first date of
service to all patients
· Make a good faith effort to obtain a written acknowledgement of
receipt of the notice
· Have the Privacy Notice visible in clinic and service locations
· Have the Privacy Notice available for student-athletes to take
with them
Exceptions: In an emergency, if it is impossible or impractical to
provide the notice, or if doing so would delay care, providing
student-athlete care takes the highest priority.
Content of the Privacy Notice.
The U of I Health Care units will provide a Privacy Notice that is
written in plain language and that contains the following elements:
· Header: The Privacy Notice must contain the following statement
as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES
HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
· Uses and disclosures: The Privacy Notice must contain:
o A description, including at least one example, of the types of
uses and disclosures that the unit is permitted to make for each of the
following purposes: Treatment, Payment, and Health Care Operations**;
o A description of each of the other purposes for which disclosure
of PHI is permitted or required without that student-athlete’s written
authorization;
o A statement that other uses and disclosures will be made only
with the student-athlete’s written authorization and that the
student-athlete may revoke such authorization as provided by UI “Policy
on Uses and Disclosures of Protected Health Information”;
o A statement that the patient may be contacted to provide
appointment reminders or information about treatment alternatives or
other health-related benefits and services that may be of interest to
the patient.
Individual rights
The Privacy Notice must contain a statement of the student-athlete’s
rights with respect to PHI and a brief description of how the individual
may exercise these rights as follows:
· The right to request restrictions on certain uses and
disclosures of PHI as provided by University policy, “Restrictions on
Use and Disclosure of Protected Health Information.”
· The right to receive confidential communications of PHI as
provided by policy “Request for Confidential Communications.”
· The right to inspect and obtain a copy of the student-athlete’s
PHI as provided by policy “Access of Individuals to Protected Health
Information in the Designated Record Set”.
· The right to request an amendment to PHI as provided by policy
“Corrections and Amendments to Protected Health Information”.
· The right to receive an accounting of disclosures of PHI as
provided by policy “Accounting of Disclosures”.
· The right of an individual, including an individual who has
agreed to receive the notice electronically, to obtain a paper copy of
the notice from UI upon request.
Covered entity’s duties.
The Privacy Notice must contain a statement that the
University of Iowa:
· Is required by law to maintain the privacy of PHI and to
provide individuals with notice of its legal duties and privacy
practices with respect to PHI;
· Is required to abide by the terms of the notice currently in
effect; and
· Reserves the right to change the terms of its notice and to
make the new notice provisions effective for all PHI that it maintains.
The statement must also describe how it will provide individuals with a
revised notice.
Complaints.
· The Privacy Notice must contain a statement that individuals
may complain to the University of Iowa and to the Department of Health
and Human Services if they believe their privacy rights have been
violated, a brief description of how the individual may file a
complaint, and a statement that the individual will not be retaliated
against for filing a complaint.
Contact.
· The Privacy Notice must contain the name, or title, and
telephone number of a person or office to contact for further
information.
Requirements for Electronic Notice
· The University of Iowa will provide an updated electronic
version of the Privacy Notice on its website at http://www.uiowa.edu/homepage/policy/HIPAA/index.html.
· The notice may be provided to an individual by e-mail, if the
requirements for communicating with the individual through e-mail are in
compliance with the HIPAA Electronic Mail Policy.
· Provision of electronic notice will satisfy the provision
requirements if receipt of the notice by the individual is documented.
· The individual who is the recipient of electronic notice
retains the right to obtain a paper copy of the notice from the
University of Iowa.
Documentation of Privacy Notice:
· The University of Iowa will document compliance with the
Privacy Notice requirements by retaining copies of the Privacy Notices
issued by UI Health Care.
· Those persons who register or admit patients will be
responsible for distributing the Privacy Notice to all patients and
documenting the receipt of the “Notice of Privacy Practices
Acknowledgement Form” in the record. If a written acknowledgement was
not obtained from the patient, they must document the reason for the
failure to obtain the written acknowledgement on the “Notice of Privacy
Practices Acknowledgement Form”. Such reason for failure may be, for
example, that the patient refused to sign after being requested to do
so.
Revisions to the Privacy Notice.
· The Privacy Notice will be revised and made available whenever
there is a material change to the uses or disclosures, the individual’s
rights, or other privacy practices stated in the notice. Except when
required by law, a material change to any term of the notice may not be
implemented prior to the effective date of the notice in which such
material change is reflected.
* Definition of Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained
in any form or medium, including oral, written and electronic.
Individually identifiable health information relates to an individual’s
health status or condition, furnishing health services to an individual
or paying or administering health care benefits to an individual.
Information is considered PHI where there is a reasonable basis to
believe the information can be used to identify an individual.
** Treatment, Payment and Health Care Operations (TPO):
Treatment involves the administration, coordination and management of
health care services. Payment includes any activities undertaken to
obtain premiums, determine or fulfill its responsibility for coverage
and the provision of benefits, or to obtain or provide reimbursement for
the provision of health care. Health Care Operations include general
administrative and business functions, including audit, quality review,
and financial management. Under the rules, “operations” also includes
“the training of future health professionals”.
UNIVERSITY OF IOWA PRIVACY NOTICE
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND
DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
Our Legal Responsibility
As a health care provider, we are legally required to
protect the privacy of your health information, and to provide you with
this notice about our legal duties and privacy practices. This
requirement applies to all clients served by units within the University
of Iowa that provide health care to clients.
If you have any questions or want more information about
this notice, please contact our Privacy Officer at the contact
information listed below.
Your Protected Health Information (PHI)
Throughout this notice we will refer to your protected
health information as PHI. Your PHI includes information that
identifies you and describes the care and services you receive.
This notice applies to all of the records, both electronic
and paper, about your care. It includes all information created by
University of Iowa staff. This staff includes physicians, other health
care professionals, students and other staff members.
This notice about privacy practices explains how, when, and
why we use and share your PHI. It explains your rights and our
responsibilities and tells you where to get additional information.
We may change the terms of this notice and our privacy
policy in the future. Any changes will apply to your past, current, or
future PHI. When we make an important change to our policies, we will
change this notice and post a new notice on our Web site (www.uiowa.edu
“privacy rule”). You may also request a copy of our current notice at
any time from the University of Iowa HIPAA Privacy Officer, Office of
the Provost, University of Iowa, Iowa City, Iowa 52242.
Uses of Protected Health Information
The unit at the University of Iowa where you receive
services collects health information about you and stores it in a chart
and may also store it on a computer. This is your medical record. The
medical record is the property of the University of Iowa, but the
information in the medical record belongs to you.
We use and disclose health information for many reasons.
The following examples describe some of the categories of our uses and
disclosures. Please note that not every use or disclosure in a category
is listed.
· Treatment – We may use and disclose medical
information about you to physicians, nurses, technicians, physicians in
training, or other health care professionals who are involved in your
care. Different health care professionals, such as pharmacists, lab
technicians, and x-ray technicians, also may share information about you
in order to coordinate your care.
· Health care operations – We may use and disclose
your PHI as part of our routine operations. For example, we may use
your PHI to evaluate the quality of health care services you received or
to evaluate the performance of health care professionals who cared for
you. We may also disclose information to physicians, nurses,
technicians, medical, nursing and other health professional students,
and other personnel as part of our educational mission.
· Appointment reminders and health-related benefits
or services – We may use your PHI to provide appointment reminders or
give you information about treatment alternatives or other health care
services.
· Public health activities – We report information
about births, deaths, and various diseases to governmental officials in
charge of collecting that information. We provide coroners, medical
examiners, and funeral directors information about an individual’s
death.
· Law enforcement – We may disclose PHI to
government agencies and law enforcement personnel when the law requires
it. For example, we report about victims of abuse, neglect, or domestic
violence, and gunshot victims, and when ordered to do so in judicial or
administrative proceedings.
· Health oversight activities – We may disclose PHI
to a health oversight agency for audits, investigations, inspections,
and licensure, as authorized by law. For example, we may disclose PHI to
the Food and Drug Administration, state Medicaid fraud control, or the
Health and Human Services Office for Civil Rights.
· Research studies – We may disclose your PHI to
help conduct research. Research may involve finding a cure for an
illness or helping to determine how effective a treatment is. All
research studies are subject to a specific approval process by a Privacy
Board or Institutional Review Board. This process evaluates a proposed
research study to determine that measures are in place to balance
research needs with the need for the privacy of your health
information. For some research activities you may be asked to
participate in a study and if you agree, the researcher will be required
to obtain your permission to use your PHI for that study.
· Organ donation – We may use your PHI to notify
organ donation organizations, and to assist them in organ, eye, or
tissue donation and transplants.
· Workers’ compensation purposes – We may disclose
PHI at your employer’s request regarding a work-related injury.
· National security and intelligence activities – We
may release PHI to authorized federal officials when required by law.
Uses and Disclosures for which You Have the Opportunity to Object
· Directory – listing your information in a
directory of patients (such as an information desk for visitors)
· Fundraising – providing your information to
University entities for purposes of sending you materials for
fundraising purposes
· Disclosures to family, friends, or others –
providing information that you are a patient
Except as described above, all other uses and disclosures of your PHI
will require your authorization.
Your Rights Regarding PHI
You have the right to:
· Request Restrictions
You have the right to ask that we limit how we use and disclose your
PHI. We will consider your request, but we are not legally required to
accept it. If we accept your request, we will put any limits in writing
and follow them except in emergency situations. You may not limit the
uses and disclosures that we are legally required or allowed to make.
To request a restriction, contact the Privacy Officer listed at the end
of this notice.
· Request Confidential Communications
If we send notices or information to you, you have the right to ask that we
send PHI to you at a different address. For example, you may wish to
have appointment reminders and test results sent to a PO Box or a
different address than your home address. We will accommodate
reasonable requests. To make a request, contact any member of your
health care team.
· Inspect and Copy
You have the right to inspect and obtain a copy of medical information
that may be used to make decisions about your care. Usually this
includes the medical record and billing records. To inspect and obtain
a copy of medical information, you must submit your request in writing
to either: the university department where you are receiving care or
the Privacy Officer listed at the end of this notice.
We will make every effort to respond to your request within a reasonable
period of time. You may be charged a fee to cover the costs of copying,
mailing, or other supplies associated with your request.
· Disclosures
You have the right to obtain a list of instances in which we have
disclosed your PHI. Your request must state a time period not longer
than six years and your request may not include dates before April 14,
2003. The list will not include uses or disclosures made for treatment,
payment or health care operations. In addition, the list will not
include uses or disclosures that you have specifically authorized in
writing. You must submit your request in writing to the Privacy Officer
listed at the end of this notice.
· Amend
You have the right to request an amendment of your PHI if you think that
information is inaccurate or incomplete in your medical record. You may
request an amendment for as long as that record is maintained. You may
submit a written request for an amendment to your medical record to:
Release of Information.
· Paper copy of this notice
You have the right to request a paper copy of this notice. You may pick
up a copy at any check-in point or request that a copy be sent to you.
Revocation of Permission
If you provide us with permission to use or disclose medical
information about you, you may revoke that permission at any time. You
must make your request in writing to Release of Information. Contact
information is listed at the end of this notice.
If you revoke your permission, we will no longer use or
disclose medical information about you for the reasons covered by your
written revocation. We are unable to take back any disclosures
previously made with your permission. Also, we are required to keep all
records of the care that we provided to you.
Complaints and Questions
If you believe your privacy rights have been violated, you
may file a complaint with the University of Iowa, or with the Office of
Civil Rights. To file a complaint with University of Iowa, contact the
University of Iowa Privacy Officer at the address and phone number
listed below. You will not be penalized for filing a complaint and your
care will not be compromised.
If you have questions about this notice, any complaints
about our privacy practices, or you would like to know how to file a
complaint with the Secretary of the Department of Health and Human
Services, Office of Civil Rights, please contact:
University of Iowa Privacy Officer
Office of the Provost, 111 JH
Iowa City, Iowa 52242
319-335-0292
This notice is in effect April 14, 2003.
H:Document/Policies/Uiprivacynotice04/22/03
UNIVERSITY OF IOWA
Privacy Notice Acknowledgment Form
By signing this form I acknowledge that I have received the University of
Iowa Privacy Notice. I have the right to review the Privacy Notice
prior to signing this acknowledgment form.
The University of Iowa has the right to change the Privacy Notice from
time to time. The revised Privacy Notice will be posted within the
clinical facilities, on the University of Iowa Athletic Training web
site, and paper copies will be available at Athletic Training Rooms.
Student-Athlete Name:___________________________________ Date: ________
Signature of Student-Athlete
or
Legal Representative: ________________________________________________
Relationship to the Student-Athlete:
______________________________________
This will be retained with the student-athlete record. Please return
this form to the Athletic Training Room Office.
For failure to obtain acknowledgment, check the appropriate reason:
[ ] Substantial communication barriers
[ ] Refusal to sign
[ ] Other _________________________________
Description:
_____________________________________________________________
Staff Signature: Date:
__________________________________ _________________
Department: Title:
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
Purpose: To define whether use or disclosure of Protected Health
Information (PHI) is required, permitted, or subject to authorization
requirements; to provide direction to staff regarding when patient
authorization is required for use or disclosure of PHI; and to provide
direction to staff regarding when PHI may be used or disclosed without
patient authorization.
Policy: It is the policy of the University of Iowa that the
confidentiality of Protected Health Information contained in records and
collected pursuant to treatment will be protected to the fullest extent
possible. To maintain this confidentiality, UI staff may not
disseminate PHI unless it is pursuant to a valid request, a valid
authorization or a legally recognized exception to this requirement.
Procedures
1. Required disclosures
· To a student-athlete who requests to see his or her own record
or an accounting of disclosures.
· To the legal representative of a student-athlete who makes a
request.
· To the Department of Health and Human Services for purposes of
determining compliance with the Privacy Rule.
2. Permitted uses and disclosures
· For purposes of treatment, payment, operations (“operations”
includes education)
· PHI will be available to students in educational programs for
use within the Athletic Training Rooms where the records are maintained
· In accordance with a student-athlete’s authorization
· Incident to a permitted use or disclosure
· In specific instances defined in the Privacy Rule (below)
3. Permitted uses and disclosures requiring verbal agreement and
opportunity to agree or object
· Facility directory, media, marketing
· Persons assisting in the student-athlete’s care
· Family members, close personal friends (patient assent)
4. Permitted uses and disclosures for which authorization is not
required
· Required by law
· Public health activities
· Disclosures to health oversight agencies
· Release pursuant to court order, subpoena or other discovery
request
· Required disclosures pertaining to victims of abuse, neglect or
domestic violence
· Disclosures for law enforcement purposes
· Disclosures to avert threats to public health and safety and to
support specialized government functions (military and security)
· Disclosures related to organ donation
· Disclosures related to workers compensation
Research is a critical mission of the University. Disclosure of PHI for
research purposes is permitted in accordance with protocols administered
by the Human Subjects Office.
Definitions:
Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained
in any form or medium, including oral, written and electronic.
Individually identifiable health information relates to an individual’s
health status or condition, furnishing health services to an individual
or paying or administering health care benefits to an individual.
Information is considered PHI where there is a reasonable basis to
believe the information can be used to identify an individual.
Use:
Use of PHI includes anything done with the information inside UIHC (i.e.
sharing, employment, application, utilization, examination, or analysis
of such information within an entity that maintains such information, 45
C.F.R. §164.501).
Disclosure:
Disclosure of PHI means anything done with the information outside the
covered entity (i.e. release, transfer, provision of access to, or
divulging in any other manner of information outside the entity holding
the information, 45 C.F.R. §164.501).
Health Oversight Agency:
Health Oversight Agency means an agency or authority of the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, or a person or entity acting under a
grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or
persons or entities to whom it has granted authority, that is authorized
by law to oversee the health care system (whether public or private) or
government programs in which health information is necessary to
determine eligibility or compliance, or to enforce civil rights laws for
which health information is relevant.
Reference: 45 C.F.R. §164.512
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
HIPAA-PROTECTED RECORDS: DESIGNATED RECORD SET
Purpose: To define those records maintained outside of the UI Health
Care units that are subject to the provisions of the HIPAA Privacy Rule.
Policy:
· All records containing Protected Health Information,
regardless of location, are protected by the Privacy Rule.
· The following units are subject to the staff training and
other requirements as elements of the University’s “hybrid entity”:
Client records in these units are subject to the Privacy Rule.
o University of Iowa Staff Benefits Office
o College of Dentistry
o Employee Wellness
o Wendell Johnson Speech and Hearing Clinic
o Seashore Psychology Training Clinic
o Athletic Training Rooms
· All records contained in employee files or elsewhere that
include PHI, health history or status or medical information about the
employee.
· Employee-submitted material including consent or authorization
forms, leave request reports, or related documentation.
Definition:
The “designated record set” includes:
· Medical records
· Billing records
· Enrollment, payment, claims adjudication records
· Case management records
References: 45 C.F.R. §164.501
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
ACCESS OF INDIVIDUALS TO PROTECTED HEALTH INFORMATION
Purpose: To define the process for responding to requests from
student-athletes for access to their PHI and to provide guidance to staff
regarding their responsibilities when student-athletes request access to PHI.
Policy: Student-athletes have a right to inspect and copy PHI contained
in their records.
Procedures:
1. Requests to inspect or receive copies of PHI
A student-athlete must make the request in writing using the
Student-Athlete Request to Access Protected Health Information Form and
submit it to the Associate Director of Athletic Training or the
HIPAA Privacy Officer.
2. Response
The Associate Director of Athletic Training or HIPAA Privacy Officer
will contact the individual making the request within 30 days and
arrange for inspection and/or copying.
The University reserves the right to deny access under the same
circumstances outlined in Athletic Training Policy “Access of
Individuals to Protected Health Information in the Designated Record
Set.”
Reference: 45 C.F.R. §164.524
University of Iowa
Student-Athlete Request to Access Protected Health Information
Student-Athlete Name________________________ Date of Birth___/___/____
Date of Request___/___/____
I request that University of Iowa provide me with access to my personal
health information as described below:
_____________________________________________________________
I request access to my personal health information covering the dates of
___/___/____ through ___/___/____.
Type of access requested:
[ ] Copies of requested information (please specify the format you
desire)
[ ] Hard Copy
[ ] Other____________________
I understand that University of Iowa may charge a fee for the costs of
copying, mailing, preparing a summary or other supplies associated with
my request.
Please contact me at the following telephone number to arrange
inspection or copying:
Telephone number: ____________________
e-mail: ______________________________
hours preferred: _______________________
___________________________________________ ___/___/____
Signature of Student-Athlete or Student-Athlete’s Authorized
Representative Date
If signed by the student-athlete’s Representative, please print the name
and describe relationship to the student-athlete:
______________________________ _______________________
Print Name Relationship
You will receive a response within 30 days of the receipt of your
request.
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
REQUEST FOR CONFIDENTIAL COMMUNICATIONS
Purpose: To define the process for responding to requests from
student-athletes or their legal representatives to receive confidential
communications of their Protected Health Information (PHI); to instruct
staff on how to respond to requests from student-athletes or their legal
representatives for confidential communications of their PHI.
Policy: It is the policy of the University of Iowa to accommodate
requests from student-athletes or their legal representatives to receive
communications of PHI by alternative means or at alternative locations.
The provision of this communication may require an alternative address
or other method of contact.
Procedures:
· Student-athletes or their legal representatives may request to
receive communications of PHI by alternative means or at a different
location by contacting the Associate Director of Athletic Training or a
care provider.
· The request should be in writing in order to document the
alternative method or location on the attached form.
· The request may be denied if the student-athlete fails to
specify an alternative address or means of contact.
· The alternative address/contact will be used until the
student-athlete or the student-athlete’s legal representative advises
the college or health care unit to return to the original designated
address.
Reference: 45 C.F.R. §164.522
The University of Iowa
Privacy Rule
Request for Confidential Communications Regarding Medical Information
I wish to request that the communication about my health and medical care,
which contains Protected Health Information, be communicated to me in
the following manner (check one):
_____ By telephone at my home number
_____ By telephone at another number
_____ By FAX at a number provided
_____ By mail at an address other than the one on
the record
Please provide the information we will need to send the information to
you at your preferred location (complete address, phone number,
etc.): __________________
The University will not ask you the reason for your request and will
accommodate all reasonable requests.
If you cannot be reached at the designated alternative location you
specify, the University may use other means to contact you.
When you have completed this form, please give it to your health care
provider or send it to: HIPAA Privacy Offices, C-43 GH, University of
Iowa, Iowa City, Iowa 52242.
__________________________ ___________________
Signature Date
_________________________ ___________________
Staff member Title
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
DISCLOSURE OF PROTECTED HEALTH INFORMATION TO PERSONAL REPRESENTATIVES
Purpose: To define when and what protected health information (PHI) may
be released to an individual’s personal representative.
Policy: The university unit in possession of PHI will treat the personal
representative as the individual when using and disclosing the
individual’s PHI EXCEPT
A “personal representative” is an individual who has authority by law
(parent, legal guardian) or by authority from the individual receiving
services to act in the place of that individual. This includes parents,
legal guardians, persons with power of attorney and may also include the
family or next of kin of a non-autonomous student-athlete who has no
legally appointed surrogate. The authority of the personal
representative is limited: the representative must be treated as the
individual only to the extent that PHI is relevant to the matters on
which the personal representative is authorized to represent the
individual.
Procedures: What follows are guidelines in determining a
student-athlete’s personal representative. Questions about whether or
not a person is a personal representative of a patient should be
directed to the University’s HIPAA Privacy Officer.
A. Adults and Emancipated Minors
If a person has authority by law to act on behalf of an individual who is
an adult or an emancipated minor in making decisions related to use and
disclosure of PHI, that person will be treated as a personal
representative. Once a minor is emancipated, a guardian or a parent
cannot be recognized as a personal representative.
B. Children (under 18 years)
In general, parents will be the personal representatives of their
children. In some cases, there will be a legal guardian or another
individual who has been designated to act on behalf of a child. These
individuals will be recognized as personal representatives.
Note: A minor does not require the consent of an adult in order to consent
to treatment for: testing and counseling for sexually transmitted
diseases, treatment and rehabilitation for substance abuse, and limited
reproductive issues. In these cases the minor will be treated as an
individual and may provide authorization for release of their PHI.
C. Deceased Individuals
The personal representative will be an executor, administrator or other
person designated to act on behalf of a deceased individual or the
estate.
D. Exception
The UI may elect not to recognize an individual as a personal
representative if there is reason to believe that:
· Deceased Individuals
If an executor, administrator, or other person has authority to act on
behalf of a deceased individual or of the individual’s estate, UIHC will
treat such person as a personal representative with respect to PHI
relevant to such personal representative.
· Abuse, Neglect, Endangerment Situations
Elect not to recognize a person as the personal representative of an
individual if Athletic Training Services has a reasonable belief that:
1. The individual has been or may be subjected to domestic
violence, abuse, or neglect by a parent, guardian or personal
representative; or
2. Treating such a person as the personal representative could
endanger the individual; and
3. In the exercise of professional judgment it is not in the best
interest of the individual to treat the person as the individual’s
personal representative.
Definitions:
Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained
in any form or medium, including oral, written and electronic.
Individually identifiable health information relates to an individual’s
health status or condition, furnishing health services to an individual
or paying or administering health care benefits to an individual.
Information is considered PHI where there is a reasonable basis to
believe the information can be used to identify an individual.
References: 45 C.F.R. §164.502
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
VERIFICATION OF IDENTITY AND AUTHORITY OF PERSONS REQUESTING PROTECTED
HEALTH INFORMATION
Purpose: To define guidelines and procedures that should be followed to
verify the identity and authority of persons and entities requesting
Protected Health Information (PHI).
Policy: Protected Health Information (PHI) will be disclosed only to
persons who are authorized to receive it. Appropriate statements or
documents confirming the identity of the persons requesting PHI are
required as a condition of disclosure.
Procedures:
· PHI will be disclosed as a customary part of providing
student-athlete care, between and among individuals assisting in care
and as part of the teaching mission of the University. This is
permissible.
· Before PHI is released for purposes other than treatment,
payment, or operations, there must be appropriate documentation or
statements, which provide authorization for disclosure.
I. Verifying Public Officials or Requests under Legal Authority
A. Staff may rely on any of the following to verify identity when
the disclosure of PHI is to a public official or a person acting on
behalf of the public official:
1. If the request is made in person, presentation of an
agency identification badge, other official credentials, or other proof
of government status;
2. If the request is in writing, the request is on the
appropriate government letterhead;
3. If the disclosure is to a person acting on behalf of
a public official, a written statement on appropriate government
letterhead that the person is acting under the government’s authority or
other evidence or documentation of agency, such as a contract for
services, memorandum of understanding, or purchase order, that
establishes that the person is acting on behalf of the public official;
4. A written statement of legal authority under which
the information is requested, or if a written statement would be
impracticable, an oral statement of such legal authority; or
5. If a request is made pursuant to legal process,
warrant, subpoena, order, or other legal process issued by a grand jury
or a judicial or administrative tribunal, it is presumed to constitute
legal authority.
II. Imminent threat to safety
If there is an imminent threat to safety, it is lawful to disclose PHI to
prevent or lessen a serious and imminent threat to the health or safety
of a person or the public if disclosure is made to a person reasonably
able to prevent or lessen the threat. If these conditions are met, no
further verification is needed.
III. Verification of an Individual
An individual will be given access to his/her PHI (under most
circumstances). Staff will take reasonable steps to verify the identity
of the individual making the request.
IV. Verification of a Personal Representative
Staff may require proper documentation of the personal representative’s
legal authority; or, if a personal representative is not known, may ask
questions to determine that an adult acting for a young child has the
requisite relationship to the child. Documentation of the
statements/representations should be noted in the record.
Definitions:
Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained
in any form or medium, including oral, written and electronic.
Individually identifiable health information relates to an individual’s
health status or condition, furnishing health services to an individual
or paying or administering health care benefits to an individual.
Information is considered PHI where there is a reasonable basis to
believe the information can be used to identify an individual.
Reference: 45 C.F.R. §164.514, 164.510(b)
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
RESTRICTIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
Purpose: To define the process for responding to requests from
student-athletes or their legal representation to restrict uses and
disclosures of their Protected Health Information (PHI); to provide
direction to staff on how to respond to requests for restrictions on
uses and disclosures of their PHI.
Policy: Student-athletes and their legal representatives have the right
to request restrictions on the uses and disclosures of PHI for:
treatment, payment, health care operations, disclosures to a family
member or other relative or close personal friend, or any other person
identified by the student-athlete.
Procedure: A student-athlete or legal representative may request a
restriction in writing on the attached form, directed to the Privacy
Officer. A written response will be provided and all relevant
documentation will be kept on file for 6 years.
Exceptions to restrictions include the following:
· The Office of DHHS,
· Where consent is not required for disclosure (required by law;
public health; health oversight activities; abuse and neglect; law
enforcement purposes; judicial and administrative proceedings; approved
research; specialized government functions; organ donation; worker’s
compensation).
· To health care providers for emergency treatment.
Termination of restrictions: Restrictions will be terminated when the
student-athlete or legal representative asks that the restriction be
ended. This request needs to be communicated to care providers and the
HIPAA Privacy Officer.
Other restrictions: Student-athletes may request restrictions on the
disclosure of PHI to family members, friends or others. Care providers
are to exercise professional judgment in each instance and advise the
student-athlete of their decision.
Reference: 45 CFR §164.522, §164.512
The University of Iowa
Privacy Rule
Request for Restricting Use or Disclosure of Protected Health
Information
Instructions: Place a check or other mark in the space provided or
indicate “not applicable” (N/A) to indicate which request applies
I wish to restrict the use or disclosure of my protected health
information by The University of Iowa in the following manner:
I. I wish to restrict release of the following information
(e.g. that I have had a particular treatment or diagnosis, to the extent
this is permissible by law): ____________________________________
II. I wish to restrict the use and disclosure of protected
health information in the following way:__________________________
III. I request that this restriction apply to the following
individuals or entities: (identify the person or entities to whom you
do not want information released):__________________________________
Signature: _____________________   Date: ___________________
Athletic Training Room: ______________________
Signature of Staff Member: ______________________   Title: __________   Date: __________
Give this request to the Associate Director ATS or send it to the HIPAA
Privacy Officer, C-43 GH, The University of Iowa, Iowa City, Iowa, 52242
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION
Purpose: To define the process for responding to requests from
student-athletes or their legal representatives to receive an accounting
of Protected Health Information (PHI) disclosures made by health care
units of the University of Iowa; to provide direction to staff members
regarding their responsibilities when a patient requests an accounting
of disclosures of their PHI.
Policy: It is the policy of the University to provide, at the
student-athlete’s request, an accounting of disclosures made of the
student-athlete’s PHI. The accounting of disclosures may include up to
six years prior to the date the accounting is requested and not prior to
April 14, 2003. Disclosures made under the following circumstances are
excluded from the accounting:
· Disclosures made for purposes of treatment, payment, and
operations (including education of future health professionals);
· Disclosures to the student-athlete;
· Disclosures to people involved in the student-athlete’s care;
· Disclosures authorized by the student-athlete or the
student-athlete’s legal representative;
· Disclosures authorized or required by law.
Procedures:
· A student-athlete must make the request for an accounting
using the “Request for Accounting of Disclosures” form.
· These forms can be obtained from and submitted to the
Associate Director of ATS or care provider.
· Request for Accounting forms are to be sent to the UI Privacy
Officer.
· UIHC will retain for a period of six years copies of the
request and a copy of the written accounting that was provided to the
student-athlete.
· A student-athlete may authorize in writing that the accounting
of disclosures be released to another individual or entity. The request
must clearly identify all information required to carry out the request
(name, address, phone number, etc.).
Providing the accounting.
· The UI Privacy Officer will provide the student-athlete with
an accounting of disclosures within 60 days after receipt of the
request.
· If the accounting cannot be completed within 60 days after
receipt of the request, the student-athlete will receive a written
statement of the reason for the delay and the expected completion date.
The accounting must be provided to the student-athlete within 90 days.
· The UI will provide the accounting to the individual at no charge
for a request made once during any twelve-month period. A fee may be
charged for any additional requests made during a twelve-month period as
explained in the Privacy Notice and on the request form.
*Definition of Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained
in any form or medium, including oral, written and electronic.
Individually identifiable health information relates to an individual’s
health status or condition, furnishing health services to an individual
or paying or administering health care benefits to an individual.
Information is considered PHI where there is a reasonable basis to believe
the information can be used to identify an individual.
Reference: 45 C.F.R. §164.528
The University of Iowa
Privacy Rule
Request for Accounting of Disclosures
1.
Student-athlete Information
Name______________________________________________
Date of Birth_________________________________________
Date of this Request___________________________________
Address____________________________________________
Address to which accounting should be sent if different from
above:
_____________________________________________________
2.
Request for Accounting of Disclosures and Dates Requested
I understand that I have the right to receive an accounting (or list) of
certain disclosures of my protected health information made by The
University of Iowa during the six (6) years before the date on which I
request the accounting, but not prior to April 14, 2003. I hereby
request an accounting of the disclosures of my protected health
information that were made during the following time frames:
From:_________________(mo/date/yr) To_______________(mo/date/yr)
I understand that this accounting excludes disclosures related to
treatment, payment, operations, disclosures authorized by me, and
disclosures made pursuant to any legal requirement such as a mandatory
report.
3.
Response Time
I understand that the accounting I have requested will be provided to me
within 60 days unless I am notified in writing that an extension of up
to 30 days is required.
_______________________________________________
Signature
_______________________________________________
Date
When you have completed this form, give it to the Associate Director
of ATS or send it to the HIPAA Privacy Officer, C-43 GH, The University
of Iowa, Iowa City, Iowa, 52242.
________________________________________________________________
Date Request received:_____________________________________________
Date Accounting sent:______________________________________________
Extension requested: ________ no ________ yes. If yes, explain: ____________________________________________________
Individual notified in writing of extension (date and by whom): _____________________________________________________
Name of staff member processing Request: ______________________________
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
CORRECTIONS AND AMENDMENTS TO RECORD
Purpose: To define the process for responding to requests from
student-athletes and/or student-athlete’s representatives to correct or
amend the Protected Health Information (PHI) in the record and to advise
staff on how to respond to requests to correct or amend the record.
Policy: It is the policy of the University of Iowa to allow
student-athletes or their legal representatives to request amendments to
the PHI contained in the health record.
Procedure:
· If a student-athlete feels a correction should be made, the
student-athlete should be referred to the principal health care
provider.
· Care providers should exercise professional judgment and
determine whether that correction or amendment is appropriate.
· If the care provider agrees with the amendment to the record,
the change should be made.
· If the care provider does not agree with the request, believes
it should be denied, or does not wish to make the correction, the provider
should ask the student-athlete to submit the request, in writing, on the
“Request for Correction/Amendment” Form.
· This form should be submitted to the Associate Director of ATS, who
will work with the University Privacy Officer and others, as needed, to
resolve the issue.
Response to Request for Amendment:
The Associate Director of ATS (or designee) must respond to requests for
amendment no later than 60 days after receipt of the request. A
one-time extension up to 30 days may be granted as long as the
student-athlete or the legal representative is provided with a written
statement of the reason for the delay.
· Denial of Amendment.
The student-athlete’s request for amendment may be denied if it is
determined that the PHI or record created by the U of I unit is accurate
and complete.
o A statement documenting the denial will be appended to the
student-athlete’s medical record.
· Making the Amendment.
o If the amendment is accepted, the Associate Director of ATS
(or designee) must make the amendment by designating the records that
are affected and attaching or providing a link to the location of the
amendment.
o The student-athlete or the legal representative must be
informed in a timely manner that the amendment has been accepted, and the
names of persons with whom the amendment must be shared must be
obtained.
o Reasonable efforts must be made to provide the amendment to
persons identified by the student-athlete or their legal representative
and/or persons who may have relied or could foreseeably rely on the
information to the detriment of the student-athlete.
· Statement of Disagreement; Rebuttal Statement.
o A student-athlete or their legal representative may submit a
written statement disagreeing with the denial of a requested amendment.
o This statement may be limited in length.
o A rebuttal may be prepared to such a statement.
o Such statements will be appended to the record.
· Future Disclosures.
o If a statement of disagreement has been submitted, future
disclosures will include the appended material, or if appropriate, an
accurate summary of such information with any subsequent disclosure of
PHI to which this disagreement relates.
o If no statement of disagreement has been submitted, future
disclosures will include the student-athlete’s request for amendment and
denial of such only if the student-athlete or their legal representative
requests.
*Definition of Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained
in any form or medium, including oral, written and electronic.
Individually identifiable health information relates to an individual’s
health status or condition, furnishing health services to an individual
or paying or administering health care benefits to an individual.
Information is considered PHI where there is a reasonable basis to
believe the information can be used to identify an individual.
Reference: 45 C.F.R. §164.526, §164.524
The University of Iowa
Privacy Rule
Request to Amend Health Care Records
I wish to request that The University of Iowa correct or complete my
medical and/or health care information in its records as follows:
A. Describe what information is incomplete or incorrect and what you
believe should be changed. State what information you believe should be
added and/or deleted: _____________________________________________
B. Describe the reason that supports your request. Attach copies of
documents that support your request, if applicable: ___________
The University may deny your request for an amendment if it is not in
writing or it does not include a reason to support the request. In
addition, the University may deny your request to amend information that
1) was not created by the University of Iowa Athletic Training Service
or health care unit; 2) is not part of the record maintained by the
University of Iowa and its health care units.
Signature: ______________________   Address: _______________________
Date: ______________________
Athletic Training Room: ______________________
Please give this form to the Associate Director of ATS or send it to the
HIPAA Privacy Officer, 320 CMAB, The University of Iowa, Iowa City, Iowa
52242
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
PROTECTED HEALTH INFORMATION TRANSFERRED TO OTHER SYSTEMS
Purpose: To outline security safeguards that must be in place when PHI
is transferred to other systems and devices.
Policy: Protected Health Information (PHI) transferred from university
computers, systems or devices to other systems or devices is subject to
the requirements of the Privacy Rule. The need for rigorous security
provisions applies to all devices that contain PHI, regardless of device
type, ownership, or the method of transfer.
Any individual or entity electing to download report data or to
transfer it to a personal or hand-held computer is responsible for
ensuring the security and privacy of PHI on the target system.
Protection controls can include (but are not limited to) the use of
strong passwords changed at regular intervals; the use and enforcement
of system locks or session time-out controls; secure equipment storage;
procedures for purging PHI from magnetic media prior to device release
or reuse. This applies to PHI used in any device regardless of location
or ownership.
Use of downloaded or transferred data is limited to the acceptable uses
delineated in the Privacy Rule (treatment, payment, and operations,
which include research and education); subject to the “minimum
necessary” standard. The use of downloaded or transferred data for the
purposes above does not grant the right to share the data with other
individuals and/or entities or to subsequent transfers. Violations of
these regulations can result in severe legal and financial penalties.
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)
Purpose: To define the guidelines and procedures necessary for the
de-identification of Protected Health Information (PHI) contained in
university records, and to provide direction to staff regarding the use of
de-identified PHI.
Policy: Protected Health Information is confidential, except when
disclosure is authorized or compelled and the university has a duty to
protect the privacy of records.
PHI can be de-identified by removing identifying characteristics.
De-identified health information is no longer considered to be
individually identifiable health information and the requirements of the
Privacy Rule do not apply.
Procedure:
For PHI to be de-identified, one of the following must occur:
1) Statistical De-identification: A person with appropriate
knowledge of and experience with generally accepted statistical and
scientific principles and methods for rendering information not
individually identifiable determines the PHI is de-identified. This
person must determine that the risk is very small that the information
could be used, alone or in combination with other reasonably available
information, by an anticipated recipient, to identify an individual who
is a subject of the information. This person must document the methods
and results of the analysis that justify such determination. This
process must be approved by the UI Privacy Officer.
2) Alternative Method of De-identification Prescribed by Privacy
Rule:
a) De-identification requires the elimination not only of primary
or obvious identifiers, such as name, address, date of birth, but also
of secondary identifiers through which a user could deduce the
individual’s identity. For PHI to be de-identified the following
identifiers of the individual or of relatives, employers, or household
member of the individual, must be removed:
1) Names
2) Address information smaller than a state, including
street address, city, county, zip code (except if by combining all zip
codes with the same initial three digits, there are more than 20,000
people)
3) Names of relatives and employers
4) All elements of dates (except year), including date
of birth, date of medical or health care, date of death; all ages over
89 and all elements of dates including year indicative of such age
except that such age elements may be aggregated into a single category
of age 90 or older
5) Telephone numbers
6) Fax numbers
7) Email addresses
8) Social Security Number
9) Medical or other record number
10) Health beneficiary plan number
11) Account numbers
12) Certificate/License Number
13) Vehicle identifiers, including license plate numbers
14) Device ID and serial number
15) Uniform Resource Locator (URL)
16) Internet Protocol (IP) addresses
17) Biometric identifiers, including finger and voice prints
18) Full face photographic images and other comparable
images
19) Any other unique identifying number, characteristic, or
code;
b) In addition, the university must not have actual knowledge that
the information could be used alone or in combination with other
information to identify an individual who is a subject of the
information.
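The removal-and-generalization procedure in 2(a), together with the residual-knowledge condition in 2(b), as an added worked example in Python; this is illustrative code, not University of Iowa code. The field names, the two sample records and the 3-digit ZIP population table are constructed for the demonstration, and the regular-expression scan at the end is one heuristic way of checking free-text fields for identifiers that survived, not a requirement stated by the policy. The statistical route in 1) is not modelled.

```python
"""Safe Harbor style de-identification of a single health record.
Added example, not University of Iowa code. Field names, sample records
and the ZIP-prefix population table are constructed for the demo."""
import re
from datetime import date

# Constructed lookup: residents per 3-digit ZIP prefix. Real use would take
# this from census data; these numbers are made up for the example.
ZIP3_POPULATION = {"522": 150_000, "036": 12_000}

# Items 1, 3 and 5-19 of the list: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "relative_names", "employer", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id",
    "photo", "other_unique_code",
}
# Item 2: geography smaller than a state is dropped; ZIP is generalized.
SUB_STATE_GEOGRAPHY = {"street", "city", "county"}
# Item 4: dates keep only the year.
DATE_FIELDS = {"date_of_birth", "date_of_service", "date_of_death"}

# Patterns for identifiers that tend to hide in free-text fields (item 19
# and the "actual knowledge" condition in b). Heuristic, not exhaustive.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the 3-digit prefix only if its combined population exceeds
    20,000; otherwise replace it with 000."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def compute_age(dob_iso, reference_iso):
    """Whole years from date of birth to the reference date."""
    dob, ref = date.fromisoformat(dob_iso), date.fromisoformat(reference_iso)
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def deidentify(record, reference_iso):
    """Copy of ``record`` with the listed identifiers removed or generalized;
    ``reference_iso`` is the date against which age is measured."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUB_STATE_GEOGRAPHY:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field + "_year"] = value[:4]
        else:
            out[field] = value
    if "date_of_birth" in record:
        age = compute_age(record["date_of_birth"], reference_iso)
        if age > 89:
            # Ages over 89 collapse into one category; the birth year goes
            # too, because it alone would reveal such an age.
            out["age"] = "90+"
            out.pop("date_of_birth_year", None)
        else:
            out["age"] = age
    return out


def residual_identifiers(record):
    """(field, pattern) pairs for identifier-like strings still present,
    typically inside notes. A non-empty result means b) is not met."""
    return [
        (field, name)
        for field, value in record.items()
        if isinstance(value, str)
        for name, pattern in RESIDUAL_PATTERNS.items()
        if pattern.search(value)
    ]


# Constructed sample records.
YOUNG_ADULT = {
    "name": "Jane Doe", "date_of_birth": "1999-04-12",
    "date_of_service": "2020-10-03", "street": "123 Main St",
    "city": "Iowa City", "state": "IA", "zip": "52242",
    "phone": "319-555-0100", "email": "jane@example.com",
    "mrn": "MRN-12345", "diagnosis": "ankle sprain",
    "notes": "Follow-up in two weeks.",
}
OVER_89 = {
    "name": "John Roe", "date_of_birth": "1928-02-01",
    "date_of_service": "2020-10-03", "state": "NH", "zip": "03601",
    "diagnosis": "hypertension",
    "notes": "Daughter can be reached at 603-555-0199.",
}

if __name__ == "__main__":
    for rec in (YOUNG_ADULT, OVER_89):
        clean = deidentify(rec, "2020-10-03")
        print(clean, residual_identifiers(clean))
```

Run against the second constructed record, the structured fields come out clean (ZIP prefix 036 falls below the 20,000 threshold and becomes 000, the age collapses to "90+" and the birth year is dropped), but the free-text note still carries a phone number, which is exactly the kind of leftover that condition b) is about and that a field-by-field rule set will not catch on its own.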
*Definitions:
Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained
in any form or medium, including oral, written, and electronic.
Individually identifiable health information relates to an individual’s
health status or condition, furnishing health services to an individual
or paying or administering health care benefits to an individual.
Information is considered PHI where there is a reasonable basis to
believe the information can be used to identify an individual.
Reference: 45 C.F.R. §164.514
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
BUSINESS ASSOCIATES
Purpose: To define the guidelines and procedures that must be followed
for Business Associates* at the University of Iowa.
Policy: A Business Associate is a person or entity that provides certain
functions, activities, or services on behalf of the University involving
the use and/or disclosure of Protected Health Information (PHI)**. The
University is required to take action if it becomes aware of a practice
or pattern that constitutes a violation of the policy protecting
confidentiality of PHI.
Procedures:
· The University will identify its Business Associates and
maintain a database of Business Associates.
Business Associate Contracting
· The University will enter into contracts, approved by the
Business Officer, with Business Associates.
· Contracts between the University and Business Associates will
be consistent with the requirements of the HIPAA Privacy Rule and will
provide, at a minimum, that the Business Associate will:
o Use appropriate safeguards to prevent use or disclosure of PHI
other than as provided for by its agreement;
o Report to the UI any use or disclosure of PHI not provided for
by its agreement of which the Business Associate becomes aware;
o Not use or further disclose PHI except as permitted by the
agreement or required by law;
o Ensure that any agents, or sub-contractors, to whom it
provides PHI received from, created by, or on behalf of UI, agree to the
same restrictions and conditions that apply to the Business Associate
with respect to PHI;
o Make available PHI in accordance with UI policies and
procedures;
o Make internal records, documents, books or other
items related to the use and disclosure of PHI received from or created
on behalf of UI available to DHHS upon request for audit or compliance
purposes;
o At termination of the agreement, return or destroy all PHI
received from or created on behalf of UI that the Business Associate
maintains in any form, and retain no copies. If return or destruction is
not feasible, extend the protections of the contract to the information
and limit further uses and disclosures to those purposes that make the
return of the information infeasible.
Breaches of Contract
· In the event that UI becomes aware of a pattern or practice of
the Business Associate that constitutes a violation of the Business
Associate’s obligations under its agreement, UI will take reasonable
steps to end the violation.
· In the event that the Business Associate cannot or will not
remedy the practice or pattern, UI may terminate the contract if
feasible. Where termination is not feasible, the UI Privacy Officer
will report the problem to appropriate authorities.
*“Business Associate” is a person or entity who, on behalf of a covered
entity, 1) performs or assists in the performance of (a) a function or
activity involving the use or disclosure of individually identifiable
health information. Examples include claims processing, data analysis,
utilization review, quality assurance, billing, benefit management,
practice management, and repricing; or (b) any other function or
activity regulated by the HIPAA Privacy Rule; or 2) provides, in a capacity
other than as a member of the workforce, legal, actuarial, accounting,
consulting, data aggregation, management, administration, accreditation,
financial, or other services to, for, or on the behalf of the covered
entity, in which the covered entity participates and where the provision
of the service involves the disclosure of individually identifiable
protected health information.
**Definition of Protected Health Information (PHI):
Individually identifiable health information transmitted or maintained
in any form or medium, including oral, written, and electronic.
Individually identifiable health information relates to an individual’s
health status or condition, furnishing health services to an individual
or paying or administering health care benefits to an individual.
Information is considered PHI where there is a reasonable basis to believe
the information can be used to identify an individual.
References: 45 C.F.R. §§164.504, 164.524, 164.526, 164.528
BUSINESS ASSOCIATE AGREEMENT
This Agreement dated as of ________ ______________is made by and between
University of Iowa (Hereinafter “Covered Entity”) and____ ____________,
(Hereinafter “Business Associate”).
INTRODUCTION
This Agreement governs the terms and conditions under which Business
Associate will access personal health information belonging to patients
of Covered Entity in performing services for, or on behalf of, Covered
Entity. Specifically, this agreement governs the terms and conditions
under which Koch Brothers will provide microfilming services to the
Department of Speech Pathology and Audiology.
1) DEFINITIONS
Terms used, but not otherwise defined, in this Agreement shall have the
same meaning as those terms in 45 CFR 160.103 and 164.501. For purposes
of this section:
a) Individual. “Individual” shall have the same meaning as the term
“individual” in 45 CFR 164.501 and shall include a person who qualifies
as a personal representative in accordance with 45 CFR 164.502(g).
b) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy
of Individually Identifiable Health Information at 45 CFR part 160 and
part 164, subparts A and E.
c) Protected Health Information. “Protected Health Information”
shall have the same meaning as the term “protected health information”
in 45 CFR 164.501, limited to the information created or received by
Business Associate from or on behalf of Covered Entity.
d) Required By Law. “Required By Law” shall have the same meaning as
the term “required by law” in 45 CFR 164.501.
e) Secretary. “Secretary” shall mean the Secretary of the Department
of Health and Human Services or his designee.
2) OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
Business Associate agrees to:
a) Not use or further disclose Protected Health Information other
than as permitted or required by the Agreement or as Required By Law.
b) Use appropriate safeguards to prevent use or disclosure of the
Protected Health Information other than as provided for by this
Agreement.
c) Mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of Protected Health
Information by Business Associate in violation of the requirements of
this Agreement.
d) Report to Covered Entity any use or disclosure of the Protected
Health Information not provided for by this Agreement.
e) Ensure that any agent, including a subcontractor, to whom it
provides Protected Health Information received from, or created or
received by Business Associate on behalf of Covered Entity agrees to the
same restrictions and conditions that apply through this Agreement to
Business Associate with respect to such information.
f) In the event that the Business Associate maintains PHI in a
designated records set, Business Associate agrees to provide access, at
the request of Covered Entity, and in the time and manner designated by
Covered Entity, to Protected Health Information in a Designated Record
Set, to Covered Entity or, as directed by Covered Entity, to an
Individual in order to meet the requirements under 45 CFR 164.524.
g) In the event that the Business Associate maintains Protected
Health Information in a designated records set, Business Associate
agrees to make any amendment(s) to Protected Health Information in a
designated record set that the Covered Entity directs or agrees to
pursuant to 45 CFR 164.526 at the request of Covered Entity or an
Individual, and in the time and manner designated by Covered Entity.
h) Make internal practices, books, and records relating to the use
and disclosure of Protected Health Information received from, or created
or received by Business Associate on behalf of, Covered Entity available
to the Covered Entity, or at the request of the Covered Entity to the
Secretary, in a time and manner designated by the Covered Entity or the
Secretary, for purposes of the Secretary determining Covered Entity's
compliance with the Privacy Rule. In the event such a request comes
directly from the Secretary, Business Associate agrees to notify Covered
Entity immediately of such request.
i) Document such disclosures of Protected Health Information and
information related to such disclosures as would be required for Covered
Entity to respond to a request by an Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 CFR
164.528.
j) Provide to Covered Entity or an Individual, in time and manner
designated by Covered Entity, information collected in accordance with
this section, to permit Covered Entity to respond to a request by an
Individual for an accounting of disclosures of Protected Health
Information in accordance with 45 CFR 164.528.
3) PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
Except as otherwise limited in this Agreement, Business Associate may
use or disclose Protected Health Information, as follows:
on behalf of, Covered Entity, provided that such use or disclosure would
not violate the Privacy Rule if done by Covered Entity.
a) Except as otherwise limited in this Agreement, Business Associate
may disclose Protected Health Information for the proper management and
administration of the Business Associate, provided that disclosures are
required by law, or Business Associate obtains reasonable assurances
from the person to whom the information is disclosed that it will remain
confidential and used or further disclosed only as required by law or
for the purpose for which it was disclosed to the person, and the person
notifies the Business Associate of any instances of which it is aware in
which the confidentiality of the information has been breached.
4) OBLIGATIONS OF COVERED ENTITY
Covered Entity shall provide Business Associate with the notice of
privacy practices that Covered Entity produces in accordance with 45 CFR
164.520, as well as any changes to such notice.
5) PERMISSIBLE REQUESTS BY COVERED ENTITY
Covered Entity shall not request Business Associate to use or disclose
Protected Health Information in any manner that would not be permissible
under the Privacy Rule if done by Covered Entity.
6) TERM AND TERMINATION
a) Term. The obligations set forth in this section shall be
effective as of the date the first protected health information is
released to Business Associate pursuant to this Agreement, and shall
terminate only when all of the Protected Health Information provided by
Covered Entity to Business Associate, or created or received by Business
Associate on behalf of Covered Entity, is destroyed or returned to
Covered Entity, or, if it is infeasible to return or destroy Protected
Health Information, protections are extended to such information, in
accordance with the termination provisions in this Section.
b) Termination for Cause. Upon Covered Entity's knowledge of a
material breach by Business Associate, Covered Entity shall provide an
opportunity for Business Associate to cure the breach or end the
violation. Covered Entity may terminate this Agreement if Business
Associate does not cure the breach or end the violation within the time
specified by Covered Entity.
c) Effect of Termination.
(i) Except as provided in paragraph (ii) of this section, upon
termination of this Agreement, for any reason, Business Associate shall
return or destroy all Protected Health Information received from Covered
Entity, or created or received by Business Associate on behalf of
Covered Entity. This provision shall apply to Protected Health
Information that is in the possession of subcontractors or agents of
Business Associate. Business Associate shall retain no copies of the
Protected Health Information.
(ii) In the event that Business Associate determines that returning or
destroying the Protected Health Information is infeasible, Business
Associate shall provide to Covered Entity notification of the conditions
that make return or destruction infeasible. Upon mutual agreement of the
Parties that return or destruction of Protected Health Information is
infeasible, Business Associate shall extend the protections of this
Agreement to such Protected Health Information and limit further uses
and disclosures of such Protected Health Information to those purposes
that make the return or destruction infeasible, for so long as Business
Associate maintains such Protected Health Information.
d) Survival. The respective rights and obligations of Business
Associate under this section shall survive the termination of this
Agreement.
7) OWNERSHIP OF INFORMATION
Covered Entity holds all right, title, and interest in and to the PHI
and Business Associate does not hold and will not acquire by virtue of
this Agreement or by virtue of providing goods or services to Covered
Entity, any right, title, or interest in or to the PHI or any portion
thereof.
8) RIGHT TO INJUNCTIVE RELIEF
Business Associate expressly acknowledges and agrees that the breach, or
threatened breach, by it of any provision of this Agreement may cause
Covered Entity to be irreparably harmed and that Covered Entity may not
have an adequate remedy at law. Therefore, Business Associate agrees
that upon such breach, or threatened breach, Covered Entity will be
entitled to seek injunctive relief to prevent Business Associate from
commencing or continuing any action constituting such breach without
having to post a bond or other security and without having to prove the
inadequacy of any other available remedies. Nothing in this paragraph
will be deemed to limit or abridge any other remedy available to Covered
Entity at law or in equity.
9) MISCELLANEOUS
a) Regulatory References. A reference in this Agreement to a section
in the Privacy Rule means the section as in effect or as amended, and
for which compliance is required.
b) Amendment. The Parties agree to take such action as is necessary
to amend this Agreement from time to time as is necessary for Covered
Entity to comply with the requirements of the Privacy Rule and the
Health Insurance Portability and Accountability Act, Public Law 104-191.
c) Interpretation. Any ambiguity in this Agreement shall be
resolved in favor of a meaning that permits Covered Entity to comply
with the Privacy Rule.
University of Iowa
By:____________________
Andrew Ives, Business Manager
Date: ___________________
BUSINESS ASSOCIATE
By:________
Name:______
Title:_______
Date:___________________
BUSINESS ASSOCIATE ADDENDUM
In addendum to the [insert reference and date of Service Agreement], the
parties agree to the following terms and conditions:
1) DEFINITIONS
Terms used, but not otherwise defined, in this Agreement shall have the
same meaning as those terms in 45 CFR 160.103 and 164.501. For purposes
of this section:
a) Business Associate. “Business Associate” shall mean [insert the
name of the Business Associate, ].
b) Covered Entity. “Covered Entity” shall mean
Individual. “Individual” shall have the same meaning as the term
“individual” in 45 CFR 164.501 and shall include a person who qualifies
as a personal representative in accordance with 45 CFR 164.502(g).
c) Privacy Rule. “Privacy Rule” shall mean the Standards for
Privacy of Individually Identifiable Health Information at 45 CFR part
160 and part 164, subparts A and E.
d) Protected Health Information. “Protected Health Information”
shall have the same meaning as the term “protected health information”
in 45 CFR 164.501, limited to the information created or received by
Business Associate from or on behalf of Covered Entity.
e) Required By Law. “Required By Law” shall have the same meaning as
the term “required by law” in 45 CFR 164.501.
f) Secretary. “Secretary” shall mean the Secretary of the
Department of Health and Human Services or his designee.
2) OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
Business Associate agrees to:
a) Not use or further disclose Protected Health Information other
than as permitted or required by the Agreement or as Required By Law.
b) Use appropriate safeguards to prevent use or disclosure of the
Protected Health Information other than as provided for by this
Agreement.
c) Mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of Protected Health
Information by Business Associate in violation of the requirements of
this Agreement.
d) Report to Covered Entity any use or disclosure of the Protected
Health Information not provided for by this Agreement.
e) Ensure that any agent, including a subcontractor, to whom it
provides Protected Health Information received from, or created or
received by Business Associate on behalf of Covered Entity agrees to the
same restrictions and conditions that apply through this Agreement to
Business Associate with respect to such information.
f) In the event that Business Associate maintains records in a
designated records set, to provide access, at the request of Covered
Entity, and in the time and manner designated by Covered Entity, to
Protected Health Information in a designated record set, to Covered
Entity or, as directed by Covered Entity, to an Individual in order to
meet the requirements under 45 CFR 164.524.
g) In the event that Business Associate maintains records in a
designated records set, make any amendment(s) to Protected Health
Information in a designated record set that the Covered Entity directs
or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity
or an Individual, and in the time and manner designated by Covered
Entity.
h) Make internal practices, books, and records relating to the use
and disclosure of Protected Health Information received from, or created
or received by Business Associate on behalf of, Covered Entity available
to the Covered Entity, or at the request of the Covered Entity to the
Secretary, in a time and manner designated by the Covered Entity or the
Secretary, for purposes of the Secretary determining Covered Entity's
compliance with the Privacy Rule. In the event such a request comes
directly from the Secretary, Business Associate agrees to notify Covered
Entity immediately of such request.
i) Document such disclosures of Protected Health Information and
information related to such disclosures as would be required for Covered
Entity to respond to a request by an Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 CFR
164.528.
j) Provide to Covered Entity or an Individual, in time and manner
designated by Covered Entity, information collected in accordance with
this section, to permit Covered Entity to respond to a request by an
Individual for an accounting of disclosures of Protected Health
Information in accordance with 45 CFR 164.528.
3) PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
a) Except as otherwise limited in this Agreement, Business Associate
may use or disclose Protected Health Information to perform functions,
activities, or services for, or on behalf of, Covered Entity as
specified in [Insert Name of Services Agreement], provided that such use
or disclosure would not violate the Privacy Rule if done by Covered
Entity.
b) Except as otherwise limited in this Agreement, Business Associate
may disclose Protected Health Information for the proper management and
administration of the Business Associate, provided that disclosures are
required by law, or Business Associate obtains reasonable assurances
from the person to whom the information is disclosed that it will remain
confidential and used or further disclosed only as required by law or
for the purpose for which it was disclosed to the person, and the person
notifies the Business Associate of any instances of which it is aware in
which the confidentiality of the information has been breached.
4) OBLIGATIONS OF COVERED ENTITY
Covered Entity shall provide Business Associate with the notice of
privacy practices that Covered Entity produces in accordance with 45 CFR
164.520, as well as any changes to such notice.
5) PERMISSIBLE REQUESTS BY COVERED ENTITY
Covered Entity shall not request Business Associate to use or disclose
Protected Health Information in any manner that would not be permissible
under the Privacy Rule if done by Covered Entity.
6) TERM AND TERMINATION
a) Term. The obligations set forth in this section shall be
effective as of the date the first protected health information is
released to Business Associate pursuant to this Addendum, and shall
terminate only when all of the Protected Health Information provided by
Covered Entity to Business Associate, or created or received by Business
Associate on behalf of Covered Entity, is destroyed or returned to
Covered Entity, or, if it is infeasible to return or destroy Protected
Health Information, protections are extended to such information, in
accordance with the termination provisions in this Section.
b) Termination for Cause. Upon Covered Entity's knowledge of a
material breach by Business Associate, Covered Entity shall provide an
opportunity for Business Associate to cure the breach or end the
violation. Covered Entity may terminate this Agreement if Business
Associate does not cure the breach or end the violation within the time
specified by Covered Entity.
c) Effect of Termination
(i) Except as provided in paragraph (ii) of this section, upon
termination of this Agreement, for any reason, Business Associate shall
return or destroy all Protected Health Information received from Covered
Entity, or created or received by Business Associate on behalf of
Covered Entity. This provision shall apply to Protected Health
Information that is in the possession of subcontractors or agents of
Business Associate. Business Associate shall retain no copies of the
Protected Health Information.
(ii) In the event that Business Associate determines that returning or
destroying the Protected Health Information is infeasible, Business
Associate shall provide to Covered Entity notification of the conditions
that make return or destruction infeasible. Upon mutual agreement of
the Parties that return or destruction of Protected Health Information
is infeasible, Business Associate shall extend the protections of this
Agreement to such Protected Health Information and limit further uses
and disclosures of such Protected Health Information to those purposes
that make the return or destruction infeasible, for so long as Business
Associate maintains such Protected Health Information.
d) Survival. The respective rights and obligations of Business
Associate under this section shall survive the termination of this
Agreement.
7) OWNERSHIP OF INFORMATION
Covered Entity holds all right, title, and interest in and to the PHI
and Business Associate does not hold and will not acquire by virtue of
this Agreement or by virtue of providing goods or services to Covered
Entity, any right, title, or interest in or to the PHI or any portion
thereof. Except as specified in Paragraph ___above [delete if there is
no provision allowing such requirements/right to compile reports,
aggregate data, etc. Otherwise, include specific paragraph reference in
this Addendum or in the Service Agreement that references that
obligation of the BA specifically], or as otherwise agreed to in writing
by the parties, Business Associate will have no right to compile and/or
distribute statistical analyses and reports utilizing aggregated data
derived from the PHI or any other health and medical data obtained from
Covered Entity.
8) RIGHT TO INJUNCTIVE RELIEF
Business Associate expressly acknowledges and agrees that the breach, or
threatened breach, by it of any provision of this Agreement may cause
Covered Entity to be irreparably harmed and that Covered Entity may not
have an adequate remedy at law. Therefore, Business Associate agrees
that upon such breach, or threatened breach, Covered Entity will be
entitled to seek injunctive relief to prevent Business Associate from
commencing or continuing any action constituting such breach without
having to post a bond or other security and without having to prove the
inadequacy of any other available remedies. Nothing in this paragraph
will be deemed to limit or abridge any other remedy available to Covered
Entity at law or in equity.
9) MISCELLANEOUS
a) Regulatory References. A reference in this Agreement to a
section in the Privacy Rule means the section as in effect or as
amended, and for which compliance is required.
b) Amendment. The Parties agree to take such action as is necessary
to amend this Agreement from time to time as is necessary for Covered
Entity to comply with the requirements of the Privacy Rule and the
Health Insurance Portability and Accountability Act, Public Law 104-191.
c) Interpretation. Any ambiguity in this Agreement shall be
resolved in favor of a meaning that permits Covered Entity to comply
with the Privacy Rule.
University of Iowa
By:________
University of Iowa
Date:___________________
BUSINESS ASSOCIATE
By:________
Name:______
Title:_______
Date:___________________
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
PRIVACY PROTECTION IN AREAS WITH PUBLIC ACCESS
Purpose: To define guidelines and procedures for areas in which
student-athlete care is provided but there is also public access through
tours, visitors, recruits, or limited access through job shadowing or
other community or professional groups.
Policy: Patient confidentiality and dignity must be protected but the
University, as a public teaching institution, must provide access to its
facilities for educational and informational purposes.
Procedures:
· Formal tours are only allowed on special open house days
designated for this purpose by the associate director.
· Visitors or recruits and their family members (either in small
groups or individually) should be guided by staff and kept away from
student-athlete care when possible.
· Student tours or job shadow experiences should not include
access to PHI.
· While groups or individuals are waiting to gain access to the
athletic training rooms for tours, recruiting, or education, they should
remain outside the athletic training room or in office space/conference
areas and away from student-athlete care areas.
· Public access to the athletic training rooms for first aid
purposes should be limited to appropriate and necessary emergency care
and should avoid student-athlete care areas whenever possible.
· Whenever student-athletes are being treated, athletic training
staff members should protect their privacy and dignity by moving
student-athletes to appropriate treatment locations or by restricting
access to the athletic training room.
· Any exposure of visitors to patient information should be no more
than inadvertent or incidental.
The University of Iowa
HIPAA Privacy Rule
Policies and Procedures
VIOLATION OF PROVISIONS OF PRIVACY RULE
Purpose: To clarify that violations of the HIPAA Privacy Rule will
subject University employees to disciplinary action.
Policy: The University of Iowa is committed to complying with the legal
and ethical requirements that assure student-athlete confidentiality,
specifically the treatment of all protected health information (PHI) in
a manner consistent with the Privacy Rule. Violations of the Privacy
Rule that result in the unauthorized release of PHI may result in
disciplinary action.
Procedure: If a violation of the Privacy Rule, or of associated
university, collegiate or other policies is reported or observed, it
will be investigated in a manner consistent with applicable procedures
for that unit and that employee.
The investigation, conclusions, and any subsequent disciplinary action
will be managed by the college or department, in accordance with
existing procedures.