Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 7 - Other Requirements Relating to Uses and Disclosures of PHI

 

Title: Requirements for De-Identification of Protected Health Information
Policy: PRV-07.01
Category: HIPAA Compliance
Authority: 45 CFR § 164.514(a)
Standard: De-Identification of Protected Health Information
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish what requirements OSU must follow in regards to De-Identification of protected health information.

Policy

Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.  §164.514(a)

OSU may determine that health information is not individually identifiable health information only if:  §164.514(b)

  1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:  §164.514(b)(1)
    • Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and  §164.514(b)(1)(i)
    • Documents the methods and results of the analysis that justify such determination; or  §164.514(b)(1)(ii)
  2. The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:  §164.514(b)(2)(i)
    • Names  §164.514(b)(2)(i)(A)
    • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:  §164.514(b)(2)(i)(B)
      • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and  §164.514(b)(2)(i)(B)(1)
      • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.  §164.514(b)(2)(i)(B)(2)
    • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;  §164.514(b)(2)(i)(C)
    • Telephone numbers;  §164.514(b)(2)(i)(D)
    • Fax numbers;  §164.514(b)(2)(i)(E)
    • Electronic mail addresses;  §164.514(b)(2)(i)(F)
    • Social security numbers;  §164.514(b)(2)(i)(G)
    • Medical record numbers;  §164.514(b)(2)(i)(H)
    • Health plan beneficiary numbers;  §164.514(b)(2)(i)(I)
    • Account numbers;  §164.514(b)(2)(i)(J)
    • Certificate/license numbers;  §164.514(b)(2)(i)(K)
    • Vehicle identifiers and serial numbers, including license plate numbers;  §164.514(b)(2)(i)(L)
    • Device identifiers and serial numbers;  §164.514(b)(2)(i)(M)
    • Web Universal Resource Locators (URLs);  §164.514(b)(2)(i)(N)
    • Internet Protocol (IP) address numbers;  §164.514(b)(2)(i)(O)
    • Biometric identifiers, including finger and voice prints;  §164.514(b)(2)(i)(P)
    • Full face photographic images and any comparable images; and  §164.514(b)(2)(i)(Q)
    • Any other unique identifying number, characteristic, or code, except as permitted by the PRV-07.02 Re-Identification Policy; and  §164.514(b)(2)(i)(R)
  3. OSU does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.  §164.514(b)(2)(ii)
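A worked illustration of the Safe Harbor rules listed above, added here as an example and not part of the OSU policy or of any OSU system: it drops the listed direct identifiers from a constructed sample record, applies the three-digit zip rule against a constructed (not Census) population table, reduces dates to year, aggregates ages over 89 into a single "90+" category, and attaches a random record code of the kind PRV-07.02 permits, kept in a separate map. The field names, sample record and population figures are assumptions.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of one patient record.

Added example: field names, sample record and population figures are
constructed assumptions, not OSU data or code.
"""
import secrets
from datetime import date

# Identifier fields removed outright (items A and D through R of the list).
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
})

# Geographic subdivisions smaller than a State (item B); zip is handled separately.
SMALL_GEOGRAPHY = frozenset({"street", "city", "county", "precinct"})

# Dates directly related to the individual (item C): reduce to year only.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})

# Constructed population table keyed by the first three zip digits; it stands in
# for the Census figures the rule refers to and is not real data.
SAMPLE_POPULATION_BY_ZIP3 = {"741": 600_000, "036": 9_000}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "street": "1 Example St",
    "city": "Tulsa",
    "state": "OK",
    "zip": "74107",
    "birth_date": "1930-05-02",
    "admission_date": "2013-06-20",
    "discharge_date": "2013-06-25",
    "gender": "F",
    "diagnosis_code": "I10",
}


def generalize_zip(zip_code: str, population_by_zip3: dict) -> str:
    """Keep the first three digits only if that area has more than 20,000
    people; otherwise the rule requires the three digits to become 000."""
    zip3 = zip_code.strip()[:3]
    if population_by_zip3.get(zip3, 0) > 20_000:
        return zip3
    return "000"


def age_on(birth_iso: str, as_of_iso: str) -> int:
    """Completed years of age between two ISO-format dates."""
    birth = date.fromisoformat(birth_iso)
    as_of = date.fromisoformat(as_of_iso)
    age = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        age -= 1
    return age


def deidentify(record: dict, population_by_zip3: dict, as_of_iso: str):
    """Return (de-identified record, re-identification map).

    The map pairs a random code with the original MRN. As PRV-07.02 requires,
    the code is not derived from the individual's data, and the map must be
    kept by the de-identifying agent, separate from the released data set.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SMALL_GEOGRAPHY:
            continue                      # removed, not masked
        if field in DATE_FIELDS:
            # "birth_date" -> "birth_year"; month and day are dropped
            out[field[:-5] + "_year"] = date.fromisoformat(value).year if value else None
        elif field == "zip":
            out["zip3"] = generalize_zip(value, population_by_zip3)
        else:
            out[field] = value            # state, gender, diagnosis code, etc.

    age = age_on(record["birth_date"], as_of_iso)
    if age > 89:
        # Ages over 89 collapse into "90 or older", and the date element
        # (the birth year) that would reveal such an age is dropped too.
        out["age"] = "90+"
        out["birth_year"] = None
    else:
        out["age"] = age

    code = secrets.token_hex(8)           # random; reveals nothing about the person
    out["record_code"] = code
    return out, {code: record["mrn"]}


if __name__ == "__main__":
    released, reid_map = deidentify(SAMPLE_RECORD, SAMPLE_POPULATION_BY_ZIP3, "2013-07-01")
    print(released)                       # reid_map is retained separately, never released
```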
Procedure

In the course of needing to de-identify protected health information, OSU and its agents shall utilize either one of the following methods:

  1. Use Expert Determination as described in paragraph 1 of this policy.  This method applies statistical or scientific principles to the data and, in theory, leaves only a very small risk that an anticipated recipient could identify an individual.
  2. Meet the Safe Harbor requirements as identified in paragraph 2 of this policy.  All 18 types of identifiers shall be removed, and OSU must have no actual knowledge that the residual information could be used to identify an individual.

Once information has been “de-identified” it is no longer considered “Protected Health Information” and may be used and disclosed without authorization and without exposure to recourse.  As long as the information remains in a de-identified state, it may be disseminated, used or disclosed according to the needs of the OSU agent who de-identified the data.

Any disclosure of information that has not been properly de-identified should be treated as a potentially inappropriate disclosure, and the breach notification rules must be followed to make an official determination.

Reference

Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule; Sept 4, 2012.



Title: Re-Identification
Policy: PRV-07.02
Category: HIPAA Compliance
Authority: 45 CFR § 164.514(c)
Standard: De-Identification of Protected Health Information
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To identify how OSU may once again use and protect de-identified information through the re-identification process.

Policy

OSU may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:  §164.514(c)

  1. Derivation - The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and  §164.514(c)(1)
  2. Security – OSU does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.  §164.514(c)(2)
Procedure

If, in the course of collecting and de-identifying patient data, the OSU Agent wishes to assign an identifier to each record so that the records can be re-identified at some future point, the Agent may do so.  Any numbering sequence may be used, including but not limited to clinical trial numbers or another characteristic or code.

Such identifier of each record shall not be used on any published or final reports, or data that is sent out or disclosed.

Identifiers other than the 18 required to be removed for de-identification are to be used only for purposes specific to the Agent in assembling data or reports, and shall not be disclosed.

Reference

Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule; Sept 4, 2012.



Title: Minimum Necessary Uses of Protected Health Information
Policy: PRV-07.03
Category: HIPAA Compliance
Authority: 45 CFR § 164.514(d)(1)
Standard: Minimum Necessary Requirements
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To identify what OSU needs to do to be compliant with the Minimum Necessary requirement.

Policy

In order to comply with PRV-01.05 Minimum Necessary, and this policy, OSU must meet the requirements of paragraphs (1) through (4) of this policy with respect to a request for, or the use and disclosure of, protected health information.  §164.514(d)(1)

  1. Minimum Necessary Uses of Protected Health Information
    • OSU must identify:  §164.514(d)(2)(i)
      • Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and  §164.514(d)(2)(i)(A)
      • For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.  §164.514(d)(2)(i)(B)
    • OSU must make reasonable efforts to limit the access of such persons or classes identified in paragraph (1)(i) of this policy to protected health information consistent with paragraph (1)(ii) of this policy.  §164.514(d)(2)(ii)
  2. Minimum Necessary Disclosures of Protected Health Information
    • For any type of disclosure that it makes on a routine and recurring basis, OSU must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.  §164.514(d)(3)(i)
    • For all other disclosures, OSU must:  §164.514(d)(3)(ii)
      • Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and  §164.514(d)(3)(ii)(A)
      • Review requests for disclosure on an individual basis in accordance with such criteria.  §164.514(d)(3)(ii)(B)
    • OSU may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:  §164.514(d)(3)(iii)
      • Making disclosures to public officials that are permitted under §164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);  §164.514(d)(3)(iii)(A)
      • The information is requested by another covered entity;  §164.514(d)(3)(iii)(B)
      • The information is requested by a professional who is a member of its workforce or is a business associate of OSU for the purpose of providing professional services to OSU, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or  §164.514(d)(3)(iii)(C)
      • Documentation or representations that comply with the applicable requirements of § 164.512(i) Uses and Disclosures for Research Purposes have been provided by a person requesting the information for research purposes.  §164.514(d)(3)(iii)(D)
  3. Minimum Necessary Requests for Protected Health Information
    • OSU must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.  §164.514(d)(4)(i)
    • For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.  §164.514(d)(4)(ii)
    • For all other requests, OSU must:  §164.514(d)(4)(iii)
      • Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and  §164.514(d)(4)(iii)(A)
      • Review requests for disclosure on an individual basis in accordance with such criteria.  §164.514(d)(4)(iii)(B)
  4. Other Content Requirement - For all uses, disclosures, or requests to which the requirements in this policy apply, OSU may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.  §164.514(d)(5)
Procedure

OSU and its Agents shall only use or disclose the minimum necessary protected health information to get the job done.

Requests to access PHI by other covered entities or business associates – Any covered entity or business associate who requests records of an individual for the purposes of treatment, payment or health care operations shall receive such records from the appropriate OSU medical records staff or their designee.  Only the minimum requested shall be sent.  For example, if another covered entity requests just the last 6 months of records on an individual, we shall only send the last 6 months, even if we have more than that.  Disclosing more than was requested to another covered entity is not appropriate and should be avoided.

Requests to access PHI by patients or others – Patients, or those authorized by the patient, seeking to obtain access to or copies of their protected health information shall fill out the required Authorization Revocation form, found on the OSU HIPAA website.  OSU and its Agents shall only provide the records requested and nothing more.  If the patient or other individual does not completely fill out the form, OSU is under no obligation to provide such records until the necessary information is complete.

Access to PHI by OSU and its Agents – The OSU HIPAA Compliance Office is in charge of approving or denying ALL access to protected health information within the OSU Physician’s Clinic System.  The HIPAA Compliance Office has been and will be heavily involved in setup and maintenance of the security of the various software systems that the clinic system utilizes.  The supervisor of an employee needing access to such a system will follow the appropriate steps outlined in SEC-03.03 Access Establishment and Modification.

Reference

PRV-01.05 Minimum Necessary
SEC-03.03 Access Establishment and Modification
SEC-12.01 Unique User Identification
SEC-12.05 Temporary Staff Access
SEC-15.01 Person or Entity Authentication



Title: Minimum Necessary Access and MyHealth
Policy: PRV-07.04
Category: HIPAA Compliance
Authority: 45 CFR § 164.514(d) and (e)
Standard: Minimum Necessary
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To identify appropriate Uses and Disclosures in relation to MyHealth Access Network.

Policy

OSU-CHS is a participant in the MyHealth Access Network, a Health Information Exchange.  As such, we have agreed to fully comply with all applicable laws and MyHealth policies and procedures, and to promulgate the internal policies required for such compliance, in order to provide essential privacy protections for patients by accessing only the minimum necessary information from the MyHealth Access Network to accomplish the intended purpose for which the information was accessed.  OSU-CHS faculty and staff who have access to MyHealth via OSU-CHS are not to log in to MyHealth for the treatment of a patient at a facility outside of OSU-CHS that is not a MyHealth Participant.

Procedure
  1. Uses
    1. Each Authorized user will, when using or disclosing PHI, or requesting PHI from another Participant in MyHealth, limit the disclosure of PHI, to the extent practicable, to the Limited Data Set, or will use or disclose only the minimum amount of PHI obtained through MyHealth as necessary to accomplish the intended purpose for which the information was accessed.
    2. OSU will allow access to such information by only those identified Workforce members, agents, and contractors who need the PHI in connection with their job function or duties.
  2. Disclosures by MyHealth for Public Health Reporting and Healthcare Operations of Participants
    MyHealth will disclose only the minimum amount of information necessary for the purpose of meeting public health reporting and healthcare operations requirements.  To the extent practicable, disclosure of PHI will be limited to the Limited Data Set or, if more information is needed, the disclosure will be limited to that necessary to accomplish the intended purpose of the disclosure.
  3. Disclosures for Treatment Purposes and Required by Law
    The minimum necessary standard does not apply to disclosures of PHI made for treatment purposes or disclosures required by law.
  4. De-identified Information
    This Policy does not apply to the use or disclosure of or requests for de-identified information.
Reference

45 CFR 164.514(d) and (e)
HITECH Act, Section 13405(b)(1)(A)
MyHealth Privacy and Security Glossary



Title: Limited Data Set
Policy: PRV-07.05
Category: HIPAA Compliance
Authority: 45 CFR § 164.514(e)(1)
Standard: Limited Data Set
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Identify limited data sets and permitted usage.

Policy

OSU may use or disclose a limited data set that meets the requirements of paragraphs (1) and (2) of this policy, if OSU enters into a data use agreement with the limited data set recipient, in accordance with paragraph (3) of this policy.  §164.514(e)(1)

  1. A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:  §164.514(e)(2)
    • Names;  §164.514(e)(2)(i)
    • Postal address information, other than town or city, State, and zip code;  §164.514(e)(2)(ii)
    • Telephone numbers;  §164.514(e)(2)(iii)
    • Fax numbers; §164.514(e)(2)(iv)
    • Electronic mail addresses;  §164.514(e)(2)(v)
    • Social security numbers;  §164.514(e)(2)(vi)
    • Medical record numbers;  §164.514(e)(2)(vii)
    • Health plan beneficiary numbers;  §164.514(e)(2)(viii)
    • Account numbers;  §164.514(e)(2)(ix)
    • Certificate/license numbers;  §164.514(e)(2)(x)
    • Vehicle identifiers and serial numbers, including license plate numbers;  §164.514(e)(2)(xi)
    • Device identifiers and serial numbers;  §164.514(e)(2)(xii)
    • Web Universal Resource Locators (URLs);  §164.514(e)(2)(xiii)
    • Internet Protocol (IP) address numbers;  §164.514(e)(2)(xiv)
    • Biometric identifiers, including finger and voice prints; and  §164.514(e)(2)(xv)
    • Full face photographic images and any comparable images.  §164.514(e)(2)(xvi)
  2. Permitted Uses and Disclosures –
    • OSU may use or disclose a limited data set under paragraph (1) of this policy only for the purposes of research, public health, or health care operations.  §164.514(e)(3)(i)
    • OSU may use protected health information to create a limited data set that meets the requirements of paragraph (1) of this Policy, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by OSU.  §164.514(e)(3)(ii)
  3. Data Use Agreement
    • Agreement Required – OSU may use or disclose a limited data set under paragraph (1) of this policy only if OSU obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this policy, that the limited data set recipient will only use or disclose the protected health information for limited purposes.  §164.514(e)(4)(i)
    • Contents - A data use agreement between OSU and the limited data set recipient must:  §164.514(e)(4)(ii)
      • Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (2) of this policy. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of the Privacy Rule, if done by OSU;  §164.514(e)(4)(ii)(A)
      • Establish who is permitted to use or receive the limited data set; and  §164.514(e)(4)(ii)(B)
      • Provide that the limited data set recipient will:  §164.514(e)(4)(ii)(C)
        • Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;  §164.514(e)(4)(ii)(C)(1)
        • Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;  §164.514(e)(4)(ii)(C)(2)
        • Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;  §164.514(e)(4)(ii)(C)(3)
        • Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and  §164.514(e)(4)(ii)(C)(4)
        • Not identify the information or contact the individuals.  §164.514(e)(4)(ii)(C)(5)
    • Compliance –
      • OSU is not in compliance with the standards in the first paragraph of this policy if OSU knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:  §164.514(e)(4)(iii)(A)
        • Discontinued disclosure of protected health information to the recipient; and  §164.514(e)(4)(iii)(A)(i)
        • Reported the problem to the Secretary.  §164.514(e)(4)(iii)(A)(ii)
      • A covered entity that is a limited data set recipient and violates a data use agreement will be in noncompliance with the standards, implementation specifications, and requirements of the first paragraph of this policy.  §164.514(e)(4)(iii)(B)
Procedure

OSU may use and disclose a limited data set without authorization for the purposes of research, public health, or operations if OSU and the recipient of the data enter into a data use agreement.  Any such use of a limited data set outside of a data use agreement is not appropriate and will be addressed with.

Any requests to enter into a data use agreement will be approved or denied by the HIPAA Compliance Office or designee.  Any requests that do not meet the above policy requirements will automatically be denied and will not be considered until the agreement satisfies this policy and Federal Regulations.

Any Use or Disclosure of information outside of the Data Use Agreement is not appropriate and the Breach Notification Rules will need to be followed to determine official breach status.

If OSU is the limited data set recipient and violates the data use agreement, we will be liable for any such inappropriate use and disclosure.  OSU shall notify the affected covered entity without delay or as required by the agreement.



Title: Fundraising Requirements
Policy: PRV-07.06
Category: HIPAA Compliance
Authority: 45 CFR § 164.514(f)(1)
Standard: Uses and Disclosures for Fundraising
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Establish requirements on use and disclosure of PHI for fundraising

Policy
  1. Subject to the conditions of paragraph (2) of this policy, OSU may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508:  §164.514(f)(1)
    • Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;  §164.514(f)(1)(i)
    • Dates of health care provided to an individual;  §164.514(f)(1)(ii)
    • Department of service information;  §164.514(f)(1)(iii)
    • Treating physician;  §164.514(f)(1)(iv)
    • Outcome information; and  §164.514(f)(1)(v)
    • Health insurance status.  §164.514(f)(1)(vi)
  2. Fundraising Requirements –
    • OSU may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (1) of this policy unless a statement required by § 164.520(b)(1)(iii)(A) is included in OSU’s notice of privacy practices.  §164.514(f)(2)(i)
    • With each fundraising communication made to an individual under this paragraph, OSU must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost.  §164.514(f)(2)(ii)
    • OSU may not condition treatment or payment on the individual's choice with respect to the receipt of fundraising communications.  §164.514(f)(2)(iii)
    • OSU may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (2)(b) of this policy.  §164.514(f)(2)(iv)
    • OSU may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications.  §164.514(f)(2)(v)
Procedure

OSU does not actively use patient information for fundraising purposes.

The vast majority of all OSU fundraisers are from Alumni or current students or other areas within the University, non-healthcare related.  If any such donor happens to be an OSU patient, they received the fundraiser material from some other source, not because of their patient information.

All fundraising materials directed to patients must indicate that a patient can opt out of participation by sending a letter to the HIPAA Compliance Office requesting such withdrawal.  Any fundraising program must obtain the approval of the HIPAA Compliance Office prior to initiating any communication with patients of OSU.

Any fundraising requests sent out to OSU patients without the approval of the HIPAA Compliance Office will be deemed inappropriate and the offending OSU Agents will face sanctions.



Title: Uses and Disclosures for Underwriting and Related Purposes
Policy: PRV-07.07
Category: HIPAA Compliance
Authority: 45 CFR § 164.514(g)
Standard: Uses and Disclosures for Underwriting and Related Purposes
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To identify the rules for Underwriting.

Policy

If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at § 164.502(a)(5)(i) with respect to genetic information included in the protected health information.  §164.514(g)

Procedure

OSU is not and does not operate as a health plan, and will not use or disclose protected health information for underwriting or related purposes.



Title: Verification
Policy: PRV-07.08
Category: HIPAA Compliance
Authority: 45 CFR § 164.514(h)(1)
Standard: Verification Requirements
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose
To identify the rules of verifying identities of those seeking protected health information.
Policy
  1. Prior to any disclosure permitted by this subpart (the Privacy Rule), OSU must:  §164.514(h)(1)
    • Except with respect to disclosures under § 164.510 Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under the Privacy Rule, if the identity or any such authority of such person is not known to OSU; and  §164.514(h)(1)(i)
    • Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under the Privacy Rule.  §164.514(h)(1)(ii)
  2. Verification –
    • Conditions on Disclosures - If a disclosure is conditioned by the Privacy Rule on particular documentation, statements, or representations from the person requesting the protected health information, OSU may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the applicable requirements.  §164.514(h)(2)(i)
      • The conditions in §164.512(f)(1)(ii)(C) may be satisfied by the administrative subpoena or similar process or by a separate written statement that, on its face, demonstrates that the applicable requirements have been met.  §164.514(h)(2)(i)(A)
      • The documentation required by § 164.512(i)(2) may be satisfied by one or more written statements, provided that each is appropriately dated and signed in accordance with § 164.512(i)(2)(i) and (v).  §164.514(h)(2)(i)(B)
    • Identity of Public Officials – OSU may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official:  §164.514(h)(2)(ii)
      • If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;  §164.514(h)(2)(ii)(A)
      • If the request is in writing, the request is on the appropriate government letterhead; or  §164.514(h)(2)(ii)(B)
      • If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.  §164.514(h)(2)(ii)(C)
    • Authority of Public Officials – OSU may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official:  §164.514(h)(2)(iii)
      • A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;  §164.514(h)(2)(iii)(A)
      • If a request is made pursuant to legal process, a warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.  §164.514(h)(2)(iii)(B)
    • Exercise of Professional Judgment - The verification requirements of this paragraph are met if OSU relies on the exercise of professional judgment in making a use or disclosure in accordance with § 164.510 or acts on a good faith belief in making a disclosure in accordance with § 164.512(j).  §164.514(h)(2)(iv)
Procedure
  1. OSU will take reasonable steps to verify an outsider’s identity prior to release of PHI if the outsider is not known to OSU staff.  Acceptable verification includes a driver’s license or student ID, or requiring the outsider to provide certain personal information such as a date of birth or insurance ID number.  For vendor access to EPHI, acceptable verification includes provision of an account number and/or key words identified by the HIPAA Compliance Office.
  2. OSU will take reasonable steps to verify an outsider’s authority to have access to a patient’s PHI if it is not known whether the outsider has such authority.  For instance, it may be necessary to determine the existence of a power of attorney or marital status.
  3. It is not necessary to verify the identity of an outsider seeking directory information.
  4. It is not necessary to verify the identity of any known or documented person involved in the current health care of the patient, such as a family member or other relative, close friend or any other person identified by the patient.  Examples include:
    • Blood relative
    • Spouse
    • Boyfriend/girlfriend
    • Domestic partner
    • Neighbor
    • Colleague
    Such disclosures to the above persons should be made upon the exercise of professional judgment.
  5. A public official or someone acting on the official’s behalf may ask for PHI.  In these cases, if the request is made in person, OSU will rely on the following items to verify the identity of the requestor:
    • Agency ID
    • Official credentials
    • Other proof of government status (letter on letterhead)
    If the request is made in writing, OSU will rely on the following items to verify the identity of the requestor:
    • Appropriate government letterhead
    • A written statement on the appropriate letterhead that the person making the request is acting under the government’s authority
    • Other confirmatory documentation
  6. If a public official or someone acting on the official’s behalf requests disclosure of PHI, OSU may rely on the following:
    • A warrant, subpoena or court order issued by a grand jury or judicial official
    • A written statement on government letterhead describing the legal authority under which the request is made
    • The good faith statement by the official that the information is needed to avert a risk to the health or safety of a person or the public.
