Section 1: Introduction and Glossary of Terms
Effective Date: April 14, 2003
Last Amended: July 24, 2006
The University of Texas at Dallas (UTD) respects the privacy and confidentiality of its patients’ medical information. Protection of patient confidentiality is a core value of UTD. This Policy and Procedure Manual for the Confidentiality of Health Care Information (“Manual”) addresses policies and procedures for protecting the health information of UTD’s patients, consistent with the requirements of the HIPAA Privacy Standards and Texas law. All members of UTD’s workforce, including administrative staff, volunteers, trainees, students, faculty and medical staff, shall be familiar with and comply with this Manual.
UTD is a “Hybrid Entity” in accordance with 45 C.F.R. § 164.504(c)(3)(iii). UTD is a single legal entity (1) that is a covered entity, (2) whose business activities include both covered and non-covered functions, and (3) that appropriately designates health care components. Effective April 14, 2003, UTD designated the School of Behavioral and Brain Sciences (BBS) as a health care component. BBS is a health care provider, as defined in the statute cited above. For the purpose of this Manual, references to a "covered entity" or "health care provider" are a reference to BBS. A reference to "protected health information" is a reference to health information that is created by or received by or on behalf of BBS.
Glossary of Terms
Administrative Simplification – The Administrative Simplification provisions are set forth in Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Administrative Simplification provisions give the U.S. Department of Health and Human Services the authority to establish standards and requirements for the electronic transfer of health care information, and for the privacy and security of PHI.
Authorization – Authorization is written permission required prior to disclosing a patient’s PHI when the use or disclosure is for a purpose other than for treatment, payment, or operations. A valid authorization must contain all of the elements listed in the Privacy Standards for the specific type of disclosure and entity.
Business Associate – A business associate is a person or organization who performs a function or activity on behalf of a covered entity or who performs a specified service, regardless of whether it involves performing a service on behalf of a covered entity. The specified services where disclosure of personally identifiable health information is considered routine include: legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. When a covered entity discloses PHI to a business associate, a business associate agreement between the covered entity and the person or organization performing functions on behalf of the covered entity or specified services is required to protect the use and disclosure of PHI. (See Section 16 of this Manual.)
Data Use Agreement – A data use agreement is required before a covered entity may use or disclose a limited data set so that a covered entity may obtain satisfactory assurance that the limited data set recipient will only use or disclose the PHI for limited purposes.
A data use agreement must:
- establish the permitted uses and disclosures of the information and may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the Privacy Standards if done by the covered entity;
- establish who is permitted to use or receive the limited data set; and
- provide that the limited data set recipient will:
  - not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
  - use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
  - report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
  - ensure that any agents, including a subcontractor, to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
  - not identify the information or contact the individuals.
There is no prescribed form for a data use agreement; it may be a formal contract or an informal memorandum of understanding. If the limited data set will be used by the covered entity’s own workforce members, the covered entity may choose to enter into a data use agreement with those workforce members in the same manner in which it would enter into a confidentiality agreement with them. (See Section 5.2 of this Manual.)
De-identified – De-identified describes the status of information that does not identify an individual and for which there is no reasonable basis to believe that the information can be used to identify an individual. Information that has been de-identified according to the methodology described in 45 C.F.R. § 164.514 is not subject to the Privacy Standards. (See Section 5.1 of this Manual.)
Designated Record Set – A designated record set is a group of records maintained by or for a covered entity that consists of the medical records and billing records about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
Disclosure – Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
Health Care Operations – Health care operations activities include, but are not limited to, any of the following activities to the extent these activities are related to the covered entity’s functions as a health care provider:
- conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
- business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the covered entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
- business management and general administrative activities of the covered entity, including, but not limited to:
  - management activities relating to implementation of and compliance with the requirements of the covered entity’s policies and procedures and the HIPAA Privacy Standards;
  - customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;
  - resolution of internal grievances;
  - the sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity; and
  - consistent with the applicable requirements of 45 C.F.R. § 164.514 (see Section 5.1 of this Manual (relating to de-identified information); see Section 5.2 (relating to limited data sets); and see Section 9 of this Manual (relating to fundraising)), creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
Health Oversight Agency – A health oversight agency is an agency or a person or entity acting under a grant of authority from or contract with such public agency, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
Hybrid Entity – A single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be affected because the health care component is limited in how it can share PHI with the non-health care component. The covered entity also retains certain oversight, compliance, and enforcement responsibilities.
IRB – IRB is an acronym for Institutional Review Board. The University of Texas at Dallas IRB has the authority to decide whether to waive individual authorization for the use or disclosure of PHI for research purposes.
Limited Data Set – A limited data set is PHI that excludes the following direct identifiers of the individuals or of relatives, employers, or household members of the individuals: (i) names; (ii) postal address information other than town or city, state, and zip code; (iii) telephone numbers; (iv) fax numbers; (v) e-mail addresses; (vi) Social Security numbers; (vii) medical record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) Web Universal Resource Locators (“URLs”); (xiv) Internet Protocol (“IP”) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images. (See paragraph 2(b) of Section 6 of this Manual for an analysis of Texas law’s impact on the definition of “limited data set.”) Identifiable information that may remain in a limited data set includes dates relating to a patient (dates of service, admission, or discharge; date of birth; date of death) and information relating to the town or city, state, and five-digit zip code of the patient, his or her employer, and the patient’s household members. (See Section 5.2 of this Manual.)
Manual – Manual refers to this Policy and Procedure Manual for the Confidentiality of Health Care Information also known as the HIPAA Privacy Manual.
Minimum Necessary Standard – The minimum necessary standard is a limitation placed on uses, disclosures, and requests for PHI. It applies when using or disclosing PHI or when requesting PHI from another covered entity. A covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The minimum necessary standard does not apply to certain disclosures or requests. (See Sections 6.1 and 6.3.1 of this Manual.)
Mitigation – Mitigation is the reasonable action taken by a covered entity to lessen the damage of known wrongful use or disclosure of PHI in violation of the covered entity’s policies and procedures or the requirements of the Privacy Standards. (See Section 15 of this Manual.)
Payment Activities – Payment activities are the activities undertaken by a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of plan benefits, as well as those activities undertaken by a covered provider to obtain or to provide reimbursement for the provision of health care. Such activities include, but are not limited to, determinations of eligibility or coverage, risk adjusting amounts due based on enrollee health status and demographic characteristics, billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing, review of health care services, utilization review activities, and disclosure to consumer reporting agencies of any of the following PHI: name and address; date of birth; Social Security number; payment history; account number; and name and address of the health care provider and/or health plan. (See also Appendix: A.6.2.1.)
Privacy Standards or Privacy Rule – Privacy Standards or Privacy Rule refer to the final rule “Standards for Privacy of Individually Identifiable Health Information,” which the Department of Health and Human Services published at 65 Fed. Reg. 82462 et seq. (Dec. 28, 2000), and modified at 67 Fed. Reg. 53182 et seq. (Aug. 14, 2002).
Protected Health Information (“PHI”) – PHI or protected health information is individually identifiable health information that is transmitted or maintained in any medium or form. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended; in records described at 20 U.S.C. § 1232g(a)(4)(B)(iv) (student treatment records excepted from FERPA); and in employment records held by a covered entity in its role as an employer.
Public Health Authority – Public health authority means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with a public agency, including the employees or agents of the public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. A public health authority can create health information as well as receive it.
Sanctions – Sanctions are administrative actions by a covered entity taken against members of its workforce who fail to comply with the entity’s policies and procedures or with the requirements of the Privacy Standards. A covered entity must have and apply appropriate sanctions and must document the sanctions that are applied. (See Section 14 of this Manual.)
Security Rule – Security Rule refers to the final rule adopting standards for the security of electronic protected health information as required by the Administrative Simplification title of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See 45 C.F.R. Parts 160, 162, and 164; 68 Fed. Reg. 8334 et seq. (Feb. 20, 2003).
Treatment – Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another. (See also Appendix: A.6.2.1.)
Use – Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains the information.