- Section VI - 19.00(A) UMB POLICY ON PRIVACY OF PROTECTED HEALTH INFORMATION
(Effective date: April 14, 2003)
The University of Maryland Baltimore (UMB) has designated itself as a Hybrid Covered Entity in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). As a hybrid entity, UMB is divided into Covered Components and Non-covered Components. The Covered Components are the University of Maryland School of Medicine and the University of Maryland Dental School. UMB's other schools and administrative units are Non-covered Components.

All activities conducted by the workforce of the Medical School are subject to the HIPAA policies and procedures issued by the Medical School. All activities conducted by the workforce of the Dental School are subject to the HIPAA policies and procedures issued by the Dental School.

UMB Personnel of Non-covered Components may need to obtain or use Protected Health Information (PHI) from a Covered Component in order to provide support functions to that Covered Component. All UMB Personnel are subject to this policy on privacy of protected health information. To the extent UMB Personnel from Non-covered Components have access to PHI to perform support functions for a Covered Component, those UMB Personnel are also subject to the policies and procedures of the Covered Component.

Provisions of Maryland law concerning health care and privacy that are more protective of individual privacy than HIPAA remain in effect along with HIPAA. UMB Personnel must comply with the applicable provisions of both HIPAA and State law.

Student education records, including student health records created or maintained by UMB, continue to be protected under the Family Educational Rights and Privacy Act (FERPA). Other federal privacy laws may also apply to information created or maintained by UMB Personnel.

- Definitions
HIPAA – The Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
Health Information – Information that relates to the past, present, or future physical or mental health or condition of an individual, or that relates to the provision of health care to an individual in the past, present, or future.
Individually Identifiable Health Information – Health Information, together with demographic information, that identifies an individual or for which there is a reasonable basis to believe it can be used to identify an individual.
Privacy Rule – The HIPAA Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
Protected Health Information (PHI) – Individually Identifiable Health Information that is used or maintained by a Covered Component, regardless of its form or how it is transmitted. PHI excludes Individually Identifiable Health Information in education records covered by FERPA, as amended, 20 U.S.C. 1232g, including records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by UMB, including its Covered Components, in its role as employer.
UMB Personnel – All UMB employees, full-time and part-time, including student employees; students; consultants; visitors; and others using UMB resources.
Workforce - Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Component, is under the direct control of the Covered Component, whether or not they are paid by the Covered Component.
- Campus Privacy Official
The UMB Chief Information Officer is the Privacy Official for UMB. The Privacy Official will have responsibilities that include, but may not be limited to, the following:
• Coordinate overall HIPAA compliance of UMB;
• Receive complaints regarding HIPAA policies or compliance;
• Resolve complaints in consultation with the privacy official of the appropriate Covered Component;
• Coordinate training as required for UMB Personnel in Non-covered Components;
• Revise and reissue this policy when necessary.
- HIPAA Policies and Procedures of Covered Components
Each Covered Component will designate a HIPAA privacy official and establish and implement HIPAA policies and procedures. The policies and procedures will comply with the requirements of HIPAA and will include, but not be limited to, a description of:
• Mechanisms to control the flow of PHI from the Covered Component to Non-covered Components;
• Physical, administrative, and procedural safeguards to ensure PHI is not improperly obtained or used by Non-covered Components;
• Methods to ensure that UMB Personnel from Non-covered Components who have access to PHI to perform support functions for the Covered Component are included in policy updates, training programs and compliance audits;
• Steps to provide adequate separation when staff are shared between the Covered and Non-covered Components.
- Access to PHI by Non-Covered Components
The Dean of a Covered Component, or designee, will consult with the Vice President or Dean of a Non-covered Component, or designee, as necessary to determine when UMB Personnel in Non-covered Components reasonably need access to PHI to provide support functions to the Covered Component. The Covered Component will issue policies and procedures on access to PHI by UMB Personnel in Non-covered Components.
- HIPAA Training for Personnel in Non-covered Components
Each Covered Component will be responsible for ensuring HIPAA training is provided to UMB Personnel in Non-covered Components who require such training. Determining and documenting training requirements is the responsibility of the Covered Component. The Covered Component will take into consideration input from Non-covered Components when determining training requirements and procedures. The Vice President or the Dean of the Non-covered Component, or designee, will make reasonable efforts to ensure that UMB Personnel in their unit or school complete HIPAA training as specified by a Covered Component.
- Obligations and Activities of Non-covered Components
Non-covered Components that perform support functions for Covered Components that involve access to PHI will protect PHI in accordance with the HIPAA policies and procedures of the Covered Component and the following guidelines:
Personnel in the Non-covered Component will:
1. Not use or disclose PHI other than as permitted or required by the HIPAA policies of the Covered Component, this policy, HIPAA, or other applicable law.
2. Use appropriate physical, technical, administrative and procedural safeguards to prevent use or disclosure of PHI in violation of HIPAA, other applicable laws, and this policy.
3. Mitigate, to the extent practicable, any harmful effect that is known to the Non-covered Component of a use or disclosure of PHI by the Non-covered Component in violation of HIPAA.
4. Report to the Covered Component any use or disclosure of the Covered Component’s PHI in violation of HIPAA of which it becomes aware.
5. Ensure that any person who is not UMB Personnel to whom the Non-covered Component provides PHI agrees to the same restrictions and conditions that apply to the Non-covered Component under this policy with respect to such PHI.
6. Make its internal practices, books, and records relating to the use and disclosure of PHI received from the Covered Component available to the Secretary of the Department of Health and Human Services, or the Secretary’s designee, for the purpose of the Secretary determining the Covered Component’s compliance with the Privacy Rule.
7. Document disclosures of PHI and information related to such disclosures as would be required for the Covered Component to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
8. Upon direction of a Covered Component, return or destroy all PHI received from the Covered Component, or created or received by the Non-covered Component on behalf of the Covered Component, unless another provision of this policy expressly provides otherwise. If the Non-covered Component determines that returning or destroying the PHI is infeasible, the Non-covered Component shall limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Non-covered Component maintains such PHI.
- Permitted Uses and Disclosures of PHI by Non-covered Components
1. Non-covered Components may use or disclose PHI on behalf of, or to provide services to, a Covered Component for any purpose, provided that such use or disclosure would not violate the Privacy Rule, or the policies and procedures of the Covered Component, if done by the Covered Component.
2. If a use or disclosure of PHI by a Non-covered Component is not for the purpose of providing support services to a Covered Component, the Non-covered Component may still use or disclose PHI for its own proper management and administration, provided that any such disclosure is either required by law, or the Non-covered Component obtains reasonable assurances from the person to whom the PHI is disclosed that (a) the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to that person, and (b) the person will notify the Non-covered Component of any instance of which it becomes aware in which the confidentiality of the PHI has been breached.
3. The Non-covered Component may use PHI to provide data aggregation services to a Covered Component as permitted by 45 CFR § 164.504(e)(2)(i)(B).
4. UMB Personnel may use PHI to report violations of law to appropriate Federal and State authorities only when such use is consistent with 45 CFR § 164.502(j)(1) or other applicable law.
- Obligations of Covered Components
A Covered Component will:
1. Notify Non-covered Components of any limitation(s) in the Covered Component’s notice of privacy practices, issued in accordance with 45 CFR § 164.520, to the extent that such limitation may affect a Non-covered Component’s use or disclosure of PHI.
2. Notify Non-covered Components of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect a Non-covered Component’s use or disclosure of PHI.
3. Notify Non-covered Components of any restriction on the use or disclosure of PHI that the Covered Component has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect a Non-covered Component’s use or disclosure of PHI.
4. Not request that a Non-covered Component use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Component, except if the Non-covered Component will use or disclose PHI for data aggregation or management and administrative activities of the Non-covered Component.
5. Provide an opportunity for Non-covered Components to correct violations of the Privacy Rule. If material violations are not corrected, the Covered Component shall report the violation to the Privacy Official of UMB and to the Secretary of the Department of Health and Human Services or his designee.
- Resolution of Conflicts
Should a conflict arise between UMB Covered Components, the Deans of the Covered Components, or their designees, will determine a resolution. If a conflict arises between a Covered Component and a Non-covered Component, the Dean of the Covered Component, or designee, and the Vice President or Dean of the Non-covered Component, or designee, will determine a resolution. If a resolution cannot be reached, the President of UMB will decide. The President’s decision will be final.
Violation of this policy by UMB Personnel may subject the violator to disciplinary action for misconduct, which action may include termination or expulsion, in accordance with applicable University of Maryland Baltimore and school policies and procedures.
- No Retaliation
UMB will not intimidate, threaten, coerce, discriminate or retaliate against an individual for exercising any rights under, or participating in any applicable process established by the HIPAA privacy regulations, including filing a complaint, testifying, assisting or participating in an investigation, compliance review, proceeding, or hearing under Subpart C of the Privacy Rule or opposing any act or practice made unlawful by the Privacy Rule, provided the person has a good faith belief that the practice is unlawful and the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of HIPAA.
1. Regulatory References. A reference in this policy to a section in the Privacy Rule means the section as in effect or as amended.
2. Amendment. UMB will amend this policy from time to time as necessary to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
3. Interpretation. Any ambiguity in this policy shall be resolved to permit a Covered Component to comply with the Privacy Rule.
APPROVED BY THE PRESIDENT:
David J. Ramsay, D.M., D.Phil.