Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 1 - Uses and Disclosures of PHI: General Rules

 

Title: Permitted Uses and Disclosures
Policy: PRV-01.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(a), 164.510
Standard: Uses and Disclosures of PHI: General Rules
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify what OSU may use and disclose with regard to protected health information.

Policy

OSU is permitted to use or disclose PHI as follows:  §164.502(a)(1)

  1. To the Individual; §164.502(a)(1)(i)
  2. For Treatment, Payment, or Health Care Operations, as permitted by and in compliance with §164.506 Uses and Disclosures to carry out treatment, payment, or health care operations;  §164.502(a)(1)(ii)
  3. Incident to a use or disclosure otherwise permitted or required by the Privacy Rule, provided that OSU has complied with the applicable requirements of §§164.502(b) Minimum Necessary, 164.514(d) Minimum Necessary Requirements, and 164.530(c) Safeguards, with respect to such otherwise permitted or required use or disclosure;  §164.502(a)(1)(iii)
  4. Except for uses and disclosures prohibited under §164.502(a)(5)(i) Use and Disclosure of genetic information for underwriting purposes, pursuant to and in compliance with a valid authorization under §164.508 Uses and Disclosures for Which an Authorization is Required.  §164.502(a)(1)(iv)
  5. Pursuant to an agreement under, or as otherwise permitted by §164.510 Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object; and §164.502(a)(1)(v)
  6. As permitted by and in compliance with this section (§164.502), §164.512 Uses and Disclosures for Which an Authorization or opportunity to agree or object is not required, §164.514(e) Limited Data Set, (f) Uses and Disclosures for Fundraising, or (g) Uses and Disclosures for Underwriting and Related Purposes.  §164.502(a)(1)(vi)
Procedure
  1. Permitted uses and disclosures: 
    • PHI may be disclosed to the individual to whom the PHI applies
    • For treatment, payment or health care operations
    • As part of other permitted uses
    • In response to and in compliance with a valid authorization
    • In a facility directory as described in the Notice of Privacy Practices and 164.510
    • As described in 164.510 to a family member, close friend or other person identified by the patient
  2. OSU is required to disclose PHI:
    • To an individual when requested and when no other restrictions prohibit such disclosure as defined within these policies.
    • When required by the Secretary of HHS to investigate or determine OSU compliance with HIPAA policies.


Title: Required Disclosures
Policy: PRV-01.02
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(a)(2)
Standard: Uses and Disclosures of PHI: General Rules
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify when OSU is required to disclose protected health information.           

Policy

OSU is required to disclose PHI:  §164.502(a)(2)

  1. To an individual, when requested under and required by §164.524 Access of Individuals to protected health information or §164.528 Accounting of Disclosures of PHI; and  §164.502(a)(2)(i)
  2. When required by the Secretary under The Enforcement Rule to investigate or determine OSU’s Compliance with the Privacy Rule.  §164.502(a)(2)(ii)
Procedure

OSU will give access and disclose PHI that has been requested by an individual pursuant to the above.  The detailed steps have been outlined in the OSU policies regarding Access of Individuals to protected health information.

OSU will disclose necessary PHI to the Secretary of the Department of Health and Human Services as required by law or other rules, regulations, or court proceedings.



Title: Business Associates: Permitted and Required Uses and Disclosures
Policy: PRV-01.03
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(a)(3) & (4)
Standard: Uses and disclosures of protected health information: General rules
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify the permitted uses and disclosures of PHI by Business Associates.

Policy

A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e) Business Associate Contracts or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of the Privacy Rule, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.  §164.502(a)(3)

A business associate is required to disclose protected health information:  §164.502(a)(4)

  • (i) When required by the Secretary under the Enforcement Rule to investigate or determine the business associate's compliance with the Privacy Rule.  §164.502(a)(4)(i)
  • (ii) To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information.  §164.502(a)(4)(ii)
Procedure

OSU, when acting as a business associate, will not make, and will require of its business associates that they not make, other than as required by law, any use or disclosure not permitted by the Business Associate Contract.



Title: Prohibited Uses and Disclosures
Policy: PRV-01.04
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(a)(5)
Standard: Uses and disclosures of protected health information: General rules
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify the prohibited uses and disclosures of PHI.

Policy

The following are prohibited actions under §164.502(a)(5):

  • (1) Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of the Privacy Rule, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of this paragraph, underwriting purposes means, with respect to a health plan:  §164.502(a)(5)(i)
    • (A) Except as provided in paragraph (B) of this section:  §164.502(a)(5)(i)(A)
      • (1) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);  §164.502(a)(5)(i)(A)(1)
      • (2) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);  §164.502(a)(5)(i)(A)(2)
      • (3) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and  §164.502(a)(5)(i)(A)(3)
      • (4) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.  §164.502(a)(5)(i)(A)(4)
    • (B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.  §164.502(a)(5)(i)(B)
  • (2) Sale of protected health information: §164.502(a)(5)(ii)
    • (A) Except pursuant to and in compliance with § 164.508(a)(4), a covered entity or business associate may not sell protected health information.  §164.502(a)(5)(ii)(A)
    • (B) For purposes of this policy, sale of protected health information means:  §164.502(a)(5)(ii)(B)
      • (1) Except as provided in the following paragraphs of this section, a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.  §164.502(a)(5)(ii)(B)(1)
      • (2) Sale of protected health information does not include a disclosure of protected health information:  §164.502(a)(5)(ii)(B)(2)
        • (i) For public health purposes pursuant to § 164.512(b) Uses and Disclosures for Public Health Activities or § 164.514(e) Limited Data Set;  §164.502(a)(5)(ii)(B)(2)(i)
        • (ii) For research purposes pursuant to § 164.512(i) Uses and Disclosures for Research Purposes or § 164.514(e) Limited Data Set, where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;  §164.502(a)(5)(ii)(B)(2)(ii)
        • (iii) For treatment and payment purposes pursuant to § 164.506(a) Permitted Uses and Disclosures;  §164.502(a)(5)(ii)(B)(2)(iii)
        • (iv) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to § 164.506(a) Permitted Uses and Disclosures;  §164.502(a)(5)(ii)(B)(2)(iv)
        • (v) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to §§ 164.502(e) Disclosures to Business Associates and 164.504(e) Business Associate Contracts, and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities;  §164.502(a)(5)(ii)(B)(2)(v)
        • (vi) To an individual, when requested under § 164.524 Access of Individuals to protected health information or § 164.528 Accounting of Disclosures of PHI;  §164.502(a)(5)(ii)(B)(2)(vi)
        • (vii) Required by law as permitted under § 164.512(a) Uses and Disclosures Required by Law; and  §164.502(a)(5)(ii)(B)(2)(vii)
        • (viii) For any other purpose permitted by and in accordance with the applicable requirements of  the Privacy Rule, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.  §164.502(a)(5)(ii)(B)(2)(viii)
Procedure

OSU will not use any PHI, including the Use and Disclosure of Genetic Information for underwriting purposes, nor will OSU sell PHI in any way that is prohibited by law.



Title: Minimum Necessary
Policy: PRV-01.05
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(b)
Standard: Minimum Necessary
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify what the Minimum Necessary is and when it applies.

Policy

When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, OSU  must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.  §164.502(b)

  • (2) Minimum necessary does not apply. This requirement does not apply to:  §164.502(b)(2)
    • (i) Disclosures to or requests by a health care provider for treatment;  §164.502(b)(2)(i)
    • (ii) Uses or disclosures made to the individual, as permitted under the General Rules of this section or as required by the Required Disclosures section PRV-01.02;  §164.502(b)(2)(ii)
    • (iii) Uses or disclosures made pursuant to an authorization under § 164.508 Uses and Disclosures for Which an Authorization is Required;  §164.502(b)(2)(iii)
    • (iv) Disclosures made to the Secretary in accordance with the Enforcement Rule;  §164.502(b)(2)(iv)
    • (v) Uses or disclosures that are required by law, as described by § 164.512(a) Uses and Disclosures Required by Law; and  §164.502(b)(2)(v)
    • (vi) Uses or disclosures that are required for compliance with applicable requirements of  the Privacy Rule.  §164.502(b)(2)(vi)
Procedure

OSU, its employees, agents, or any other person acting for or on behalf of OSU shall use, within reason, the Minimum Necessary information to accomplish the intended purpose of the use, disclosure or request when PHI is involved.

Employees will be trained to use the Minimum Necessary in the required yearly training.

Employees of OSU who abuse this and use more than necessary to accomplish the intended purpose will face sanctions.

OSU employees are to use the Minimum Necessary information when emailing other employees about a patient, as long as the intended purpose falls within Treatment, Payment or Operations.  Emails containing PHI should not be sent outside of TPO. 

Emails sent to patients are to be sent securely, unless the patient requests that the email be sent unsecured.  If the patient requests that emails be sent unsecured, the employee should document such a request in the patient’s chart.

Reference

PRV-07.03 Minimum Necessary Uses of Protected Health Information



Title: Uses and Disclosures of PHI subject to an agreed upon restriction
Policy: PRV-01.06
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(c)
Standard: Uses and Disclosures of PHI subject to an agreed upon restriction
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose
To establish that OSU must adhere to restrictions on Use and Disclosure.
Policy

If OSU has agreed to a restriction pursuant to §164.522(a)(1) Right of an individual to request restriction of uses and disclosures, OSU may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in § 164.522(a) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations.

Procedure

If OSU has a restriction in place by an individual, OSU will not violate such a restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, OSU  may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.

Any violation of such a restriction would be considered an inappropriate disclosure, and breach notification policies would then need to be followed.

Reference
Right of an individual to request restriction of uses and disclosures Policy


Title: Uses and Disclosures to Create De-Identified Information
Policy: PRV-01.07
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(d)(1)
Standard: Uses and Disclosures of de-identified protected health information.
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To establish that OSU may use or disclose de-identified PHI.

Policy

OSU may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by OSU.  §164.502(d)(1)

Procedure

Once proper de-identification standards have been met, OSU may use or disclose such information to a business associate, whether or not OSU would use such de-identified information.

Reference

Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule – Office for Civil Rights 9/4/2012



Title: Uses and Disclosures of De-Identified Information
Policy: PRV-01.08
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(d)(2)
Standard: Uses and Disclosures of de-identified protected health information.
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose
To establish that OSU may use or disclose de-identified PHI.
Policy

Health information that meets the standard and implementation specifications for de-identification under § 164.514(a) De-Identification of PHI and (b) Uses and Disclosures for Public Health Activities is considered not to be individually identifiable health information, i.e., de-identified.  The requirements of the Privacy Rule do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514 Other Requirements Relating to Uses and Disclosures of PHI, provided that:  §164.502(d)(2)

  • (i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and  §164.502(d)(2)(i)
  • (ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by the Privacy Rule.  §164.502(d)(2)(ii)
Procedure

Once proper de-identification standards have been met, OSU may use or disclose such information, whether or not OSU would use such de-identified information.

Reference

Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule – Office for Civil Rights 9/4/2012



Title: Disclosures to Business Associates
Policy: PRV-01.09
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(e)(1)
Standard: Disclosures to Business Associates
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose
To identify the process of disclosing PHI to business associates.
Policy

OSU may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if OSU obtains satisfactory assurance that the business associate will appropriately safeguard the information. OSU is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.  §164.502(e)(1)(i)

A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.  §164.502(e)(1)(ii)
Procedure

OSU will have language in its Business Associate Agreements/Contracts that will allow for Business Associates to perform the various duties that have been requested by OSU and are in accordance with the above mentioned policy.



Title: Documentation
Policy: PRV-01.10
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(e)(2)
Standard: Disclosures to Business Associates
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify the documentation requirement for satisfactory assurances of compliance by business associates.

Policy

The satisfactory assurances required by policy PRV-01.09 must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e) Business Associate Contracts.  §164.502(e)(2)

Procedure

OSU will have language in its Business Associate Agreements/Contracts that will allow for Business Associates to perform the various duties that have been requested by OSU and to provide satisfactory assurances that they are in compliance with the law.



Title: Deceased Individuals
Policy: PRV-01.11
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(f) & (g)(4)
Standard: Deceased Individuals
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify how long OSU must comply with HIPAA with regard to deceased individuals.

Policy

OSU must comply with the requirements of the Privacy Rule with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.  §164.502(f)

If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, OSU must treat such person as a personal representative under the Privacy Rule, with respect to protected health information relevant to such personal representation.  §164.502(g)(4)

Procedure

OSU will keep all decedent patient protected health information private and secure in accordance with the Privacy Rule for 50 years past the date of death.

If an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, OSU will recognize that individual as a personal representative of the deceased.

OSU staff should make every reasonable effort to obtain assurance that the individual is indeed a personal representative.

If the deceased has made known, through surviving documentation, their wishes to not allow specified individuals access to the deceased’s medical information, OSU is obligated under HIPAA to honor such requests.

Reference

PRV-06.07 Uses and Disclosures about Decedents, Cadaveric Organ, Eye, or Tissue Donation Purposes



Title: Adults and Emancipated Minors
Policy: PRV-01.12
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(g)(1)
Standard: Personal Representatives
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

The purpose is to identify how and whom OSU must treat as a personal representative of the individual patient.

Policy

If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, OSU must treat such person as a personal representative under the Privacy Rule, with respect to protected health information relevant to such personal representation.  §164.502(g)(2)

Procedure
  1. OSU will make all efforts to obtain:
    1. Verbal confirmation from the patient when possible that the individual in question is a personal representative of the patient; or
    2. Written confirmation from the patient when possible that the individual in question is a personal representative of the patient.
  2. If the patient is unable to confirm in step 1, such as when the patient is physically or mentally unable to do so, unconscious, or in an emergent situation, and is an adult or emancipated minor, OSU faculty and staff will question the possible personal representative in a friendly manner as if they were the patient, allowing all health care decisions to be made by the personal representative.
  3. OSU staff shall document in the patient’s chart the name and relation of all known personal representatives.


Title: Unemancipated Minors
Policy: PRV-01.13
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(g)(3)(i)
Standard: Personal Representatives
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

The purpose is to identify how and whom OSU must treat as a personal representative of the individual patient.

Policy
  1. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, OSU must treat such person as a personal representative under the Privacy Rule, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:  §164.502(g)(3)(i)
    1. The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;  §164.502(g)(3)(i)(A)
    2. The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or  §164.502(g)(3)(i)(B)
    3. A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider (OSU) and the minor with respect to such health care service.  §164.502(g)(3)(i)(C)
  2. Notwithstanding the provisions of the first paragraph of this policy:  §164.502(g)(3)(ii)
    1. If, and to the extent, permitted or required by an applicable provision of State or other law, including applicable case law, OSU may disclose, or provide access in accordance with § 164.524 Access of Individuals to protected health information to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;  §164.502(g)(3)(ii)(A)
    2. If, and to the extent, prohibited by an applicable provision of State or other law, including applicable case law, a covered entity may not disclose, or provide access in accordance with § 164.524 Access of Individuals to protected health information to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis; and  §164.502(g)(3)(ii)(B)
    3. Where the parent, guardian, or other person acting in loco parentis, is not the personal representative under this policy or PRV-01.12 Adults and Emancipated Minors, and where there is no applicable access provision under State or other law, including case law, a covered entity may provide or deny access under § 164.524 Access of Individuals to protected health information to a parent, guardian, or other person acting in loco parentis, if such action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional, in the exercise of professional judgment.  §164.502(g)(3)(ii)(C)
Procedure
  1. OSU staff will follow the above policy.
  2. OSU staff will make every effort to obtain parent or guardian consent where applicable.
  3. If no parent or guardian is available for consent, and no one else meets the qualifications listed in the above policy section, OSU will use the unemancipated minor’s decisions in relation to health care services.
  4. With regard to a personal representative of an unemancipated minor, OSU will make all efforts to obtain:
    1. Verbal confirmation from the patient when possible that the individual in question is a personal representative of the patient; or
    2. Written confirmation from the patient when possible that the individual in question is a personal representative of the patient.
  5. If the patient is unable to confirm in step 4, such as when the patient is physically or mentally unable to do so, unconscious, or in an emergent situation, and is an unemancipated minor, OSU faculty and staff will question the possible personal representative in a friendly manner as if they were the patient, allowing all health care decisions to be made by the personal representative.
  6. OSU staff shall document in the patient’s chart the name and relation of all known personal representatives.


Title: Abuse, Neglect, Endangerment Situations
Policy: PRV-01.14
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(g)(5)
Standard: Personal Representatives
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify how OSU will handle situations that arise out of Abuse, Neglect, or Endangerment Situations and PHI.

Policy

Notwithstanding a State law or any requirement of this policy to the contrary, OSU may elect not to treat a person as the personal representative of an individual if:  §164.502(g)(5)

  1. OSU has a reasonable belief that:  §164.502(g)(5)(i)
    1. The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or  §164.502(g)(5)(i)(A)
    2. Treating such person as the personal representative could endanger the individual; and §164.502(g)(5)(i)(B)
  2. OSU, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.  §164.502(g)(5)(ii)
Procedure

If a physician or other agent of OSU feels that the patient may be subject to Abuse, Neglect or Endangerment Situations due to the individual purporting to be a personal representative of the patient, OSU is under NO obligation to treat the individual as such.

Under the direction of the attending physician, Staff should assist the attending physician in treatment of the patient without the individual who is suspected of Abuse, Neglect or Endangerment Situations present.

The attending physician is obligated to report any such cases to the Oklahoma Department of Human Services and any other required agency to which one would report such occurrences without delay.



Title: Uses and Disclosures Consistent With Notice
Policy: PRV-01.15
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.502(i)
Standard: Uses and Disclosures Consistent With Notice
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose
To establish that OSU will not use or disclose information in a manner that is not consistent with the Notice of Privacy Practices.
Policy

OSU is required by § 164.520 Notice of Privacy Practices for PHI to have a notice and may not use or disclose protected health information in a manner inconsistent with such notice. OSU is required by § 164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in § 164.520(b)(1)(iii)(A)-(C), and may not use or disclose protected health information for such activities unless the required statement is included in the notice.  §164.502(i)

Procedure
  1. OSU will maintain a current Notice of Privacy Practices as required by §164.520.
  2. OSU will not use or disclose protected health information in any manner that would violate the notice.
  3. Any use or disclosure of PHI that violates said notice would be considered an inappropriate use/disclosure and the breach notification rule would then be addressed.
Reference

Notice of Privacy Practices



Title: Disclosures by Whistleblowers Policy: PRV-01.16
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section: 164.502(j)(1)
Standard: Disclosures by Whistleblowers and Workforce Member Crime Victims Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose
To identify what constitutes a disclosure in relation to whistleblowers.
Policy

OSU is not considered to have violated the requirements of the Privacy Rule if a member of its workforce or a business associate discloses protected health information, provided that:  §164.502(j)(1)

  1. The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and  §164.502(j)(1)(i)
  2. The disclosure is to:
    1. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of OSU or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by OSU; or  §164.502(j)(1)(i)(A)
    2. An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph 1 (one) of this section.  §164.502(j)(1)(i)(B)
Procedure

Any disclosures made by whistleblowers that meet the above criteria are not considered inappropriate and are therefore deemed legal.

Any disclosures made by whistleblowers that do not meet the above criteria will be deemed inappropriate, and breach notification policies will then be followed.

OSU does not tolerate retaliation in any form. OSU and its agents will not retaliate against any employee or other individual that is deemed a Whistleblower.
Any such retaliation will be dealt with according to the Sanctions Policy and any legal means necessary.

Reference

SEC-01.03 Sanctions Policy



Title: Disclosures by Workforce Members Who Are Victims of a Crime Policy: PRV-01.17
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section: 164.502(j)(2)
Standard: Disclosures by Whistleblowers and Workforce Member Crime Victims Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify what constitutes a disclosure in relation to workforce members who are victims of a crime.

Policy
  1. OSU is not considered to have violated the requirements of the Privacy Rule if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that:  §164.502(j)(2)
    • The protected health information disclosed is about the suspected perpetrator of the criminal act; and  §164.502(j)(2)(i)
    • The protected health information disclosed is limited to the information listed in § 164.512(f)(2)(i) Limited Information for Identification and Location Purposes.  §164.502(j)(2)(ii)
Procedure

OSU will address every disclosure with law enforcement individually to ensure the disclosure is part of a criminal investigation or to avert a serious or harmful threat to others.

OSU will only disclose the limited information as set forth by §164.512(f)(2)(i), which is:

  • Name and Address
  • Date and Place of Birth
  • Social Security Number
  • ABO Blood Type and Rh Factor
  • Type of Injury
  • Date and Time of Treatment
  • Date and time of death, if applicable
  • A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

OSU will not disclose anything not listed above.
Any disclosure of protected health information not listed above will be considered an inappropriate disclosure and the breach notification rules would then apply.

Reference

SEC-01.03 Sanctions Policy



Title: Use/Disclosure In Social Media Policy: PRV-01.18
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section: 164.502(a)(5)
Standard: Prohibited Uses and Disclosures Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose
To ensure PHI is not used or disclosed in a social media setting.
Policy

OSU and its employees will NOT use social media with ANY patient information including but not limited to demographic, health, and financial information for any reason.

Procedure
  1. Social media is defined as web-based and mobile-based technologies which are used to turn communication into interactive dialogue between organizations, communities, and individuals that allow the creation and exchange of user-generated content.
  2. Examples of social media include, but are not limited to:
    1. Facebook, Twitter, YouTube, Flickr, WordPress, blogs, LinkedIn, podcasts, etc.
  3. Patients of OSU have the right to use social media for their own personal information within the confines of an OSU facility, as long as it does not infringe on the rights of any other patient or employee.
  4. Employees who violate this policy will be subject to sanctions.
Reference

SEC-01.03 Sanctions Policy

