Washington University

Summary of HIPAA Privacy Policies

Plan to Comply with HIPAA Privacy Policies #1

Intent:

• Define University’s overriding commitment to comply with HIPAA and define organizational structure to accomplish compliance.

Components:

• Defines terms under HIPAA.

• Outlines the relationship between the University and BJC.

Access by Individuals to Protected Health Information # 2

Intent:

• Establish conditions under which a patient may access his/her own protected heath information.

Component:

• Introduces a term "Designated Medical Record Set" and it elements.
• Specifies circumstances for requesting access as well as approving or denying the request.

Accounting for Uses or Disclosures of Protected Health Information # 3

Intent:

• Establish a process for documenting and reporting disclosures of protected health information.

Components:

• Defines disclosures not subject to the accounting.
• Provides guidance on format, timeframes, cost to the requesting party and minimum record keeping standards.

Amendment of Protected Health Information # 4

Intent:

• Establish the right of an individual/patient to request amendment of protected health information.

Components:

• Introduces "Designated Record Set".

• Defines situations exempt from the amendment right.

• Provides process for approving/denying the request.

Authorization Required for Uses or Disclosures of Protected Health Information # 5

Intent:

• Define process for obtaining written authorization to disclose protected health information.

Components:

• Defines when an authorization is required (marketing, fundraising, research).

• Specifies elements, format, time-period and signature requirements of an authorization

Use or Disclosure of Protected Health Information with Business Associates # 6

Intent:

• Establish a link between WU and parties known as Business Associates related to HIPAA.

Components:

• Defines the term Business Associate.

• Specifies elements related to protected health information to be observed by both parties.

Appropriate Methods of Communicating Protected Health Information #7

Intent:

• Establish guidelines for day to day communications containing protected health information.

Components:

• Provides examples related to verbal communications, both face to face and telephonic.

• Provides examples related to written communications, whether in hard copy, email, other electronic formats or faxes.

Use or Disclosure of Protected Health Information in Fundraising # 8

Intent:

• Establish conditions under which protected health information may or may not be used for fundraising purposes.

Components:

• Defines fundraising under HIPAA.

• Specifies authorizations needed for use of protected health information.

Use or Disclosure of Protected Health Information in Marketing # 9

Intent:

• Establish conditions under which protected health information may or may not be used for marketing purposes.

Components:

• Defines Marketing under HIPAA.

• Provides situational examples of what is and isn’t considered ‘marketing’.

• Specifies information that can be used without prior authorization from the individual/patient.

Use of Protected Health Information in Media Relations # 10

Intent:

• Establish guidelines for provider and institutional interactions with the media as it relates to specific patients

Components:

• Provides situational examples of individual/patient rights related to interviews, media inquiries and photographs/videos.

Minimum Necessary Request, Use or Disclosure of Protected Health Information # 11

Intent:

• Provide guidelines for determining the minimum amount of protect health information required to accomplish jobs.

Components:

• Distinguishes requests, uses and discloses of protected health information.
• Establishes draft templates for addressing information needs by job class or situation.

Notice of Privacy Practices # 12

Intent:

• Advise individuals/patients of their privacy rights and responsibilities.

Components:

• Specifies when to make the Notice available.
• Outlines essential elements of the Notice.
• Provides a sample Notice.

Uses or Disclosures of Protected Health Information without Verbal or Written Authorization # 13

Intent:

• Establish circumstances under which protected health information may be or must be shared without verbal or written authorization.

Components:

• Provides situational examples in which protected health information may be shared such as:

• Public health/health oversight activities
• Victims of abuse, neglect, domestic violence
• Corners, etc.
• Provides situational examples in which protected health information must be shared such as:
• Individual/patient request
• Department of Health and Human Services
• Other requirements by law such as court orders

Use or Disclosure of Psychotherapy Notes # 14

Intent:

• Specify individual/patient rights and provider rights and exclusions specific to Psychotherapy Notes.

Components:

• Defines differences between general HIPAA privacy rules and rules specific to this population of individuals/patients.

Use or Disclosure of Protected Health Information in Research # 15

Intent:

• Specify when protected health information may/may not be internally used or externally disclosed related to research.

Components:

• Outlines when an authorization or waiver is required.
• Addresses recruitment of research subjects.
• Defines "de-identification".

Restrictions on Use or Disclosure of Protected Health Information # 16

Intent:

• Establish the right of an individual/patient to request alternative methods for using or disclosing his/her protected health information.

Components:

• Outlines how an individual/patient makes a request.
• Defines situations not subject to the request even if honored.
• Provides process to be followed if request is honored.

Security Methods Required to Comply with Privacy Policies # 17

Intent:

• Establish basic guidelines for adherence to HIPAA Privacy Policies.

Components:

• Defines both physical and electronic security measures required to comply with HIPAA privacy regulations.

Verbal /Inferred Agreement to Use or Disclose Protected Health Information # 18

Intent:

• Define when protected health information can be used/disclosed upon verbal/inferred authorization.

Components:

• Outlines process when the individual/patient is present and has the capacity to respond.

• Establishes process when individual/patient is not present, incapacitated or in an emergency situation.

Last Revision Date: January 24, 2003