Printed on: 02/21/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.

ADMINISTRATIVE POLICY

Protected Health Information

Responsible University Officer(s):

  • Vice President, Academic Health Center

Policy Owner(s):

  • Chief Health Information Compliance Officer

Policy contact(s):

Date Revised:

January 2016

Effective Date:

January 2016

POLICY STATEMENT

The University is committed to handling Protected Health Information (PHI) in compliance with all applicable laws and regulations, including but not limited to HIPAA, HITECH, and Minnesota law (collectively “Health Information Privacy Laws”).  This policy applies to all University employees, trainees, students and volunteers who are affiliated with a unit of the University that:

  • handles PHI in its role as a Health Care Provider or Health Plan,
  • supports a unit at the University that operates as a Health Care Provider or Health Plan and needs access to PHI to provide that support, or
  • has entered into a Business Associate Agreement or sub-contractor Business Associate Agreement, or otherwise handles PHI on behalf of an organization other than the University.   

This policy addresses administrative requirements, breaches, Business Associates, fundraising, individual rights, information security, research, sanctions for violations of this or other University policies and procedures concerning PHI, and training.  Units at the University that handle or access PHI may implement additional policies, procedures and guidelines concerning PHI, provided they do not conflict with this policy.

Administrative Requirements

To comply with the requirements of the Health Information Privacy Laws and to secure PHI appropriately, the University must:

  • maintain policies and procedures designed to comply with Health Information Privacy Laws;
  • designate a Chief Health Information Compliance Officer/HIPAA Privacy Officer to develop and implement such policies and procedures;
  • establish and maintain appropriate administrative, technical and physical safeguards to protect the privacy of PHI, which safeguards will be established and maintained by the Chief Health Information Compliance Officer/HIPAA Privacy Officer in collaboration with the Chief Information Security Officer/HIPAA Security Officer and others;
  • maintain documentation of its status under HIPAA as a "Hybrid Entity," which documentation will be maintained on the University Health Information Privacy and Compliance Office website; and 
  • maintain all documentation required by Health Information Privacy Laws for not less than 6 years.

Breaches

Members of the University community who know of or suspect any acquisition, access, use or disclosure of PHI not authorized by the Individual whose PHI is involved, or not otherwise specifically authorized by law (a “Breach”) must report the Breach to the Health Information Privacy and Compliance Office.  Reports of Breaches or suspected Breaches can be made anonymously, by phone or by email as outlined on the Health Information Privacy and Compliance Office website. Breaches of PHI in any form, whether electronic, paper, verbal or other media, must be reported.

The Health Information Privacy and Compliance Office will coordinate an investigation of any reported Breach and assess whether notification regarding the Breach must be provided to the Individual whose PHI has been breached, the federal department of Health and Human Services, and the media, all in accordance with the requirements of Health Information Privacy Laws.

Business Associates

Units must enter into a Business Associate Agreement with any vendor that: (i) provides data transmission services to the University with respect to PHI and requires access on a routine basis to such PHI; or (ii) will create, receive, maintain or transmit PHI on behalf of the University. The University form of Business Associate Agreement is maintained in the Contracts Library. It must be signed on behalf of the University by a representative of the unit retaining the vendor, as well as by the University’s Chief Health Information Compliance Officer. If a unit does not use the form of Business Associate Agreement maintained in the Contracts Library, the alternate form of Business Associate Agreement must be reviewed and approved by the Health Information Privacy and Compliance Office prior to execution of the alternate form. Any form of Business Associate Agreement, including the University form maintained in the Contracts Library, must be signed in connection with an underlying services agreement or other form of agreement with the vendor.

Fundraising

The University of Minnesota Foundation in its capacity as an Institutionally Related Foundation may perform fundraising activities on behalf of University health care facilities, including M Health.  In connection with its fundraising activities, the University of Minnesota Foundation is permitted to use certain demographic information of Individuals who receive treatment at University health care facilities in accordance with Health Information Privacy Laws and other applicable laws and regulations and as approved by the University Health Information Privacy and Compliance Office. All fundraising appeals made directly to Individuals must include information on how Individuals may opt out of future fundraising. 

Any other organizations performing fundraising activities on behalf of University health care facilities must first enter into a services agreement and Business Associate Agreement with the University. The Business Associate Agreement must meet the requirements of this policy concerning Business Associates.

Individual Rights

Patients of Health Care Providers and beneficiaries of Health Plans at the University:

  • must receive a Notice of Privacy Practices in a form and manner approved by the Health Information Privacy and Compliance Office;
  • must be permitted access to their records upon request;
  • must be permitted to request amendments to their records, which requests must be reviewed on a timely basis and amendments made as appropriate; and
  • must be permitted to request restrictions on the use or disclosure of their records, and all reasonable requests must be accommodated.

Use and disclosure of an Individual’s PHI must be limited to those uses and disclosures that are authorized by the Individual in a form and manner approved by the Health Information Privacy and Compliance Office, or are otherwise authorized or permitted by Health Information Privacy Laws.  Use of PHI for marketing purposes must be approved in advance by the Health Information Privacy and Compliance Office.

Disclosures of PHI for purposes other than treatment, payment or health care operations that are not authorized by the Individual in writing or are not otherwise exempt from an accounting pursuant to Health Information Privacy Laws must be noted in the Individual’s record, and an accounting of such disclosures must be made available to the Individual upon request.

Information Security

PHI is classified at the highest level of data security for the University, Private Highly Restricted, in accordance with Administrative Policy: Data Security Classification and related Appendix. PHI must be handled in accordance with the highest security level identified in the appendices of Administrative Policy: Information Security, and such other policies, procedures, standards and guidelines as may be developed for the handling of PHI by the University. Units that handle PHI may be required to participate in information security risk assessments from time to time as required by Administrative Policy: Information Security Risk Management.

Release and disclosure of PHI by the Individual or by organizations other than the University, such as the media, does not change the data security classification of such PHI for the University, nor does it allow such PHI to be handled in any manner other than as set forth in this policy or other applicable University policies and procedures or Health Information Privacy Laws.

Research

All University research involving PHI must comply with Health Information Privacy Laws and University policies, including Institutional Review Board (IRB) Policies. Use of PHI for research purposes is generally permitted where one of the following conditions is met:

  • the Individual whose PHI will be used has signed an authorization form permitting the use of the PHI for research purposes.  The authorization must be in a form approved by the IRB.  
  • the IRB has approved an alteration to or waiver of Individual authorization for use of PHI, as set forth in IRB Policies.
  • the PHI is of decedents, is necessary for the research purposes, and is solely for research on the PHI of the decedents.
  • the PHI is sought solely to prepare a research protocol or for similar purposes preparatory to research, the PHI will not be removed by the researcher in the course of the review, and the PHI is necessary for the research purposes.
  • the PHI is a Limited Data Set and is subject to the University’s form of Data Use Agreement (available on the IRB website) or another form of Data Use Agreement approved by the Health Information Privacy and Compliance Office.  Requirements for the creation of a Limited Data Set can be found on the Health Information Privacy and Compliance website.
  • the PHI is de-identified in accordance with HIPAA requirements.  Requirements for the de-identification of PHI can be found on the Health Information Privacy and Compliance website.

Requests for the use of University of Minnesota Health data for research must be directed through the Clinical and Translational Science Institute’s data access and informatics consulting group (CTSI).  Where the University is releasing PHI for research purposes and the release is pursuant to an IRB approval of a waiver of Individual authorization rather than authorization by the Individual, and the release is not part of a Limited Data Set subject to a Data Use Agreement, then the unit releasing the information must document the release so that it can provide an accounting of disclosures to the Individual whose information was released, in the event the Individual requests such an accounting.  The information that must be documented includes the date the information was released, to whom the information was released, a description of the information released and the reason for the release.  This information must be maintained for not less than six years from the date of the release of the information.

Sanctions for Violations

Any University employee, trainee, student or volunteer who violates this policy, any other University policies or procedures concerning PHI, or any federal or state law related to PHI, may be sanctioned.  Sanctions for employees and trainees may include additional training, curtailing or otherwise altering job responsibilities, or other disciplinary action up to and including termination of employment.  Sanctions for students may include additional training, or suspension or termination of enrollment in academic programs.  Sanctions for volunteers may include additional training, or termination of volunteer participation in any University program or event.

In order to determine appropriate sanctions for employees and trainees, the appointing authority of the employee or trainee will consult with the Vice President and/or Dean (or the designee of the Vice President and/or Dean) of the employee or trainee, the Health Information Privacy and Compliance Office and the Office of Human Resources. Appropriate sanctions for violations by students and volunteers will be determined by the Dean (or  designee) of the applicable school in consultation with the Health Information Privacy and Compliance Office.  Factors to be considered in determining the appropriate sanctions include the person’s intent with respect to the violation, severity of the violation, history of any other violations, applicable processes for the specific employment category for employees and/or trainees, and whether any other organization is responding to the same violation by the same person (e.g., University of Minnesota Health, University of Minnesota Foundation).

A person reporting a violation by any other person will not be retaliated against for such report.

Training

Training regarding PHI and policies and procedures applicable to PHI must be provided to:  (i) all employees, including student employees and trainees, of the units that comprise the Hybrid Entity; (ii) all students in the schools that comprise the Hybrid Entity; (iii) any volunteers that will be handling PHI or may have access to PHI on a regular basis; and (iv) anyone else that may be considered part of the University’s “work force” and is handling PHI. Training may also be provided to other units that handle sensitive health information or enter into Business Associate agreements.

Employees must be trained within a reasonable time after beginning employment with the University, or after transitioning to a new position within the Hybrid Entity. Students must be trained within a reasonable time after enrollment. Volunteers must be trained prior to engaging in activities with access to PHI. Failure to take training in a reasonable time may result in sanctions for employees and students, and termination of relationships with volunteers. Check with your supervisor or the Health Information Privacy and Compliance Office website for guidance on when you must complete training.

The University Health Information Privacy and Compliance Office is responsible for the development of training materials, delivery of training materials, and communications about the timing and frequency of training. Individual units may require their employees, students and/or volunteers to take additional training, and/or require that the training be taken more frequently than is communicated by the Health Information Privacy and Compliance Office.

REASON FOR POLICY

To implement Board of Regents Policy: Protection of Individual Health Information, to comply with applicable state and federal laws, and to provide for the appropriate handling of PHI.

PROCEDURES

FORMS/INSTRUCTIONS

APPENDICES

FREQUENTLY ASKED QUESTIONS

CONTACTS

SubjectContactPhoneFax/Email
Primary Contact(s) Lori J. Ketola 612-626-5844 ljketola@umn.edu
General Questions Health Information Privacy and Compliance Office 612-624-7447 privacy@umn.edu
PHI Breach Reporting Health Information Privacy and Compliance Office 612-624-7447 privacy@umn.edu
Information Security Brian Dahlin 612-625-1505 bdahlin@umn.edu

DEFINITIONS

Business Associate
A person (other than an employee or member of the work force of the Covered Entity) or organization who (i) on behalf of a Covered Entity, creates, receives, maintains or transmits PHI, or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to a Covered Entity and where the provision of the service involves the disclosure of PHI.
Business Associate Agreement
An agreement between a Covered Entity and a Business Associate, or between a Business Associate and a sub-contractor, that identifies the manner in which PHI is to be handled. 
Covered Entity
A Health Care Provider, Health Plan or a health care clearinghouse.
Covered Functions
Those functions of a Covered Entity the performance of which makes the entity a Health Plan, Health Care Provider, or health care clearinghouse.
Data Use Agreement
An agreement between a Covered Entity and a recipient of a Limited Data Set of the Covered Entity.  
Health Care Component
A component, unit, or department in a Hybrid Entity designated as part of the Hybrid Entity.
Health Care Provider
A person or organization providing health care to individual patients and transmitting health information in electronic form in accordance with federal standards to obtain payment for such health care services from insurers and others.
Health Information Privacy Laws
HIPAA, HITECH, Minnesota Health Records Act and other statutes, laws, rules and regulations applicable to the handling of individual health information.
Health Plan
A group health plan. HMO, health insurance issuer or any individual or group plan that provides or pays the cost of medical care.
HITECH
Health Information Technology for Economic and Clinical Health Act and its implementing regulations and any updates or amendments to the same.
HIPAA
Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and any updates or amendments to the same.
Hybrid Entity
A single legal entity that is a Covered Entity whose business activities include both covered and non-covered functions and has designated its Health Care Components in accordance with HIPAA.
Individual
The person who is the subject of PHI.
Institutionally Related Foundation
A foundation that qualifies as a nonprofit charitable foundation under section 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to a Covered Entity.
IRB
Institutional Review Board.
Limited Data Set
PHI that excludes numerous direct identifiers of Individuals and the Individuals’ relatives, employers and household members.  More information on the creation of Limited Data Sets can be found on the Health Information Privacy and Compliance website. 
Notice of Privacy Practices
A notice to Individuals from Health Plans and Health Care Providers that identifies the rights of Individuals with respect to their PHI.
Protected Health Information (PHI)
Information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Health Care Provider, Health Plan or health care clearinghouse, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (iii) is identifiable to an individual or there is a reasonable basis to believe can be used to identify an individual.  PHI specifically excludes information of Individuals who have been deceased for more than 50 years.

RESPONSIBILITIES

Health Information Privacy and Compliance Office
Develops and administers the University’s compliance programs and initiatives involving PHI.
HIPAA Steering Committee
Oversight committee that reviews and provides direction on issues brought by the Health Information Privacy and Compliance Office.  Chaired by the VP, Health Sciences with representation from OHR, OIC, OIT-Security, AHC-IS, OGC, OVPR and the IRB.
Unit Privacy and Compliance Officers
Perform duties at the unit level that align with the University’s compliance programs and initiatives; may develop more detailed policies and procedures applicable to a respective unit.
University employees, trainees, students and volunteers
Comply with the requirements of this policy, any applicable unit policies and procedures, and the Health Information Privacy Laws; report Breaches to the Health Information Privacy and Compliance Office.
VP, Health Sciences
Appoints the Chief Health Information Compliance Officer/HIPAA Privacy Officer; chairs the HIPAA Steering Committee.

RELATED INFORMATION

Board of Regents Policies

Administrative Policies and Appendices

Other Related Information 

HISTORY

Amended
New appendix and form added related to the use of text messages to communicate with research participants.
Effective
January 2016 - New Policy. 30 Day Review. 1. Consolidates information from three existing policies and 23 procedures, and provides better organization of the information. 2. Applies to units who enter into Business Associate agreements to handle PHI of organization other than the University. 3. Expands the language and sanctions associated with policy violations, which were based on modifications in the law and in the focus of the enforcement agency (HHS/Office of Civil Rights).
Document Feedback