HIPAA Privacy Manual
- Breach involving Personal Health Information (PHI)
- Business Associate
- Covered Entity
- Health Care Component
- Hybrid entity
- Unsecured PHI
- Required Legal Documents
- Use and Disclosure of Personal Health Information (PHI)
- Treatment, Payment, and Health Care Operations as Defined by HIPAA
- Use and Disclosure by and for Personal Representatives, Minors, and Deceased Individuals
- Use and Disclosure of Protected Health Information for Workers’ Compensation Process
- Use and Disclosure of Protected Health Information for Judicial and Administrative Proceedings
- Disclosure to Third Parties
- Use or Disclosure of Protected Health Information for Marketing Purposes
- Patient Photography, Videotaping, other Imaging, and Audio Recording
- Permission to Gather Personal Health Information
- Individual Rights
- Patient’s Right to Access, Inspect and Copy Protected Health Information
- Patient’s Right to Request Amendment of Protected Health Information
- Patient’s Right to Request Restrictions on Confidential Communications
- Patient’s Right to Revoke Authorization for Disclosure of Protected Health Information
- Accounting of Disclosures
- Risk Management Activities
- Mandatory HIPAA Education and Training
- Patient Privacy-Related Complaints
- Sanctions for Failure to Comply with Privacy Policies
- Retention of Records and Reasonable Fee for Release
- Identity Verification
- Destruction/Disposal of Patient Health Information
- A covered entity may be a business associate of another covered entity.
- Business Associate includes:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
- A person that offers a personal health record to one or more individuals on behalf of a covered entity.
- A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
- For a complete definition, see 45 CFR 160.103.
- A health plan.
- A health care clearinghouse.
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
Health Care Component
- Curry Health Center Services
- DeWit RiteCare Speech, Language, and Hearing Clinic
- Health Center Pharmacy
- IPHARM - Improving Health Among Rural Montanans
- MonTech (includes Montana Adaptive Equipment and Montana Assistive Technology Programs)
- New Directions Wellness Center
- Rhinehart Athletic Training Center
- UM Physical Therapy Clinic (formerly Nora Staael Evert Clinic)
- That is a Covered Entity;
- Whose business activities include both covered and non-covered functions; and
- That designates health care components in accordance with paragraph 45 CFR 164.105(a)(2)(iii)(D).
Under the federal law known as “HIPAA,” certain entities within the University of Montana must maintain the privacy of personal health information. These so-called “covered” entities include the Curry Health Center, the DeWit RiteCare Speech, Language, and Hearing Clinic, the Curry Health Center Pharmacy, MonTECH (includes Montana Adaptive Equipment Program and Montana Assistive Technology Programs) (MAEP), the New Directions Program, the Rhinehart Athletic Training Center, the UM Physical Therapy Clinic, and the IPHARM Pharmacy. The privacy notice describes how protected health information about treatment, payment, health care operations, and other purposes that are permitted or required may be used or disclosed. It also describes patient’s rights to access and control of protected health information. Please note that all personal health information will be available for release to patients, to a provider regarding patient’s treatment, or to certain other entities as required by law.
The “covered” entities within the University of Montana are required to abide by the terms of the Notice of Privacy Practices. However, the University reserves the right to change the privacy practices described in this notice, in accordance with the law. Changes to the privacy practices would apply to all health information maintained in the “covered” entities. If the privacy practices are changed, you may receive a revised copy of the privacy notice by contacting the University of Montana Chief Privacy Officer, in the Office of Research and Creative Scholarship, UH 116, 406-243-6670.
Issuing and Administering Privacy Notice
HIPAA privacy regulations require health care providers to notify patients of how the patient’s health information may be used and disclosed, and the patient’s rights and provider’s legal duties with regard to their health information.
If the provider is in a direct treatment relationship with the patient (e.g., not providing care under the orders of another provider), then the provider must provide the privacy notice to the patient no later than the date of the first service delivery after the compliance date.
The University of Montana must:
- Have the notice available at the service delivery site for patients to request to take with them;
- Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice;
- Make a reasonable effort to assure that each patient gets a Notice of Privacy Practice at the first office visit after 4/13/03 and get written documentation from the patient that he/she received this notice;
- Post the Privacy Notice on the covered entity’s website, if applicable; and
- Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the above two requirements.
Patient Acknowledgment of Receiving "Notice of Privacy Practices"
- A covered health care provider that has a direct treatment relationship with an individual must provide the Notice of Privacy Practices to the patient:
No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or
- In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
In addition, a covered health care provider must make a good faith effort to obtain a written acknowledgment of receipt of the notice provided, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained.
See the “Patient Acknowledgment Form” here. The patient acknowledgment can also be stored electronically if the covered component has the capability to do so.
The University of Montana (UM) protects the confidentiality and integrity of confidential medical information as required by professional ethics and state and federal law.
UM is not liable for privacy violations of its business associates and is not required to actively monitor or oversee the means by which its business associates carry out safeguards, or the extent to which the business associates abide by the requirements of the contract. However, UM is required to act if it becomes aware of a practice or pattern that constitutes a material breach of the contract.
“Business Associate” is a person or entity who provides certain functions, activities, or services, including the use and/or disclosure of Protected Health Information (PHI).
Mandatory Contract Terms
UM must enter into contracts with its business associates containing language that the business associate will:
- Not use or further disclose the information other than permitted or provided by the contract or required by law,
- Use appropriate safeguards to prevent use or disclosure of the information other than as provided for in its contract,
- Report to UM any use or disclosure of the information not provided for by its contract of which it becomes aware,
- Ensure any agents, including a subcontractor, to whom it provides PHI created by, or received from, or on behalf of UM, agree to the same conditions and restrictions that apply to the business associate with respect to such information,
- Make PHI available in accordance with the UM policy on patients’ access to PHI,
- Make PHI available for amendment and incorporate amendments to PHI in accordance with UM policy on patients’ right to amend or correct PHI,
- Make available the information required to provide an accounting of disclosures in accordance with the UM policy on Accounting of Disclosures of PHI,
- Make its internal practices, books, and records related to the use and disclosure of PHI received from, or created by, or on behalf of UM available to the U.S. Dept. of Health and Human Services (HHS) for the purposes of determining UM’s compliance,
- At the termination of its contract, if feasible, return or destroy all PHI received from, or created by, or on behalf of UM that the business associate retains in any form and retain no copies of such information. If such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses or disclosures to those purposes that make the return or destruction infeasible.
In the event that UM becomes aware of a practice or pattern of the business associate that constitutes a material breach or a violation of the business associate’s obligations under the contract, UM must take reasonable steps to cure the breach or end the violation, as applicable.
In the event that the business associate cannot or will not remedy the practice or pattern, UM must terminate the contract, if feasible. Where not feasible, contact the University of Montana HIPAA Privacy Officer, Office of Research and Creative Scholarship, 406-243-6670 for reporting to HHS, as applicable.
HIPAA Breach Notification Rule: Explanation and Guidance
On September 23, 2013, the “HIPAA Omnibus Rule” took effect modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules and implementing various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This rule provides for the notification of individuals following a breach of their unsecured protected health information. (Reference: 45 CFR 164.400-414)
Unsecured protected health information is defined as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.
NOTICE: If you are a HIPAA covered component at the University of Montana and you believe the HIPPA–protected PHI in your records has been breached, you are advised to immediately call the HIPPA Security Officer at (406) 243-6375 and HIPAA Privacy Officer at 406-243-4755.
If, after investigating a suspected security breach, the HIPAA Security Officer and/or the HIPAA Privacy Officer determines that unsecured protected health information is reasonably believed to have been accessed, acquired, used, or disclosed in a manner not permitted and cannot demonstrate a low probability of compromise based on a risk assessment of the following four factors, the HIPAA Security Officer and/or HIPAA Privacy Officer will coordinate with covered components to notify affected individuals, following the methods required by 45 CFR 164.404.
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
To fulfill burden of proof requirements, the HIPAA Security Officer and/or HIPAA Privacy Officer will coordinate with covered components to document that all notifications were made or that the use or disclosure did not constitute a breach.
If it is determined that a breach of unsecured protected health information has occurred, the University must notify, in writing, the affected individuals within 60 days of the discovery. The notice must include a brief description of the breach, a description of the types on information involved in the breach, the steps the affected individual should take to protect themselves from potential harm, a brief description of what UM is doing to prevent future breaches, and contact information at the University for those individuals wanting more information.
If it is determined that a breach of unsecured protected health information involves more than 500 residents of a state or jurisdiction, the HIPAA Security Officer or HIPAA Privacy Officer will coordinate with covered components to notify prominent media outlets serving the affected area, as required by 45 CFR 164.406.
For all breaches affecting less than 500 individuals, the HIPAA Security Officer or HIPAA Privacy Officer will coordinate with covered components to submit notice of all such breaches discovered in the prior calendar year to the Department of Health and Human Services (HHS) via the HHS website. This notice will be submitted to HHS on an annual basis, no later than sixty (60) days after the end of each calendar year. For all breaches affecting more than 500 individuals, the HIPAA Security Officer or HIPAA Privacy Officer will coordinate with covered components to provide notice to HHS contemporaneously with the notification of affected individuals.
Notification is not required if PHI is secure via encryption; provided, however, that encryption keys must be kept on a separate device from the data they encrypt or decrypt. Nothing in this policy is meant to require a Health Care Component to provide information to an individual that is privileged under the attorney-client privilege, licensed mental health professional or other privilege laws. Further, the UM Hybrid Covered Entity will not disclose the names of any employees or other individuals involved in the Breach or any specific sanctions taken against such employees.
Note: Upon a breach of unsecured PHI, or any event that raises concern of a possible breach of unsecured PHI, notify UM legal counsel immediately, and in any event no later than 5 days. UM legal counsel must determine which, if any, state are laws triggered by the breach of unsecured PHI and whether any such state laws provide notification requirements that deviate from the protocol listed above. As of this publication, the following state statutes are known to require compliance that differs from the above instructions: Colo. Stat. Ann. § 6-1-716 (2018) and Fla. Stat. Ann. § 501.171 (2019).
Treatment, Payment, and Health Care Operations as Defined by HIPAA
In compliance with HIPAA, the University of Montana uses the following definitions for terms treatment,” “payment,” and “health care operations.”
TreatmentTreatment activities are those taken on behalf of a single individual, not an entire population. Only health care providers can deliver treatment, not group health plans or employers (in their role as an employer). Some activities, such as telephone nursing assistance, would be “treatment” if provided by a health care provider or “health care operations” if provided by a group health plan. Treatment includes:
- Providing, coordinating, or managing health care and related services by one or more health care providers;
- Coordinating or managing health care with a third party;
- Consulting between health care providers to provide care to an individual; and
- Referring the individual to another health care provider.
Payment includes all activities undertaken by a health care provider to get reimbursement for services provided to an individual. Payment includes:
- Determining the eligibility or coverage of an individual’s benefits;
- Billing, claims management, collection activities and related data and information processing activities;
- Utilization review activities – including pre-certifying and preauthorizing services, concurrent and retrospective review of services provided; and
- Disclosures to consumer reporting agencies for either collection of premiums or reimbursement. Health care providers may disclose:
- Name and address;
- Date of birth;
- Social security number;
- Payment history;
- Account number; and
- Name and address of the health care provider and/or health plan.
Health Care Operations
Health care operations include any of the following activities done as a Covered Entity (CE) (if the CE has components that are not CE’s):
- Conducting quality assessment & improvement activities, including outcomes evaluation and development of clinical guidelines, so long as such activities are not part of a research study (research is covered under separate IRB guidelines);
- Reviewing the competence and qualifications of health care professionals and evaluating their performance;
- Conducting training programs for students & interns to learn under supervision & practice or improve their skills as health care providers;
- Training health and non-health care professional employees;
- Accreditation, certification, licensing or credentialing activities;
- Conducting or arranging medical review, legal services and auditing functions – including fraud and abuse detection and compliance programs;
- Business planning and development – including cost-management and planning related analyses related to managing the group health plan. This may include developing and administrating the drug formulary; and developing or improving methods of payment or coverage policies; and
- General management and administration, including:
- Any management activities relating to implementing and complying with the Privacy Rule;
- Customer service;
- Resolving internal grievances with employees or patients; and
- Selling, transferring, merging or consolidating any part of or all of the group health plan.
A Personal Representative is treated as the individual. The personal representative (PR) may be any adult who has decision-making capacity and who is willing to act on behalf of the patient. A PR may include an individual who has lawful authority to act in the place of the individual. This includes parents, legal guardians or properly appointed agents designated by Montana law.
A minor is an individual under the age of 18 who has not been legally emancipated by a court and is:
- Not legally or previously married;
- Without children;
- Not a high school graduate;
- Not separated from parents and self-supporting;
- Not pregnant or carrying a communicable disease;
- Not in need of emergency care without which the minor’s health would be at stake.
The University of Montana does not have to recognize a PR as the individual, if the PR is suspected of abusing, neglecting or endangering the individual.
In compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the University of Montana may disclose protected health information (PHI) to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault. However, the health information disclosed must be limited to the minimum amount necessary to carry out the purpose of the disclosure and must be limited to that which is relevant to the individual’s condition under consideration.
An employee filing a claim for workers’ compensation due to an on-the-job injury consents to certain conditions. One of those conditions is, at the employer’s request, they will submit to an examination to determine the validity of their claim. This information is then available, with certain restrictions, to the employee, employer, Department of Workforce Development, or representative of any of these to assist in resolving the claim.
Employees filing a workers’ compensation claim waive all provider-patient privilege of information or results regarding any condition or complaint reasonably related to the condition that they are claiming compensation for. This includes information normally covered by any applicable law, but only if it is related to the condition that the employee is seeking compensation for.
- Copies of medical records or verbal communications, reasonably related to a work injury, should be released within a reasonable time, after written request, to the employee, employer, workers compensation insurance carrier for the employer, Department of Labor and Industry or its representative.
- Requests for copies of medical records which extend beyond the scope of the work-related injury need to be accompanied by a written authorization from the patient/employee.
- Providers furnish legible duplicates of written material requested. Certified copies are furnished upon request. Refusal to provide the requested copies can result in the provider being liable for all costs of preparing the records and attorney’s fees incurred while attempting to get the requested copies.
- Fees for copies are set by State statute, with a limit of the greater of $7.50 per request or $.45 per page plus the actual postage cost.
- Records of the Department of Labor and Industry which identify an employee filing a worker’s compensation claim are confidential and not subject to inspection or copying. This includes the following:
- Identifying the employee
- Disclosing the nature of the claimed injury
- Disclosing past or present medical condition
- Describing the extent of disability
- Disclosing the amount, type or duration of any benefits provided to the employee
- Disclosing any financial information provided to the department by self-insured employer or person applying for exemption
There may be instances where a patient is involved with a legal proceeding, either conducted by a court of law (such as a state trial court or federal district court) or a government agency (such as a state Department of Health and Family Services or the federal Centers for Medicare and Medicaid Services).
In these legal proceedings, lawyers, judges and others involved with the proceeding may contact the University of Montana to access the patient’s PHI. Examples of health information these proceedings may require include information about a certain medical procedure the patient underwent to determine whether the procedure is covered under a health plan or the outcome of that procedure, results of blood or genetic tests in child custody or similar proceedings, medical records that document disabling conditions in discrimination cases, or health information that documents serious illnesses for conflicts pertaining to medical leave.
The University of Montana may disclose PHI in the course of any judicial or administrative proceeding according to the procedures below.
Disclosing PHI in response to a court/administrative order
Upon receipt an order from a court or administrative judge, the University shall only release the PHI which the order expressly authorizes to be disclosed if the request is relevant and material to a legitimate legal inquiry; the request is specific and limited in scope to the extent necessary; and de-identified information could not be used.
Disclosing PHI in response to a subpoena, discovery request or other lawful process (other than a court order)
The University may only release PHI in such instances if at least one of the following three events has occurred:
- The University may release PHI upon receipt of written satisfactory assurance from the party requesting the information that reasonable efforts have been made by such party to ensure that the patient who is the subject of the PHI has been given notice of the request.
Satisfactory assurance that the requesting party has tried to notify the patient of the PHI request means the requesting party has given the University a written statement and accompanying documentation demonstrating that:
- The requesting party has made a good faith attempt to provide written notice to the patient (if the patient’s location is unknown, documentation showing that a notice was mailed to the patient’s last known address);
- The notice provided by the requesting party to the patient contained enough information to allow the patient to make an informed objection to the court or administrative tribunal regarding the release of the patient’s PHI.
- The time for the patient to raise objections to the court or administrative tribunal has passed and either no objections were filed, or all objections filed by the patient have been resolved and the disclosures being sought are consistent with the court’s resolution.
- The University may release PHI to a requesting party upon receipt of written satisfactory assurance from the requesting party that reasonable efforts have been made by such party to secure a qualified protective order.
- A qualified protective order is an order of a court or administrative tribunal or a stipulation by the parties to the proceeding that prohibits the parties from using or disclosing PHI for any purpose other than the proceeding for which the information was requested and requires the parties to return the PHI (including all copies made) to the University of Montana at the end of the proceeding.
- Satisfactory assurance in this instance means that the University has received from the requesting party a written statement and accompanying documentation demonstrating that:
- The parties to the dispute giving rise to the request for PHI have agreed to a qualified protective order and have presented it to a court or administrative tribunal with jurisdiction over the dispute; OR
- The requesting party has asked for a qualified protective order from such court or administrative tribunal.
- The University may release PHI to a requesting party even without satisfactory assurance from that party if the University either:
- Makes reasonable efforts to provide notice to the patient about releasing his or her PHI, so long as the notice meets all of the following requirements:
- The notice is written and given to the patient (if the patient’s location is unknown, the University should establish documentation showing that a notice was mailed to the patient’s last known address);
- The notice contained enough information to allow the patient to make an informed objection to the court or administrative tribunal regarding the release of the patient’s PHI; and
- The time for the patient to raise objections to the court or administrative tribunal has elapsed and either no objections were filed, or all objections filed by the patient have been resolved and the disclosures being sought are consistent with the court’s resolution;
- Or, Seeks a qualified protective order from the court or administrative tribunal or convinces the parties to stipulate to such order.
- Makes reasonable efforts to provide notice to the patient about releasing his or her PHI, so long as the notice meets all of the following requirements:
The University of Montana (UM) may use and disclose certain PHI without the written consent or authorization to release the information from the individual. The individual must be informed in advance of the use or disclosure and have the opportunity to agree, prohibit, or restrict the disclosure.
UM may disclose to family members, other relatives, close personal friends, clergy, or others identified by an individual, the PHI directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s health care. UM may use or disclose PHI to notify or assist in the notification of a family member, a personal representative of the individual, or another person responsible for the care of the individual or the individual’s location, general condition, or death. The individual’s presence is a determining factor in order to use or disclose PHI for these purposes.
Use and Disclosure with the Individual Present
If an individual is present or otherwise available prior to a use or disclosure and has the capacity to make health care decisions, UM may use or disclose the PHI if it:
- Obtains the individual’s agreement;
- Provides the individual opportunity to object to use or disclosure, and the individual does not express an objection; or
- Reasonably infers from the circumstances, based on the exercise of professional judgment that the individual does not object to such disclosure.
Limited Uses and Disclosures when the Individual is not Present
If the individual is not present or the opportunity to agree or object to the use or disclosure cannot practically be provided due to the individual’s incapacity or an emergency circumstance, UM may, in exercise of professional judgment, determine whether the disclosure is in the individual’s best interest and, if so, disclose only the PHI which is directly relevant to that person’s involvement with the individual’s health care. UM may use professional judgment and its experience of common practice to make reasonable inferences of the individual’s best interests in allowing a person to act on the individual’s behalf to pick up filled prescriptions, X-rays, medical supplies, or other similar forms of PHI.
It is the policy of the University of Montana to secure an authorization to use or disclose protected health information (PHI) for marketing purposes in compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996. [45 CFR 164.501, 164.508(a)(3)]
Per 45 CFR 164.501, marketing is defined as:
- to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service; or
- an arrangement involving a covered entity whereby PHI is disclosed by the covered entity in exchange for direct or indirect remuneration, so that the other entity or affiliate can make a communication that encourages the purchase or use of its own product or service.
The following are examples of situations that do not meet the definition of marketing
- Communications that are merely promoting good health and not about a specific product or service does not meet the definition of marketing. So mailings reminding women to get an annual mammogram, or with information about how to lower cholesterol, about new developments in health care like new diagnostic tools or about health or wellness classes, support groups and health fairs are permitted and not considered marketing.
- Communications about government-sponsored programs do not fall within the definition of marketing. There is no commercial component to communications about benefits available through public programs, so the University of Montana is permitted to use/disclose PHI to communicate about eligibility for Medicare supplement benefits, or SCHIP.
- The University of Montana may make communications in newsletter format without authorization so long as the content of such does not fit the definition of marketing.
Exceptions to the Scope of Marketing Activities so Authorization is not needed
Marketing does not include:
- oral or written communications that describe the University of Montana network or covered services; or
- communications about treatment for the patient; or
- communications about case management or care coordination, or recommendations of treatment alternatives and care options, including health care providers or settings of care.
The following are examples of these exceptions:
- The University of Montana can convey information to beneficiaries and members about health insurance products offered by the University of Montana that could enhance or substitute for existing health plan coverage. For example, if a child is about to age out of coverage under a family’s policy, this provision will allow the plan to send the family information about continuation coverage for the child. This does NOT extend to excepted benefits such as accident-only policies or to other lines of insurance.
- Doctors can write a prescription or refer an individual to a specialist for follow-up tests because these are communications about treatment.
Procedure for Authorization to Use or Disclose PHI for Marketing Purposes
- The University of Montana will obtain an authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of a face-to-face communication with the patient; or a promotional gift of nominal value provided by a covered entity.
- If the marketing involves the University of Montana receiving direct or indirect remuneration by a third party, the authorization will state that such remuneration is involved.
The following are examples of situations that require authorization
- NPRM clearly states that nothing in the Final Rule will permit a covered entity to sell lists of patients or enrollees to third parties or to disclose PHI to a third party for the independent marketing activities of the third party.
- A pharmaceutical company cannot pay a provider for a list of patients with a particular condition or taking a particular medication and then use that list to market its own drug products directly to those patients.
The University of Montana may use a variety of media to collect health information and obtain the patient’s informed consent in writing before creating photographs, videotapes, other images, or audio recordings of the patient.
“Consent” means written documentation of the patient’s agreement to be photographed, videotaped, otherwise imaged, or recorded. Written consent establishes a reliable record of patient consent in case consent is later questioned. Written consents become part of the patient’s health record.
Consents are valid for only a reasonable period of time, e.g. the duration of the immediate health concern. A new consent should be obtained if the situation surrounding the imaging or recording has changed.
In addition, the patient has the right to withdraw the consent at any time, provided the withdrawal is in writing. Photographs, videotapes, other images, and audio recordings, which were obtained before the patient withdrew consent, are part of the patient’s health record and shall be maintained according to the University of Montana’s retention of records policy.
- Except under very limited circumstances, images and recordings may not be created for any purpose without the written consent of the patient.
- As part of obtaining consent, the patient is given an explanation of:
- The purpose of the photographing, videotaping, imaging, or recording;
- Any proposed use of the images or recordings for commercial, educational, promotional or legal purposes;
- The security mechanisms to be used to protect patient privacy; and
- The duration of retention of the images recordings.
- The University of Montana provides the patient with the above information in sufficient detail and understandable language to enable the patient to give informed consent to the proposed imaging or recording as a free and knowledgeable choice.
- A health care provider (physician, registered nurse, physician assistant, psychologist, counselor, etc.) is responsible for providing the patient with an appropriate explanation of the imaging or recording and obtaining the patient’s informed consent in writing.
- Circumstances that may involve patient imaging or recording include:
- Documentation of abuse or neglect. Reportable cases of actual or suspected abuse and neglect do not require consent from the patient prior to photography, videotaping, and other imaging. These images may be submitted to the investigating agency with appropriate authorization/court order, but are not to be used for other purposes without consent.
- Research. Consent for imaging or recording must be explicitly stated in the patient’s consent for participation in the research protocol. The University of Montana’s Institutional Revie w Board must approve the creation of images and recording as part of a research protocol.
- Telemedicine (including e-mail) and Internet transmission: Consent for the University of Montana to use images or recordings for these purposes must be explicitly stated in the patient’s written consent. The images or recordings, along with the medical record, should be encrypted in order to protect the patient’s privacy.
- Medical education or teaching. Consent for the University of Montana to use images or recordings for these purposes must be explicitly stated in the patient’s written consent.
- Marketing/Fundraising/Publicity/Media: Authorization/consent for the University of Montana to use images or recordings for these purposes must be explicitly stated in the patient’s written consent.
- Law enforcement or legal purposes. Consent for the University of Montana to use images or recordings for these purposes must be explicitly stated in the patient’s written consent.
- Videotaping for Trauma Certification/Performance Improvement Purposes. Videotaping as a documentation tool for peer review, performance improvement activities, or trauma certification may be carried out with patient authorization. However, viewing is limited to authorized staff as per the University of Montana guidelines. The videotapes are not considered a part of the patient’s health information and will be erased following completion of the performance improvement process.
- Photography of newborns. Consent of the parent must be obtained prior to photographing of newborns as a courtesy or for sale.
- Family/Friends. Documented consent is not needed for imaging or audio recording done by the patient’s family members or friends. However, if a family member or friend has the consent of the patient to videotape a birth or procedure, for example, this should be done only with the agreement of the attending physician and acknowledgment that the individual may be required to discontinue taping if the attending physician deems it necessary.
- The University of Montana may not release images and recordings to individuals outside the University of Montana without specific authorization from the patient, except when required by law or when the images or recording have been “de-identified” and are no longer considered individually identifiable health information.
- The University of Montana may determine that images and recordings are not individually identifiable health information only if identifiers, including full-face photographic images and any comparable ages of the individual or of relatives, employers, or household members of the individual, are removed. (See the University of Montana’s Destruction and Disposal of PHI policy).
- Storage and retention of images and recordings
- Images and recording must be clearly identified with the patient’s name, identification number and/or date of birth, and date of image or recording. Media must be stored securely to protect the patient’s confidentiality. If used to document patient care, images and recordings will be stored in compliance with the University of Montana’s retention of records policy and state law.
- Still images and recording created for medical purposes may be filed with the patient’s health record.
- Sensitive images and recordings may be stored in sealed envelopes within the patient’s health care record.
To ensure the veracity and security of Protected Health Information (PHI), the University of Montana only gathers PHI through the following two approaches:
- directly from an individual or, if a minor, an individual’s parent/guardian; and
- requesting information from an entity such as the individual’s healthcare provider, hospital, clinic, or health plan.
In compliance with the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), providers must have in place implemented policies and procedures to ensure patients’ right to access, inspect and copy protected health information (PHI). An individual has the right to access their information in all but a limited number of situations. It is the policy of the University of Montana to honor a patient’s right of access to inspect and obtain a copy of their PHI in the University’s designated record set, for as long as the PHI is maintained in compliance with HIPPA and the University’s retention policy.
Information not Subject to the Individual Right to Access
The University of Montana may deny the individual access without providing an opportunity for review if the requested information is any of the following:
- Psychotherapy notes;
- Information compiled in anticipation of or use in a civil, criminal, or administrative action or proceeding;
- Protected health information subject to the Clinical Laboratory Improvements Amendment (CLIA) of 1988; or
- Protected health information exempt from CLIA, including protected health information generated by:
- Facilities or facility components that perform testing for forensic purposes;
- Research laboratories that test human specimens but do not report patient-specific results for diagnosis, prevention, treatment, or the assessment of the health of individual patients; or
- Laboratories certified by the National Institutes on Drug Abuse (NIDA) in which drug testing is performed that meets NIDA guidelines and regulations.
Situations not Subject to the Individual Right to AccessThe University of Montana may also deny an individual access without providing an opportunity for review when:
- The covered entity is a correctional institution or a healthcare provider acting under the direction of the correctional institution and an inmate’s request to obtain a copy of protected health information would jeopardize the individual, other inmates, or the safety of any officer, employee, or other person at the correctional institution, or a person responsible for transporting the inmate;
- The individual, when consenting to participate in research that includes treatment, agreed to temporary denial of access to protected health information created or obtained by a healthcare provider in the course of research, and the research is not yet complete;
- The records are subject to the Privacy Act of 1974 and the denial of access meets the requirement of that law; or
- The protected health information was obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of the information.
Circumstances Involving Substantial Harm
The University of Montana may also deny an individual access under the following circumstances, provided that the individual is given a right to have such denials reviewed:
- A licensed healthcare professional has determined that the access is likely to endanger the life or physical safety of the individual or another person;
- The protected health information makes reference to another person who is not a healthcare provider, and a licensed healthcare professional has determined that the access request is reasonably likely to cause substantial harm to such other person; or
- The request for access is made by the individual’s personal representative and a licensed healthcare professional has determined that access is reasonably likely to cause substantial harm to the individual or another person.
Detailed requirements for denial review are outlined in 45 CFR 164.524.
Patient Requests for PHI
- A patient must make a request to a staff member to access and inspect their protected health information. Whenever possible, this request shall be made in writing and documented on either the Authorization for Disclosure form or in the notes of the patient’s health record.
- Determination of accessibility of the information shall be based on:
- Criteria outlined above, as supported by State and Federal laws;
- Availability of protected patient information (i.e., final completion of information, long term storage, retention practices, etc.)
- The University of Montana must take action within 10 days after receipt of the request when the PHI is on-site, and within 21 days when the PHI is off-site or not immediately available, if the University of Montana provides the patient with a written statement of the reasons for the delay and the date by which the access request will be processed. If the University of Montana does not maintain the requested PHI, it must tell the requestor who does.
- The University of Montana must document and retain the designated record sets subject to access, and the titles of persons or offices responsible for receiving and processing requests for access.
Access, Inspection and/or Copying if Request is Granted
- The patient and The University of Montana will arrange a mutually convenient time and place for the patient to inspect and/or obtain a copy of the requested PHI. Inspection and/or copying of PHI will be carried out within the University with staff assistance.
- The patient may choose to inspect the PHI, copy it, or both, in the form or format requested. If the PHI is not readily producible in the requested form or format, the University must provide the patient with a readable hard copy form, or other form as agreed to by the University and the patient.
- If the patient chooses to receive a copy of the PHI, the University may offer to provide copying services. The patient may request that this copy be mailed.
- If the patient chooses to copy their own information, the University may supervise the process to ensure that the integrity of the patient record is maintained.
- Upon prior approval of the patient, the University may provide a summary of the requested PHI.
- The University may charge a reasonable fee for the production of copies or a summary of PHI, if the patient has been informed of such charge and is willing to pay the charge.
- If upon inspection of the PHI the patient feels it is inaccurate or incomplete, the patient has the right to request an amendment to the PHI. The University shall process requests for amendment as outlined in additional University policy/procedures addressing this patient right.
Access, Inspection and/or Copying if Request is Denied in Whole or in Part
- The University must provide a written denial to the patient. The denial must be in plain language and must contain:
- The basis for the denial;
- A statement, if applicable, of the patient’s review rights; and
- A description of how the patient may complain to the University of Montana or to the Secretary of Health and Human Services.
- IIf access is denied because the University of Montana does not maintain the PHI that is the subject of the request, and the University of Montana knows where the PHI is maintained, the University of Montana must inform the patient where to direct the request for access.
- The University of Montana must, to the extent possible, give the patient access to any other PHI requested, after excluding the PHI as to which the University of Montana has grounds to deny access.
- If access is denied on a ground permitted under (HIPAA) 45 CFR 164.524, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the University of Montana to act as a reviewing official and who did not participate in the original decision to deny.
- The patient must initiate the review of a denial by making a request for review to the University of Montana. If the patient has requested a review, the University of Montana must provide or deny access in accordance with the determination of the reviewing professional, who will make the determination within a reasonable period of time.
- The University of Montana must promptly provide written notice to the patient of the determination of the reviewing professional.
The University of Montana will honor a patient’s right to request an amendment or correction to the patient’s protected health information if the patient feels that the information is incomplete or inaccurate. The patient has the right to request an amendment of their protected health information for as long as that information is maintained in the designated record set.
How to Request an Amendment
- Patient requests for amendment of protected health information shall be made in writing to the University of Montana and clearly identify the information to be amended, as well as the reasons for the amendment. These requirements are detailed in the Notice of Privacy Practices.
- Requests may be denied if the material requested to be amended:
- was not created by the University of Montana, unless the originator is no longer available to act on the request.
- is not part of the individual’s health record.
- is not accessible to the individual because federal and state law do not permit it.
- is accurate and complete.
- The University of Montana must act on the individual’s request for amendment no later than 10 days after receipt of the amendment. The University of Montana may have up to 21 days for processing the amendment if the record is permanently or temporarily unavailable and if the individual is given a written statement of the reason for the delay, and the date by which the amendment request will be processed.
When Amendment Request is Granted
- If the request is granted, after review and approval by the individual responsible for the entry to be amended, the University of Montana must:
- Insert the amendment or provide a link to the amendment at the site of the information that is the subject of the request for amendment.
- Inform the individual that the amendment is accepted.
- Obtain the individual’s identification of and agreement to have the University of Montana notify the relevant persons with whom the amendment needs to be shared.
- Within a reasonable time frame, make reasonable efforts to provide the amendment to persons identified by the individual, and persons, including business associates, that the University of Montana knows have the protected health information that is the subject of the amendment and that may have relied on or could foreseeably rely on the information to the detriment of the individual.
When Amendment Request is Denied
- If the request is denied, the University of Montana must provide the individual with a timely manner, written denial in plain language that contains:
- The basis for the denial;
- The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
- A statement that if the individual does not submit a statement of disagreement, the individual may request that the University of Montana provide the individual’s request for amendment and the denial with any future disclosures of the protected health information that was the subject of the request.
- A description of how the individual may complain to the the University of Montana or the Secretary of Health and Human Services; and
- The name or title, and the telephone number of the designated contact person who handles complaints the University of Montana.
- The University of Montana must permit the individual to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such agreement. The University of Montana may reasonably limit the length of a statement of disagreement.
- The University of Montana may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, the University of Montana must provide a copy to the individual who submitted the statement of disagreement.
- The University of Montana must, as appropriate, identify the record of protected health information that is the subject of the disputed amendment and append or otherwise link the individual’s request for amendment, the University of Montana’s denial of the request, the individual’s statement of disagreement, if any, and the University of Montana’s rebuttal, if any.
- If the statement of disagreement has been submitted by the individual, the University of Montana must include the material appended or an accurate summary of such information with any subsequent disclosure of the protected health information to which the disagreement relates.
- If the individual has not submitted a written statement of disagreement, the University of Montana must include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of protected health information only if the individual has requested such action.
- When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included, the University of Montana must separately transmit the material required.
- When the University of Montana is informed by another covered entity of an amendment to an individual’s protected health information, the University of Montana must amend the protected health information in written or electronic form.
- The University of Montana must document the titles for the persons or offices responsible for receiving and processing requests for amendments.
Additional Considerations of Amendments from Other Covered Entities
- When a provider receives notification from another health care provider or health plan that a patient’s protected health information has been amended, the receiving provider:
- Must ensure that the amendment is appended to the patient’s health record; and
- Will inform its business associates that may use or rely on the patient’s protected health information of the amendment (as agreed to in the business associate contract) so that they may make the necessary revisions based on the amendment.
Patients/Individuals have the right to request restrictions on how and where their Protected Health Information (PHI) is communicated. To comply with HIPAA Privacy Rule sections 45 CFR 164.502 and 164.522(b) regarding confidential communications, the University of Montana must permit patients/individuals to request to receive communications of PHI by alternative means or at alternative locations.
The University of Montana may require that patient/individual requests to receive communications of PHI by alternative means or at alternative locations be made in writing. Writing requirements are detailed in the Notice of Privacy Practices.
Making a Request
Patients/Individuals may request to receive communications of PHI by alternative means or at alternative locations at the time of admission, visit, or at any time during the course of their care.
Patient/Individual requests may be made to any staff member of a covered component at the University of Montana (e.g. Curry Health Center).
When patients/individuals make a request, either formally or informally, the staff member receiving the request should document it in writing.
The University of Montana determines whether a request is reasonable based solely on the administrative difficulty of accommodating the request. The University of Montana should establish policies and procedures to determine whether a request is reasonable. The University of Montana must accommodate patient/individual requests if the patient/individual states that the disclosure of PHI could endanger him or her. The University of Montana shall not require that patients/individuals provide a reason for their request.
The University of Montana may not deny requests based on its perception of whether patients/individuals have a good reason for making the request. A patient’s/individual’s reason for making a request cannot be used to determine whether the request is reasonable.
The University of Montana may deny patient/individual requests if:
- The patient/individual does not specify an alternative address or other method of contact; or
- The patient/individual does not provide information as to how payment, if applicable, will be handled.
If The University of Montana grants a patient’s/individual’s request, it provides appropriate staff with the communication requirements and requires staff to adhere to them.
An individual may revoke authorization at any time, provided the revocation is in writing, unless the University of Montana has already provided PHI based on the individual’s authorization.
The University of Montana’s Authorization for Disclosure of PHI form shall give notice to individuals of their right to revoke an authorization of disclosure and the contact information of the person/office an individual is to contact in order to revoke authorization.
Upon receipt of a revocation of authorization to release information, the University of Montana shall stop providing information based on the individual’s prior authorization as soon as possible.
All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process.
Under the Health Insurance Portability and Accountability Act, the University of Montana must give patients an accounting of disclosures, if requested. Disclosures are not limited to hard-copy information but any manner that divulges information, including verbal or electronic data release. This policy applies to all University of Montana covered entities to ensure that patients can receive an accounting of disclosures of their protected health information, not including disclosures for purposes of treatment, payment or health care operations. Disclosures to business partners must be included in the accounting.
Information that must be maintained (tracked) and included in an accounting:
- Date of disclosure.
- Name of individual or entity who received the information and their address, if known.
- Brief description of the protected health information disclosed.
- Brief statement of the purpose of the disclosure or a copy of the individual’s written authorization or a copy of the individual’s written request for disclosure.
Multiple disclosures to the same party for a single purpose or pursuant to a single authorization may have a summary entry that includes all the above information for the first disclosure, the frequency with which disclosures were made, and the date of the last disclosure.
Information excluded from the accounting and tracking rule:
All disclosures of protected health information must be tracked except for disclosures made:
- Prior to April 14, 2003 or prior to the entity’s date of compliance with the privacy standards.
- To law enforcement or correctional institutions as provided in state law.
- For listed information for facility directories.
- To the individual patient.
- To people involved in the patient’s care.
- For treatment, payment, and healthcare operations.
- Pursuant to an individual’s authorization.
How to Track Disclosures
Disclosures may be tracked by a variety of internal processes that ensure accurate and complete accounting of disclosures. All systems must be maintained and accessible for a period of at least six years to meet the requirement of providing an accounting of disclosures for that time period.
How to Request an Accounting of Disclosures
A patient may make the request for an accounting in writing or orally. If the request is made orally, the University must document the oral request. The University must retain this request and a copy of the written accounting that was provided to the patient, as well as the name/departments responsible for the completion of the accounting.
A patient may authorize in writing that the accounting of disclosures be released to another individual or entity. The request must clearly identify all information required to carry out the request (name, address, phone number, etc.).
The University must provide the individual with an accounting of disclosures within 60 days after receipt of the request. If the accounting cannot be completed within 60 days after receipt of the request, provide the individual with a written statement of the reason for the delay and the expected completion date. Only one extension of time, 30 days maximum, per request is permitted.
The University will provide the accounting to the individual at no charge for a request made once during any twelve-month period. A reasonable fee can be charged for any additional requests made during a twelve month period provided that the individual is informed of the fee in advance and given an opportunity to withdraw or modify the request.
The University must maintain written requests for an accounting and written accountings provided to an individual for at least six years from the date of the request.
Mandatory HIPAA Education and Training
The University of Montana is responsible for providing the opportunity and direction needed to achieve the training and education required by this policy. All University of Montana students, faculty, employees, contract employees, and volunteers are required to attend and complete all applicable education, training and/or licensing courses as defined and required by the Montana University System and state and federal law.
The University of Montana shall ensure that students and employees:
- Comply with the institutional and departmental specific training and requirements; and
- Attend and complete the training and have the attendance documented.
Patient Privacy-Related Complaints
The University of Montana shall provide a process for a patient to file a complaint if the patient feels his or her privacy rights have been violated. The patient may also file a complaint concerning the University of Montana’s privacy policies and procedures, even without alleging a violation of rights.
The University of Montana HIPAA Privacy Officer is responsible for receiving, investigating and responding to patient complaints. The HIPAA Privacy Officer can be reached in the Office of Research and Creative Scholarship, 406-243-4755. The patient may also file a complaint with the US Department of Health and Human Services here. The University of Montana shall cooperate with a federal investigation of the patient’s complaint.
Any intimidation of or retaliation against patients, families, friends, or other participants in the complaint process is prohibited. Employees who violate this policy are subject to disciplinary action, up to and including termination.
If the patient’s rights have been violated, employees who violated those rights are subject to disciplinary action, up to and including termination. The University of Montana shall mitigate, to the extent feasible, any known harmful effects of the violation.
Filing a Complaint
A patient may call, write, or present in person to the HIPAA Privacy Officer or designated person the alleged privacy violation or complaint.
Investigation of Complaint
The HIPAA Privacy Officer or designated person will facilitate the investigation of the complaint.
Response to Complaint
- A written response will be provided to the patient within 30 days from the date the complaint was filed.
- A written summary of the complaint and action taken will be filed with the HIPAA Privacy Officer.
- Translators, interpreters, and readers who meet the communication needs of the patient may be provided during the complaint process.
- Patients are permitted to have a representative of their choice to represent their interests during the complaint process.
- Occurrences representing potential liability claims will be referred to Risk Management.
- All complaints received must be documented.
- All complaint dispositions must be documented.
- The documentation must be retained for six years.
Sanctions for Failure to Comply with Privacy Policies
All employees are expected to acquaint themselves with performance criteria for their particular job and with all rules procedures, and standards of conduct established by the Board of Regents of the Montana University System and the employee’s department or unit.
Any employee who does not fulfill the responsibilities set out by such performance criteria, rules, procedures, and standards of conduct may be subject to adverse disciplinary actions, as set forth below and in conjunction with the Progressive Disciplinary Policy of the Montana University System. Sanctions applied vary depending on factors such as the severity of the violation, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information. Sanctions may range from a warning to termination.
Conduct Subject to Disciplinary Action
- Work Performance: Failure of an employee to maintain satisfactory work performance standards constitutes good cause for disciplinary action which may include dismissal. The term “work performance” includes all aspects of an employee’s work.
- Misconduct: All employees are expected to maintain standards of conduct suitable and acceptable to the work environment. Disciplinary action, which may include dismissal, may be imposed for unacceptable conduct. Examples of unacceptable conduct, as applicable, include but are not limited to:
- Improper use or disclosure of an individual’s Protected Health Information (PHI);
- Improper storage, copying, printing, and disposal of PHI; and
- Creating or developing PHI documents that are greater than the minimum necessary for the specific task.
Types of Disciplinary Action
As set forth in the Montana University System’s Progressive Discipline Policy, specific infractions shall be analyzed, and the appropriate penalty determined, on a case by case basis. All formal disciplinary actions shall be documented.
Types of disciplinary actions include but are not limited to written warnings, suspension without pay and discharge. Formal disciplinary actions may be combined or include other disciplinary measures such as a requirement to seek counseling, job transfer, demotion, cancellation of leave, last chance agreement, etc.
Retention of Records and Reasonable Fee for Release
Upon a request for disclosure of PHI, the University of Montana may charge a reasonable fee, based upon actual costs. To ensure appropriate disclosure of PHI, the University of Montana compiles records of all requests for PHI disclosure. The University of Montana shall maintain these records for a reasonable time period to allow for compliance auditing.
The University of Montana shall retain the following records for the greater of six (6) years from the date of creation or last effective date of policies:
- Authorization(s) documentation
- Accountings of Disclosure (Copy of actual accounting and name of person/office providing authorization)
- Person or Office responsible for processing requests for amendment and access
- Record Sets available to individuals
- Restrictions on use of disclosure agreed to by the University of Montana
FeesThe University of Montana may charge a reasonable fee to provide a copy of patient’s health information. Fees may include only the cost of copying (supplies and labor), postage, and preparing a summary or explanation of an individual’s PHI (if the individual agrees in advance to the summary and fees charged for preparation of such summary). The University may charge a fee not exceeding 50 cents per page and $30.00 in administrative fees.
Identity Verification for HIPAA
It is the policy of the University of Montana to obtain proper identification of all individuals, including patients, prior to allowing access to protected health information. The University of Montana maintains patient confidentiality by obtaining identity verification of persons requesting the use and/or disclosure of protected health information as per the HIPAA standards, Section 164.512(h).
The University shall verify the identity of persons requesting any protected health information prior to allowing access to it.
University employees in covered components may consult the University of Montana’s Privacy Officer, Office of Research and Creative Scholarship, UH 116, 406-243-6670, before making any disclosure if uncertain whether or not sufficient verification has been obtained.
Destruction/Disposal of Patient Health Information
To ensure the privacy and security of protected patient health information in the maintenance, retention, and eventual destruction/disposal of such media, the destruction/disposal of patient health information at the University of Montana covered components shall be carried out in accordance with federal and state law and as defined in the University of Montana retention policy. The schedule for destruction/disposal shall be suspended for records involved in any open investigation, audit, or litigation.
Patient Health Information Media
Any record of patient health information, regardless of medium or characteristic that can be retrieved at any time including all original patient records, documents, papers, letters, billing statements, x-rays, films, cards, photographs, sound and video recordings, microfilm, magnetic tape, electronic media, and other information recording media, regardless of physical form or characteristic, that are generated and/or received in connection with transacting patient care or business.
- All destruction/disposal of patient health information media will be done in accordance with federal and state law and pursuant to the organization’s written retention policy/schedule. Records that have satisfied the period of retention will be destroyed and disposed of in an appropriate manner.
- Records involved in any open investigation, audit or litigation should not be destroyed or disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until such time as the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed and disposed of by the requesting party.
- Records scheduled for destruction/disposal should be secured against unauthorized or inappropriate access until the destruction/disposal of patient information is complete.
- A contract between the organization and a business associate must provide that, upon termination of the contract, the business associate will return or destroy and dispose of all patient health information. If such return or destruction/disposal is not feasible, the contract must limit the use and disclosure of the information to the purposes that prevent its return or destruction/disposal. These requirements also apply to a health plan that discloses patient health information to the plan sponsor.
- A record of all patient health information media destruction/disposal should be made and retained permanently by the organization. Permanent retention is required because the records of destruction/disposal may become necessary to demonstrate that the patient information records were destroyed and disposed of in the regular course of business. Records of destruction/disposal should include:
- Date of destruction/disposal.
- Method of destruction/disposal.
- Description of the destroyed and disposed record series or medium.
- Inclusive dates covered.
- A statement that the patient information records were destroyed and disposed of in the normal course of business.
- The signatures of the individuals supervising and witnessing the destruction/disposal.
- If destruction/disposal services are contracted, the contract must provide that the organization’s business associate will establish the permitted and required uses and disclosures of information by the business associate as set forth in the federal and state law (outlined in the Business Associate Agreement Contract) and include the following elements:
- Specify the method of destruction/disposal.
- Specify the time that will elapse between acquisition and destruction/disposal of data media.
- Establish safeguards against breaches in confidentiality.
- Indemnify the organization from loss due to unauthorized disclosure.
- Require that the business associate maintain liability insurance in specified amounts at all times the contract is in effect.
- Provide proof of destruction/disposal.
- Patient information media should be destroyed and disposed of using a method that ensures the patient information cannot be recovered or reconstructed. Appropriate methods for destroying and disposing of media are:
- Audiotapes: Methods for destroying and disposing of audiotapes include recycling (tape over) or pulverizing
- Computerized Data/ Hard Disk Drives: Methods of destruction/disposal should destroy data permanently and irreversibly. Methods may include overwriting data with a series of characters or reformatting the disk (destroying everything on it). Deleting a file on a disk does not destroy the data, but merely deletes the filename from the directory, preventing easy access of the file and making the sector available on the disk so it may be overwritten. Total data destruction does not occur until the back-up tapes have been overwritten.
- Computer Data/ Magnetic Media Methods may include overwriting data with a series of characters or reformatting the tape (destroying everything on it). Total data destruction does not occur until the back-up tapes have been overwritten. Magnetic degaussing will leave the sectors in random patterns with no preference to orientation, rendering previous data unrecoverable.
- Computer Diskettes: Methods for destroying and disposing of diskettes include reformatting, pulverizing, or magnetic degaussing.
- Laser Disks: Disks used in “write once-read many” (WORM) document imaging cannot be altered or reused, making pulverization an appropriate means of destruction/disposal.
- Microfilm/ Microfiche: Methods for destroying/disposing of microfilm or microfiche include recycling and pulverizing.
- PHI Labeled Devices, Containers, Equipment, Etc.: Reasonable steps should be taken to destroy or de-identify any PHI information prior to disposal of this medium. Removing labels or incineration of the medium would be appropriate.
- Paper Records: Paper records should be destroyed and disposed of in a manner that leaves no possibility for reconstruction of information. Appropriate methods for destroying and disposing of paper records include: burning, shredding, pulping, and pulverizing.
- Videotapes: Methods for destroying and disposing of videotapes include recycling (tape over) or pulverizing.
- The methods of destruction/disposal should be reassessed annually, based on current technology, accepted practices, and availability of timely and cost-effective destruction/disposal services.
Preservation or Destruction/Disposal of Patient Health Records Upon Closure of a Provider Office/Practice
The provider, or the provider’s successor, shall comply with state law to ensure appropriate preservation, patient notice, and/or destruction/disposal of the patient health care records in the possession of the health care provider at the time the practice was ceased or the provider died.