Layout for printingPolicy Number:UW-104Old Policy Number:3.3Responsible Office:Office of Compliance University PolicyRationale/Purpose:In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections apply over and above the new Federal privacy standards. Show DisclosureThe release, transfer, provision of access to, or divulging in any manner of PHI by an individual within the HCC or ACE with a person or entity outside the HCC or ACE.Health care operationsAny of a number of business and administrative activities, including
Health care operations do not include research and many fundraising and marketing activities. See UW-107 Uses and Disclosures of Protected Health Information for Marketing and UW-108 Uses and Disclosures of Protected Health Information for Fundraising for more information. PaymentThe activities undertaken by a health care provider to obtain payment for the provision of care or by a health plan to provide reimbursement for the provision of care.Protected health information (“PHI”)Health information, or healthcare payment information, including demographic information, which identifies the individual or can be used to identify the individual. PHI does not include student records held by educational institutions or employment records held by employers.TreatmentThe provision, coordination, or management of health care and related services.University of Wisconsin affiliated covered entity (“UW ACE”)The UW-Madison Health Care Component (except University Health Services and the State Laboratory of Hygiene), the University of Wisconsin Medical Foundation and the University of Wisconsin Hospital and Clinics. See UW-101 Designation of UW Affiliated Covered Entity.UseThe sharing, employment, application, utilization, examination, or analysis of PHI by an individual within the UW HCC or the UW ACE.UW-Madison health care component (“UW HCC”)Those units of the University of Wisconsin-Madison that have been designated by the University as part of its health care component under HIPAA. See UW-100 Designation of UW-Madison Health Care Component for a listing of these units. Scope:Applies to all members of the UW HCC. Policy SummaryThe HIPAA Privacy Rule does not require that patients provide written or verbal authorization prior to some uses or disclosures of their protected health information. UW-Madison follows HIPAA regulations regarding when patient authorization, written or verbal, is not required prior to certain uses or disclosures of their protected health information. Policy DetailNote that special rules apply to records or information concerning HIV status, substance abuse treatment and mental health. Unless otherwise specified, the information below applies to general treatment records and information (i.e. excludes HIV status, substance abuse treatment and mental health). Contact the HIPAA Privacy Officer or the UW Office of Legal Affairs for more information. Under the HIPAA Privacy Rule, the following uses and disclosures do not require obtaining patient authorization or providing the patient with an opportunity to agree or object to the use or disclosure:
Consequences for Non-ComplianceFailing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance. Further, the US Department Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failures to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties. Supporting ToolsAdditional information may be found at www.compliance.wisc.edu/hipaa. External References:45 C.F.R. § 164.510 Policy AdministrationVice Chancellor for Legal AffairsPolicy Manager:HIPAA Privacy Officer Contact:HIPAA Privacy Officer -- Jack Talaska, , (608) 265-4077Effective Date:04-14-2003Revised Dates:06-13-2014: Effective date of the revised policy: 06-13-2014. Which situation would require a written authorization from a patient to disclose the PHI?Authorization. A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.
What is the release of PHI?Release of PHI includes both written records and verbal information. Parents/Guardians: We want to be able to speak with you on behalf of your dependent child (over the age of 18 or between ages 14-18 for certain diagnosis) about their PHI. In order to do this, we are required to have their written consent.
|