NC State University

Privacy and Confidentiality of Individually Identifiable Health Information

REG 01.25.09

Governance - General

Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.

History: First Issued: April 14, 2003.

Related Policies:
NCSU REG01.25.08 - Research Activities and HIPAA
NCSU RUL01.25.02 - Use and Disclosure of Protected Health Information

Additional References:
HIPAA Forms; The Health Insurance Portability and Accountability Act (HIPAA); Department of Health and Human Services Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule); Department of Health and Human Services Security and Electronic Signature Standards (HIPAA Security Rule); Department of Health and Human Services Standards for Electronic Transactions (HIPAA Electronic Transactions Rule).
NCSU Health Care Components

Contact Info: NCSU Privacy Officer.



1. INTRODUCTION

1.1. This regulation addresses the privacy and confidentiality of individually identifiable health care information (PHI) created or received by NCSU health care units that are required to comply with The Health Insurance Portability and Accountability Act of 1996 and its accompanying regulations (HIPAA). Under HIPAA, NCSU covered health care components and those internal functional units that provide support services to these components (collectively "Covered Health Care Components") are required to protect the privacy and security of individually identifiable health information (protected health information or PHI) and to use certain standardized formats, data content and code sets when conducting electronic transactions.

1.2. PHI under HIPAA excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 USC 1232g, and records described at 20 USC 1232g(a)(4)(B)(iv). See NCSU REG 11.00.1 - Family Educational Rights and Privacy (FERPA or Buckley Amendment). The privacy and confidentiality of individually identifiable health care information of students are governed by FERPA and its implementing regulations.

1.3. Covered Health Care Components, defined below, are delegated authority to establish rules within their defined areas of responsibility to implement this regulation in accordance with the requirements of HIPAA and FERPA. To the extent feasible and not inconsistent with FERPA, Covered Health Care Components may treat student health care records similarly to non-student PHI for specified situations, such as access to or amendment of PHI. The treatment of student health care information by NCSU Covered Health Care Components shall be addressed by rules adopted by these units either individually or jointly.

1.4. NCSU's Privacy Officer must approve rules issued by a covered health care component. The Privacy Officer, Security Officer and Research Administration shall develop and propose regulations and/or rules to address their respective responsibilities for HIPAA compliance.

2. DEFINITIONS

2.1. Covered Health Care Components: Student Health Services, the Counseling Center, and Sports Medicine. The following functional units that provide support services to these Covered Health Care Components are also included:

  • Administrative Computing Services
  • Enterprise Information Systems
  • Network and Client Services
  • Internal Audit
  • Legal Affairs
  • Risk Management
  • University Cashier
  • Accounts Receivable

2.2. Protected Health Information: PHI is (1) health information, including demographic information, (2) created or received by a health care provider (3) which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and (4) that identifies or can be used to identify any individual. PHI does not include de-identified PHI. De-identified PHI is health information that cannot be identified to the individual patient. De-identified PHI must have the specific identifiers described in HIPAA removed with respect to the individual and his or her relatives, employers and household members.

2.3. Individual: Means the person who is the subject of protected health information.

2.4. Designated Record Set: A designated record set is comprised of the medical and billing records used in part or in whole to make decisions about the patient. Excluded from the Designated Record Set are psychotherapy notes and other records which under the law may not be accessed by the patient. Individuals have a right of access to and amendment of PHI contained in a Designated Record Set.

2.5. Consent: Permission for use and disclosure of PHI for treatment, payment, and health care operations.

2.6. Authorization: Specialized written permission for use and/or disclosure of PHI for purposes other than treatment, payment or health care operations. An Authorization for use and disclosure of non-student PHI must be HIPAA compliant, and an Authorization for use and disclosure of student PHI must be FERPA compliant.

3. GENERALLY PERMITTED USES AND DISCLOSURES OF PHI

3.1. Treatment, payment and health care operations. Health Care Components may use and disclose PHI for treatment, payment, and health care operation activities with the Consent of the Individual.

3.2. Disclosures other than for treatment, payment and health care operations. Health Care Components may use and disclose PHI for purposes other than treatment, payment and health care operation activities pursuant to an Authorization, or as otherwise permitted by this policy.

3.2.1. Each covered Health Care Component shall designate a person or persons to handle requests governing the release of PHI. Such designees shall consult with the Privacy Officer and/or the Office of Legal Affairs as appropriate to ensure compliance with this policy, HIPAA and FERPA.

3.2.2. NCSU approved forms must be used for Authorizations requested by NCSU. Authorizations submitted to NCSU covered Health Care Components from outside the University for release of non-student PHI must contain the following specific information as required by HIPAA; otherwise the Authorization will not be considered valid:

3.2.2a. A specific description of the information to be used or disclosed;

3.2.2b. The name of the person(s) or class of persons authorized to make the use or disclosure;

3.2.2c. Name of the person(s) or class of person(s) to whom the disclosure may be made;

3.2.2d. The purpose of the requested use or disclosure;

3.2.2e. An expiration date or event that relates to the Individual or the purpose of the use or disclosure;

3.2.2f. Signature of the Individual (or authorized representative and relationship to the Individual) and date;

3.2.2g. Statements adequate to place the Individual on notice as to:

i.) The Individual's right to revoke the authorization in writing, exceptions to the right to revoke and how the Individual may revoke the authorization;

ii.) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on signing the authorization (state consequences if conditional); and

iii.) The potential for the information disclosed to be subject to re-disclosure by the recipient and no longer protected by the federal privacy rule.

3.3. Individual's Right to Request Restrictions on Use and Disclosure of PHI.

3.3.1a. An Individual has a right to request restrictions on the uses and disclosures of PHI to carry out treatment, payment or health care operations; and restrictions on disclosures made to the Individual's family, friends, or relatives. The Covered Health Care Component is not required to agree to the requested restriction. However, if the Covered Health Care Component does agree, it must abide by the restriction except in emergencies and in situations where use or disclosure is permitted by HIPAA without an Authorization.

3.3.1b. An agreed-upon restriction may be terminated by the Individual or by the Covered Health Care Component provided that the termination is only effective for PHI created or received after the date of notification.

3.3.1c. Restrictions that are agreed to and terminations of agreed-upon restrictions must be documented and retained for a period of six years from the date of creation or from the date the restriction was last in effect, whichever is later.

3.4. De-identified PHI. De-identified PHI may be used or disclosed without Consent or Authorization as long as no means of re-identification is disclosed. Release of de-identified data must receive the prior approval of NCSU's Privacy Officer.

3.5. Marketing. The use or disclosure of PHI for marketing purposes (communication intended to encourage the purchase or use of products or services) requires an Authorization, except for face-to-face communications to the individual patient by the Covered Health Care Component (a) to describe health-related products or services that are provided by or included in a plan of benefits; (b) for treatment of the patient; or (c) for case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual.

3.6. Business Associates. PHI may be used and disclosed to a business associate of a covered component provided the business associate has signed and is in compliance with a Business Associate Agreement in a form approved by the Office of Legal Affairs. A business associate is a person or entity that is not a part of NCSU's workforce that performs certain functions, activities or services for NCSU's covered health care components involving the use and/or disclosure of PHI.

3.7. Research. Use or disclosure of PHI for research purposes generally requires the permission of the Individual. Such permission must be in the form of an Authorization as described above. Use or disclosure is permitted without an Authorization if NCSU's institutional review board (IRB) grants a waiver of the Authorization requirement. The circumstances under which PHI may be used for research activities at NCSU and the procedures for use and disclosure of PHI for research, including but not limited to the procedures for obtaining a waiver of Authorization from the IRB, are set forth in the University Administrative Regulation addressing Research Activities and HIPAA (NCSU REG01.25.08).

3.8. Authorization Not Required under HIPAA. The disclosures set forth below are permitted by HIPAA without an Authorization. In certain situations there may be more restrictive requirements (e.g., mental health information, alcohol/drug abuse information, HIV information, and student health information). To ensure compliance with federal and/or state law, as applicable, disclosures under this section may only be made after review and approval of the Privacy Officer except (1) where the release is to the Individual, or (2) where delay in seeking such approval would impair response to a health or safety emergency, or (3) where such release is permitted by rules issued by a Covered Health Care Component or the IRB. The Privacy Officer may seek assistance from the Office of Legal Affairs when reviewing requests to release information without an Authorization.

3.8.1. Disclosures required by law. PHI may be disclosed to the extent required by law.

3.8.2. Public Health Activities. PHI may be used and disclosed to a public health authority that is authorized by law to collect or receive such information for preventing or controlling disease, injury or disability, including public health issues, vital records, child or adult abuse or neglect; adverse food or drug events, and investigations of work-related illnesses or injuries as required by law.

3.8.3. Victims of Abuse, Neglect or Domestic Violence. PHI may be used or disclosed to a government authority that is investigating a report of abuse, neglect or domestic violence to the extent disclosure is required or permitted by law.

3.8.4. Health Oversight Activities. With certain exceptions, PHI may be used or disclosed to a health oversight agency for oversight activities authorized by law, including audits, civil, administrative or criminal investigations or proceedings, inspections, licensure or disciplinary actions.

3.8.5. Judicial and Administrative Proceedings. PHI may be disclosed in the course of a judicial or administrative proceeding in response to an order of court.

3.8.6. Law enforcement purposes. PHI may be disclosed for law enforcement purposes under certain conditions.

3.8.7. Decedents. PHI regarding decedents may be disclosed to coroners, medical examiners and funeral directors if necessary to carry out their duties.

3.8.8. Serious Threats to Health or Safety. PHI may be used or disclosed under certain circumstances if a covered component believes in good faith that the use or disclosure is necessary to protect a person or the public from serious harm.

3.8.9. Specialized Government functions. PHI may be used or disclosed for specialized government functions such as military and veterans activities, security and intelligence activities, protective services for officials, medical suitability, and correctional institutions and other law enforcement custodial situations.

3.8.10. Workers' Compensation. PHI may be used or disclosed to the extent required to comply with workers' compensation laws and similar programs.

4. RIGHTS OF INDIVIDUALS TO RECEIVE A NOTICE OF PRIVACY PRACTICES, TO ACCESS PHI, TO REQUEST AMENDMENT OF PHI AND TO RECEIVE AN ACCOUNTING OF DISCLOSURES OF PHI

4.1. Right to Notice of Privacy Practices. NCSU Covered Health Care Components shall develop a Notice of Privacy Practices containing a description of (a) the uses and disclosures of PHI that may be made by an NCSU Covered Health Care Component, (b) the covered component's duties with regard to PHI, and (c) the rights afforded to patients. The Notice of Privacy Practices must be posted by each covered component and provided to students upon request. The Notice must be provided to all patients other than students no later than the date of the first service delivery or, in an emergency situation, as soon as reasonably practicable after the emergency treatment situation.

4.2. Right to Access PHI. Under HIPAA, a patient has a right of access to inspect and obtain a copy of his or her PHI in a Designated Record Set for as long as NCSU maintains the information, except for information specifically exempted from disclosure to the patient by HIPAA. Students' right of access to PHI may be more limited under FERPA. Components may by rule elect to provide student patients the same right of access provided by HIPAA. Requests for access must be made to the applicable Covered Health Care Component.

4.3. Right to Request an Amendment of PHI. Under HIPAA, a patient has a right to request an amendment of PHI contained in a Designated Record Set. A Covered Health Care Component is not required to grant the request and may deny the request as permitted by HIPAA. Under FERPA, a student patient has a right to amend his or her education records. Requests to amend PHI must be made in writing to the applicable Covered Health Care Component.

4.4. Right to Receive an Accounting of Disclosures.

4.4.1. Under HIPAA, an Individual has the general right to receive an accounting of disclosures of PHI made in the six years prior to the date on which the accounting is requested, except for disclosures:

4.4.1a. To carry out treatment, payment, and health care operations activities of the covered health care components or another provider;

4.4.1b. To Individuals of PHI about them;

4.4.1c. Pursuant to an Authorization;

4.4.1d. Incident to a use or disclosure otherwise permitted by HIPAA;

4.4.1e. For national security or intelligence purposes;

4.4.1f. To correctional institutions or law enforcement officials;

4.4.1g. As part of a "limited data set", as defined by HIPAA; and

4.4.1h. That occurred prior to the HIPAA compliance date for the covered entity.

4.4.2. Each Covered Health Care Component shall keep an accounting of all disclosures other than those that are excepted by HIPAA, so that an accounting of disclosures can be made to the Individual when requested. Documentation must be maintained for no less than six years. The accounting must include the following information:

4.4.2a. The date of the disclosure;

4.4.2b. The name of the entity or persons who received the PHI and, if known, the address of such entity;

4.4.2c. A brief description of the PHI disclosed; and

4.4.2d. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.

4.4.3. Requests for an accounting of disclosures must be made to the applicable Covered Health Care Component.

4.5. Procedures. Each Covered Health Care Component shall establish rules addressing procedures to be followed by Individuals requesting (1) access to PHI, (2) amendment of PHI and (3) an accounting of disclosures of PHI. Each covered component shall designate an individual to receive and process these requests and shall maintain documentation of the names and titles of such designees for a period of no less than six years.

4.6. Documentation and Records Retention. Each Covered Health Care Component must maintain documentation of the Notice of Privacy Practices in effect for a period of no less than six years. Documentation of requests for access to PHI, amendment of PHI, and accounting of disclosures of PHI, together with each Covered Health Care Component's response, must be maintained for a period of no less than six years.

5. PHYSICAL AND ELECTRONIC SECURITY OF PHI

HIPAA requires physical and electronic security to maintain the privacy of PHI. This includes access to PHI in all forms, including oral, written, and electronic. Covered Health Care Components shall establish procedures to ensure the physical and electronic security of all PHI, and shall by rule address the categories of staff that are authorized to have access to PHI. The Security Officer shall develop rules to address security of PHI electronically maintained and transmitted by covered health care components.

6. BREACHES OF PRIVACY AND SECURITY

6.1. Breaches of privacy or security of PHI are to be reported to NCSU's Privacy Officer and/or Security Officer, as applicable.

6.2. Covered Health Care Components must mitigate, to the extent practicable, any known harmful effects of a use or disclosure of PHI in violation of HIPAA.

7. COMPLAINTS

Individuals have a right to complain if they believe their privacy rights have been violated. The Privacy Officer shall develop procedures for the documentation, investigation and resolution of complaints. Neither NCSU nor any of its employees or contractors may intimidate, threaten, coerce, discriminate against or take any other retaliatory action against any person for legally exercising his or her rights under this policy or HIPAA. Students who have complaints may also file a grievance if their complaint is not resolved by the Privacy Officer.

8. PENALTIES

Employees and contractors who violate HIPAA may be subject to both civil and criminal penalties under HIPAA regulations. Employees who violate this regulation and/or rules established pursuant to this regulation are subject to discipline, up to and including dismissal from employment. Existing disciplinary procedures shall be followed.

9. TRAINING

Covered Health Care Components shall ensure that staff having access to PHI receive appropriate training regarding the requirements of HIPAA and FERPA. Documentation of training shall be maintained by each Covered Health Care Component for a period of no less than six years.