HIPAA Privacy Manual

Effective:  09/01/2013
Revised:   09/27/2014, 03/28/2014, 09/13/2013

This HIPAA Privacy Manual is effective as of September 1, 2013. These rules supersede all previous HIPAA rules adopted by The University of Texas at Dallas (UT Dallas).

UT Dallas respects the privacy and confidentiality of its patients’ medical information. Protection of patient confidentiality is a core value of UT Dallas. This Policy and Procedure Manual for the Confidentiality of Health Care Information, (“Manual”) addresses policies and procedures for protecting the health information of UT Dallas’ patients, consistent with the requirements of the HIPAA Privacy Standards and Texas law. All members of UT Dallas’ workforce, including administrative staff, volunteers, trainees, students, faculty and third party contractors who act as members of the UT Dallas Hybrid Entity’s Workforce are required to be familiar with and comply with this Manual.

DEFINITIONS

The following terms, when used in this Manual, shall have the definitions provided below unless the context clearly and plainly indicates otherwise. In addition, any Capitalized term included in this Manual which is not defined in this Section 1, shall have the meaning defined in HIPAA unless the context clearly and plainly indicates otherwise.

Authorization: Written permission required prior to disclosing a patient’s PHI when the use or disclosure is for a purpose other than for treatment, payment, or operations. A valid authorization must contain all of the elements listed in the Privacy Standards for the specific type of disclosure and entity.

Authorized Health Care Provider:  The Workforce members charged with providing care and directing the provision of care to the Center’s patients.

Breach: Acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

Breach Notification Rule: The requirements for Breach Notification for Unsecured Protected Health Information under the HITECH Act that mandate notice to individuals in some cases if their PHI is improperly accessed, used, or disclosed, as well as a report to HHS of such incidents. Media notice may also be required. The notice/report contents, timing, and distribution requirements are prescribed by the Breach Notice Rule at 45 CFR Subparts D of Part 164.

Business Associate: A person or organization who performs a function or activity on behalf of a covered entity or who performs a specified service regardless of whether it involves performing a service on behalf of a covered entity. The specified services where disclosure of personally identifiable health information is considered routine include: legal, actuarial, accounting, consulting, management, administrative accreditation, data aggregation, and financial services. When a covered entity discloses PHI to a business associate, a business associate agreement between the covered entity and the person or organization performing functions on behalf of the covered entity or specified services is required to protect the use and disclosure of PHI.

Callier Center for Communication Disorders or Callier Center or Center: An educational, research and treatment center within The University of Texas at Dallas that focuses on communication and communication disorders. It provides health care services to the public and which engages in transactions that make it a Covered Entity that is subject to HIPAA.

Covered Entity: A health care provider that performs certain electronic transactions that are subject to HIPAA, a health plan or a clearinghouse required to comply with HIPAA. The term includes Hybrid Entities.

Covered Functions: Operations performed by a Covered Entity or a Business Associate that require access to PHI and that subject the entity to HIPAA.

Data Use Agreement: An agreement required before a Covered Entity may use or disclose a limited data set so that a covered entity may obtain satisfactory assurance that the limited data set recipient will only use or disclose the PHI for limited purposes.

De-identified: The status of information that does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. Information that has been de-identified according to the methodology described in 45 C.F.R. § 164.514 is not subject to the Privacy Standards.

Designated Record Set: The designated record set that includes the Original Medical Record (OMR) and billing records of patients. The Callier Center’s designated record set is the OMR. Additionally, the designated record set includes any records that the Callier Center or a Business Associate has used while making health care decisions. For example, medical records from non-Callier Center sources used to make health care decisions. The designated record set specifically excludes:

  • Healthcare operations not related to medical care
  • Copyrighted materials or Trade Secrets
  • Outside records provided by caregivers which are not necessary for treatment purposes. These records are returned to the provider or shredded.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Health and Human Services: The Department of Health and Human Services (HHS) is the United States government’s principal agency for protecting the health of all Americans and providing essential human services, especially for those who are least able to help themselves.

Health Care Component: The Health Care Component at UT Dallas consists of the Callier Center and the offices and departments that provide services to and on behalf of the Callier Center that require access to Callier Center PHI and would meet the definition of a Callier Center’s Business Associate Agreement if the office or department were not part of the University. They are listed in the University’s Hybrid Entity Designation, which is included in this Manual.

Health Care Operations: Includes, but are not limited to, any of the following activities to the extent these activities are related to the Covered Entity’s functions as a health care provider:

  • conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
  • reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
  • conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
  • business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the covered entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
  • business management and general administrative activities of the covered entity, including, but not limited to:
  • management activities relating to implementation of and compliance with the requirements of the covered entity’s policies and procedures and the HIPAA Privacy Standards;
  • customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;
  • resolution of internal grievances;
  • the sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and,
  • consistent with the applicable requirements of 45 CFR § 164.514 creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

At UT Dallas, these are functions the University provides in conjunction with operation of the Callier Center as a Health Care Provider, including general administrative and business functions necessary for the Callier Center to remain a viable health care provider and to ensure that UT Dallas meets it other compliance and legal duties as a public institution of higher education.

Health Care Provider: An entity or person licensed of otherwise authorized by law to provide medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who is legally authorized to furnish, bill, or be paid for health care in the normal course of business.

HIPAA or Health Insurance Portability and Accountability Act: Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996 Administrative Simplification provisions and the regulations adopted by the U.S. Department of Health and Human Services (HHS) to implement HIPAA. HIPAA give the Secretary of Health & Human Services (HHS) the authority to establish standards and requirements for the electronic transfer of health care information, and for the privacy and security of PHI. A reference to HIPAA in this manual generally refers to the requirements of the statute and the regulations as interpreted by HHS.

Health Oversight Agency: A health oversight agency is an agency or a person or entity acting under a grant of authority from or contract with such public agency, that is authorized by law to oversee a health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

Hybrid Entity: A single legal entity that is a HIPAA Covered Entity, performs business activities that include both Covered and non-Covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a Hybrid Entity, the Privacy Rule generally applies only to its designated Health Care Components. However, non-Health Care Components of a Hybrid Entity may be affected because the Health Care Component is limited in how it can share PHI with the non-health care component. The Hybrid Entity also retains certain oversight, compliance, and enforcement responsibilities on behalf of its Health Care Components.

Institutional Review Board or IRB: A board that approves proposed research projects conducted at an institution and/or using the institutions data. The UT Dallas IRB has the authority to decide whether to waive individual authorization for the use or disclosure of University PHI for research purposes.

Limited Data Set: PHI that excludes the following direct identifiers of the individuals or of relatives, employers, or household members of the individuals: (i) names; (ii) postal address information other than town or city, state, and zip code; (iii) telephone numbers; (iv) fax numbers; (v) e-mail addresses; (vi) Social Security numbers; (vii) medical record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) Web Universal Resource Locators (“URLs”); (xiv) Internet Protocol (“IP”) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images. Identifiable information that may remain in a limited data set includes dates relating to a patient (dates of service, admission, or discharge; date of birth; date of death) and information relating to the town or city, state, and five-digit zip code of the patient, his or her employer, and the patient’s household members.

Manual: This Policy and Procedure Manual for the Confidentiality of Health Care Information. Also, referred to as the HIPAA Privacy Manual.

Medical Media: Any health information in a media that cannot be scanned or filed into the Acorde OMR. Some medical media may be maintained in the original media for a period of time and then transformed into a format that can be scanned into the electronic medical record. Other types of medical media may require retention in the original media. Examples of Medical Media may include, but are not limited to, tests protocols, video tapes, compact discs, audio tapes and thumb drives.

Medical Record Administrator (MRA): The person appointed as the Callier Center record custodian responsible for the Medical Records Department and responsible for the maintenance, retention, access, data integrity, and data quality of PHI; including protecting patient privacy and providing information security, other duties related to access and review of PHI and complying with standards and regulations regarding PHI under the direction of the HIPAA Privacy Officer. For purposes of this policy, the MRA may also refer to individuals who have been officially designated to act in the place of the MRA.

Medical Record Department (MRD): The department that houses the Center’s official patient care records.

Minimum Necessary Standard: A limitation placed on uses, disclosures, and requests for PHI. When Using or Disclosing protected health information or when requesting PHI from another Covered Entity or Business Associate, the University and its Business Associates must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request.

Mitigation: Reasonable actions taken by a Covered Entity to lessen the damage of known wrongful use or disclosure of PHI in violation of the Covered Entity’s policies and procedures or the requirements of the Privacy Standards.

Official Medical Record (OMR): The Callier Center medical record maintained by the Center that constitutes all significant medical/clinical information pertaining to a Patient. Portions of the OMR may be housed at either Callier Center location until becoming scanned and filed in the electronic medical record system. The OMR has a permanent retention schedule. The OMR constitutes the Callier Center’s designated record set.

Patient: Activities undertaken by a health provider to obtain or provide reimbursement for the provision of health care; or by a health plan to fulfill its responsibility for coverage and the provision of benefits. These activities include, but are not limited to:

  • Determining eligibility, and adjudication or subrogation of health benefit claims;
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  • Billing, claims management, collection activities, obtaining
  • Payment under a contract for reinsurance, and related health care processing;
  • Review of healthcare services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
  • Utilization review activities, including pre-certification and preauthorization services, concurrent and retrospective review of services; and
  • Disclosure to consumer reporting agencies of certain PHI relating to reimbursement.

Personal Representative: A person legally authorized to act on behalf of a Patient for purposes of exercising the Patient’s rights under HIPAA or this Manual or fulfilling the Patient’s responsibilities under this Manual.

Policy: A principle of required action adopted or proposed by this Manual.

Privacy Notice or Notice of Privacy Policies or NOPP: A description, provided to Patients or Personal Representatives at specific times, and to other persons upon a request concerning its uses and disclosures of PHI, which also informs them of their rights with respect to PHI.

Privacy Standards or Privacy Rule: Privacy Standards or Privacy Rule refer to the final rule “Standards for Privacy of Individually Identifiable Health Information,” at 45 CFR Part 160 and Subparts A and E of Part 164.

Protected Health Information or PHI Individually identifiable health information that is transmitted or maintained in any medium or form including oral, written, and electronic. Individually identifiable health information relates to 1) the past, present, or future physical or mental health, or condition of an individual; 2) provision of health care to an individual; or 3) past, present, or future payment for the provision of health care to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual. Demographic information on patients is also considered PHI. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended; in records described at 20 U.S.C. §1232g(a)(4)(B)(iv) (student treatment records excepted from FERPA); and in employment records held by a covered entity in its role as an employer.

Public Health Authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with a public agency, including the employees or agents of the public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. A public health authority can create health information as well as receive it.

Sanctions: Administrative actions by a Covered Entity taken against members of its Workforce who fail to comply with the entity’s policies and procedures or with the requirements of the Privacy Standards. A Covered Entity must establish and apply appropriate Sanctions and must document the Sanctions that are applied.

Secretary or Secretary of Health and Human Serices: The US Department of Health and Human Services (HHS) is headed by the Secretary. The Secretary or any other officer or employee of HHS to whom authority has been designated will implement and/or enforce HIPAA rules and regulations or investigate allegations of HIPAA violations.

Security Rule: Refers to the final rule adopting standards for the security of electronic protected health information as required by the Administrative Simplification title of the Health Insurance Portability and Accountability Act of 1996, 45 CFR Part 160 and Subparts A and C of Part 164.

Shadow Records or Shadow Medical Records (Shadow MR):  The medical record maintained by an authorized Workforce member, other thanthe Medical Records Department, that includes patient care information also included in the OMR. These records may be used for teaching purposes.  Shadow MR information does not contain any pertinent patient care information that cannot be found in the OMR.  A Shadow MR is considered a convenience copy and is destroyed as soon as it is no longer needed.  The Shadow MR is sometimes referred to as Case Management Records.

Treatment: Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

Treatment, Payment and Health Care Operations or TPO: The three core functions of providing health care and/or health care coverage to patients that require access to the Patient’s PHI. When performed by a Covered Entity, an Authorization is not required to use or disclose a Patient’s PHI.

The University of Texas at Dallas or UT Dallas or University: A Texas state agency and public institution of higher education that is a Hybrid Entity which is subject to HIPAA compliance due to its operation of the Callier Center for Communications Disorders.

Use: Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the Health Care Component at UT Dallas which is the Callier Center.

Workforce: The employees (including faculty and staff), students who are receiving training or performing internships at the Callier Center, volunteers, contract employees that are not Business Associates of UT Dallas, and any other individuals whose conduct, in the performance of work for the Health Care Component of UT Dallas, is under the direct control of UT Dallas, whether or not they are paid by UT Dallas.

Reviewed and Approved:  06/09/2015

Donise Pearson, HIPAA Privacy Officer
UT Dallas Callier Center