It is the policy of Missouri State University and its Health Care Components (HCC) to protect the privacy of individually identifiable health information in compliance with federal and state laws governing the use and disclosure of protected health information (PHI) pursuant to the requirements of HIPAA (45 CFR Section 164.502 et seq.). Therefore, all patients (or their legal guardian or parent, if a minor) should be provided access to the most current Notice of Privacy Practices (NPP), and a good faith attempt must be made to have each patient acknowledge the Notice of Privacy Practices as required in 45 CFR Section 164.520.
The University’s HCC
Notice of Privacy Practices: A document outlining adequate notice of the uses or disclosures of protected health information that may be made by the HCC and which sets out the patient’s rights and the HCC’s legal duties with respect to protected health information (PHI), a copy of which is attached to this procedure. (See Form 2, attached.)
Individually Identifiable Health Information: Any information, whether oral or recorded, including demographic information collected from an individual that:
Is created or received by a healthcare provider, health plan, public health authority, pharmacy, employer, life insurer, school, university or healthcare clearinghouse; and
Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
Identifies the individual, or
With respect to which, there is reasonable basis to believe that the information can be used to identify the individual.
Protected Health Information: Individually identifiable health information that is transmitted or maintained in electronic medium, or in any other form or medium.
Reasonably Practicable: In emergency treatment or contact situations, the Notice of Privacy Practices and a good faith attempt to have the consumer acknowledge the Notice of Privacy Practices should be initiated within ninety-six (96) hours of treatment.
FERPA. Student education and treatment records are protected from unauthorized disclosure under the Family Educational Rights and Privacy Act (FERPA). Guidance is provided by the University’s FERPA Policy. Records protected by FERPA will be protected and disclosed as permitted by that law and University policy, but HCCs are permitted to apply HIPAA regulations and practices as long as there is no violation of FERPA.
At the date of the first delivery of, or appearance for, service at a HCC, or application for services, even those services received electronically, the patient (or their legal guardian or parent, if a minor) should be presented with the Notice of Privacy Practices. This timing is considered the initial moment of contact between a patient and a HCC. The sending of an application packet is not considered the point of first delivery of or appearance for service.
When the patient presents in any way described in (A), the HCC must make a good faith effort to obtain a written acknowledgment of the receipt of the Notice of Privacy Practices.
Documentation of acknowledgment of receipt (defined for HCC’s purposes as the patient’s signature or mark on a cover sheet to the current Notice of Privacy Practices) that such a Notice has been presented to a patient (or their legal guardian or parent, if a minor) must be placed in the patient’s record, except when the patient has agreed to receive the Notice electronically. The cover sheet to the Notice of Privacy Practices is to be removed from the Notice and filed in the medical record/designated records set. (See Form 1, attached.)
If the patient’s first point of contact of service is an emergency treatment situation, then the Notice of Privacy Practices must be provided as soon as reasonably practicable after the emergency treatment situation. In such emergency treatment situations, an acknowledgment is not initially required, but should be obtained as soon as reasonably practicable.
If the patient’s first point of contact of service is an emergency contact situation, then the Notice of Privacy Practices should be mailed to the patient, with acknowledgement obtained during an emergency telephone contact. A request should be made to have the acknowledgement mailed back to the sending office.
Example: If the patient has been placed on "inactive" status, the new Notice of Privacy Practices must be given at the time of service re-initiation.
If the HCC does not obtain the acknowledgement in a non-emergency situation, then the HCC shall document its good faith efforts to obtain the acknowledgment, and document the reason(s) why the acknowledgment was not obtained on the acknowledgment cover sheet to the Notice of Privacy Practices.
A copy of the Notice of Privacy Practices shall be posted in a highly visible and prominent location at the HCC, where it is reasonable to expect individuals will be able to locate and read the Notice.
Whenever the Notice of Privacy Practices is revised, the revised Notice must be made available upon request by a patient, and it is to be posted on any website maintained by the HCC.
The Notice of Privacy Practices must be placed and available electronically on the HCC website.
If a patient wishes to receive the Notice of Privacy Practices via electronic mail, the patient shall submit a written request to receive Notices by electronic mail to the Unit Privacy Officer or other designee. If the facility is aware that an electronic mail transaction has failed, the patient should be sent a paper copy of the Notice of Privacy Practices.
When there is a material change in the NPP, the HCC must make that revised Notice available upon request, and the revised Notice must be posted at the HCC.
The Unit Privacy Officer responsibilities are set forth in Form 3, attached. HCC Unit Privacy Officers will assist the University Privacy Officer with those responsibilities as applicable to their HCC. The Unit Privacy Officer or designee will facilitate employee training regarding the Notice of Privacy Practices in accordance with procedures related to employee HIPAA education/training.
Patient questions related to the Notice of Privacy Practices should be directed to the Unit Privacy Officer or designee, if applicable, or to the University Privacy Officer, or designee.
The Unit Privacy Officer, if applicable, or the University Privacy Officer, shall maintain a historical record of all versions of the Notice of Privacy Practices, and the applicable dates for each. A Unit Privacy Officer may approve modifications to a University HIPAA form or NPP for application by the HCC.
If a member of an organized health care arrangement (OHCA) (see 45 CFR 164.520(d)) has provided a copy of the Notice of Privacy Practices to the patient, a HCC may rely on the provision of the OHCA privacy notice if:
The HCC has received written confirmation that the patient has already been provided with the OHCA joint Notice of Privacy Practices, and,
The written confirmation is from the Privacy Officer or other authorized designee of the OHCA member, and
The HCC documents in the medical record the following:
The patient received the OHCA privacy notice;
The date the patient received the OHCA privacy notice;
The OHCA member who provided the Notice; and
The identity of the OHCA person who confirmed the above information.
Sanctions. Failure to comply or assure compliance with the policy may result in disciplinary action, up to and including dismissal.
Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
HISTORY: Effective March 21, 2003.