The purpose of this policy is to establish Georgia Health Sciences University’s compliance with the applicable laws protecting the confidentiality of health information. Georgia Health Sciences University is committed to protecting the privacy of our patients and research subjects.
All faculty, staff and students of Georgia Health Sciences University shall comply with this and all applicable policies, laws and regulations regarding the privacy of health information. While engaged in activities at non-GHSU facilities, all faculty, staff and students shall also abide by the applicable policies of that facility.
3.1 HIPAA – The Health Insurance Portability and Accountability Act of 1996, and the regulations issued pursuant to that law. Reference: Public Law 104-191; 45 C.F.R. 160 & 164.
3.2 Protected Health Information (PHI) – Health information transmitted or maintained in any form that:
a. Relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provisions of health care to an individual; and
b. Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual; and
c. Is not an educational record (as defined in the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g), or excluded under 20 U.S.C. 1232g(a)(4)(B)(iv); and
d. Is not an employment record.
3.3 Use – The sharing, utilization or analysis of protected health information by GHSU faculty, staff and students.
3.4 Disclosure – The release, transfer, or divulging of protected health information outside of GHSU.
4.0 Georgia Health Sciences University’s Status Under HIPAA
Georgia Health Sciences University (GHSU) is a unit of the Board of Regents of the University System of Georgia (Board of Regents). The Board of Regents is not primarily engaged in covered activities under HIPAA, but GHSU is primarily engaged in covered activities. Therefore, the Board of Regents is a hybrid entity, and GHSU is a health care component within that hybrid entity.
GHSU is part of the MCG Health System, composed of MCG Health, Inc. (MCGHI), Georgia Health Sciences University Physicians Practice Group (PPG), and GHSU. Together, these three entities have formed an Organized Health Care Arrangement (OHCA) under HIPAA. As participants in the OHCA, GHSU, MCGHI and PPG shall work together to develop consistent privacy policies and procedures and utilize a single joint Notice of Privacy Practices. All clinical and educational activities of GHSU that are based in the facilities operated by MCGHI and PPG will participate in the OHCA, along with all GHSU research activities. GHSU hereby adopts the policies and procedures of the OHCA as published by MCGHI as the health information policies and procedures for the GHSU activities participating in the OHCA.
All other GHSU activities will not participate in the OHCA. Such non-OHCA activities include, but are not limited to, the health care delivery provided (in facilities not operated by MCGHI or PPG) by the College of Dental Medicine, the Georgia War Veterans Nursing Home, the Student Health Service, and Georgia Correctional Health Care. GHSU’s non-OHCA activities will follow this policy, and develop procedures to implement the requirements of this policy, as necessary.
All GHSU faculty, staff and students shall protect the privacy of our patients and research subjects.
6.0 Use & Disclosure of PHI
Designated Record Set –
6.1 Records Included. The designated record set shall include health and billing records, regardless of the medium in which they are stored.
“Health records” shall mean all records identifiable to an individual patient that are collected, created or used for the provision of health care, except as excluded below. Examples include discharge summaries, progress notes, advance directives, consent forms, and medication records. Health records shall also include all health records obtained from another entity, if those records are filed in the patient’s record for use in health care decisions. Health records shall also include records created by business associates that meet the definition of “health records” in this policy, and that are not duplicated in the GHSU patient record.
“Billing records” shall mean patient statements, records of payment by the patient or their payor, and claims adjudication records.
Records Excluded. The designated record set shall exclude records of quality assurance activities; records of peer and medical review activities; records prepared in anticipation of litigation; records of risk management and compliance activities; birth and death registries; cancer registry information; source data, such as raw data from psychological and neuro-psychological tests, radiological films and images, videotapes, monitoring strips, provided that a professional interpretation or report of the source data is included in the record; research records that are not placed in the medical record; health information in Human Resources records; appointment or surgical schedules; and law enforcement investigations, unless these records are used to make decisions regarding the patient. The designated record set shall also exclude psychotherapy notes, and all records required to be kept from the patient by law, such as those records maintained subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, unless exempted from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).
“Psychotherapy notes” shall mean the notes recorded by a mental health professional reflecting the contents of communications during a counseling session, provided these records are kept separate from the patient’s full health record. “Psychotherapy notes” shall not mean medication records, counseling start and stop times, the modalities and frequency of treatment, test results, summaries of a patient’s diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.
6.2 Use & Disclosure of PHI With and Without An Authorization – In general, GHSU may use and disclose a patient’s PHI without an authorization for the purposes of treatment, payment and health care operations. GHSU, however, must obtain a signed authorization from the individual or the individual’s personal representative for all uses and disclosures of PHI that are not otherwise permitted or required by law.
6.3 Minimum Necessary Use, Disclosure and Request for PHI – All individuals associated with GHSU are generally expected to limit their uses and disclosures of PHI, and requests for PHI to the minimum amount of information necessary to perform their duties. This general expectation does not mean that providers should restrict exchanges of information required in order to treat patients quickly and effectively. Those divisions within GHSU that routinely use and exchange health information will develop policies and/or procedures explaining how much information may be used, disclosed or requested in situations that occur on a routine and non-routine basis. For divisions that do not routinely use and exchange health information, the responsible manager should advise the employee(s) on how the health information may be used and disclosed, in consultation with the Privacy Officer.
6.4 De-Identification of PHI – GHSU is permitted to allow the use or disclosure of PHI for the purpose of creating de-identified information. De-identified information is health information from which GHSU or another entity has deleted or blocked identifiers, so that the remaining information cannot reasonably be used to identify the person who is the subject of the information. To be fully de-identified, the following identifiers must be removed:
(1) Names;
(2) All geographic identifiers smaller than State, including street addresses, cities, counties, zip codes, etc.;
(3) Except for the year, all dates related to the patient or subject such as birth date, date of admission or discharge, date of death, and all ages over 89 unless merely specified as “age 90 or older;”
(4) Phone and fax numbers;
(5) E-mail addresses, personal web-sites, URLs and IP addresses;
(6) Social Security numbers;
(7) Medical record numbers;
(8) Health plan beneficiary numbers;
(9) Account numbers;
(10) Certificate or license numbers;
(11) Device identifiers such as serial numbers and vehicle license plate numbers;
(12) Biometric identifiers such as finger and voice prints;
(13) Images that can be used to identify the patient or subject, such as full-face photographs;
(14) Any other unique identifying number or characteristic, except for an identifier assigned by and unique to GHSU that will allow GHSU alone to re-identify the patient or subject.
Information may also be deemed de-identified if a person with knowledge and experience with the statistical and scientific methods for rendering information not individually identifiable determines that the risk is very small that the information to be disclosed could be used to identify the person who is the subject of the information.
GHSU may provide either de-identified information or a limited data set in response to a requestor. Unless otherwise restricted or prohibited by other federal or state law, GHSU can use or disclose de-identified information for research, education and other appropriate purposes, without further restriction.
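The identifier-removal method described in section 6.4 is mechanical enough to script. The block below is an added example, not GHSU's own tooling: it drops the listed identifier fields from a record, keeps geography at the state level, reduces dates to the year and collapses ages over 89 to "90 or older", scrubs identifiers that leak into free-text notes, and emits the one kind of identifier the policy still allows under item (14), a re-identification code that only the holder of an institutional key can link back to the medical record number. The field names, the sample record and the HMAC-based re-identification scheme are assumptions for illustration.

```python
"""Safe-harbor style de-identification of one patient record.

Added example, not GHSU's own tooling. The field names, the sample record
and the re-identification scheme (an HMAC of the medical record number
under a key only the institution holds) are assumptions for illustration.
"""
import hashlib
import hmac
import re
from datetime import date

# Fields holding identifiers that section 6.4 requires to be removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email",
    "url", "ip_address", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "device_serial", "license_plate", "biometric", "photo",
}

# Identifiers that tend to leak into narrative fields such as progress notes.
_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bMRN-?\d+\b"), "[MRN]"),
]

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "street": "123 Example St",
    "city": "Augusta",
    "state": "GA",
    "zip": "30912",
    "birth_date": "1920-05-04",
    "admit_date": "2011-03-15",
    "phone": "706-555-0100",
    "email": "jane.doe@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001234",
    "diagnosis": "Hypertension",
    "notes": "Patient Jane Doe called from 706-555-0100; reach her at jane.doe@example.org.",
}


def scrub_text(text, name=None):
    """Replace pattern-matched identifiers, then any known name tokens, in free text."""
    for pattern, label in _PATTERNS:
        text = pattern.sub(label, text)
    if name:
        for token in name.split():
            if len(token) >= 3:  # skip initials such as "Q."
                text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text, flags=re.IGNORECASE)
    return text


def age_bucket(birth, as_of):
    """Exact age below 90; ages over 89 collapse to the single value the policy allows."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90 or older" if age >= 90 else age


def deidentify(record, as_of, reid_key=None):
    """Return a new dict holding only content permitted after identifier removal."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # items (1)-(13): dropped entirely
        if field == "state":
            out[field] = value  # item (2): geography no smaller than state is kept
        elif field == "birth_date":
            out["age"] = age_bucket(date.fromisoformat(value), as_of)  # item (3)
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = date.fromisoformat(value).year  # item (3): year only
        elif isinstance(value, str):
            out[field] = scrub_text(value, record.get("name"))
        else:
            out[field] = value
    if reid_key is not None and "mrn" in record:
        # Item (14) exception: a code only the key holder can link back to the MRN.
        digest = hmac.new(reid_key, record["mrn"].encode(), hashlib.sha256).hexdigest()
        out["reid_code"] = digest[:16]
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, "2011-03-15", reid_key=b"constructed-secret"))
```

The regex pass only catches identifiers with a recognisable shape; names and other free-form identifiers in narrative fields still need the known-name substitution or a manual review, which is why the policy's statistical-determination route exists for data that cannot be cleaned mechanically. The key used for the re-identification code must be held by GHSU alone, otherwise the code is itself an identifier.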
6.5 Use & Disclosure of PHI via Electronic Media – GHSU will reasonably safeguard PHI used or disclosed via electronic media from any intentional or unintentional use or disclosure. All persons provided access to GHSU PHI have an obligation to maintain the confidentiality of patient and employee information via electronic media. Obligations regarding confidentiality continue even after termination of employment, service, association, or privileges with GHSU. All individuals within GHSU will exercise appropriate measures and care when storing, transporting, photocopying, disposing of, network printing, downloading, emailing or faxing confidential information. Precautions will be taken to avoid having computer monitors, printers, fax machines, Personal Digital Assistants (PDAs) or paper records in view of unauthorized onlookers while such data is displayed. Security measures should be in place for all electronic media devices that are portable.
6.6 Use & Disclosure of PHI for Research Purposes – GHSU’s use of PHI for research purposes shall be strictly limited to that information required to fulfill the stated purposes of the approved study. Disclosure of such information shall be limited to those individuals who are authorized by the approved study to have access to such information. Disclosure of information that is not essential to the stated purposes of the study is prohibited. All disclosures of protected health information for research purposes will be in accordance with state and federal law, and the guidelines and procedures of the GHSU Human Assurance Committee (HAC).
6.7 Use & Disclosure of PHI of Psychotherapy Notes – In general, a current or former patient is entitled to reasonable access to review and examine his/her mental health records. A current patient may be denied such access if the chief medical officer or the patient’s treating physician or psychologist determines that the patient’s access to his/her mental health records or a disclosure of information to the patient is likely to endanger the life or physical safety of the patient or cause substantial harm to a person referenced in the records. The GHSU treating physician or psychologist who restricts the patient’s access to his/her mental health records or information must make a notation of such determination in the patient’s mental health records.
6.8 Use & Disclosure of PHI for Marketing Purposes – Except for activities permitted by the OHCA’s policies, no division or unit of GHSU shall use health information for marketing or fundraising without the approval of the Privacy Officer. Most marketing communications involving the use of PHI about patients cannot be made without first obtaining the patient’s written authorization. Patient information or lists will not be used or released for fundraising purposes without obtaining an appropriate authorization. A patient’s written authorization to use and disclose his/her PHI is not required for face-to-face communications between the patient and their health care provider, e.g., giving the patient a product sample, or advising them of a potential research study.
6.9 Use & Disclosure of PHI for Media Relations – GHSU’s Public Relations Office will not disclose protected health information without authorization from the patient or their authorized representative. Inquiries regarding patients receiving care in the OHCA shall be referred to MCGHI’s Public Relations Office.
6.10 Disclosure of PHI to Persons Involved in a Patient’s Care – GHSU may disclose to a family member, relative, close personal friend, or any other person or entity identified by the patient, PHI that is directly relevant to such person’s involvement with the patient’s care or payment. Furthermore, GHSU may request PHI from a patient’s family member, relative, close personal friend or any other person or entity identified by the patient if such information would be required for the patient’s care or payment. GHSU faculty, staff and students should use their professional judgment in determining the identity of a patient’s relative or other representative.
6.11 Patients in the Custody of Correctional Institutions or Law Enforcement – Notwithstanding any other provision in this policy, patients who are in the custody of a correctional institution or law enforcement authority are not required to be given a Notice of Privacy Practices, or an accounting of disclosures to correctional institutions and law enforcement authorities.
7.0 Notice of Privacy Practices
The GHSU areas engaged in patient care outside of the OHCA, including the Student Health Service, the College of Dental Medicine, and the Georgia War Veterans Nursing Home, shall develop a Notice of Privacy Practices. The Privacy Officer must approve all Notices of Privacy Practices. All GHSU areas engaged in patient care shall provide their Notice of Privacy Practices to individuals regarding the use and disclosures of PHI at the time of the patient’s first treatment encounter on and after the effective date of this policy. GHSU will make a good faith effort to obtain an individual’s written acknowledgement of receipt of the Notice of Privacy Practices. GHSU will maintain a record keeping system to track the acknowledgement of receipt of the Notice of Privacy Practices.
8.0 Individual’s Rights
8.1 Right to Receive a Paper Copy of the Notice of Privacy Practice – Although the Notice of Privacy Practices may be provided electronically, GHSU will offer all of its patients a paper copy of its Notice of Privacy Practice (except for inmates).
8.2 Right to Request Access and Receive a Copy of PHI – Patients have the right to access, inspect and obtain a copy of PHI about them that is maintained in the designated record set. GHSU, acting as a covered health care provider under the direction of the correctional institution, may deny, in whole or in part, an inmate’s request to obtain a copy of PHI, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate. All requests for appointments to inspect and copy health records must be in writing. Requests must be acted upon within 30 days. An extension of 30 days is allowed if GHSU provides the requestor with the reason for the delay and the date by which the action will be completed.
8.3 Right to Request An Amendment to Health Record – GHSU will provide an individual the right to request an amendment to his/her PHI for as long as the information is maintained in the designated record set. Corrections and amendments to health records may be needed due to errors or omissions that have resulted from clerical errors, documentation delays, miscommunication or misunderstanding. Documentation that occurs as part of the routine record completion process following patient discharge or departure is not considered a correction or amendment. Patients who believe information in their health records is incomplete or incorrect may request an amendment or correction to the information. The requests must be made in writing and must be acted upon within 60 days from receipt. A one-time 30-day extension is allowable if GHSU provides a written statement of the reason for the delay. Under certain provisions, GHSU may deny the patient’s right to amend the health record. If the request is denied, the Privacy Officer will be notified to ensure the denial process is followed. Inmates wishing to request an amendment to their health record should submit an inmate grievance through the correctional facility where they are incarcerated, since inmate health records are the property of the Georgia Department of Corrections.
8.4 Right to Request A Restriction of the Use & Disclosure of PHI – GHSU will allow and take all necessary steps to permit individuals to request restrictions on the uses and disclosures of PHI. GHSU, however, is not required to agree to a restriction. Upon agreeing to such a restriction, GHSU will not violate the restriction, unless required to do so by law, or as specified within this policy.
8.5 Right to Request Confidential Communications – GHSU will take necessary steps to accommodate reasonable requests by patients to receive confidential communication regarding their PHI. Patients have the right to request receipt of PHI by alternative means or at alternative locations. The reasonableness of a request will be determined solely on the basis of the administrative complexity of complying with the request. Requests will not be denied based on a perception of the merits of the patient’s reason for making the request. Requests may be denied if the patient has not provided information as to how payment, if applicable, will be handled, or if the patient has not specified an alternative address or method of contact.
8.6 Right to Receive An Accounting of Disclosure of PHI – GHSU patients have the right to request, in writing, an accounting of certain disclosures of their PHI. The accounting will be provided to the patient within 60 days of a written request and will include: 1) disclosures which occurred after April 14, 2003; 2) disclosures which were not authorized by the patient, subject to certain exceptions; 3) a list of protocol or other research activity for which the patient’s protected health information may have been disclosed; 4) the disclosure dates; 5) a summary or listing of the information disclosed; 6) the individuals or organizations to whom the information was disclosed; 7) the individuals who disclosed the information; and 8) the purposes of the disclosures. Disclosures not required to be included in the PHI Disclosure Report include those disclosures made: 1) for treatment, payment or healthcare operations; 2) more than six years prior to the request or before the April 14, 2003 effective date; 3) as disclosures to the patient or those authorized by the patient.
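Producing the accounting in section 8.6 from a disclosure log amounts to applying the inclusion and exclusion rules above to each logged disclosure and reporting the required fields. The following is an added example, not GHSU's own records system: the log format, the constructed entries, and the "HAC-PLACEHOLDER" protocol identifier are assumptions for illustration. It excludes disclosures made before the April 14, 2003 effective date, more than six years before the request, for treatment, payment or operations, or to the patient or with the patient's authorization, and computes the 60-day response deadline.

```python
"""Build an accounting of disclosures from a disclosure log, per section 8.6.

Added example, not GHSU's own system. The log format, the constructed
entries and the "HAC-PLACEHOLDER" protocol id are assumptions for illustration.
"""
from datetime import date, timedelta

EFFECTIVE_DATE = date(2003, 4, 14)        # 9.10: disclosures before this are not accounted
TPO_PURPOSES = {"treatment", "payment", "operations"}
RESPONSE_WINDOW = timedelta(days=60)      # 8.6: accounting is due within 60 days

# Constructed disclosure log for one patient; no real data.
DISCLOSURE_LOG = [
    {"date": "2010-06-01", "recipient": "State public health agency", "purpose": "public_health",
     "summary": "Reportable lab result", "disclosed_by": "Lab supervisor", "patient_authorized": False},
    {"date": "2010-07-10", "recipient": "Health plan", "purpose": "payment",
     "summary": "Claim for 2010-07 visit", "disclosed_by": "Billing office", "patient_authorized": False},
    {"date": "2002-01-05", "recipient": "State public health agency", "purpose": "public_health",
     "summary": "Immunization record", "disclosed_by": "Clinic nurse", "patient_authorized": False},
    {"date": "2004-02-01", "recipient": "Law enforcement", "purpose": "law_enforcement",
     "summary": "Admission date confirmation", "disclosed_by": "Records clerk", "patient_authorized": False},
    {"date": "2009-09-09", "recipient": "Patient", "purpose": "patient_request",
     "summary": "Copy of discharge summary", "disclosed_by": "Records clerk", "patient_authorized": True},
    {"date": "2010-11-11", "recipient": "Research team", "purpose": "research",
     "summary": "Diagnosis and admission year", "disclosed_by": "Data office",
     "patient_authorized": False, "protocol": "HAC-PLACEHOLDER"},
    {"date": "2010-12-01", "recipient": "Employer", "purpose": "other",
     "summary": "Fitness-for-duty letter", "disclosed_by": "Clinic physician", "patient_authorized": True},
]


def _years_before(d, years):
    """Same month/day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accountable(entry, request_date):
    """True if the entry must appear in the accounting under 8.6."""
    when = date.fromisoformat(entry["date"])
    if when < EFFECTIVE_DATE:                      # before April 14, 2003
        return False
    if when < _years_before(request_date, 6):      # more than six years before the request
        return False
    if entry["purpose"] in TPO_PURPOSES:           # treatment, payment, health care operations
        return False
    if entry["recipient"] == "Patient" or entry["patient_authorized"]:
        return False                               # to the patient, or authorized by the patient
    return True


def accounting_of_disclosures(log, request_date):
    """Return (due_date, rows); each row carries the fields 8.6 requires, oldest first."""
    request_date = date.fromisoformat(request_date) if isinstance(request_date, str) else request_date
    rows = [
        {
            "date": e["date"],                 # 4) disclosure date
            "recipient": e["recipient"],       # 6) to whom
            "disclosed_by": e["disclosed_by"], # 7) who disclosed
            "summary": e["summary"],           # 5) what was disclosed
            "purpose": e["purpose"],           # 8) why
            "protocol": e.get("protocol"),     # 3) research protocol, if any
        }
        for e in sorted(log, key=lambda e: e["date"])
        if accountable(e, request_date)
    ]
    return (request_date + RESPONSE_WINDOW).isoformat(), rows


if __name__ == "__main__":
    due, rows = accounting_of_disclosures(DISCLOSURE_LOG, "2011-03-15")
    print("respond by", due)
    for row in rows:
        print(row)
```

Keeping the log entries in this shape at the time of each disclosure is what makes the accounting cheap to produce later; the six-year window also matches the retention period in section 9.9, so the log must be kept at least that long.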
9.0 Administrative Requirements
9.1 Personnel Designation – The President shall designate a Privacy Officer for GHSU. The Privacy Officer’s responsibilities are detailed in the Privacy Officer’s job description. Among the Privacy Officer’s primary responsibilities are:
- Overseeing the implementation of GHSU’s privacy policies and HIPAA compliance;
- Advising Privacy Coordinators and others as needed on health information privacy and security;
- Receiving and responding to any inquiries or complaints from governmental or licensing/accrediting bodies regarding privacy practices;
- Ruling on disputed requests for access, accountings of disclosure, and amendments; and,
- Coordinating OHCA compliance with the Privacy Officers at MCG Health, Inc. and PPG.
The following GHSU divisions shall each appoint a Privacy Coordinator: the College of Dental Medicine; the Georgia War Veterans Nursing Home; the Student Health Service; and Georgia Correctional Health Care. Privacy Coordinators shall be responsible for:
- Compliance with this policy within their division, including the implementation of any procedures and training programs;
- Handling complaints from patients regarding privacy practices;
9.2 Workforce Training – GHSU will train all members of its workforce including employees, faculty and students, regarding the proper use and disclosure of patients’ health information. Training will be appropriate for the level of staff and their duties and may include both general training and advanced training. The Division of Human Resources will be responsible for administering and documenting the training program for employees. The colleges in which a student is enrolled are responsible for ensuring that their students have been trained. All existing workforce members should be trained by the effective date of this policy, and all new workforce members must complete training in a reasonable time frame after the person joins the workforce.
9.3 Safeguards – GHSU will reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of GHSU’s patient privacy policies and applicable federal and state law. Safeguards include administrative procedures, physical measures and technical means to protect patients’ health information.
9.4 Right to Make a Complaint – Any individual who believes his/her rights, granted by HIPAA privacy regulations or any other state or federal laws dealing with privacy and confidentiality, have been violated may file a written complaint regarding the alleged privacy violation. Complaints should be brought to the attention of the relevant Privacy Coordinator, or the Privacy Officer. Other faculty, staff, and students who receive complaints from patients should inform the relevant Privacy Coordinator and/or the Privacy Officer. Copies of all written complaints, resolved or unresolved, must be forwarded to the Privacy Officer for tracking and quality improvement purposes.
9.6 Mitigation – To the extent practicable, GHSU will mitigate any harmful effect that becomes known to GHSU as a result of an improper use or disclosure of PHI.
9.7 Refrain from Intimidating or Retaliatory Acts – GHSU will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against an individual for the exercise of his/her rights to: (i) file a privacy complaint with the Secretary of the Department of Health and Human Services; (ii) testify, assist or participate in an investigation, compliance review, proceeding or hearing regarding health privacy; and (iii) oppose any act or practice made unlawful by the HIPAA privacy provisions, provided that the individual has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve the disclosure of PHI.
9.8 Non-Waiver of Rights as a Condition of Treatment – GHSU may not require individuals to waive their rights of privacy, as provided through HIPAA, as a condition of the provision of treatment.
9.9 Documentation Requirements – All records created as a result of this policy, including health records, notices of privacy, internal procedures, accounting of disclosures, etc., shall be retained until at least the later of: (1) six years from the last date the record was in effect; (2) six years from the creation of the record; or, (3) any period longer than six years if required by any other applicable law, regulation, or policy of GHSU, the OHCA, or the Board of Regents. GHSU will incorporate into its policies, procedures, guidelines and other administrative documents any changes in law and will properly document and implement any changes to policies, procedures, and guidelines as necessary by changes in law. Georgia Health Sciences University reserves the right to amend this policy, and all internal forms, policies and procedures related to this policy. All internal policies, procedures, notices of privacy practices and other documents created to comply with this policy shall specifically state that Georgia Health Sciences University reserves the right to amend these policies and documents.
9.10 Effective Date – This policy shall take effect April 14, 2003.
10.0 Business Associates
HIPAA Privacy Rules define a business associate as a person or entity that provides certain functions, activities, or services on behalf of the covered entity, involving the use or disclosure of PHI. The business associate may only use the PHI that it receives in its capacity as the business associate, as permitted by law, and its contract with GHSU.
If a GHSU employee knows or has reason to believe that a business associate is inappropriately using or disclosing PHI, whether the PHI was received by the individual entity or not, the employee is required to notify GHSU’s Privacy Officer immediately regarding the suspected violation.
All agreements with business associates of GHSU must be in writing and must contain certain mandatory provisions designed to protect the privacy and security of our patients’ PHI. No GHSU employee shall disclose PHI to a business associate without a signed business associate agreement.
The GHSU Legal Office shall screen all contracts routed through the Division of Sponsored Program Administration to determine if the outside contractor/vendor meets the definition of a business associate and whether appropriate business associate contract language is required. The Legal Office and Materials Management shall develop screening criteria to be used by Purchasing to determine if any of their agreements need to contain language addressing health information privacy. Purchasing and the Legal Office shall provide the Privacy Officer with copies of all business associate agreements.