Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 6 - Uses and Disclosures for Which an Authorization or opportunity to agree or object is not required

 

Title:Uses and Disclosures Required by Law Policy: PRV-06.01
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512
Standard:Uses and Disclosures Required by Law Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify when OSU must use or disclose information as required by the various laws.

Policy

OSU may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.  §164.512(a)(1)

OSU must meet the requirements described in policies regarding:

  • PRV-06.03 Disclosures about victims of Abuse, Neglect or Domestic Violence
  • PRV-06.05 Disclosures for Judicial and Administrative Proceedings
  • PRV-06.06 Disclosures for Law Enforcement

for uses or disclosures required by law.  §164.512(a)(2)

Procedure

OSU will only use or disclose information in regards to the above mentioned instances when it is permitted without patient authorization. 

Reference

PRV-06.03 Disclosures about victims of Abuse, Neglect or Domestic Violence
PRV-06.05 Disclosures for Judicial and Administrative Proceedings
PRV-06.06 Disclosures for Law Enforcement


top of page top

 

Title: Uses and Disclosures for Public Health Activities Policy: PRV-06.02
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(b)
Standard: Uses and Disclosures for Public Health Activities Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify when OSU must use or disclose information as required by public health activities.

Policy

Permitted Uses and Disclosures – OSU may use or disclose protected health information for the public health activities and purposes described in this paragraph to:  §164.512(b)(1)

  1. A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;  §164.512(b)(1)(i)
  2. A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;  §164.512(b)(1)(ii)
  3. A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:  §164.512(b)(1)(iii)
    1. To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;  §164.512(b)(1)(iii)(A)
    2. To track FDA-regulated products;  §164.512(b)(1)(iii)(B)
    3. To enable product recalls, repairs, or replacement, or look back (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of look back); or  §164.512(b)(1)(iii)(C)
    4. To conduct post marketing surveillance;  §164.512(b)(1)(iii)(D)
  4. A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if OSU or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or  §164.512(b)(1)(iv)
  5. An employer, about an individual who is a member of the workforce of the employer, if:  §164.512(b)(1)(v)
    1. The covered entity is a covered health care provider who provides health care to the individual at the request of the employer:  §164.512(b)(1)(v)(A)
      1. To conduct an evaluation relating to medical surveillance of the workplace; or  §164.512(b)(1)(v)(A)(1)
      2. To evaluate whether the individual has a work-related illness or injury;  §164.512(b)(1)(v)(A)(2)
    1. The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;  §164.512(b)(1)(v)(B)
    2. The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and  §164.512(b)(1)(v)(C)
    3. The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:  §164.512(b)(1)(v)(D)
      1. By giving a copy of the notice to the individual at the time the health care is provided; or  §164.512(b)(1)(v)(D)(1)
      2. If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.  §164.512(b)(1)(v)(D)(2)
  1. A school, about an individual who is a student or prospective student of the school, if:  §164.512(b)(1)(vi)
    1. The protected health information that is disclosed is limited to proof of immunization;  §164.512(b)(1)(vi)(A)
    2. The school is required by State or other law to have such proof of immunization prior to admitting the individual; and  §164.512(b)(1)(vi)(B)
    3. OSU obtains and documents the agreement to the disclosure from either: §164.512(b)(1)(vi)(C)
      1. A parent, guardian, or other person acting in loco parentis of the individual, if the individual is an unemancipated minor; or §164.512(b)(1)(vi)(C)(1)
      2. The individual, if the individual is an adult or emancipated minor.  §164.512(b)(1)(vi)(C)(2)
Procedure

OSU will report to the Oklahoma State Department of Health, Tulsa Health Department or other applicable public health authority of the events described in this policy.

OSU will report any communicable diseases without delay to the Oklahoma State Department of Health, Tulsa Health Department or other applicable public health authority.

Any work related injuries or treatments of such injuries may be to be disclosed to OSU officials for the purposes outlined in section 5 of this policy.  Such individuals include but are not limited to: Human Resources Personnel, Safety Officer, Campus Security/Police, and Administration.

OSU shall only disclose information about patients to school’s as outlined in section 6 above.  Any other disclosure outside of immunization information must have authorization.  Verbal and written communication is acceptable for such disclosure.

All OSU Student health records shall be kept separate from their individual, personal health records.  OSU Student health records, more specifically the immunization records shall only be disclosed for required purposes which includes but not limited to training, teaching, shadowing, and evaluation, to ensure the Student has received all applicable immunizations.


top of page top

 

Title: Disclosures About Victims of Abuse, Neglect or Domestic Violence Policy: PRV-06.03
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(c)
Standard: Disclosures About Victims of Abuse, Neglect or Domestic Violence Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify when OSU must disclose information as required for victims of abuse, neglect or domestic violence.

Policy

Permitted Disclosures - Except for reports of child abuse or neglect permitted by a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect, OSU may disclose protected health information about an individual whom OSU reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence:  §164.512(c)(1)

  1. To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;  §164.512(c)(1)(i)
  2. If the individual agrees to the disclosure; or  §164.512(c)(1)(ii)
  3. To the extent the disclosure is expressly authorized by statute or regulation and:  §164.512(c)(1)(iii)
    1. OSU in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or  §164.512(c)(1)(iii)(A)
    2. If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.  §164.512(c)(1)(iii)(B)

Informing the Individual – If OSU makes a disclosure permitted under the “Permitted Disclosures” section of this policy, then OSU must promptly inform the individual that such a report has been or will be made, except if:  §164.512(c)(2)

  1. OSU in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or  §164.512(c)(2)(i)
  2. OSU would be informing a personal representative, and OSU reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by OSU, in the exercise of professional judgment.  §164.512(c)(2)(ii)
Procedure

OSU will report any known or suspect instances of abuse, neglect or domestic violence to the appropriate authorities in the exercise of professional judgment.

All reports to the appropriate authorities will be made by the attending physician or by the clinic supervisor or other documented designee.

Upon report to the appropriate authorities, other than the exceptions as stated in sections 1 & 2 of Informing the Individual, the attending physician shall communicate to the individual, (verbal communication to the individual is permitted) however, the disclosure still must be documented in the patient’s medical record except where prohibited by law.


top of page top

 

 

Title: Uses and Disclosures for Health Oversight
Activities
Policy: PRV-06.04
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(d)
Standard: Uses and Disclosures for Health
Oversight Activities
Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify when OSU must disclose information as required for victims of abuse, neglect or domestic
violence.

Policy

Permitted Disclosures - OSU may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of: §164.512(d)(1)

  1. The health care system; §164.512(d)(1)(i)
  2. Government benefit programs for which health information is relevant to beneficiary eligibility; §164.512(d)(1)(ii)
  3. Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or §164.512(d)(1)(iii)
  4. Entities subject to civil rights laws for which health information is necessary for determining compliance. §164.512(d)(1)(iv)

Exception to Health Oversight Activities - For the purpose of the disclosures permitted by the above section of this policy, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to: §164.512(d)(2)

  1. The receipt of health care; §164.512(d)(2)(i)
  2. A claim for public benefits related to health; or §164.512(d)(2)(ii)
  3. Qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services. §164.512(d)(2)(iii)

Joint Activities or Investigations - Nothwithstanding the above Exception paragraph of this policy, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of this section. §164.512(d)(3)

Permitted Uses – If OSU is also is a health oversight agency, OSU may use protected health information for health oversight activities as permitted by this section. §164.512(d)(4)

Procedure

OSU may disclose the appropriate information to health oversight related activities as discussed above.

OSU is not a health oversight agency and therefore will only disclose information to appropriate oversight agencies.


top of page top

 

 

 

Title: Disclosures for Judicial and Administrative Proceedings Policy: PRV-06.05
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(e)
Standard: Disclosures for Judicial and Administrative Proceedings
Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify when OSU can disclose information in relation to Judicial and Administrative Proceedings   


Policy

Permitted Disclosures – OSU may disclose protected health information in the course of any judicial or administrative proceeding:  §164.512(e)(1)

  1. In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or  §164.512(e)(1)(i)
  2. In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:  §164.512(e)(1)(ii)
    1. OSU receives satisfactory assurance, as described in paragraph 3 of this policy, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or  §164.512(e)(1)(ii)(A)
    2. OSU receives satisfactory assurance, as described in paragraph 4 of this policy, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph 5 of this policy.  §164.512(e)(1)(ii)(B)
  3. For the purposes of paragraph 2a of this policy, OSU receives satisfactory assurances from a party seeking protected health information if OSU receives from such party a written statement and accompanying documentation demonstrating that:  §164.512(e)(1)(iii)
    1. The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);  §164.512(e)(1)(iii)(A)
    2. The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and  §164.512(e)(1)(iii)(B)
    3. The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:  §164.512(e)(1)(iii)(C)
      1. No objections were filed; or  §164.512(e)(1)(iii)(C)(1)
      2. All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.  §164.512(e)(1)(iii)(C)(2)
  1. Notwithstanding paragraph 2 of this policy, OSU may disclose protected health information in response to lawful process described in paragraph 2 of this policy without receiving satisfactory assurance under paragraph 2 a or b of this policy, if OSU makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph 3 of this policy or to seek a qualified protective order sufficient to meet the requirements of paragraph 5 of this policy.  §164.512(e)(1)(iv)
    1. The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or   §164.512(e)(1)(iv)(A)
    2. The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.  §164.512(e)(1)(iv)(B)
  2. For purposes of the Permitted Disclosures paragraph of this policy, a qualified protective order means, with respect to protected health information requested under paragraph 2 of this policy, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:  §164.512(e)(1)(v)
    1. Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and  §164.512(e)(1)(v)(A)
    2. Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.  §164.512(e)(1)(v)(B)
  3. Nothwithstanding paragraph 2 of this policy, OSU may disclose protected health information in response to lawful process described in paragraph 2 of this policy without receiving satisfactory assurance under paragraph 2 a or b of this policy, if OSU makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph 3 of this policy or to seek a qualified protective order sufficient to meet the requirements of paragraph 4 of this policy.  §164.512(e)(1)(vi)

Other Uses and Disclosures under this section - The provisions of this paragraph do not supersede other provisions of this policy that otherwise permit or restrict uses or disclosures of protected health information.  §164.512(e)(2)


Procedure

OSU shall disclose only the protected health information as requested in a court order, subpoena or other legal document we receive.

Any request for disclosure that is not accompanied by an order of the court or an administrative tribunal, OSU shall seek to obtain satisfactory assurances that all reasonable efforts have been made that the individual’s whose records are being requested have been properly notified or good faith attempt has been made to notify in writing the individual of such disclosure.

If OSU is unable to determine if a good faith effort or reasonable assurances have been made to obtain a written record of the individual, OSU shall seek to obtain written documentation from the individual.

If any OSU agent is unable to determine or obtain the aforementioned assurances have been made, the OSU agent shall contact the HIPAA Compliance Office for help.  If the HIPAA Compliance Office is unable to determine, the Compliance Office may seek advice from legal counsel.


top of page top

 

 

Title:Disclosures for Law Enforcement Purposes Policy: PRV-06.06
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(f)
Standard:Disclosures for Law Enforcement Purposes Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose
To identify when OSU can disclose information in relation to law enforcement purposes. 
Policy

OSU may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs 1 through 6 of this policy are met, as applicable.  §164.512(f)

1-Pursuant to process and as otherwise required by law. OSU may disclose protected health information:  §164.512(f)(1)

  1. As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to Uses and Disclosures for Public Health Activities or Disclosures about victims of Abuse, Neglect or Domestic Violence; or  §164.512(f)(1)(i)
  2. In compliance with and as limited by the relevant requirements of:  §164.512(f)(1)(ii)
    1. A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;  §164.512(f)(1)(ii)(A)
    2. A grand jury subpoena; or  §164.512(f)(1)(ii)(B)
    3. An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:  §164.512(f)(1)(ii)(C)
      1. The information sought is relevant and material to a legitimate law enforcement inquiry;  §164.512(f)(1)(ii)(C)(1)
      2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and  §164.512(f)(1)(ii)(C)(2)
      3. De-identified information could not reasonably be used.  §164.512(f)(1)(ii)(C)(3)

2-Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph 1 of this policy, OSU may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:  §164.512(f)(2)

  1. OSU may disclose only the following information:  §164.512(f)(2)(i)
    1. Name and address;  §164.512(f)(2)(i)(A)
    2. Date and place of birth;  §164.512(f)(2)(i)(B)
    3. Social security number;  §164.512(f)(2)(i)(C)
    4. ABO blood type and rh factor;  §164.512(f)(2)(i)(D)
    5. Type of injury;  §164.512(f)(2)(i)(E)
    6. Date and time of treatment;  §164.512(f)(2)(i)(F)
    7. Date and time of death, if applicable; and  §164.512(f)(2)(i)(G)
    8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.  §164.512(f)(2)(i)(H)
  2. Except as permitted by paragraph 2.1 of this policy, OSU may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.  §164.512(f)(2)(ii)

3-Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if:  §164.512(f)(3)

  1. The individual agrees to the disclosure; or  §164.512(f)(3)(i)
  2. The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that:  §164.512(f)(3)(ii)
    1. The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;  §164.512(f)(3)(ii)(A)
    2. The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and  §164.512(f)(3)(ii)(B)
    3. The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.  §164.512(f)(3)(ii)(C)

4-Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.  §164.512(f)(4)

5-Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.  §164.512(f)(5)

6-Reporting crime in emergencies. §164.512(f)(6)

  1. A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to:  §164.512(f)(6)(i)
    1. The commission and nature of a crime;  §164.512(f)(6)(i)(A)
    2. The location of such crime or of the victim(s) of such crime; and  §164.512(f)(6)(i)(B)
    3. The identity, description, and location of the perpetrator of such crime.  §164.512(f)(6)(i)(C)
  2. If a covered health care provider believes that the medical emergency described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, paragraph (f)(6)(i) of this section does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to paragraph (c) of this section.  §164.512(f)(6)(ii)
Procedure

OSU may use protected health information for its own purposes, including campus security/police as part of Health Care Operations as long as the minimum necessary is used.

Should the need for OSU to contact outside law enforcement officials, OSU shall adhere to the above policy and only disclose the minimum necessary standard according to the above.

Should any outside law enforcement agency contact OSU, alerting OSU to any possible or potential issues, OSU will make every reasonable effort to assist with law enforcement in any way possible, as long as it is permitted in this policy, or by other legal means, court order or subpoena.


top of page top

 

 

Title: Uses and Disclosures About Coroners and Medical Examiners, Funeral Directors, Cadaveric Organ, Eye or Tissue Donation Purposes Policy: PRV-06.07
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(g), (h)
Standard: Uses and Disclosures about Decedents Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose
To identify what may be used or disclosed in relation to deceased individuals.
Policy
  1. Coroners and Medical Examiners – OSU may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.  §164.512(g)(1)
  2. Funeral Directors – OSU may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, OSU may disclose the protected health information prior to, and in reasonable anticipation of, the individual's death.  §164.512(g)(2)
  3. Uses and Disclosures for Cadaveric Organ, Eye, or Tissue Donation Purposes – OSU may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.  §164.512(h)
Procedure

In accordance with OSU policy PRV-01.11 Deceased Individuals and this policy, OSU will only disclose authorized information or as required by law regarding deceased individuals.

If the deceased individual does not have any record or other documentation regarding organ, eye or tissue donation, OSU will not authorize or use any body part for transplants or any other function where no documentation is known to exist.

Reference

PRV-01.11 Deceased Individuals


top of page top

 

Title: Uses and Disclosures for Research Purposes-Permitted Uses and Disclosures Policy: PRV-06.08
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(i)
Standard:Uses and disclosures for research purposes Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose
To set forth Uses and Disclosures for Research Purposes.
Policy

OSU may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:  §164.512(i)(1)

  1. Board Approval of a Waiver of Authorization – OSU obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 Uses and Disclosures for Which an Authorization is Required for use or disclosure of protected health information has been approved by either:  §164.512(i)(1)(i)
    1. An Institutional Review Board (IRB), established in accordance with 7 CFR lc.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or  §164.512(i)(1)(i)(A)
    2. A privacy board that:  §164.512(i)(1)(i)(B)
      1. Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests;  §164.512(i)(1)(i)(B)(1)
      2. Includes at least one member who is not affiliated with OSU, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and  §164.512(i)(1)(i)(B)(2)
      3. Does not have any member participating in a review of any project in which the member has a conflict of interest.  §164.512(i)(1)(i)(B)(3)
  1. Reviews Preparatory to Research – OSU obtains from the researcher representations that:  §164.512(i)(1)(ii)
    1. Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;  §164.512(i)(1)(ii)(A)
    2. No protected health information is to be removed from OSU by the researcher in the course of the review; and  §164.512(i)(1)(ii)(B)
    3. The protected health information for which use or access is sought is necessary for the research purposes.  §164.512(i)(1)(ii)(C)
  2. Research on Decedents Information – OSU obtains from the researcher:  §164.512(i)(1)(iii)
    1. Representation that the use or disclosure sought is solely for research on the protected health information of decedents;  §164.512(i)(1)(iii)(A)
    2. Documentation, at the request of OSU, of the death of such individuals; and  §164.512(i)(1)(iii)(B)
    3. Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.  §164.512(i)(1)(iii)(C)
  3. Documentation of Waiver Approval - For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph 1 of this policy, the documentation must include all of the following:  §164.512(i)(2)
    1. Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved;  §164.512(i)(2)(i)
    2. Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:  §164.512(i)(2)(ii)
      1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;  §164.512(i)(2)(ii)(A)
        1. An adequate plan to protect the identifiers from improper use and disclosure;  §164.512(i)(2)(ii)(A)(1)
        2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and  §164.512(i)(2)(ii)(A)(2)
        3. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by the Privacy Rule;  §164.512(i)(2)(ii)(A)(3)
      2. The research could not practicably be conducted without the waiver or alteration; and  §164.512(i)(2)(ii)(B)
      3. The research could not practicably be conducted without access to and use of the protected health information.  §164.512(i)(2)(ii)(C)
  1. Protected Health Information Needed - A brief description of the protected health information for which use or access has been determined to be necessary by the institutional review board or privacy board, pursuant to paragraph 2c of this policy;  §164.512(i)(2)(iii)
  2. Review and Approval Procedures - A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:  §164.512(i)(2)(iv)
    1. An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110);  §164.512(i)(2)(iv)(A)
    2. A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (1)(b)(2) of this policy, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with the immediate following paragraph of this policy;  §164.512(i)(2)(iv)(B)
    3. A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and  §164.512(i)(2)(iv)(C)
  3. Required Signature - The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board, as applicable.  §164.512(i)(2)(v)
Procedure

The procedure for this policy will defer to the OSU-CHS Institutional Review Board Protection of Human Subjects Research Policy and Procedure Manual, maintained by the Research Department as long as those policies and procedures are updated on a regular basis.

Reference

IRB – Protection of Human Subjects Research Policy and Procedures Manual.


top of page top

 

 

Title: Uses and Disclosures to Avert a Serious Threat to Health or Safety Policy: PRV-06.09
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(j)
Standard: Uses and Disclosures to Avert a Serious Threat to Health or Safety Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To make known what options OSU has when an individual(s) potentially pose a serious threat to health or safety of themselves, or others.

Policy
  1. Permitted Disclosures – OSU may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if OSU, in good faith, believes the use or disclosure:  §164.512(j)(1)
      1. Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and  §164.512(j)(1)(i)(A)
      2. Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or  §164.512(j)(1)(i)(B)
  1. Is necessary for law enforcement authorities to identify or apprehend an individual:  §164.512(j)(1)(ii)
    1. Because of a statement by an individual admitting participation in a violent crime that OSU reasonably believes may have caused serious physical harm to the victim; or  §164.512(j)(1)(ii)(A)
    2. Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody, as those terms are defined in §164.501 Definitions.  §164.512(j)(1)(ii)(B)
  1. Use or Disclosure Not Permitted - A use or disclosure pursuant to paragraph (1)(a)(a) of this policy may not be made if the information described in paragraph (1)(a)(a) of this policy is learned by OSU:  §164.512(j)(2)
    1. In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (1)(a)(a) of this policy, or counseling or therapy; or  §164.512(j)(2)(i)
    2. Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (2)(a) of this policy.  §164.512(j)(2)(ii)
  2. Limit On Information That May Be Disclosed - A disclosure made pursuant to paragraph (1)(a)(a) of this policy shall contain only the statement described in paragraph (1)(a)(a) of this policy and the protected health information described below:  §164.512(j)(3)
    1. Name and address;  §164.512(f)(2)(i)(A)
    2. Date and place of birth;  §164.512(f)(2)(i)(B)
    3. Social security number;  §164.512(f)(2)(i)(C)
    4. ABO blood type and rh factor;  §164.512(f)(2)(i)(D)
    5. Type of injury;  §164.512(f)(2)(i)(E)
    6. Date and time of treatment;  §164.512(f)(2)(i)(F)
    7. Date and time of death, if applicable; and  §164.512(f)(2)(i)(G)
    8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.  §164.512(f)(2)(i)(H)
  3. Presumption of Good Faith Belief – If OSU uses or discloses protected health information pursuant to paragraph (1) of this Policy is presumed to have acted in good faith with regard to a belief described in paragraph (1)(i) or (1)(ii) of this policy, if the belief is based upon OSU’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.  §164.512(j)(4)
Procedure

When an OSU provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat.

OSU shall report to the proper authorities or law enforcement agencies, in accordance with the above policy, individuals who meet the standards listed above.  Such proper authorities or law enforcement officials include but are not limited to: Police, parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.
The OSU provider who suspects such danger, will use their best judgment in determining if an individual poses any such threat or danger in reliance on a credible representation by a person with apparent knowledge or authority.  The OSU provider may consult with other OSU providers, OSU legal counsel, Administration, and/or the Compliance Department in determining the best course of action.

The individual’s name and other identifying indicators shall not be used other than by the individual’s OSU physician when in the course of determining an appropriate course of action when consulting with other appropriate OSU agents.

The OSU provider who suspects possible danger or threats should not delay in seeking an appropriate course of action, and should make every effort to avert the threat upon due diligence of looking into the matter.

Reference

Letter to Nation’s Health Care Providers.  January 15, 2013 Office for Civil Rights, Department of Health & Human Services Director Leon Rodriguez


top of page top

 

 

Title: Uses and Disclosures for Specialized Government Functions Policy: PRV-06.10
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(k)
Standard: Uses and Disclosures for Specialized Government Functions Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify when OSU may use or disclose protected health information in regards to special Government and Military functions.

Policy
  1. Military and Veterans Activities – Armed Forces Personnel.  OSU may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information:  §164.512(k)(1)(i)
  1. Appropriate military command authorities; and  §164.512(k)(1)(i)(A)
  2. The purposes for which the protected health information may be used or disclosed.  §164.512(k)(1)(i)(B)
  1. Separation or Discharge from Military Service – A Covered Entity that is a component of the Departments of Defense or Homeland Security may disclose to the Department of Veterans Affairs (DVA) the protected health information of an individual who is a member of the Armed Forces upon the separation or discharge of the individual from military service for the purpose of a determination by DVA of the individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.  §164.512(k)(1)(ii)
  2. Veterans - A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs.  §164.512(k)(1)(iii)
  3. Foreign Military Personnel - A covered entity may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph 1 of this policy.  §164.512(k)(1)(iv)
  4. National Security and Intelligence Activities – OSU may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq. ) and implementing authority ( e.g., Executive Order 12333).  §164.512(k)(2)
  5. Protective Services for the President and Others – OSU may disclose protected health information to authorized Federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056 or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.  §164.512(k)(3)
  6. Medical Suitability Determinations - A covered entity that is a component of the Department of State may use protected health information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes:  §164.512(k)(4)
    1. For the purpose of a required security clearance conducted pursuant to Executive Orders 10450 and 12968;  §164.512(k)(4)(i)
    2. As necessary to determine worldwide availability or availability for mandatory service abroad under sections 101(a)(4) and 504 of the Foreign Service Act; or  §164.512(k)(4)(ii)
    3. For a family to accompany a Foreign Service member abroad, consistent with section 101(b)(5) and 904 of the Foreign Service Act.  §164.512(k)(4)(iii)
  7. Correctional Institutions and Other Law Enforcement Custodial Situations
  1. Permitted Disclosures.  OSU may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for:  §164.512(k)(5)(i)
    1. The provision of health care to such individuals;  §164.512(k)(5)(i)(A)
    2. The health and safety of such individual or other inmates;  §164.512(k)(5)(i)(B)
    3. The health and safety of the officers or employees of or others at the correctional institution;  §164.512(k)(5)(i)(C)
    4. The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another;  §164.512(k)(5)(i)(D)
    5. Law enforcement on the premises of the correctional institution; or  §164.512(k)(5)(i)(E)
    6. The administration and maintenance of the safety, security, and good order of the correctional institution.  §164.512(k)(5)(i)(F)
  1. Permitted Uses - A covered entity that is a correctional institution may use protected health information of individuals who are inmates for any purpose for which such protected health information may be disclosed.  §164.512(k)(5)(ii)
  2. No Application After Release - For the purposes of this provision, an individual is no longer an inmate when released on parole, probation, supervised release, or otherwise is no longer in lawful custody.  §164.512(k)(5)(iii)
  1. Covered Entities That Are Government Programs Providing Public Benefits
  1. A health plan that is a government program providing public benefits may disclose protected health information relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if the sharing of eligibility or enrollment information among such government agencies or the maintenance of such information in a single or combined data system accessible to all such government agencies is required or expressly authorized by statute or regulation.  §164.512(k)(6)(i)
  2. A covered entity that is a government agency administering a government program providing public benefits may disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs.  §164.512(k)(6)(ii)
Procedure

OSU does not act or currently have components in its health care organization that would qualify as:

  1. A component of the Departments of Defense or Homeland Security
  2. A component of the Department of Veterans Affairs
  3. A component of the Department of State
  4. A Health Plan

Any need to use or disclose protected health information under the above 4 categories for purposes of this policy do not apply to OSU and its health care components.  Should at any time OSU and any of its components qualify or considered to be categorized under any or all of the 4 above mentioned components, this policy would then immediately apply.

Sections 1, 4, 5, 6, and 8 Apply to all health care components of OSU at all times.  All uses and disclosures will follow the above policy in regards to Federal Government, Armed Forces or Correctional Institutions and Inmates.


top of page top

 

 

Title:Disclosures for Workers’ Compensation Policy: PRV-06.11
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.512(I)
Standard: Disclosures for Workers’ Compensation Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify when it is appropriate to disclose protected health information for Workers’ Compensation purposes.

Policy

OSU may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.  §164.512(l)

Procedure

OSU will only disclose such information deemed necessary to meet its obligations under all applicable workers’ compensation laws and regulations and for all OSU applicable policies and procedures related to workers’ compensation.

All employee’s workers’ compensation information will only be used and disclosed by those authorized OSU agents who have access to such information.

Any employee inappropriately accessing workers’ compensation information will be violating this policy, as well as SEC-03.02 Access Authorization.


top of page top

 

 

 

 

OSU-CHS on Facebook OSU-CHS on Twitter OSU Medicine on You Tube