It is the policy of the University Health Care Components (HCC) to protect the privacy of individually identifiable health information in compliance with federal and state laws governing the use and disclosure of protected health information (PHI). To accomplish that policy, and to establish uniformity in the verification process, prior to disclosing individually identifiable PHI to third parties, the University or Unit Privacy Officer or designee shall verify the identity of the requestor and ensure the requestor has the proper authority to request such information.
The University’s HCC
- Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium, by a covered entity, health plan or clearinghouse as defined under HIPAA administrative simplification standards.
- Individually Identifiable Health Information: Any information, including demographic information, collected from an individual that –
  - Is created or received by a healthcare provider, health plan, employer, healthcare clearinghouse or pharmacy clearinghouse; and
  - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and
    - Identifies the individual, or
    - With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
- Verification: Process to verify the identity of a person requesting PHI and the authority of any such person to have access to PHI under this subpart, if the identity or any such authority of such person is not known to the HCC; and must include obtaining any documentation, statements, or representations, whether oral or written from the person requesting the PHI when such documentation, statement or representation is a condition of the disclosure under this subpart.
- Privacy Officer: The person officially designated to oversee activities related to the development, implementation, maintenance of, and adherence to HCC regulations pertaining to the privacy of, and access to, patient health information in compliance with federal and state laws and the Notice of Privacy Practices. See HIPAA Procedure 1.005, Form 3.
- Public Official: A person who has been legally elected or appointed and who has been empowered by law/regulation to exercise the duties and functions of their office for the public good.
- The patient or personal representative must sign a valid authorization for the disclosure of confidential PHI before such PHI can be released, except in accordance with existing HIPAA requirements.
- All requests for disclosure shall be forwarded to the Unit Privacy Officer or designee, including the following:
  - The name of the requesting party or parties; and
  - Any documentation, statements or representations from the person requesting the PHI of his/her authority to request such information (e.g., legal representative of patient, law enforcement official, etc.).
- The patient must present identification prior to receipt of any records regarding themselves.
- The Unit Privacy Officer or designee may rely on the following information to demonstrate identity:
  - Presentation of agency identification, credentials or other proof of government status (a badge, identification card, etc.);
  - A written request on agency letterhead or an oral statement if a written statement would not be possible (a natural disaster, other emergency situations, etc.);
  - If the disclosure is requested by a person acting on behalf of a public official, a written statement on government letterhead that the person is acting under the government’s authority, or a contract or purchase order evidencing the same; or
  - A court order.
- The Unit Privacy Officer or designee shall verify the identity of all individuals making phone requests, including law enforcement officers and others who have an official need for PHI, by using a callback phone number before releasing information.
- The Unit Privacy Officer or designee shall verify the facsimile number of any faxed requests. The main number of the sending agency shall be called, and the fax number verified. Each HCC shall set its fax machines to imprint the origin. All incoming faxes shall be reviewed for imprint origin.
- The Unit Privacy Officer or designee shall verify the e-mail address by calling the requestor. The general number for the sending agency shall be called, and then a request shall be made to be transferred to the specific individual who made the contact.
- The Unit Privacy Officer or designee is responsible for copying verification information or obtaining badge number, etc., and for maintaining it in the patient’s health information file.
- The Unit Privacy Officer or designee must review the forwarded information and determine if he or she is satisfied that the documents verify the identity of the requestor and that the requestor has authority to request the information under state and federal law.
- The Unit Privacy Officer or designee may disclose information to the requestor if all requirements for use and disclosure are met.
- The Unit Privacy Officer or designee shall contact agencies or other entities for further verification of identity or authority to receive PHI, if necessary.
- The Unit Privacy Officer or designee may deny access to information, if verification of identity or authority is not accomplished.
- Tracking Disclosures. The University Privacy Officer and Unit Privacy Officer shall assure that a mechanism is in place which tracks disclosure of both written and verbal PHI. One format shall be utilized for all HCCs.
- Sanctions. Any person found to have violated the requirements of this policy shall be subject to disciplinary action up to and including dismissal.
- Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
HISTORY: Effective March 21, 2003