University Of Maine System HIPPA
General Operating Policy #1
I. USES AND DISCLOSURES OF HEALTH INFORMATION
1. It is the policy of the University of Maine System that an individual’s identifiable protected health information may only be used within a Health Care Component or disclosed to entities outside the Health Care Component after notification to and/or with the express permission of the patient, except in cases of emergency or where specifically permitted or required by law. Access to information stored in any Campus file or depository, stored electronically, or that exists in any recording device or in any clinical or research data base, collectively hereafter referred to as "health record", is limited to those who have a valid business or medical need for the information or otherwise have a right to know the information. With the exception of purposes related to treatment and other limited exceptions, access to an individual’s protected health information must, to the extent practicable, be limited only to that necessary to accomplish the intended purpose of the approved use, disclosure or request. For the purposes of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), employment records and UM System student records subject to the Family Educational Rights and Privacy Act (FERPA) and UM System student medical records, are specifically excluded from the definition of "protected health information."
II. POLICY PURPOSE
1. The purpose of this policy is to assure that protected health information contained in any System Health Care Component (HCC) health record is only used or disclosed for its intended purpose in accordance with general and/or specific patient notifications and permissions, except where permitted or required by law.
III. POLICY STANDARDS
1. An individual’s protected health information may be used by a System HCC for treatment, payment, and healthcare operations (routine purposes), after a System HCC has provided to the individual its Notice of Privacy Practices and has made a good faith effort to obtain an acknowledgment of its receipt. The University will also provide the Notice to participants in the Health Care Advantage Account Plan and the System EAP. Additionally, a System HCC may use an individual’s protected health information for other (non-routine) purposes or may disclose an individual’s protected health information to external entities for non-routine purposes upon obtaining a valid authorization from the individual giving permission for that stated use or disclosure. Further, a System HCC may use and disclose an individual’s health information without prior permission or authorization where the health information has been sufficiently "de-identified" so as to hide the identity of the individual(s), is part of a limited "data set", or for other uses where allowed by statute. When authorization is required, this requirement to obtain authorization may only be waived by the specific System Campus Institutional Review Board (IRB).
2. Protected health information may be used or disclosed without a patient’s acknowledgment of or receipt of the Notice of Privacy Practices in the event of an emergency or where a communications barrier makes prior permission or notification impossible. System Campus health professionals may, at their discretion, use or disclose an individual’s protected health information without giving prior Notice of Privacy Practices when providing or obtaining such would compromise patient care.
3. From time to time, a System HCC may disclose protected health information to other entities for use by the recipient for treatment. Further, a System HCC may disclose protected health information to other entities to assist the recipient in obtaining payment and, under limited circumstances, may disclose identifiable health information to other entities for purposes associated with healthcare operations.
MINIMUM NECESSARY STANDARDS AND SECURITY
1. Health information may only be accessed, used or disclosed by authorized personnel. With the exception of the use and disclosure of health information directly related to treatment, to the individual, pursuant to an authorization, as required by law and for compliance purposes, and to the extent practicable, access to health information by University employees or other authorized personnel is restricted to the minimum necessary to execute their job responsibilities. It is the responsibility of each University department or administrative unit to identify those persons or classes of persons who are authorized to access, use or disclose health information and specifically to identify what health information they may have access to, and limit their access to that information.
2. Physical access to controlled areas and user accounts that provide access to protected health information are to be revoked upon the termination of an employee, student, or trainee or when others, such as contractors or vendors, no longer require access. All protected health information in the possession of these individuals or entities is to be returned to the System Campus or, in the alternative, an attestation must be received indicating that such information has been destroyed. If this is not possible due to the nature of an on-going research effort, a statement must be received by the System Campus attesting that the health information will remain confidential and safeguarded as long as it is in the possession of a third party.
V POLICY SANCTIONS
1. The unauthorized access to or unauthorized use or disclosure of protected health information that exists in any System HCC health record may subject the responsible employee, student, or trainee to disciplinary action up to and including termination from employment or suspension or expulsion from a student or trainee program. This extends to the unauthorized use or disclosure of health information that is overheard during the course of business or health information that is otherwise learned or secured by any System Campus employee, student or trainee by virtue of their employment or academic or training association with the System Campus.
2. System Campus department or administrative units that become aware of the unauthorized use or disclosure of protected health information that causes or reasonably could cause harm should immediately report the incident to the System Campus Privacy Official. To the extent practicable, the System Campus will attempt to minimize the known harmful effects and/or correct instances of harm.
VI TRAINING
1. All System Campus employees who may use, disclose, or have access to protected health information contained in any health record must, as a condition of continued employment, complete a System Campus sponsored training program that outlines employee responsibility and patient rights under the statutory privacy regulations contained in the Health Insurance Portability and Accountability Act (HIPAA). Additionally, all students or trainees who may use, disclose, or have access to any protected health information contained in any heath record must complete a System Campus training program of their obligations regarding patient rights under HIPAA.
VII BUSINESS ASSOCIATES
1. A System Campus will, from time to time, disclose protected health information to business associates who have been contracted with to provide services to the System Campus. Health information provided to a business associate must be made pursuant to an assurance that the business associate, and its sub-contractors, will use the information only for the purposes intended, will restrict access to information on a "need to know" basis only, and will otherwise take appropriate measures to safeguard the information in its possession. There must be a valid, signed business associate agreement in place before protected health information may be provided.
2. Except to the extent that patient care may be compromised, the use or disclosure of protected health information must comply with the System Campus approved and published Notice of Privacy Rights. In addition, except to the extent that patient care might be compromised, the use and disclosure of an individual’s protected health information must comply with any restrictions requested and subsequently agreed to by the System Campus.
VIII INDIVIDUAL RIGHTS
1. The University will not intimidate, threaten, coerce, discriminate against, or take retaliatory action against any individual for the exercise by the individual of any right under, or for participation by the individual in any process established under HIPAA regulations, including the filing of a complaint
2. The University will not require individuals to waive their rights to file complaints or other rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.