University of Minnesota
University Relations
http://www.umn.edu/urelate
612-624-6868
POLICY LIBRARY
ADMINISTRATIVE POLICY

Protection of Individual Health Information by U Health Care Components (HIPAA)

Effective Date: April 2003
Last Update: February 2010
Responsible University Officer:
  • Vice President - Academic Health Center
  • Chief Health Information Compliance Officer
Policy Owner:
  • Chief Health Information Compliance Officer
Policy Contact:

POLICY STATEMENT

Health care components of the University that provide health services to individuals are obligated to protect the privacy of individual health information in accordance with applicable law and all University and health care component level policies and procedures related to privacy and security of individual health information. All health care components designated by the University must be aware of and adhere to these obligations.

These designated health care components include units that provide health care ("Provider Components") and the Health Plan of the University ("Health Plan Component"). Health care components must follow the same rules or principles when sharing Protected Health Information (PHI) with one another and with units of the University who provide business or professional services that require access to PHI as apply when PHI is disclosed to an outside entity.

Health care components will use and disclose individual health information in a manner consistent with the applicable Notice of Privacy Practices in effect at the time (see Administrative Procedure: Providing Notice of Privacy Practices). Wherever the standard applies, health care components will make efforts to limit uses, disclosures and requests of PHI to a limited data set or to the minimum necessary, as determined by the health care component, to carry out the intended purpose of the use, disclosure or request.

University health care components will not use or disclose individual health information without written authorization (see Administrative Procedure: Obtaining Individual Authorization for Use and Disclosure of PHI), except where permitted or required by state and federal law. (See Administrative Procedures: Uses and Disclosures for Treatment Payment and Health Care Operations; Communicating to Persons Involved in the Individual's Care; Disclosing Individual Health Information for Public Purposes and Using and Disclosing Individual Health Information of Deceased Persons). Health care components will follow the special requirements when using and disclosing PHI for marketing or fundraising purposes (see Administrative Procedures: Using and Disclosing PHI for Fundraising Purposes and Using and Disclosing PHI for Marketing Communications).

The University will enter into business associate agreements with outside parties as required by federal law when the outside party performs business associate functions related to the University health care component's provision of health care services (see Administrative Procedure: Disclosing PHI to Business Associates).

University health care components may create, use or disclose limited data sets for public health, health care operations or research purposes (see Administrative Procedure: Creating and Disclosing a Limited Data Set). To the extent health care components de-identify health information consistent with federal requirements, the de-identified data is not subject to any other requirements of this policy (see Administrative Procedure: De-identifying Health Information).

University health care components will provide individuals with rights to access individual health information, request amendments to PHI, request restrictions on use and disclosure of PHI and receive an accounting of disclosures. (See Administrative Procedures: Accounting of Disclosures; Responding to Patient Requests for Restrictions on Use or Disclosure of PHI; Allowing Individuals Access to their Covered Records; and Reviewing Patient Requests to Amend Records).

Students who require access to individual health information while participating in training and educational programs will protect the information in accordance with the policies and procedures of the site at which they are participating and will not use, disclose or request individual health information in a manner that violates the policies and procedures of the University, the clinical site, or state and federal law.

Health care components will disclose PHI when requested and required by the Secretary of the Department of Health and Human Services ("Secretary") for compliance.

REASON FOR POLICY

  • To protect the privacy of individual health information in accordance with state and federal laws.
  • To assure that health care components comply with individuals' rights, including access to PHI, requests for amendments to PHI, receipt of an accounting of disclosures, requests for restrictions, and receipt of the Notice of Privacy Practices.
  • To assure compliance with all laws and regulations regarding the content, revision, retention, and distribution of the Notice of Privacy Practices.
  • To ensure compliance by University's designated health care components.

PROCEDURES

FORMS/INSTRUCTIONS

There are no forms related to this policy.

APPENDICES

There are no appendices related to this policy.

FREQUENTLY ASKED QUESTIONS

There is no FAQ related to this policy.

ADDITIONAL CONTACTS

Subject                           Contact            Phone          Fax/Email
Primary Contact(s)                                   612-626-5844
Policy                            Privacy Officer    612-624-7447
Procedural Questions              Privacy Officer    612-624-7447
Complaints                        Privacy Officer    612-624-7447
Training and Education Questions  Privacy Officer    612-624-7447

DEFINITIONS

Authorization
Document by which the individual agrees that certain PHI may be used or disclosed. Authorization is not required for purposes of treatment, payment or health care operations and certain other purposes as permitted by HIPAA.
Business Associate
With respect to a health care component, a person or entity not a part of the University who, on behalf of the health care component performs or assists in the performance of certain functions requiring use or disclosure of PHI. Members of the workforce of one University health care component who perform the business function for another University health care component are not business associates. See Administrative Procedure: Disclosing PHI to Business Associates.
Consent under Minnesota law
A consent to release individual health information for treatment, payment or health care operations is valid under Minnesota law if it is signed and dated by the individual or the individual's personal representative. The consent is effective for no more than one year, unless the individual specifically agrees to a longer period for current treatment, third party payment, fraud investigations or quality of care review. A consent that meets the requirements of Minnesota law is not sufficient to authorize a use or disclosure where written authorization is required by HIPAA.
Data Use Agreement
Written agreement between a health care component and a person requesting a disclosure of PHI contained in a limited data set. Data use agreements must meet the requirements of limited data set procedure.
De-identified Data
Data that does not identify an individual and reasonably cannot be used to identify an individual. Health information must be de-identified using Administrative Procedure: De-identifying Health Information.
Designated Records Set
A group of records that include PHI and are maintained, used, collected or disseminated by or for a health care component, namely the medical and billing records about individuals maintained by or for the health care component.
Disclosure
To release, transfer, provide access to, or divulge PHI outside the University health care component.
Fundraising
Activities undertaken for the purpose of raising funds for the benefit of the University or an institutionally related foundation.
Health Care
Care, services or supplies related to the health of an individual. Health care includes but is not limited to:
  • Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body.
  • Sale or dispensing of drugs, devices, equipment or other items in accordance with a prescription.
Health Care Component
Unit(s) of the University that provide health care or are part of the health plan and are designated by the University as health care components covered under HIPAA. These covered health care components include units that provide health care ("Provider Components") and the Health Plan of the University.
Health Care Operations
Any of the following activities of the covered entity to the extent that the activities are related to covered functions (i.e. those functions of a health care provider or health plan that make it a covered entity):
  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines where generalizable knowledge is not the primary purpose, population based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives, and related functions that do not include treatment;
  • Reviewing the competence or qualifications of health care professionals;
  • Evaluating practitioner and provider performance and health plan performance;
  • Conducting training programs in which students, trainees or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers;
  • Training of non-health care professionals;
  • Accreditation, certification, licensing, or credentialing activities;
  • Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
  • Underwriting, premium rating and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits, and transferring, securing or placing a contract of reinsurance;
  • Business planning and development, such as conducting cost-management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies;
  • Business management and general administrative activities, including but not limited to:
    • Activities related to implementation and compliance with HIPAA;
    • Customer service, including provision of data analyses for policy holders, plan sponsors or other customers, provided that PHI is not disclosed to the policy holder, plan sponsor or customer;
    • Resolution of internal grievances;
    • The sale, transfer, merger or consolidation of all or part of the covered entity, or an entity that will become a covered entity, and due diligence related to such activity;
    • Creating de-identified data or a limited data set; and
    • Fundraising for the benefit of the health care component.
Health Care Provider
A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business and who transmits information in electronic form to carry out financial or administrative activities related to health care.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
A federal law related to the privacy of health information.
Health Plan Component
Designated health care component of the University that performs covered functions in the course of administering a group health plan, as defined in 45 C.F.R. §160.103, sponsored by the University.
Individual Health Information
Protected health information covered by HIPAA and health records protected under Minnesota state law.
Limited Data Set
A subset of individual health information that has had certain direct identifiers removed, but does contain other PHI that could potentially identify the individual, and is used for a specific research purpose, public health or health care operations purposes only. A limited data set is not considered de-identified data.
Marketing
The following types of communications are marketing activities:
  • An arrangement between a health care component and any other entity whereby the health care component discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service; or
  • A communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the activity meets one of the exclusions from the marketing definition. The categories of communications which are excluded from the definition of marketing when made by the health care component are communications about:
    • The individual's treatment;
    • Case management or care coordination for the individual, or directions or recommendations for alternative treatments, therapies, health care providers, or settings of care to the individual; or
    • Description of a health related product or service, or payment for the product or service that is provided by, or included in the health care component's plan of benefits.
Payment
Activities undertaken by a health plan to obtain premiums or to make coverage determinations, and activities undertaken by a provider or health plan to obtain or provide reimbursement.
Personal Representative
A person who has authority under state law to act on behalf of an individual to make decisions related to health care.
Privacy Coordinator
Person designated by each health care component and charged with carrying out the HIPAA compliance responsibilities for their respective health care component.
Privacy Officer
Person and associated office designated by the University to carry out and coordinate activities related to privacy and security of health information as required by HIPAA.
Protected Health Information (PHI)
Health information transmitted or maintained in any form or medium that:
  • Identifies or could be used to identify an individual;
  • Is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
  • Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
The following records are exempted from the definition of PHI:
  • Student records maintained by an educational institution;
  • Treatment records about post-secondary students meeting the requirements of 20 U.S.C. 1232(a)(4)(B)(iv); and
  • Employment records held by a covered entity in its role as employer.
Provider Component
Designated health care component of the University that provides health care to individuals.
Psychotherapy notes
Notes recorded by a mental health therapist in documenting or analyzing the contents of conversation during a counseling session that capture the therapist's impressions about the patient and contain details of the conversation. Psychotherapy notes are separated from the rest of the patient's medical record and used only by the provider who created the note.
The following information is not psychotherapy notes:
  • Medication prescription and monitoring;
  • Session start/stop times;
  • Modalities and frequency of treatment;
  • Results of clinical tests; and
  • Summaries of diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date.
Secretary
The Secretary of the Department of Health and Human Services or designee.
Security Officer
Person and associated office designated by the University to develop and implement policies and procedures and to carry out and coordinate activities related to privacy and security of health information as required by HIPAA.
Treatment
Provision, coordination, or management of health care and related services by one or more providers, including coordination and management of care by a provider with a third party, consultation between providers about a patient, or referrals.
Use
To employ, apply, utilize, examine or analyze PHI maintained within the health care component of the University.

RESPONSIBILITIES

Persons with Access Rights and Responsibilities
Certain members of the University community require access to individual health information in the course of carrying out their job role in a health care component of the University. Persons with access have a responsibility to understand their obligation to protect the privacy of individual health information that has been entrusted to them and are responsible for complying with all relevant University of Minnesota policies and procedures, as well as all current state and federal laws.
Persons with access are responsible for the following:
  • Comply with all University policies and procedures and state and federal laws related to privacy of individual health information.
  • Complete all required training on policies, procedures and state and federal laws related to privacy of individual health information.
  • Use or disclose individual health information only as permitted or required by the University or health care component policies and procedures or state and federal law.
  • Disclose only PHI that is minimally necessary for the purpose of the disclosure.
  • Access and use only PHI minimally necessary to carry out their job function.
  • Verify the identity and authority of persons to whom PHI is disclosed.
  • When performing duties for both a covered and a non-covered component, not use or disclose PHI created or received in the course of work for the health care component in a prohibited manner.
Consequences of Violations: Alleged policy violations will be referred to the appropriate University investigative or disciplinary units. Depending on the nature and severity of the offense, policy violations may result in loss of privileges, University disciplinary action, up to and including termination of student and/or employee status, and referral for criminal prosecution.
University Rights and Responsibilities
The University is responsible for taking measures to assure that the privacy of individual health information at the University's health care components is protected in accordance with all applicable state and federal laws. When the University becomes aware of prohibited uses or disclosures of individual health information, either through routine administration activities or from a complaint, it is the University's responsibility to investigate as needed and to take necessary actions to end and/or prevent the violation.
Health Care Components of the University may define additional conditions and procedures related to the privacy of individual health information. Such additional conditions and procedures must be consistent with this overall policy but may provide additional detail, guidelines, and/or restrictions.
Roles and Responsibilities for specific University entities and individuals are defined in greater detail below.
Vice President for Health Sciences
  • Require designation of a Privacy Coordinator for each health care component.
  • Designate and document the designation of a Privacy Officer to be responsible for the development and implementation of the policies and procedures of the University.
  • Designate and document the designation of a contact person or office to be responsible for receiving complaints related to privacy of PHI and who is able to provide further information about matters covered by the Notice of Privacy Practices.
  • Provide a procedure for individuals to make complaints concerning policies and procedures related to privacy of PHI, or its compliance with such policies and procedures.
  • Have in place the appropriate administrative, technical and physical safeguards to protect the privacy of PHI.
  • Ensure compliance of the University's designated health care components, including but not limited to ensuring compliance with required policies and procedures, enforcement and implementing the appropriate administrative, technical and physical safeguards to protect the privacy of PHI.
  • Assure that appropriate sanctions are imposed against members of the University's workforce and students who fail to comply with the University and health care component privacy policies and procedures and state and federal law.
Privacy Officer
  • Maintain ongoing communication with all Privacy Coordinators.
  • Implement training programs for workforce members in cooperation with the Privacy Coordinators.
  • Respond to complaints regarding University policies, procedures and practices related to the privacy and security of health information.
  • Document all complaints received and the disposition of any such complaints.
  • Respond to requests for further information regarding practices related to privacy of PHI.
  • Respond to or refer to the appropriate health care component requests by individuals for access, amendment, an accounting of disclosures or requested restrictions to the use and disclosure of the individual's PHI.
  • Develop policies and procedures related to privacy of PHI that are designed to comply with the applicable laws and require that the University's health care components do the same.
  • Change the University policies and procedures related to the privacy of health information as required to comply with changes to applicable laws, and document any changes prior to the effective date of such change.
Privacy Coordinator
  • Perform the role of liaison and maintain ongoing communication with the Privacy Officer.
  • Communicate with the Privacy Officer regarding privacy policies of the health care component and the monitoring of the policies.
  • Develop and maintain component policies consistent with this policy for protection of PHI in their health care component.
  • Oversee systems and procedures for protecting privacy of individual health information at the health care component.
  • Maintain all health care component policies and procedures related to privacy of individual health information in written or electronic form.
  • To assure knowledge of these policies, inform workforce members about the policies through various mechanisms, including staff meetings, orientation for new workforce members, and ongoing education.
  • Monitor health care component workforce training program.
  • Monitor process for identifying workforce members who require access.
  • Report to the Privacy Officer violations that result in an impermissible use or disclosure of PHI.
Security Officer
  • Maintain ongoing communication with all Privacy Coordinators and Contacts.
  • Implement training programs for workforce members.
  • Respond to complaints regarding University policies, procedures and practices related to the security of electronic protected health information (ePHI).
  • Document all complaints received and the disposition of any such complaints.
  • Respond to requests for further information regarding practices related to security of PHI.
  • Develop policies and procedures related to security of PHI that are designed to comply with the applicable laws.
  • Change the University policies and procedures related to the security of health information as required to comply with changes to applicable laws, and document any changes prior to the effective date of such change.
Health Care Components
  • Name a Privacy Coordinator for the health care component to perform the role of liaison with the Privacy Officer and to oversee activities related to privacy of individual health information at the component level, including development, implementation and enforcement of component level policies and procedures, monitoring practices in the health care component to safeguard privacy of PHI, and reporting information related to privacy of PHI at the health care component to the Privacy Officer.
  • Develop and implement appropriate administrative, technical and physical safeguards to protect the privacy of PHI at the health care component.
  • Identify workforce members who require access to PHI for the performance of their job role. Categorize the workforce roles based on the level of access minimally necessary to perform the job function and restrict access accordingly.
  • Identify members of its workforce who must complete the required training and take steps to ensure that such training appropriate for their job role is completed within a reasonable time.
  • Mitigate, to the extent practicable, any harmful effect that is known to the health care component of any unlawful use or disclosure of PHI or any use or disclosure in violation of the policies and procedures of the University, the health care component or state and federal law.
  • Ensure that all covered functions are kept distinct and separate from non-covered functions. A health care component must not disclose PHI to another (non-health care) component of the University in a manner that would be prohibited by HIPAA if the two units were separate legal entities.
  • Implement component policies and procedures related to privacy of PHI that are designed to comply with the state and federal laws, and in accordance with any applicable University policies and procedures.
  • Change health care component level policies and procedures as required to comply with changes to state and federal law, and document any changes prior to the effective date of such change.
  • Retain all required documentation related to the privacy of PHI for a period of no less than 6 years from the date of creation or the date when it was last in effect, whichever is later.
  • Define and document the designated records sets maintained by the health care components.
  • Designate and document the persons or offices responsible for receiving and processing requests for access, amendments, restrictions and accountings of disclosures at the health care components.
  • Make reasonable efforts to limit use, disclosure and requests for PHI to the minimum necessary to carry out the intended purpose of the use, disclosure or request wherever such standard is applicable.
  • Identify business associates of the health care components in accordance with the Disclosing to Business Associates procedure. Execute business associate agreements or include business associate provisions in all contracts where an identified business associate arrangement exists. Log all disclosures to business associates using the Accounting of Disclosures procedure.
  • Ensure that units of the University that provide business or professional services for or on behalf of the health care components do not use or disclose, in a prohibited manner, information created or received on behalf of the health care components.
  • Permit individuals to request, and accommodate all reasonable requests by individuals, to receive confidential communications of PHI from the provider by alternative means or at alternative locations.
  • Assure that Notice of Privacy Practices is provided as required.

RELATED INFORMATION

Related Policies:

State of Minnesota:

Federal:

HISTORY

Amended:
February 2010 - Updated policy and procedures to comply with HITECH regulations. Clarified third paragraph in Policy Statement. Updated Procedures: Disclosing PHI to Business Associates, Using and Disclosing PHI for Fundraising Purposes, Using and Disclosing PHI for Marketing Communications, Responding to Patient Requests for Restrictions on Use or Disclosure and Allowing Individuals Access to their Covered Records.
Amended:
September 2005 - Added Security Officer responsibilities to responsibilities section. Defined Security Officer in definitions section.
Amended:
April 2005 - In policy statement "privacy of individual health information" changed to "privacy and security of individual health information".
Effective:
April 2003

© 2013 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.
Last modified on November 4, 2013