UNIVERSITY POLICY
SUBJECT: CORPORATE COMPLIANCE AND PRIVACY
TITLE: STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
CODING: 00-01-15-05:00
ADOPTED: 01/27/03
AMENDED: 02/12/08
To establish a policy to ensure UMDNJ’s compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and to establish standards for Privacy of Individually Identifiable Health Information.
II. ACCOUNTABILITY
Under the direction of the President, the Executive Vice President for Academic and Clinical Affairs, the Deans, Vice President/Chief Ethics and Compliance Officer, Senior Vice President for Administration, Senior Vice President for Finance, Senior Vice President and General Counsel, Vice President for Research, President/CEOs of the Healthcare Units, University Hospital Medical Director, Vice President for Finance and Treasurer, Vice President for Human Resources and the Vice President, Supply Chain Management shall ensure compliance with this policy.
III. APPLICABILITY
This policy shall apply to health information that is generated during the provision of health care to patients in any of the University’s patient care units, patient care centers or faculty practices as well as Human Subjects research under the auspices of the University or by any of its agents in all UMDNJ Schools, Units, Departments and University owned or operated facilities.
IV. REFERENCES
A. 45 CFR, 160, Code of Federal Regulations, Title 45, Part 160, Subpart C, General Administrative Requirements, Compliance and Enforcement
B. 45 CFR, 164.514(e), Code of Federal Regulations, Title 45, Part 164, Subpart E, Security and Privacy, Privacy of Individually Identifiable Health Information
C. 45 CFR, 164.530, Code of Federal Regulations, Security and Privacy, Administrative Requirements
D. Policy Process Requirements 00-01-01-05:00
V. POLICY
UMDNJ will implement and maintain a Privacy Program to assure compliance with state and federal laws and UMDNJ policies protecting the confidentiality of individually identifiable health information of its patients.
All UMDNJ employees, students, and individuals working on behalf of UMDNJ in any capacity (including Board members, medical staff, business associates, independent contractors, and volunteers) will conduct themselves and their activities in a manner so as to protect the confidentiality of patients’ individually identifiable health information as required by state and federal law and in conformance with University policies.
A. Requirements:
1. UMDNJ’s Privacy Program will consist of the following elements:
a. University-wide and Unit Privacy Liaisons
i. The Vice President/Chief Ethics and Compliance Officer, and the University’s Senior Compliance Officer, Privacy and Security, will oversee the development, implementation and maintenance of UMDNJ’s Privacy Program.
ii. Each School’s or Unit’s Compliance Officer will also serve as the School or Unit Privacy Liaison. The Privacy Liaison will assist the Senior Compliance Officer, Privacy and Security in implementing the Privacy Program and University-wide policies and procedures within the units, and overseeing the development, implementation and maintenance of unit or departmental privacy policies and procedures as appropriate.
iii. UMDNJ’s Institutional Review Boards (IRBs), with the assistance of the Office of Research and the University’s Senior Compliance Officer, Privacy and Security, will act as the privacy board for research related disclosures, including assuring that informed consents include authorizations for such disclosures or that authorization has been appropriately waived.
b. School and Healthcare Unit Custodian of Medical Records
i. The President/CEO of each Healthcare Unit, and the Deans of Schools maintaining Protected Health Information (PHI), will appoint a Custodian of Medical Records. The functions of this position may be incorporated into one currently approved.
ii. It will be the responsibility of the Custodian of Medical Records to assure that processes are in place at their Healthcare Unit or School, and subordinate work units, to implement and monitor compliance with the elements detailed in Section V.A.1.c., below.
c. The Vice President/Chief Ethics and Compliance Officer, through the University’s Senior Compliance Officer, Privacy and Security, and with the assistance of appropriate Custodian of Medical Records and Unit Privacy Liaisons, will assure that the following elements are developed, implemented and maintained in conformance with state and federal requirements, and are reflected in policies and procedures accordingly:
i. Providing notice to patients of UMDNJ’s privacy practices for Protected Health Information (PHI);
ii. Protecting the confidentiality of uses and disclosures of PHI, including requiring appropriate authorizations, and/or an opportunity to agree or object when mandated by law for uses and disclosures of PHI;
iii. Implementing appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of PHI from unauthorized use or disclosure;
iv. Assuring that a written process is in place that allows individuals to restrict uses and disclosures of their health information. UMDNJ, however, is not required to agree to such requests.
v. Assuring that patients can receive communications of their health information by alternate means or alternate locations, if requested.
vi. Implementing a written process for maintaining and providing an accounting of UMDNJ’s uses and disclosures of PHI to requesting individuals to whom the information pertains;
vii. Assuring that a written process is in place that allows individuals to access, inspect and/or obtain a copy of their health information;
viii. Assuring that a process is in place that allows individuals to request that a unit amend their health information. UMDNJ, however, may deny requests under specified circumstances;
ix. The School or Unit Privacy Liaisons will be the designated contact person for individuals seeking further information or clarification relating to the Unit’s health information policies, and privacy and patient rights requirements covered under the notice. The University’s Senior Compliance Officer, Privacy and Security, will be designated to receive complaints concerning UMDNJ and its compliance with health information privacy and patient rights requirements. The School or Unit Privacy Liaison is responsible for ensuring that the unit has an adequate supply of the notices for distribution to patients.
d. All existing or new unit or departmental policies and procedures addressing any of the items in section V.A.c. above, or that concern the use or disclosure of PHI, and all consent/authorization forms for the disclosure of PHI, must be presented to the University’s Senior Compliance Officer, Privacy and Security, through and in consultation with the School or Unit Privacy Liaison for review to assure compliance with University-wide policies, as well as state and federal requirements.
e. The School or Unit Privacy Liaisons will provide a written quarterly report to the University’s Senior Compliance Officer, Privacy and Security, and the Presidents/CEOs of the Healthcare Units or Dean on the status of all policies and procedures concerning PHI, the Privacy Program, including its implementation, training, any recommended changes or amendments. The School or Unit Privacy Liaisons will immediately notify the Vice President/Chief Ethics and Compliance Officer of any complaints or issues of non-compliance with University or Corporate Compliance and Privacy policies.
f. UMDNJ will promptly revise its policies and procedures related to the Privacy Program as discussed above as necessary and appropriate to comply with changes in the law. All policies and procedures will be reviewed periodically by the Senior Compliance Officer, Privacy and Security, along with the School and Unit Privacy Liaisons to assure compliance with the laws, as well as for operational effectiveness. If the changes in the law also materially affect privacy practices stated in UMDNJ’s notice to patients regarding privacy practices, the notice must also be changed in a timely manner.
g. Changes to the policies must be done in accordance with the University policy, Policy Process Requirements, 00-01-01-05:00.
h. All notices to patients concerning UMDNJ’s privacy practices must state that UMDNJ reserves the right to make changes in its privacy practices at any time.
2. Education and Training
a. The Vice President/Chief Ethics and Compliance Officer, through the Director of Ethics Programs, will provide general training to refresh the University workforce regarding the Privacy Program, policies and procedures and the regulatory requirements.
b. Each member of the workforce must receive the training.
c. The Department of Human Resources will assure that all new members of the workforce partake in the privacy training within one month after the person joins the workforce.
d. School or Unit Privacy Liaisons will assure retraining of the workforce whose functions are affected by a material change in the policies and procedures within a reasonable period of time after the change becomes effective.
e. Training provided will be appropriately documented and the documentation will be maintained by the School or Unit Privacy Liaisons for a minimum of six (6) years or as specified by the New Jersey State Retention Schedule.
3. Refraining from Intimidating and Retaliatory Acts or Requiring Waiver of Rights
UMDNJ will maintain in the Code of Conduct and other applicable policies and procedures that intimidating, threatening, coercing, discriminating or taking other retaliatory action against the following is prohibited.
a. Patients for exercising any right established by HIPAA privacy guidelines, 45 CFR 164, subpart E;
b. Individuals and others for filing a complaint with the Secretary of Health and Human Services under 45 CFR 160, subpart C;
c. Individuals and others for testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI; or
d. Individuals or others for opposing any act or practice made unlawful by 45 CFR 164, subpart E, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of 45 CFR 164, subpart E.
B. Responsibilities:
1. The Vice President for Human Resources shall be responsible for communicating and enforcing the above policy as it relates to all employees University-wide.
2. The Medical Directors and President/CEOs of the Healthcare Units shall be responsible for communicating and enforcing the above policy as it relates to persons involved in patient contact.
3. The Vice President, Supply Chain Management or his or her successors shall be responsible for communicating and enforcing the above policy as it relates to vendors, independent contractors, business associates, etc.
4. UMDNJ and its units may not require individuals to waive their rights to file a complaint to the Secretary of Health and Human Services or any other right under CFR 164, subpart E, including 164.500 through 164.530, as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits.
5. Monitoring and Evaluation
a. The Ethics & Compliance Oversight Committee is the governing body for the evaluation and monitoring of the Privacy Program and will review compliance issues.
b. The IRBs and the University’s Research Compliance Officer will monitor compliance with requirements for research related disclosures.
c. The University’s Senior Compliance Officer, Privacy and Security, will periodically request external or internal audits to be conducted to ensure compliance with this policy.
d. The University’s Senior Compliance Officer, Privacy and Security, is responsible for investigating and reporting on allegations of non-compliance with UMDNJ privacy policies.
e. School and Unit Privacy Liaisons, under the direction of the University’s Senior Compliance Officer, Privacy and Security, may be asked to conduct investigations of non-compliance with UMDNJ privacy policies.
6. Sanctions for Non-Compliance
a. UMDNJ will apply appropriate sanctions against any member of the workforce who fails to comply with UMDNJ privacy policies and procedures.
b. The Deans and President/CEOs of the Healthcare Units, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently.
c. UMDNJ will document all sanctions that are applied.
7. Documentation
Documentation evidencing implementation of the Privacy Program, including complaints, training, sanctions, auditing, etc., will be maintained for a minimum of six (6) years or the time period specified by the New Jersey State Retention Schedule, whichever is longer.
8. Compliance Date
UMDNJ and all its units will implement all the requirements in this policy by March 1, 2008.
By Direction of the President:
_____________________________________________
Vice President/Chief Ethics & Compliance Officer