Privacy Notice

Athletic Training at Iowa

education program

about our program

ats news

current events

ats services

services and locations

calendar of events

program events

conference presentations

conference topics

sports medicine symposium

symposium details

announcements

alumni newsletter

OSHA training

staff openings

Privacy Notice

This web page is currently under review. You can find pertinent privacy rule general information and frequently asked questions by accessing this web page: http://www.uiowa.edu/homepage/policy/HIPAA/index.html

The University of Iowa

HIPAA Privacy Rule

Policies and Procedures

NOTICE OF PRIVACY PRACTICES

Purpose: To define the required content of the University of Iowa’s Privacy Notice, applicable to covered units within the U of I not covered by UI Health Care

Policy: Under the provisions of the HIPAA Privacy Rule, an individual has a right to know the uses and disclosures of protected health information (PHI) that may be made by the University of Iowa College or unit providing health care. The individual also has a right to know what his or her responsibilities are with respect to PHI. The U of I is required to provide a notice of privacy practices to all patients as well as to individuals requesting a copy.

Procedure: The College or health care unit will:

· Provide the Notice of Privacy Practices at the first date of service to all patients

· Make a good faith effort to obtain a written acknowledgement of receipt of the notice

· Have the Privacy Notice visible in clinic and service locations

· Have the Privacy Notice available for student-athletes to take with them

Exceptions: in an emergency, if it is impossible or impractical to provide the notice, or if doing so would delay care, providing student-athlete care takes the highest priority.

Content of the Privacy Notice.

The U of I Health Care units will provide a Privacy Notice that is written in plain language and that contains the following elements:

· Header: The Privacy Notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

· Uses and disclosures: The Privacy Notice must contain:

o A description, including at least one example, of the types of uses and disclosures that are permitted to make for each of the following purposes: Treatment, Payment, and Health Care Operations**;

o A description of each of the other purposes for which disclosure of PHI is permitted or required without that student-athlete’s written authorization;

o A statement that other uses and disclosures will be made only with the student-athlete’s written authorization and that the student-athlete may revoke such authorization as provided by UI “Policy on Uses and Disclosures of Protected Health Information”;

o A statement that the patient may be contacted to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the patient

Individual rights

The Privacy Notice must contain a statement of the student-athlete’s rights with respect to PHI and a brief description of how the individual may exercise these rights as follows:

· The right to request restrictions on certain uses and disclosures of PHI as provided by University policy, “Restrictions on Use and Disclosure of Protected Health Information.”

· The right to receive confidential communications of PHI as provided by policy “Request for Confidential Communications.”

· The right to inspect and attain a copy of the student-athlete’s PHI as provided by policy “Access of Individuals to Protected Health Information in the Designated Record Set”.

· The right to request an amendment to PHI as provided by policy “Corrections and Amendments to Protected Health Information”.

· The right to receive an accounting of disclosures of PHI as provided by policy “Accounting of Disclosures”.

· The right of an individual, including an individual who has agreed to receive the notice electronically, to obtain a paper copy of the notice from UI upon request.

Covered entity’s duties.

The Privacy Notice must contain a statement that the University of Iowa:

· Is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI;

· Is required to abide by the terms of the notice currently in effect; and

· Reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. The statement must also describe how it will provide individuals with a revised notice.

Complaints.

· The Privacy Notice must contain a statement that individuals may complain to the University of Iowa and to the Department of Health and Human Services if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint, and a statement that the individual will not be retaliated against for filing a complaint.

Contact.

· The Privacy Notice must contain the name, or title, and telephone number of a person or office to contact for further information.

Requirements for Electronic Notice

· The University of Iowa will provide an updated electronic version of the Privacy Notice on its website at http://www.uiowa.edu/homepage/policy/HIPAA/index.html.

· The notice may be provided to an individual by e-mail, if the requirements for communicating with the individual through email is in compliance with the HIPPA electronic Mail Policy.

· Provision of electronic notice will satisfy the provision requirements if receipt of the notice by the individual is documented.

· The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from the University of Iowa.

Documentation of Privacy Notice:

· The University of Iowa will document compliance with the Privacy Notice requirements by retaining copies of the Privacy Notices issued by UI Health Care.

· Those persons who register or admit patients will be responsible for distributing the Privacy Notice to all patients and documenting the receipt of the “Notice of Privacy Practices Acknowledgement Form” in the record. If a written acknowledgement was not obtained from the patient, must document the reason for the failure to obtain the written acknowledgement on the “Notice of Privacy Practices Acknowledgement Form”. Such reason for failure may be, for example, that the patient refused to sign after being requested to do so.

Revisions to the Privacy Notice.

· The Privacy Notice will be revised and made available whenever there is a material change to the uses or disclosures, the individual’s rights, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.

* Definition of Protected Health Information (PHI):

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written and electronic. Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

** Treatment, Payment and Health Care Operations (TPO):

Treatment involves the administering, coordinating and management of health care services. Payment includes any activities undertaken to obtain premiums, determine or fulfill its responsibility for coverage and the provision of benefits or to obtain or provide reimbursement for the provision of health care. Health Care Operation includes general administrative and business functions, including audit, quality review, and financial management. Under the rules, “operations” also includes “the training of future health professionals”.

UNIVERSITY OF IOWA PRIVACY NOTICE

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

Our Legal Responsibility

As a health care provider, we are legally required to protect the privacy of your health information, and to provide you with this notice about our legal duties and privacy practices. This requirement applies to all clients served by units within the University of Iowa that provide health care to clients.

If you have any questions or want more information about this notice, please contact our Privacy Officer at the contact information listed below.

Your Protected Health Information (PHI)

Throughout this notice we will refer to your protected health information as PHI. Your PHI includes information that identifies you and describes the care and services you receive.

This notice applies to all of the records, both electronic and paper, about your care. It includes all information created by University of Iowa staff. This staff includes physicians, other health care professionals, students and other staff members.

This notice about privacy practices explains how, when, and why we use and share your PHI. It explains your rights and our responsibilities and tells you where to get additional information.

We may change the terms of this notice and our privacy policy in the future. Any changes will apply to your past, current, or future PHI. When we make an important change to our policies, we will change this notice and post a new notice on our Web site (www.uiowa.edu “privacy rule”). You may also request a copy of our current notice at any time from the University of Iowa HIPAA Privacy Officer, Office of the Provost, University of Iowa, Iowa City, Iowa 52242.

Uses of Protected Health Information

The unit at the University of Iowa where you receive services collects health information about you and stores it in a chart and may also store it on a computer. This is your medical record. The medical record is the property of the University of Iowa, but the information in the medical record belongs to you.

We use and disclose health information for many reasons. The following examples describe some of the categories of our uses and disclosures. Please note that not every use or disclosure in a category is listed.

· Treatment – We may use and disclose medical information about you to physicians, nurses, technicians, physicians in training, or other health care professionals who are involved in your care. Different health care professionals, such as pharmacists, lab technicians, and x-ray technicians, also may share information about you in order to coordinate your care.

· Health care operations – We may use and disclose your PHI as part of our routine operations. For example, we may use your PHI to evaluate the quality of health care services you received or to evaluate the performance of health care professionals who cared for you. We may also disclose information to physicians, nurses, technicians, medical, nursing and other health professional students, and other personnel as part of our educational mission.

· Appointment reminders and health-related benefits or services – We may use your PHI to provide appointment reminders or give you information about treatment alternatives or other health care services.

· Public health activities – We report information about births, deaths, and various diseases to governmental officials in charge of collecting that information. We provide coroners, medical examiners, and funeral directors information about an individual’s death.

· Law enforcement – We may disclose PHI to government agencies and law enforcement personnel when the law requires it. For example, we report about victims of abuse, neglect, or domestic violence, and gunshot victims, and when ordered to do so in judicial or administrative proceedings.

· Health oversight activities – We may disclose PHI to a health oversight agency for audits, investigations, inspections, and licensure, as authorized by law. For example we may disclose PHI to the Food and Drug Administration, state Medicaid fraud control, or the Health Human Service Office for Civil Rights.

· Research studies – We may disclose your PHI to help conduct research. Research may involve finding a cure for an illness or helping to determine how effective a treatment is. All research studies are subject to a specific approval process by a Privacy Board or Institutional Review Board. This process evaluates a proposed research study to determine that measures are in place to balance research needs with the need for the privacy of your health information. For some research activities you may be asked to participate in a study and if you agree, the researcher will be required to obtain your permission to use your PHI for that study.

· Organ donation – We may use your PHI to notify organ donation organizations, and to assist them in organ, eye, or tissue donation and transplants.

· Worker’s compensation purposes – We may disclose PHI at your employer’s request regarding a work-related injury.

· National security and intelligence activities – We may release PHI to authorized federal officials when required by law.

Uses and Disclosures for which You Have the Opportunity to Object

· Directory – listing your information in a directory of patients (such as an information desk for visitors)

· Fundraising – providing your information to University entities for purposes of sending you materials for fundraising purposes

· Disclosures to family, friends, or others – providing information that you are a patient

Except as described above, all other uses and disclosures of your PHI will require your authorization.

Your Rights Regarding PHI

You have the right to:

· Request Restrictions

You have the right to ask that we limit how we use and disclosure your PHI. We will consider your request, but we are not legally required to accept it. If we accept your request, we will put any limits in writing and follow them except in emergency situations. You may not limit the uses and disclosures that we are legally required or allowed to make. To request a restriction, contact the Privacy Officer listed at the end of this notice.

· Request Confidential Communications

If we send notices or information to you, you have the right to ask that we send PHI to you at a different address. For example, you may wish to have appointment reminders and test results sent to a PO Box or a different address than your home address. We will accommodate reasonable requests. To make a request, contact any member of your health care team.

· Inspect and Copy

You have the right to inspect and obtain a copy of medical information that may be used to make decisions about your care. Usually this includes the medical record and billing records. To inspect and obtain a copy of medical information, you must submit your request in writing to either: the university department where you are receiving care or the Privacy Officer listed at the end of this notice.

We will make every effort to respond to your request within a reasonable period of time. You may be charged a fee to cover the costs of copying, mailing, or other supplies associated with your request.

· Disclosures

You have the right to obtain a list of instances in which we have disclosed your PHI. Your request must state a time period not longer than six years and your request may not include dates before April 14, 2003. The list will not include uses or disclosures made for treatment, payment or health care operations. In addition, the list will not include uses or disclosures that you have specifically authorized in writing. You must submit your request in writing to the Privacy Officer listed at the end of this notice.

· Amend

You have the right to request an amendment of your PHI if you think that information is inaccurate or incomplete in your medical record. You may request an amendment for as long as that record is maintained. You may submit a written request for an amendment to: Release of Information, for amendment to your medical record.

· Paper copy of this notice

You have the right to request a paper copy of this notice. You may pick up a copy at any check-in point or request that a copy be sent to you.

Revocation of Permission

If you provide us with permission to use or disclose medical information about you, you may revoke that permission at any time. You must make your request in writing to Release of Information. Contact information is listed at the end of this notice.

If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written revocation. We are unable to take back any disclosures previously made with your permission. Also, we are required to keep all records of the care that we provided to you.

Complaints and Questions

If you believe your privacy rights have been violated, you may file a complaint with the University of Iowa, or with the Office of Civil Rights. To file a complaint with University of Iowa, contact the University of Iowa Privacy Officer at the address and phone number listed below. You will not be penalized for filing a complaint and your care will not be compromised.

If you have questions about this notice, any complaints about our privacy practices, or you would like to know how to file a complaint with the Secretary of the Department of Health and Human Services, Office of Civil Rights, please contact:

University of Iowa Privacy Officer

Office of the Provost, 111 JH

Iowa City, Iowa 52242

319-335-0292

This notice is in effect April 14, 2003.

H:Document/Policies/Uiprivacynotice04/22/03

UNIVERSITY OF IOWA

Privacy Notice Acknowledgment Form

By signing this form I acknowledge that I have received the University of Iowa Privacy Notice. I have the right to review the Privacy Notice prior to signing this acknowledgment form.

The University of Iowa has the right to change the Privacy Notice from time to time. The revised Privacy Notice will be posted within the clinical facilities, on the University of Athletic Training Iowa web site, and paper copies will be available at Athletic Training Rooms.

Student-Athlete Name:___________________________________ Date: ________

Signature of Student-Athlete

or Legal Representative: ________________________________________________

Relationship to the Student-Athlete: ______________________________________

This will be retained with the student-athlete record. Please return this form to the Athletic Training Room Office.

For failure to obtain acknowledgment, check the appropriate reason:

‰ Substantial communication barriers

‰ Refusal to sign

‰ Other _________________________________

Description:

_____________________________________________________________

Staff Signature: Date:

__________________________________ _________________

Department: Title:

The University of Iowa

HIPAA Privacy Rule

Policies and Procedures

USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

Purpose: To define whether use or disclosure of Protected Health Information (PHI) is required, permitted, or subject to authorization requirements; to provide direction to staff regarding when patient authorization is required for use or disclosure of PHI; and to provide direction to staff regarding when PHI may be used or disclosed without patient authorization.

Policy: It is the policy of the University of Iowa that the confidentiality of Protected Health Information contained in records and collected pursuant to treatment will be protected to the fullest extent possible. To maintain this confidentiality, UI staff may not disseminate PHI unless it is pursuant to a valid request, a valid authorization or a legally recognized exception to this requirement.

Procedures

1. Required disclosures

· To a student-athlete who requests to see his or her own record or an accounting of disclosures.

· To the legal representative of a student-athlete who makes a request.

· To the Department of Health and Human Services for purposes of determining compliance with the Privacy Rule.

2. Permitted uses and disclosures

· For purposes of treatment, payment, operations (“operations” includes education)

· PHI will be available to students in educational programs for use within the Athletic Training Rooms where the records are maintained

· In accordance with a student-athlete’s authorization

· Incident to a permitted use or disclosure

· In specific instances defined in the Privacy Rule (below)

3. Permitted uses and disclosures requiring verbal agreement and opportunity to agree or object

· Facility directory, media, marketing

· Persons assisting in the student-athlete’s care

· Family members, close personal friends (patient assent)

4. Permitted uses and disclosures for which authorization is not required

· Required by law

· Public health activities

· Disclosures to health oversight agencies

· Release pursuant to court order, subpoena or other discovery request

· Required disclosures pertaining to victims of abuse, neglect or domestic violence

· Disclosures for law enforcement purposes

· Disclosures to avert threats to public health and safety and to support specialized government functions (military and security)

· Disclosures related to organ donation

· Disclosures related to workers compensation

Research is a critical mission of the University. Disclosure of PHI for research purposes is permitted in accordance with protocols administered by the Human Subjects Office.

Definitions:

Protected Health Information (PHI):

Use:

Use of PHI includes anything done with the information inside UIHC (i.e. sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information, 45 C.F.R. §164.501).

Disclosure:

Disclosure of PHI means anything done with the information outside the covered entity (i.e. release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information, 45 C.F.R. §164.501).

Health Oversight Agency:

Health Oversight Agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

Reference: 45 C.F.R. §164.512

The University of Iowa

HIPAA Privacy Rule

Policies and Procedures

HIPAA-PROTECTED RECORDS: DESIGNATED RECORD SET

Purpose: To define those records maintained outside of the UI Health Care units that are subject to the provisions of the HIPAA Privacy Rule.

Policy:

bullet All records containing Protected Health Information, regardless of location, are protected by the Privacy Rule.

bullet The following units are subject to the staff training and other requirements as elements of the University’s “hybrid entity”: Client records in these units are subject to the Privacy Rule.

bullet University of Iowa Staff Benefits Office

bullet College of Dentistry

bullet Employee Wellness

bullet Wendall Johnson Speech and Hearing Clinic

bullet Seashore Psychology Training Clinic

bullet Athletic Training Rooms

bullet All records contained in employee files or elsewhere that include PHI, health history or status or medical information about the employee.

bullet Employee-submitted material including consent or authorization forms, leave request reports, or related documentation.

Definition:

The “designated record set includes:”

bullet Medical records

bullet Billing records

bullet Enrollment, payment, claims adjudication records

bullet Case management records

References: 45 C.F.R. §164.501

The University of Iowa

HIPAA Privacy Rule

Policies and Procedures

ACCESS OF INDIVIDUALS TO PROTECTED HEALTH INFORMATION

Purpose: To define the process for responding to requests from student-athletes their PHI and to provide guidance to staff regarding their responsibilities when student-athletes request access to PHI.

Policy: Student-athletes have a right to inspect and copy PHI contained in their records.

Procedures:

1. Requests to inspect or receive copies of PHI

A student-athlete must make the request in writing using the Student-Athlete Request to Access Protected Health Information Form and submitting it to the Associate Director of Athletic Training or the HIPAA Privacy Officer.

2. Response

The Associate Director of Athletic Training or HIPAA Privacy Officer will contact the individual making the request within 30 days and arrange for inspection and/or copying.

The University reserves the right to deny access under the same circumstances outlined in Athletic Training Policy “Access of Individuals to Protected Health Information in the Designated Record Set.”

Reference: 45 C.F.R. §164.524

University of Iowa

Student-Athlete Request to Access Protected Health Information

Student-Athlete Name________________________ Date of Birth___/___/____

Date of Request___/___/____

I request that University of Iowa provide me with access to my personal health information as described below:

_____________________________________________________________

I request access to my personal health information covering the dates of ___/___/____ through ___/___/____.

Type of access requested:

q Copies of requested information (please specify the format you desire)

q Hard Copy

q Other____________________

I understand that University of Iowa may charge a fee for the costs of copying, mailing, preparing a summary or other supplies associated with my request.

Please contact me at the following telephone number to arrange inspection or copying:

Telephone number: ____________________

e-mail: ______________________________

hours preferred: _______________________

___________________________________________ ___/___/____

Signature of Student-Athlete or Student-Athlete’s Authorized Representative Date

If signed by the student-athlete’s Representative, please print the name and describe relationship to the student-athlete:

______________________________ _______________________

Print Name Relationship

You will receive a response within 30 days of the receipt of your request.

The University of Iowa

HIPAA Privacy Rule

Policies and Procedures

REQUEST FOR CONFIDENTIAL COMMUNICATIONS

Purpose: To define the process for responding to requests from student-athletes or their legal representatives to receive confidential communications of their Protected Health Information (PHI); to instruct staff on how to respond to requests from student-athletes or their legal representatives for confidential communications of their PHI.

Policy: It is the policy of the University of Iowa to accommodate requests from student-athletes or their legal representatives to receive communications of PHI by alternative means or at alternative locations. The provision of this communication may require an alternative address or other method of contact.

Procedures:

bullet Student-athletes or their legal representatives may request to receive communications of PHI by alternative means or at a different location by contacting the Associate Director of Athletic Training or a care provider.

bullet The request should be in writing in order to document to alternative method or location on the attached.

bullet The request may be denied if the student-athlete fails to specify an alternative address or means of contact.

bullet The alternative address/contact will be used until the student-athlete or the student-athlete’s legal representative advises the college or health care unit to return to the original designated address.

Reference: 45 C.F.R. §164.522

The University of Iowa

Privacy Rule

Request for Confidential Communications Regarding Medical Information

I wish to request that the communication about my health and medical care, which contains Protected Health Information, be communicated to me in the following manner: (check one):

_____ By telephone at my home number

______By telephone at another number

______By FAX at a number provided

______By mail at an address other than he one on the record

Please proved the information we will need to send the information to you at your preferred location (complete address, phone number, etc.:__________________

The University will not ask you the reason for your request and will accommodate all reasonable requests.

If you cannot be reached at the designated alternative location you specify, the University may use other means to contact you.

When you have completed this form, please give it to your health care provider or send it to: HIPAA Privacy Offices, C-43 GH, University of Iowa, Iowa City, Iowa

52242.

__________________________ ___________________

Signature Date

_________________________ ___________________

Staff member Title

The University of Iowa

HIPAA Privacy Rule

Policies and Procedures

DISCLOSURE OF PROTECTED HEALTH INFORMATION TO PERSONAL REPRESENTATIVES

Purpose: To define when and what protected health information (PHI) may be released to an individual’s personal representative.

Policy: The university unit in possession of PHI will treat the personal representative as the individual when using and disclosing the individual’s PHI EXCEPT

A “personal representative” is an individual who has authority by law (parent, legal guardian) or by authority from the individual receiving services to act in the place of that individual. This includes parents, legal guardians, persons with power of attorney and may also include the family or next of kin of a non-autonomous student-athlete who has no legally appointed surrogate. The authority of the personal representative is limited: the representative must be treated as the individual only to the extent that PHI is relevant to the matters on which the personal representative is authorized to represent the individual.

Procedures: What follows are guidelines in determining a student-athlete’s personal representative. Questions about whether or not a person is a personal representative of a patient should be directed to the University’s HIPAA Privacy Officer.

A. Adults and Emancipated Minors

If a person has authority by law to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to use and disclosure of PHI, that person will be treated as a personal representative. Once a minor is emancipated, a guardian or a parent cannot be recognized as a personal representative.

B. Children (under 18 years)

In general, parents will be the personal representatives of their children. In some cases, there will be a legal guardian or another individual who has been designated to act on behalf of a child. These individuals will be recognized as personal representatives.

Note: A minor does not require the consent of an adult and any consent to treatment for: testing and counseling for sexually transmitted diseases, treatment and rehabilitation for substance abuse, and limited reproductive issues. The minor will be treated as an individual and may provide authorization for release of their PHI.

C. Deceased Individuals

The personal representative will be an executor, administrator or other person designated to act on behalf of a deceased individual or the estate.

D. Exception

The UI may elect not to recognize an individual as a personal representative if there is reason to believe that:

· Deceased Individuals

If an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, UIHC will treat such person as a personal representative with respect to PHI relevant to such personal representative.

· Abuse, Neglect, Endangerment Situations

Elect not to recognize a person as the personal representative of an individual if Athletic Training Services has a reasonable belief that:

1. The individual has been or may be subjected to domestic violence, abuse, or neglect by a parent, guardian or personal representative; or

2. Treating such a person as the personal representative could endanger the individual; and

3. In the exercise of professional judgment it is not in the best interest of the individual to treat the person as the individual’s personal representative.

Definitions:

Protecte