August 1, 2014
PEPPERDINE UNIVERSITY
HIPAA Policies Procedures and Forms
Manual
Table of Contents
I. INTRODUCTION
   A. GENERAL POLICY
   B. SCOPE
II. DEFINITIONS
III. GENERAL POLICIES AND PROCEDURES
   A. AUTHORIZATION TO USE OR DISCLOSE PROTECTED HEALTH INFORMATION
      1. Policy
      2. Procedure
      3. Applicable Regulations
   B. BUSINESS ASSOCIATES
      1. Policy
      2. Procedure
      3. Applicable Regulations
   C. COMPLAINT
      1. Policy
      2. Procedure
      3. Applicable Regulations
   D. DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION
      1. Policy
      2. Procedure
      3. Applicable Regulations
   E. LIMITED DATA SHEETS
      1. Policy
      2. Procedure
      3. Applicable Regulations
   F. MINIMUM NECESSARY USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
      1. Policy
      2. Procedure
      3. Applicable Regulations
   G. NOTICE OF PRIVACY PRACTICES
      1. Policy
      2. Procedure
      3. Applicable Regulation
   H. PRIVACY OFFICIAL, SECURITY OFFICER, AND PRIVACY COORDINATORS
      1. Privacy Official
      2. Security Official
      3. Privacy Coordinators
      4. Applicable Regulation
   I. RECORDS RETENTION
      1. Policy
      2. Procedure
      3. Applicable Regulation
   J. RESEARCH
      1. Policy
      2. Procedure
      3. Applicable Regulations
   K. RIGHT TO REQUEST ACCESS TO PROTECTED HEALTH INFORMATION
      1. Policy
      2. Procedure
      3. Applicable Regulation
   L. RIGHT TO REQUEST AN ACCOUNTING OF DISCLOSURES
      1. Policy
      2. Procedure
      3. Applicable Regulation
   M. RIGHT TO REQUEST AN AMENDMENT TO PROTECTED HEALTH INFORMATION
      1. Policy
      2. Procedure
      3. Applicable Regulation
   N. RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION
      1. Policy
      2. Procedure
      3. Applicable Regulation
   O. RIGHT TO REQUEST RESTRICTIONS ON THE USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
      1. Policy
      2. Procedure
      3. Applicable Regulation
   P. SAFEGUARDING PROTECTED HEALTH INFORMATION
      1. Policy
      2. Procedure
      3. Applicable Regulation
   Q. TRAINING
      1. Policy
      2. Procedure
      3. Applicable Regulation
HIPAA SAMPLE FORMS [SEE FOLLOWING PAGES]
   A. ACCOUNTING FOR DISCLOSURES OF PROTECTED HEALTH INFORMATION
   B. AUTHORIZATION TO USE/DISCLOSE PROTECTED HEALTH INFORMATION (HIPAA)
   C. BUSINESS ASSOCIATE AGREEMENT
   D. DENIAL OF REQUEST FOR AN AMENDMENT
   E. DENIAL OF REQUEST FOR ACCESS
   F. PRIVACY COMPLAINT
   G. REQUEST FOR ACCESS TO PROTECTED HEALTH INFORMATION
   H. REQUEST FOR ACCOUNTING OF DISCLOSURES
   I. REQUEST FOR AMENDMENT TO PROTECTED HEALTH INFORMATION
   J. ACKNOWLEDGEMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES
I. Introduction
A. General Policy
Pepperdine University is committed to protecting the privacy of individual health
information in compliance with the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) and the regulations promulgated thereunder. These policies
and procedures apply to protected health information created, acquired, or
maintained by the designated covered components of the University after April 14,
2003. The statements in this Manual represent the University’s general operating
policies and procedures. For further details regarding these policies and procedures
see 45 C.F.R. Parts 160 and 164.
B. Scope
Pepperdine University is a hybrid entity as defined in 45 C.F.R. § 164.103 and
includes both covered and non-covered components. These policies and procedures
apply only to the University’s designated covered components, which include:
   Athletic Training Center;
   Boone Center for the Family;
   Disability Services Office;
   Human Resources, Benefits Department;
   Pepperdine Community Counseling Center;
   Pepperdine Jerry B.H. Union Rescue Clinic;
   Pepperdine Psychology and Education Clinic;
   Student Counseling; and
   Student Health Center.
Certain administrative and/or support offices may also be designated as covered
components.
The designated covered components may not share protected health information
with the non-covered components of the University, unless specifically permitted by
the privacy regulations. It is the responsibility of each designated covered
component to assure that their employees, students, volunteers, etc. comply with
these policies and procedures. A designated covered component may develop and
incorporate additional policies and procedures if doing so is necessary and
appropriate to comply with more stringent state laws.[1] However, a designated
covered component may not delete sections of these policies and procedures
without first consulting the Privacy Official or the Security Official.

[1] HIPAA ensures a federal standard (a “floor”) of privacy protections. State privacy laws may be
more stringent than the HIPAA privacy rule. In those cases, the more stringent state law will apply.
II. Definitions
Business Associate means a person or entity who, on behalf of a covered entity,
performs or assists in performance of a function or activity involving the use or
disclosure of individually identifiable health information, or any other function or
activity regulated by the HIPAA Administrative Simplification Rules, including the
Privacy Rule. Business Associates are also persons or entities performing legal,
actuarial, accounting, consulting, data aggregation, management, administrative,
accreditation, or financial services to or for a covered entity where performing those
services involves disclosure of individually identifiable health information by the
covered entity or another business associate of the covered entity to that person or
entity. A member of a covered entity’s workforce is not one of its business
associates. A covered entity may be a business associate of another covered entity.
45 C.F.R. § 160.103.

Covered Entity means a health plan, a health care clearinghouse, or a health care
provider who transmits health information in electronic form in connection with a
transaction for which the U.S. Department of Health and Human Services has
adopted a standard. 45 C.F.R. § 160.103.

Covered Functions means those functions of a covered entity the performance of
which makes the entity a health plan, health care provider, or health care
clearinghouse. 45 C.F.R. § 160.103.

Designated Covered Components (or Covered Components) means a component or
combination of components designated by the University, which is a Hybrid Entity.
The designated covered components of the University are listed in Section I.B. of this
Manual.

Designated Record Set means a group of records maintained by or for a covered
entity that includes medical and billing records about individuals, or a group of
records that are used in whole or in part by or for the covered entity to make
decisions about individuals. 45 C.F.R. § 164.501.

Direct Treatment Relationship means a treatment relationship between an individual
and a healthcare provider that is not an indirect treatment relationship. 45 C.F.R. §
164.501.

Disclosure means the release, transfer, access to, or divulging of information in any
other manner outside the entity holding the information. 45 C.F.R. § 160.103.

Electronic Media means electronic storage media including memory devices in
computers (hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or transmission
media used to exchange information already in electronic storage media.
Transmission media includes, for example, the Internet (wide-open), extranet (using
Internet technology to link a business with information accessible only to
collaborating parties), leased lines, dial-up lines, private networks, and the physical
movement of removable/transportable electronic storage media. Certain
transmissions, including of paper via facsimile, and of voice via telephone, are not
considered to be transmissions via electronic media because the information being
exchanged did not exist in electronic form before the transmission. 45 C.F.R. §
160.103.

HHS stands for the Department of Health and Human Services.

Health Care means care, services, or supplies related to the health of an individual,
including (1) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or
palliative care, and counseling, services, assessment, or procedure with respect to
the physical or mental condition, or functional status, of an individual that affects
the structure or function of the body; and (2) sale or dispensing of a drug, device,
equipment, or other item in accordance with a prescription. 45 C.F.R. § 160.103.

Health Care Clearinghouse means a public or private entity, including a billing
service, re-pricing company, community health management information system or
community health information system, and “value-added” networks and switches,
that does either of the following functions: (1) processes or facilitates the
processing of health information received from another entity in a nonstandard
format or containing nonstandard data content into standard data elements or a
standard transaction; (2) receives a standard transaction from another entity and
processes or facilitates the processing of health information into nonstandard
format or nonstandard data content for the receiving entity. 45 C.F.R. § 160.103.

Health Care Operations means any of the following activities of the covered entity to
the extent that the activities are related to covered functions: (1) conducting quality
assessment and improvement activities, population-based activities, and related
functions that do not include treatment; (2) reviewing the competence or
qualifications of health care professionals, evaluating practitioner, provider, and
health plan performance, conducting training programs where students learn to
practice or improve their skills as health care providers, training of professionals
that are not health care providers, accreditation, certification, licensing, or
credentialing activities; (3) underwriting, premium rating, and other activities
relating to the creation, renewal, or replacement of a contract of health insurance or
benefits; (4) conducting or arranging for medical review, legal services, and auditing
functions; (5) business planning and development, and (6) business management
and general administrative activities of the entity. 45 C.F.R. § 164.501.

Health Care Provider means a provider of services (as defined in section 1861(u) of
the Act, 42 U.S.C. § 1395x(u)), a provider of medical or health services (as defined in
section 1861(s) of the Act, 42 U.S.C. § 1395x(s)), and any other person or
organization who furnishes, bills, or is paid for health care in the normal course of
business. 45 C.F.R. § 160.103.

Health Information means any information whether oral or recorded in any form or
medium, that (1) is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or health care
clearinghouse; and (2) relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to an individual; or
the past, present, or future payment for the provision of health care to an individual.
45 C.F.R. § 160.103.

Health Plan means, with certain exceptions, an individual or group plan that
provides or pays the cost of medical care (as defined in section 2791(a)(2) of the
PHS Act, 42 U.S.C. § 300gg-91(a)(2)). 45 C.F.R. § 160.103.

Hybrid Entity means a single legal entity that is a covered entity, performs business
activities that include both covered and non-covered functions, and designates its
health care components as provided in the Privacy Rule. 45 C.F.R. § 164.103.

Indirect Treatment Relationship means a relationship between an individual and a
health care provider in which (1) the health care provider delivers health care to the
individual based on the orders of another health care provider; and (2) the health
care provider typically provides services or products, or reports the diagnosis or
results associated with the health care, directly to another health care provider, who
provides the services or products or reports to the individual. 45 C.F.R. § 164.501.

Individually Identifiable Health Information means information that is a subset of
health information, including demographic information collected from an individual,
and (1) is created or received by a health care provider, health plan, employer, or
health care clearinghouse; and (2) relates to the past, present, or future physical or
mental health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision of health care of
an individual; and (a) that identifies the individual; or (b) with respect to which
there is a reasonable basis to believe the information can be used to identify the
individual. 45 C.F.R. § 160.103.

Person means any natural person, trust or estate, partnership, corporation,
professional association or corporation, or other entity, public or private. 45 C.F.R.
§ 160.103.

Protected Health Information (or PHI) means individually identifiable information
transmitted or maintained in electronic media (ePHI), or transmitted or maintained
in any form or medium. PHI excludes education records covered by the Family
Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records
described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by a
covered entity in its role as employer. 45 C.F.R. §§ 164.501, 160.103.
Psychotherapy Notes means notes recorded (in any medium) by a health care
provider who is a mental health professional documenting or analyzing the contents
of conversation during a private counseling session or a group, joint, or family
counseling session and that are separated from the rest of the individual’s medical
records. Psychotherapy notes excludes medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies of treatment
furnished, results of clinical tests, and any summary of the following items:
diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress
to date. 45 C.F.R. § 164.501.

Research means a systematic investigation, including research development, testing,
and evaluation designed to develop or contribute to generalizable knowledge. 45
C.F.R. § 164.501.

Treatment means the provision, coordination, or management of health care and
related services by one or more health care providers, including the coordination or
management of health care by a health care provider with a third party;
consultation between health care providers relating to a patient; or the referral of a
patient for health care from one health care provider to another. 45 C.F.R. § 164.501.

Secretary means the Secretary of the U.S. Department of Health and Human Services
or any other officer or employee of HHS to whom the authority involved has been
delegated. 45 C.F.R. § 160.103.

Use means, with respect to individually identifiable health information, the sharing,
employment, application, utilization, examination, or analysis of such information
within the entity or health care component (for hybrid entities) that maintains such
information. 45 C.F.R. § 160.103.

Violation or violate means, as the context may require, failure to comply with an
administrative simplification provision.

Workforce means employees, volunteers, trainees, or other persons whose conduct
in the performance of work for a covered entity is under the direct control of such
entity, whether or not they are paid by the covered entity. 45 C.F.R. § 160.103.
III. General Policies and Procedures
A. Authorization to Use or Disclose Protected Health
Information
1. Policy
Pepperdine University will obtain an individual’s authorization to use or disclose
protected health information in accordance with HIPAA and its regulations.
Generally, designated covered components do not need to obtain an individual’s
authorization when using and disclosing protected health information for routine
purposes (e.g. treatment, payment, or health care operations), or for other limited
purposes, as described in Pepperdine University’s Notice of Privacy Practices.
Otherwise, designated covered components must obtain an individual’s valid
authorization for the use or disclosure of protected health information.
2. Procedure
Authorization Form
• A Sample Authorization may be found on page 36 of this Manual.
• The authorization shall be written in plain language and shall contain the
  following information:
    o A description of the PHI to be used/disclosed that identifies the
      information in a specific and meaningful fashion;
    o A description of each purpose of the requested use or disclosure,
      for example, the statement “at the request of the individual” is a
      sufficient description of the purpose when an individual initiates
      the authorization and does not, or elects not to, provide a
      statement of the purpose;
    o The name of the person or organization authorized to disclose the
      PHI;
    o The name of the person or organization authorized to receive the
      PHI;
    o A statement that the individual has the right to revoke the
      authorization in writing;
    o A statement listing the exceptions to an individual’s right to
      revoke;
    o A statement that information used or disclosed pursuant to the
      authorization may be subject to re-disclosure by the recipient and
      no longer protected;
    o A statement that the individual may refuse to sign the
      authorization;
    o A statement that the covered component will not condition
      treatment, payment, enrollment or eligibility for benefits in a
      health plan, based on the individual providing authorization for
      the requested use or disclosure;
    o An expiration date (or expiration event); and
o The signature of the individual and date (or the signature of an
individual’s personal representative).
Ø The University must provide the individual with a signed copy of the
authorization.
Psychotherapy Notes
Ø The University will obtain an individual’s authorization to use or disclose
psychotherapy notes, except in the circumstances listed below.
Ø The University does not need to obtain an individual’s authorization to
use or disclose psychotherapy notes:
o To carry out treatment, payment, or health care operations;
o For use by the originator of the psychotherapy notes for
treatment;
o For use or disclosure by the designated covered component for its
own training programs in which students, trainees, or
practitioners in mental health learn under supervision to practice
or improve their skills in counseling;
o For use or disclosure by the covered entity to defend itself in a
legal action or proceeding brought by the individual; and
o For other limited uses and disclosures as described in 45 C.F.R. §
508(a)(2).
Revocation of Authorization
Ø An individual may revoke an authorization at any time, provided that the
revocation is in writing.
Ø If the University has already taken action in reliance on the authorization,
the University will stop providing the protected health information based
on the revoked authorization within a reasonable period of time.
Documentation
Ø The University must document and retain any signed authorization under
this section.
3. Applicable Regulations
45 C.F.R. §§ 164.508, 164.512.
B. Business Associates
1. Policy
From time to time, covered components may share protected health information
with external parties, known as business associates. Protected health information
generally may only be shared with business associates pursuant to a valid Business
Associate Agreement. A Business Associate Agreement can be in the form of a
written amendment to an existing agreement.
2. Procedure
Business Associate Agreement
Ø A Sample Business Associate Agreement is set forth on page 38 of this
Manual.
Ø Generally, PHI may only be shared with business associates pursuant to a
valid Business Associate Agreement.
Ø It is the responsibility of each designated covered component contracting
with business associates to assure that valid Business Associate
Agreements are executed.
Ø Business Associate Agreements must be in writing and must contain
certain language that is HIPAA compliant.
3. Applicable Regulations
45 C.F.R. §§ 164.502(e), 164.504(e), 164.532, 160.402.
C. Complaint
1. Policy
An individual who believes his or her HIPAA privacy rights have been violated may
file a complaint regarding the alleged privacy violation with the University’s Privacy
Official or the appropriate Office of Civil Rights (OCR) Regional office. Complaints
submitted to the University’s Privacy Official will be documented, reviewed, and
acted upon, if necessary.
2. Procedure
Filing a Complaint
Ø A Sample Complaint Form is set forth on page 46 of this Manual.
Ø If an individual believes his or her privacy rights have been violated, an
individual may file a complaint with the appropriate OCR Regional office,
or with the University’s Privacy Official located in the office of the Chief
Business Officer, Pepperdine University, 24255 Pacific Coast Highway,
Malibu, CA 90263. Each designated covered component must develop
and implement a process for receiving complaints and reporting them to
the University’s Privacy Official (this process can be as simple as
instructing individuals who wish to file a complaint to contact the
University’s Privacy Official).
Ø Individuals must file complaints in writing, either paper or electronically.
Ø A complaint must be filed 180 days from when the individual knew or
should have known of the circumstance that led to the complaint, unless
this time limit is waived for “good cause” shown.
Ø A complaint must name the entity that is the subject of the complaint and
describe the acts or omissions believed to be in violation of the HIPAA
requirements.
Ø OCR may prescribe additional procedures for the filing of complaints, as
well as the place and manner of filing, by notice in the Federal Register.
Ø Individuals may not be penalized for filing a complaint.
Investigation, Sanctions
Ø The Privacy Official will investigate alleged complaints to determine if a
breach of privacy has occurred.
Ø If the Privacy Official determines that a violation occurred, the Privacy
Official will apply appropriate sanctions against the person or entity who
failed to comply with the privacy policies and procedures and instruct the
person or entity to take the corrective actions, if necessary. The Privacy
Official will document any sanctions imposed.
3. Applicable Regulations
45 C.F.R. §§ 160.304, 160.306, 160.308, 160.310, 160.410, 164.530.
D. De-Identification of Protected Health Information
1. Policy
The University may use or disclose de-identified PHI without obtaining an
individual’s authorization. PHI shall be considered de-identified if either of the two
de-identification procedures set forth below are followed.
2. Procedure
Removal of Identifiers
Ø De-identified PHI is rendered anonymous when identifying
characteristics are completely removed and when the University does not
have any actual knowledge that the information could be used alone or in
combination with other information to identify an individual.
Ø De-identification requires the elimination not only of primary or obvious
identifiers, such as the individual’s name, address, and date of birth, but
also of secondary identifiers through which a user could deduce the
individual’s identity.
Ø For information to be de-identified the following identifiers must be
removed:
o Names;
o All address information except for the state;
o Names of relatives and employers;
o All elements of dates (except year), including date of birth,
admission date, discharge date, date of death; and all ages over 89
and all elements of dates including year indicative of such age
except that such ages and elements may be aggregated into a
single category of age 90 or older;
o Telephone numbers;
o Fax numbers;
o E-mail addresses;
o Social security numbers;
o Medical record numbers;
o Health plan beneficiary numbers;
o Account numbers;
o Certificate/license numbers;
o Vehicle identifiers, including license plate numbers;
o Device ID’s and serial numbers;
o Web Universal Resource Locators (URL);
o Internet Protocol (IP) addresses;
o Biometric identifiers;
o Full face photographic images and other comparable images;
o Any other unique identifying number characteristics (except as
otherwise permitted for re-identification purposes).
Statistical Method
Ø PHI is considered de-identified if a person with appropriate knowledge of
and experience with generally accepted statistical and scientific
principles and methods for rendering information not individually
identifiable: (a) determines that the risk is very small that the
information could be used, alone or in combination with other reasonably
available information, by an anticipated recipient to identify an individual
who is a subject of the information; and (b) documents the methods and
results of the analysis to justify such determination.
Re-identification
Ø A covered component may assign a code or other means of record
identification to allow information de-identified under this section to be
re-identified by the covered component, provided that (a) the code or
other means of record identification is not derived from or related to
information about the individual and (b) the covered component does not
use or disclose the code or other means of record identification for any
other purpose, and does not disclose the mechanism for re-identification.
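The identifier-removal, date/age and re-identification-code rules above, sketched as an added example (not part of the University's manual). The field names, the pass-through allowlist and the sample records are assumptions constructed for illustration; date fields are assumed to hold `datetime.date` values.

```python
import secrets
from datetime import date

# Field names are assumptions for this example; map them to your own schema.
IDENTIFIER_FIELDS = {"name", "relatives", "employer", "street", "city", "zip",
                     "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
                     "account_number", "license_number", "vehicle_id",
                     "device_serial", "url", "ip_address", "biometric_id", "photo"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Default-deny: only fields reviewed as non-identifying pass through unchanged,
# which covers the "any other unique identifying number" catch-all.
PASS_THROUGH_FIELDS = {"state", "diagnosis", "visit_reason"}
AGE_CAP = 89


class ReidentificationVault:
    """Code-to-record mapping kept by the covered component, never disclosed."""

    def __init__(self):
        self._by_code = {}
        self._by_key = {}

    def code_for(self, record_key):
        # Random code: not derived from or related to information about the
        # individual (no hash of SSN/MRN, no initials, no birth date parts).
        if record_key not in self._by_key:
            code = secrets.token_hex(16)
            self._by_key[record_key] = code
            self._by_code[code] = record_key
        return self._by_key[record_key]

    def resolve(self, code):
        return self._by_code[code]


def age_on(birth, as_of):
    """Age in whole years on the date as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record, record_key, vault, as_of):
    """Return (released_record, dropped_fields, leaking_fields)."""
    age = record.get("age")
    if isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)
    over_cap = age is not None and age > AGE_CAP

    out = {"record_code": vault.code_for(record_key)}
    dropped = []
    for field, value in record.items():
        if field in DATE_FIELDS:
            # Keep the year only. For ages over 89 the birth year itself
            # indicates the age, so it is withheld as well.
            if field == "birth_date" and over_cap:
                dropped.append(field)
            else:
                out[field.replace("_date", "_year")] = value.year
        elif field == "age":
            continue  # re-emitted below in capped form
        elif field in PASS_THROUGH_FIELDS:
            out[field] = value
        else:
            dropped.append(field)  # listed identifier or unreviewed field
    if age is not None:
        out["age"] = "90 or older" if over_cap else age

    # Fail closed on free text: withhold any released string that still
    # contains a value taken from one of the removed identifier fields.
    removed = [str(record[f]).casefold() for f in IDENTIFIER_FIELDS
               if f in record and len(str(record[f])) >= 4]
    leaking = [f for f, v in out.items()
               if f != "record_code" and isinstance(v, str)
               and any(r in v.casefold() for r in removed)]
    for f in leaking:
        del out[f]
    return out, sorted(dropped), sorted(leaking)


# Constructed sample records (not real people).
SAMPLE_AS_OF = date(2014, 8, 1)
SAMPLE_RECORDS = [
    {"mrn": "MRN-000123", "name": "Jane Roe", "street": "1 Example Road",
     "city": "Malibu", "state": "CA", "zip": "90263", "phone": "555-0100",
     "email": "jane.roe@example.org", "birth_date": date(1921, 3, 5),
     "admission_date": date(2014, 6, 30), "diagnosis": "hypertension",
     "visit_reason": "follow-up", "insurer_note": "group 7"},
    {"mrn": "MRN-000456", "name": "John Doe", "state": "CA", "phone": "555-0199",
     "birth_date": date(1980, 11, 20), "admission_date": date(2014, 7, 15),
     "diagnosis": "asthma", "visit_reason": "Callback for John Doe at 555-0199"},
]

if __name__ == "__main__":
    vault = ReidentificationVault()
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, rec["mrn"], vault, SAMPLE_AS_OF))
```

The vault object stays inside the covered component; only the released record, with its random `record_code`, leaves it.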
3. Applicable Regulations
45 C.F.R. §§ 164.502(d), 164.514(a) and (b)
E. Limited Data Sheets
1. Policy
Covered components may use and disclose a limited data set without an individual’s
authorization for the purposes of research, public health, or health care operations if
the covered component enters into a Data Use Agreement with the intended
recipient of the limited data set. A designated covered component may use
protected health information to create a limited data set, or to disclose protected
health information to a Business Associate to create a limited data set on behalf of
the covered component.
2. Procedure
Limited Data Set
Ø A&limited data set is PHI that excludes the following direct identifiers of
the individual or relatives, employers, or household members of the
individual:
o Names;
o Postal address information, other than town, city, state, and zip
codes;
o Telephone numbers;
o Fax numbers;
o Electronic mail addresses;
o Social security numbers;
o Medical record numbers;
o Health plan beneficiary numbers;
o Account numbers;
o Certificate/license numbers;
o Vehicle identifiers and serial numbers (including license plate
number);
o Web Universal Resource Locators (URLs);
o Internet Protocol (IP) address numbers;
o Biometric identifiers, including finger and voiceprints; and
o Full face photographs and comparable images.
Data Use Agreements. Data use agreements must:
Ø Establish the permitted uses and disclosures of the limited data set;
Ø Establish who is permitted to use or receive the limited data set; and
Ø Provide that the recipient of the information will:
o Not use or further disclose the information other than as
permitted by the agreement;
o Use appropriate safeguards to prevent use or disclosure other
than as permitted by the agreement;
o Report to the University any uses or disclosures that the recipient is
aware of that are not provided for by the agreement;
o Ensure that the recipient’s agents who have access to the
information agree to the same restrictions as imposed on the
recipient; and
o Not identify the information or contact the individuals.
3. Applicable Regulations
45 C.F.R. § 164.514(e).
F. Minimum Necessary Use and Disclosure of Protected
Health Information
1. Policy
When using or disclosing PHI or when requesting PHI from another entity covered
by the HIPAA privacy regulations, the University shall make a reasonable effort to
limit itself to the minimum amount of protected health information necessary to
accomplish the intended purpose of the use, disclosure or request. The University is
not required to apply the minimum necessary standard under the following
circumstances:
Ø For Treatment. Disclosure to or requests by a health care provider for
purposes of diagnosing or treating an individual.
Ø To the Individual. Uses or disclosures made to the individual.
Ø Pursuant to Patient’s Authorization. Uses or disclosures pursuant to a
valid authorization.
Ø To the HHS. Disclosures to the Office for Civil Rights of the U.S.
Department of Health and Human Services for HIPAA compliance
purposes.
Ø Required by Law. Uses or disclosures that are required by law (i.e., a
mandate that is contained in law that compels the University to use or
disclose protected health information and that is enforceable in a court of
law, e.g., court orders, court-ordered subpoenas, civil or authorized
investigative demands).
2. Procedure
The University recognizes that each designated covered component that uses or
discloses protected health information has a unique organizational structure and
that employees of the unit may perform various functions for the unit that require
different levels of access to protected health information. Further, the
responsibilities designated to these functions vary across each designated covered
component at the University and cannot be determined solely based on job title or
description. For these reasons it is the responsibility of each designated covered
component that uses and discloses protected health information to determine those
persons or classes of persons, as appropriate, in its workforce who need access to
protected health information to carry out their duties; and for each such person or
class of persons, the category or categories of protected health information to which
access is needed and any conditions appropriate to such access.
For any type of disclosure that it makes on a routine and recurring basis, a covered
component must implement policies and procedures (which may be standard
protocols) that limit the protected health information disclosed to the amount
reasonably necessary to achieve the purpose of the disclosure. For all other
disclosures, the covered component must develop criteria designed to limit the
protected health information disclosed to the information reasonably necessary to
accomplish the purpose for which disclosure is sought and review requests for
disclosure on an individual basis in accordance with such criteria.
3. Applicable Regulations
45 C.F.R. §§ 164.502, and 164.514(d).
G. Notice of Privacy Practices
1. Policy
Pepperdine University is committed to maintaining and protecting the
confidentiality of the individual’s PHI. This Notice of Privacy Practices applies to
Pepperdine University (Athletics, Boone Center for the Family, Counseling Center,
Disability Services Office, Graduate School of Education and Psychology (PRYDE,
Union Rescue Mission, Clinics), Human Resources, and Student Health Center)
(“Departments”). Pepperdine University is required by federal and state law,
including the Health Insurance Portability and Accountability Act (“HIPAA”), to
protect the individual’s PHI and other personal information. Pepperdine is required
to provide the individual with this Notice of Privacy Practices about the University’s
policies, safeguards, and practices. When Pepperdine University uses or discloses
an individual’s PHI, Pepperdine University is bound by the terms of this Notice of
Privacy Practices, or the revised Notice of Privacy Practices, if applicable.
The University’s Obligations:
Pepperdine is required by law to:
Ø Maintain the privacy of PHI (with certain exceptions)
Ø Give the individual this notice of the University’s legal duties and privacy
practices regarding health information about the individual
Ø Follow the terms of the University’s Notice of Privacy Practice that is
currently in effect
2. Procedure
How the University may use and disclose PHI:
The following describes the ways the University may use and disclose PHI. Except
for the purposes described below, the University will use and disclose PHI only with
the individual’s written permission. The individual may revoke such permission at
any time by writing to Pepperdine University’s Compliance Officer.
Ø For Treatment. The University may use and disclose PHI for the individual’s
treatment and to provide the individual with treatment-related health care
services. For example, the University may disclose PHI to doctors, nurses,
technicians, or other personnel, including people outside the University’s
office, who are involved in the individual’s medical care and need the
information to provide the individual with medical care.
Ø For Payment. The University may use and disclose PHI so that the University
or others may bill and receive payment from the individual, an insurance
company or a third party for the treatment and services the individual
received. For example, the University may tell the individual’s insurance
company about a treatment the individual is going to receive to determine
whether the individual’s insurance company will cover the treatment.
Ø For Health Care Operations. The University may use and disclose PHI for
health care operations purposes. These uses and disclosures are necessary
to make sure that all of the University’s patients receive quality care and to
operate and manage the University’s office. For example, the University may
share information with doctors, residents, nurses, technicians, clerks, and
other personnel for quality assurance and educational purposes. The
University also may share information with other entities that have a
relationship with the individual (for example, the individual’s insurance
company and anyone other than the individual who pays for the individual’s
services) for the individual’s health care operation activities.
Ø Appointment Reminders, Treatment Alternatives, and Health Related
Benefits and Services. The University may use and disclose PHI to contact
the individual to remind them that they have an appointment with the
University. The University also may use and disclose PHI to tell the
individual about treatment alternatives or health-related benefits and
services that may be of interest to the individual.
Ø Third Parties Involved in an Individual’s Care or Payment for an Individual’s
Care. When appropriate, the University may share PHI with a person who is
involved in the individual’s medical care or payment for the individual’s care,
such as the individual’s family or a close friend. The University also may
notify the individual’s family about the individual’s location or general
condition or disclose such information to an entity (such as the Red Cross)
assisting in a disaster relief effort.
Ø Research. Under certain circumstances, the University may use and disclose
PHI for research. For example, a research project may involve comparing the
health of patients who received one treatment to those who received
another, for the same condition. The University will generally ask for the
individual’s written authorization before using the individual’s PHI or
sharing it with others to conduct research. Under limited circumstances, the
University may use and disclose PHI for research purposes without the
individual’s permission. Before the University uses or discloses PHI for
research without the individual’s permission, the project will go through a
special approval process to ensure that research conducted poses minimal
risk to the individual’s privacy. The individual’s information will be de-
identified. Researchers may contact the individual to see if the individual is
interested in or eligible to participate in a study.
SPECIAL SITUATIONS:
Ø As Required by Law. The University will disclose PHI when required to do so
by international, federal, state or local law.
Ø To Avert a Serious Threat to Health or Safety. The University may use and
disclose PHI when necessary to prevent a serious threat to the individual’s
health and safety or the health and safety of others. Disclosures, however,
will be made only to someone who may be able to help prevent or respond to
the threat, such as law enforcement or a potential victim. For example, the
University may need to disclose information to law enforcement when a
patient reveals participation in a violent crime.
Ø Business Associates. The University may disclose PHI to the University’s
business associates that perform functions on the University’s behalf or
provide the University with services if the information is necessary for such
functions or services. For example, the University may use another company
to perform billing services on the University’s behalf. All of the University’s
business associates are obligated to protect the privacy of the individual’s
information and are not allowed to use or disclose any information other
than as specified in our contract.
Ø Organ and Tissue Donation. If the individual is an organ donor, the
University may use or release PHI to organizations that handle organ
procurement or other entities engaged in procurement, banking or
transportation of organs, eyes or tissues to facilitate organ, eye or tissue
donation and transplantation.
Ø Military and Veterans. If the individual is a member of the armed forces, the
University may release PHI as required by military command authorities.
The University also may release PHI to the appropriate foreign military
authority if the individual is a member of a foreign military.
Ø Workers’ Compensation. The University may release PHI for workers’
compensation or similar programs. These programs provide benefits for
work-related injuries or illness.
Ø Public Health Risks. The University may disclose PHI for public health risks
or certain occurrences. These risks and occurrences generally include
disclosures to prevent or control disease, injury or disability; report births
and deaths; report child, elder or dependent adult abuse or neglect; report
reactions to medications or problems with products; notify people of recalls
of products they may be using; a person who may have been exposed to a
disease or may be at risk for contracting or spreading a disease or condition;
and the appropriate government authority if we believe a patient has been
the victim of abuse, neglect, or domestic violence (we will only make this
disclosure when required or authorized by law).
Ø Health Oversight Activities. The University may disclose PHI to a health
oversight agency, such as the California Department of Health and Human
Services or Center for Medicare and Medical Services, for activities
authorized by law. These oversight activities include, for example, audits,
investigations, inspections, and licensure. These activities are necessary for
the government to monitor the health care system, government programs,
and compliance with civil rights laws.
Ø Data Breach Notification Purposes. The University may use or disclose the
individual’s PHI to provide legally required notices of unauthorized access to
or disclosure of PHI.
Ø Lawsuits and Disputes. If the individual is involved in a lawsuit or a dispute,
the University may disclose PHI in response to a court or administrative
order. The University also may disclose PHI in response to a subpoena,
discovery request, or other lawful request by someone else involved in the
dispute, but only if efforts have been made to tell the individual about the
request or to allow the individual to obtain an order protecting the
information requested.
Ø Law Enforcement. The University may release PHI if asked by a law
enforcement official if the information is: (1) in response to a court order,
subpoena, warrant, summons or similar process; (2) limited information to
identify or locate a suspect, fugitive, material witness, or missing person; (3)
about the victim of a crime even if, under certain very limited circumstances,
the University is unable to obtain the individual’s agreement; (4) about a
death the University believes may be the result of criminal conduct; (5) about
criminal conduct on the University’s premises; and (6) in an emergency to
report a crime, the location of the crime or victims, or the identity,
description or location of the person who committed the crime.
Ø Coroners, Medical Examiners and Funeral Directors. The University may
release PHI to a coroner or medical examiner. This may be necessary, for
example, to identify a deceased person or determine the cause of death. The
University also may release PHI to funeral directors as necessary for their
duties.
Ø National Security and Intelligence Activities. The University may release PHI
to authorized federal officials for intelligence, counter-intelligence, and other
national security activities authorized by law.
Ø Protective Services for the President and Others. The University may
disclose PHI to authorized federal officials so they may provide protection to
the President, other authorized persons or foreign heads of state, or to
conduct special investigations.
Ø Inmates or Individuals in Custody. If the individual is an inmate of a
correctional institution or under the custody of a law enforcement official,
the University may release PHI to the correctional institution or law
enforcement official. This release would be necessary if: (1) for the
institution to provide the individual with health care; (2) to protect the
individual’s health and safety or the health and safety of others; or (3) the
safety and security of the correctional institution.
USES AND DISCLOSURES THAT REQUIRE THE UNIVERSITY TO GIVE THE
INDIVIDUAL AN OPPORTUNITY TO OBJECT/OPT OUT:
Ø Third Parties Involved in the Individual’s Care or Payment for Individual’s
Care. Unless the individual objects, the University may disclose to a member
of the individual’s family, a relative, a close friend or any other person the
individual identifies, the individual’s PHI that directly relates to that third
party’s involvement in the individual’s health care. If the individual is unable
to agree or object to such a disclosure, the University may disclose such
information as necessary if the University determines that it is in the
individual’s best interest based on the University’s professional judgment.
Ø Disaster Relief. The University may disclose the individual’s PHI to disaster
relief organizations that seek the individual’s PHI to coordinate the
individual’s care, or notify family and friends of the individual’s location or
condition in a disaster. The University will provide the individual with an
opportunity to agree or object to such a disclosure whenever the University
practically can do so.
Ø Fundraising. The University may notify the individual about fundraising
events that support Pepperdine University.
INDIVIDUAL’S WRITTEN AUTHORIZATION IS REQUIRED FOR OTHER USES AND
DISCLOSURES:
The following uses and disclosures of the individual’s PHI will be made only with the
individual’s written authorization:
1. Uses and disclosures of PHI for marketing purposes;
2. Disclosures that constitute a sale of the individual’s PHI; and
3. Disclosures of psychotherapy notes.
Ø Other uses and disclosures of PHI not covered by this Notice of Privacy
Practice or the laws that apply to the University will be made only with the
individual’s written authorization. If the individual gives us authorization,
the individual may revoke it at any time by submitting a written revocation
to Pepperdine University Compliance Officer and we will no longer disclose
PHI under the authorization. But disclosure that the University made in
reliance on an individual’s authorization before the individual revoked it will
not be affected by the revocation.
INDIVIDUAL’S RIGHTS REGARDING PHI:
Ø Right to Inspect and Copy. The individual has a right to inspect and copy PHI
that may be used to make decisions about the individual’s care or payment
for the individual’s care. This includes medical and billing records, other
than psychotherapy notes. To inspect and copy the individual’s PHI, the
individual must make their request, in writing, to the Department in which
their care was provided. The University has up to 30 days to make the
individual’s PHI available to the individual and the University may charge the
individual a reasonable fee for the costs of copying, mailing or other supplies
associated with the individual’s request. The University may not charge the
individual a fee if the individual needs the information for a claim for benefits
under the Social Security Act or any other state or federal needs-based
benefit program. The University may deny the individual’s request in certain
limited circumstances. If the University does deny the individual’s request,
the individual has the right to have the denial reviewed by a licensed
healthcare professional that was not directly involved in the denial of the
individual’s request, and the University will comply with the outcome of the
review.
Ø Right to Get Notice of a Breach. Pepperdine University is committed to
safeguarding the individual’s PHI. If a breach of the individual’s PHI occurs,
the University will notify the individual in accordance with state and federal
law.
Ø Right to Amend, Correct or Add an Addendum. If the individual feels that the
PHI the University has is incorrect, incomplete, or the individual wishes to
add an addendum to the individual’s records, the individual has the right to
make such request for as long as the information is kept by or for the
University’s office. The individual must make their request in writing to the
Department in which their care was provided. In the case of claims that the
information is incorrect, incomplete, or if the record was not created by
Pepperdine University, the University may deny the individual’s request.
However, if the University denies any part of the individual’s request, the
University will provide the individual with a written explanation of the
reasons for doing so within 60 days of the individual’s request.
Ø Right to an Accounting of Disclosures. Individuals have the right to request a
list of certain disclosures the University made of PHI for purposes other than
treatment, payment, health care operations, certain other purposes
consistent with law, or for which the individual provided written
authorization. To request an accounting of disclosure, individuals must make
their request, in writing, to the Department in which the individual’s care
was provided. The individual may request an accounting of disclosures for
up to the previous six years of services provided before the date of the
individual’s request. If more than one request is made during a 12 month
period, Pepperdine University may charge a cost based fee.
Ø Right to Request Restrictions. Individuals have the right to request a
restriction or limitation on the PHI Pepperdine University uses or discloses
for treatment, payment, or health care operations. Individuals also have the
right to request a limit on the PHI we disclose to someone involved in the
individual’s care or the payment for the individual’s care, like a family
member or friend. For example, the individual could ask that the University
not share information about a particular diagnosis or treatment with the
individual’s spouse. To request a restriction, the individual must make their
request, in writing, to the Department in which their care was provided. The
University is not required to agree to the individual’s request unless the
individual is asking us to restrict the use and disclosure of the individual’s
PHI to a health plan for payment or health care operation purposes and such
information the individual wishes to restrict pertains solely to a health care
item or service for which the individual has paid the University out-of-pocket
in full. If the University agrees, the University will comply with the
individual’s request unless the information is needed to provide the
individual with emergency treatment or to comply with law. If the University
does not agree, the University will provide an explanation in writing.
Ø Out-of-Pocket-Payments. If the individual pays out-of-pocket (or in other
words, the individual has requested that the University not bill the
individual’s health plan) in full for a specific item or service, the individual
has the right to ask that the individual’s PHI with respect to that item or
service not be disclosed to a health plan for purposes of payment or health
care operations, and the University will honor that request.
Ø Right to Request Confidential Communications. Individuals have the right to
request that the University communicate with them about medical matters in
a certain way or at a certain location. For example, the individual can ask
that the University only contact individuals by mail or at work. To request
confidential communications, individuals must make their request, in
writing, to the Department in which their care was provided. The
individual’s request must specify how or where the individual wishes to be
contacted. The University will accommodate reasonable requests.
Ø Right to Choose Someone to Act for the Individual. If the individual gives
someone medical power of attorney or if someone is the individual’s legal
guardian, that person can exercise the individual’s rights and make choices
about the individual’s PHI. The University will use our best efforts to verify
that person has authority to act for the individual before the University takes
any action.
Ø Right to a Paper Copy of This Notice of Privacy Practices. Individuals have
the right to a paper copy of this Notice of Privacy Practices. Individuals may
ask the University to give the individual a copy of this Notice of Privacy
Practices at any time. Even if the individual has agreed to receive this Notice
of Privacy Practices electronically, individuals are still entitled to a paper
copy of this Notice of Privacy Practices. Individuals may obtain a copy of this
Notice of Privacy Practices on our web site at,
http://www.pepperdine.edu/provost/content/policies/hipaa_manual_5_2012.pdf.
To obtain a paper copy of this Notice of Privacy Practices, contact the
Department in which the individual’s care was provided.
CHANGES TO THIS NOTICE OF PRIVACY PRACTICES:
Ø Pepperdine University reserves the right to change this Notice of Privacy
Practices and make the new Notice of Privacy Practices apply to PHI the
University already has as well as any information the University receives in
the future. The University will post a copy of the University’s current Notice
of Privacy Practice at our office. The Notice of Privacy Practices will contain
the effective date on the first page, in the top right-hand corner. Individuals
will be sent information regarding the changes via e-mail or via mail on how
they can obtain a new copy. Individuals will be asked to sign off on the new
Notice of Privacy Practices at the individual’s next scheduled appointment.
COMPLAINTS:
Ø If an individual believes their privacy rights have been violated, the
individual may file a complaint with Kim Miller, HIPAA Compliance Officer,
24255 Pacific Coast Highway, Malibu, CA 90263, 310.506.4208. All
complaints must be made in writing. Individuals may also contact the
Secretary of the Department of Health and Human Services or Director, Office
of Civil Rights of the U.S. Department of Health and Human Services. Please
contact the University Compliance Officer if an individual needs assistance
locating current contact information. Individuals will not be penalized or
retaliated against for filing a complaint.
3. Applicable Regulation
45 C.F.R. § 164.520
H. Privacy Official, Security Officer, and Privacy Coordinators
1. Privacy Official
The University has designated a Privacy Official who is responsible for the
development and implementation of the University’s policies and procedures
related to the privacy and security of protected health information under HIPAA.
Responsibilities of the Privacy Official include:
Ø Maintain ongoing communication with the Security Official and all
Privacy Coordinators.
Ø Coordinate training programs for the designated covered components in
cooperation with the Privacy Coordinators.
Ø Maintain ongoing communications with the IRB regarding research use of
PHI.
Ø Respond to complaints regarding University policies, procedures, and
practices related to the privacy of health information.
Ø Respond to, or refer to the appropriate covered component, requests by
individuals for access and amendment, an accounting of disclosures, or
requested restrictions to the use and disclosure of the individual’s PHI.
The contact information for the Privacy Official is:
Kim Miller
Pepperdine University
24255 Pacific Coast Highway
Malibu, CA 90263
E-mail: kim.miller@pepperdine.edu
Telephone: (310) 506-4208
This information is subject to change and will be revised accordingly.
2. Security Official
The University has designated a Security Official to assist the Privacy Official and
Privacy Coordinators in carrying out University adopted policies and procedures
related to the privacy and security of individuals’ ePHI under HIPAA.
Responsibilities of the Security Official include:
Ø Maintain ongoing communication with the Privacy Official and all Privacy
Coordinators.
Ø Assist in the development of policies and procedures of each covered
component related to the security of ePHI.
Ø Assist in the development and implementation of ongoing security
awareness and training programs for the workforce of covered
components, researchers, and students with respect to ePHI.
Ø Monitor the use of security measures to protect ePHI.
Ø Assist in revising the University’s policies and procedures related to the
privacy and security of ePHI as required to comply with changes in any
applicable laws and document any changes.
The contact information for the Security Official is:
Kim Cary
Pepperdine University
24255 Pacific Coast Highway
Malibu, CA 90263
E-mail: kim.cary@pepperdine.edu
Telephone: (310) 506-6655
3. Privacy Coordinators
The University has designated Privacy Coordinators within each of the covered
components to assist the Privacy Official and the Security Officer in carrying out
University adopted policies and procedures related to the privacy and security of
protected health information under HIPAA.
Responsibilities of the Privacy Coordinators include:
Ø Perform the role of liaison and maintain ongoing communication with the
Privacy Official and the Security Official.
Ø Communicate with the Privacy Official and the Security Official regarding
the privacy and security policies of the covered component within which
the Privacy Coordinator is located.
Ø Develop and maintain procedures consistent with the policy for
protection of PHI in the covered component.
Ø Maintain all policies and procedures in written or electronic form.
Ø Inform members of the covered component about the policies and
procedures through various mechanisms, including staff meetings,
orientation for new workforce members, and ongoing education.
Ø Monitor the process for identifying workforce members within the
covered component who require access to PHI.
Ø Monitor compliance with the policies and procedures of the covered
component.
Ø Report to the Privacy Official violations that result in an impermissible
use or disclosure of PHI, and report to the Security Official violations that
result in an impermissible use or disclosure of ePHI.
Ø Help ensure continued compliance with HIPAA and University policies
and procedures.
The contact information for each of the Privacy Coordinators is:
Student Health Center
Rebecca Roldan
E-mail: rebecca.roldan@pepperdine.edu
Telephone: (310) 506-4316 (Option #3 for Business Inquiries)
Athletic Training Center
Kevin Wright, Athletic Trainer
E-mail: kevin.wright@pepperdine.edu
Telephone: (310) 506-4602
Student Counseling Center
Dr. Nivla Fitzpatrick
E-mail: nivla.fitzpatrick@pepperdine.edu
Telephone: (310) 506-4210
Pepperdine University Psychological & Educational Clinic
West Los Angeles Graduate Campus
Dr. Aaron Aviera, Director
E-mail: aaron.aviera@pepperdine.edu
Telephone: (310) 568-5752
Pepperdine Community Counseling Center
Orange County Graduate Campus
Dr. Duncan Wigg, Director
E-mail: duncan.wigg@pepperdine.edu
Telephone: (949) 223-2522
Pepperdine Community Counseling Center
Encino Graduate Campus
Dr. Anat Cohen, Director
E-mail: anat.cohen@pepperdine.edu
Telephone: (818) 501-1660
Pepperdine Jerry B.H. Union Rescue Clinic
Dr. Aaron Aviera, Director
Pepperdine University Psychology & Educational Clinic
E-mail: aaron.aviera@pepperdine.edu
Telephone: (310) 568-5752
Pepperdine Jerry B.H. Union Rescue Clinic
Dr. Cary Mitchell, Director
Pepperdine University Psychology & Educational Clinic
E-mail: cary.mitchell@pepperdine.edu
Telephone: (310) 506-8553
Human Resources
Angie Pedersen
E-mail: angie.pedersen@pepperdine.edu
Telephone: (310) 506-4190
PRYDE (Pepperdine Resource, Youth Diversion, and
Education)
Kenneth Woog, Associate Director
Graduate School of Education and Psychology
E-mail: kenneth.woog@pepperdine.edu
Telephone: (949) 283-0041
Boone Center for the Family
Holly Ebright
Graduate School of Education and Psychology
E-mail: holly.ebright@pepperdine.edu
Telephone: (310) 506-4771
Disability Services Office
Eunice Chong
E-mail: eunice.chong@pepperdine.edu
Telephone: (310) 506-6500
This information is subject to change and will be revised accordingly.
4. Applicable Regulation
45 C.F.R. § 164.530(a).
I. Records Retention
1. Policy
The University will maintain certain documentation regarding its HIPAA
compliance, in written or electronic form.
2. Procedure
Ø Covered components must retain the following documentation for six
years from the date of its creation or the date it was last in effect
(whichever is later):
o Policies and Procedures. Any policy or procedural documentation,
including notice of privacy practices, consents (if any) and
authorizations, and other standard forms.
o Patient Requests. Patient requests for access, amendment, or
accounting of disclosures.
o Complaints. The handling of any individual’s complaints.
o Workforce Training. The processes for and content of workforce
training.
o Sanctions. The handling of any sanctions against members of its
workforce who fail to comply with the privacy policies and
procedures of the covered component.
Ø If state laws require longer retention periods, the state requirements
control.
3. Applicable Regulation
45 C.F.R. § 164.530(j).
J. Research
1. Policy
HIPAA establishes privacy protections from human subjects research and
establishes the conditions under which protected health information may be used or
disclosed by Pepperdine University for research purposes. This policy and
procedure should be followed in addition to any applicable federal or state
regulations governing the protection of human subjects research, as well as any
applicable Institutional Review Board (“IRB”) policies and procedures.
2. Procedure
Research
Ø Pepperdine University may use or disclose protected health information
for research, regardless of the source of the funding of the research, in the
following circumstances:
o Individual Authorization. The individual has signed a valid
authorization;
o Board Approval of Waiver. The IRB has approved a proper waiver
of the need to obtain the individual’s authorization;
o Limited Data Set. The health information is used or disclosed in a
limited data set in accordance with a valid Data Use Agreement;
o De-identification. The health information has been de-identified;
o Preparatory to Research. PHI may be used or disclosed to a
researcher as necessary to prepare a research protocol or for
similar purposes preparatory to research if the University obtains
the following representations from the researcher: (a) the use or
disclosure is sought solely to review PHI as necessary to prepare a
research protocol or for similar purposes preparatory to research;
(b) no PHI will be removed from the University by the researcher
in the course of the review; and (c) the PHI for which use or access
is sought is necessary for the research purposes;
o Decedent’s Research. PHI may be used or disclosed to a
researcher for research on decedents if the University obtains the
following from the researcher: (a) a representation that the use or
disclosure sought is solely for research on the PHI of decedents;
(b) documentation of the death of such individual(s) and/or
research subject(s); (c) a representation that the PHI for which use
or disclosure is sought is necessary for research purposes.
Ø If the University is also the researcher, the University must still obtain the
proper authorization or fit within one of the other exceptions before
using PHI for research purposes.
Research Pursuant to an Authorization
Ø Research authorizations must contain the same core elements as other
authorizations (Authorization to Use or Disclose Protected Health
Information on pages 9 and 10), except for the following differences:
o The University may condition the provision of research-related
treatment on a provision of authorization for the use or disclosure
of protected health information for such research;
o An authorization for use and disclosure of protected health
information for a research study may be combined with any other
type of written permission for the same research study, including
another authorization for the use or disclosure of protected health
information for such research or consent to participate in such
research;
o A research authorization does not need to contain an expiration
date or event as is required for other authorizations (the language
“end of the research study” or “none” or similar language is
sufficient).
Revocation
Ø A research authorization may be revoked by an individual.
Ø If an authorization is revoked, the University may continue its use or
disclosure of the PHI already obtained pursuant to the valid authorization
to the extent necessary to preserve the integrity of the research study.
IRB Waiver Approval
Ø For a use or disclosure to be permitted upon IRB approval, the IRB must
document that all of the following criteria have been met:
o The use or disclosure of PHI involves no more than a minimal risk
to the privacy of individuals, based on the presence of the
following elements: (i) an adequate plan to protect the identifiers
from improper use and disclosure; (ii) an adequate plan to destroy
the identifiers at the earliest opportunity consistent with the
conduct of research, unless there is a health or research
justification for retaining the identifiers or such retention is
otherwise required by law; and (iii) adequate written assurances
that the protected health information will not be reused or
disclosed to any other person or entity, except as required by law,
for authorized oversight of the research study, or for other
research for which the use or disclosure of protected health
information would be permitted under this policy;
o The research could not be conducted without the waiver or
alteration; and
o The research could not be conducted without access to and use of
the protected health information.
Ø The documentation should include a statement identifying the IRB and
the date on which the alteration or waiver of authorization was approved.
Ø The documentation should include a brief description of the PHI for
which use or access has been determined to be necessary by the IRB.
Ø The documentation should include a statement that the alteration or
waiver of authorization has been reviewed.
Ø The Chair of the IRB or other member designated by the Chair must sign
the document.
3. Applicable Regulations
45 C.F.R. §§ 164.501, 164.508, 164.512.
K. Right to Request Access to Protected Health Information
1. Policy
Individuals have the right to request access to inspect or copy their protected health
information that is maintained in a designated record set. The University will
address an individual’s request to inspect or copy his or her protected health
information in a timely and professional manner. Individuals do not have the right
to access certain types of information (set forth below), and in those situations, the
University may deny an individual’s request to access. In certain circumstances, an
individual may have the right to have a denial reviewed. The University will adhere
to the procedures set forth below when addressing, denying, or reviewing an
individual’s request to access.
2. Procedure
Requests for Access
Ø A Sample Request for Access Form is set forth on page 47 of this Manual.
Ø Each covered component must designate the title of the person(s) or
office responsible for receiving and processing requests for access by
individuals.
Ø Individuals must be instructed to direct their request for access to the
designated person responsible for receiving such requests.
Ø Individuals may be instructed to make their request for access in writing.
Ø The person responsible for processing the request may discuss the scope,
format, and other aspects of the request for access with the individual as
necessary to facilitate a timely provision of access.
Ø The parties can agree in advance that a summary of the requested
protected health information will be provided in lieu of access to the
information.
Ø Upon receipt of a proper request, the covered component will act on the
request by either: (1) informing the individual of acceptance and
providing the access requested; or (2) providing the individual with a
written denial in accordance with the procedure set forth.
Ø If the covered component does not maintain the requested protected
health information, but it knows where the requested information is
maintained, the covered component will inform the individual where to
direct the request for access.
Ø An individual’s request for access must be acted upon no later than 30
days after the request is made; or, if the request is for protected health
information that is not maintained or accessible on-site, no later than 60
days after the request.
Providing Access
Ø If a request for access is granted, the individual will be given access to the
protected health information in a secure and confidential manner.
Ø The covered component will provide the individual with access to the
protected health information in the form or format requested by the
individual, if it is readily producible in such form or format. If it is not
readily producible in such format, the covered component will provide
the access in such other form as agreed to by the individual.
Ø In instances where the protected health information is in more than one
record set, or at more than one location, the covered component will only
produce the protected health information once in response to the request
for access.
Denial of Access
Ø A Sample Denial of Access Form is set forth on page 45 of this Manual.
Ø A written denial of access may be issued in the following circumstances:
o Psychotherapy Notes. An individual does not have the right to
access psychotherapy notes relating to him or herself except (a) to
the extent the patient’s treating professional approves such
access in writing; or (b) the patient obtains a court order
authorizing such access.
o Legal Information. An individual does not have the right to access
information compiled in reasonable anticipation of, or for use in, a
civil, criminal, or administrative action or proceeding.
o Endangerment. An individual does not have the right to access
information in the event that a licensed health care professional
has determined, in the exercise of professional judgment, that the
access requested is reasonably likely to endanger the life or
physical safety of the individual or another person.
o Obtained from Someone Else. An individual does not have the
right to access information if the protected health information was
obtained from someone other than a health care provider under a
promise of confidentiality and the access requested would be
reasonably likely to reveal the source of the information.
o Reference to Other People. An individual does not have the right
to access information if the protected health information makes
reference to another person and a licensed health care
professional has determined, in the exercise of professional
judgment, that access requested is reasonably likely to cause
substantial harm to such other person.
o Personal Representative. An individual does not have the right to
access information if the request for access is made by the
individual’s personal representative and a licensed health care
professional has determined, in the exercise of professional
judgment, that the provision of access to such personal
representative is reasonably likely to cause substantial harm to
the individual or another person.
o Research. The University may temporarily suspend an individual’s
access to protected health information created or obtained in the
course of research that includes treatment. The suspension may
last for as long as the research is in progress, provided that the
individual agreed to the denial of access when consenting to
participate in the research, and the individual has been informed
that the right of access will be reinstated upon completion of the
research.
o Other Limited Circumstances. There are other limited
circumstances when an individual does not have the right to
access protected health information, listed in 45 C.F.R. § 164.524.
Ø When denying an individual access to protected health information, the
denial will be written in plain language and
o Contain the basis for the denial;
o If applicable, contain a statement of the individual’s review rights,
including a description of how the individual may exercise such
rights; and
o Contain a description of how the individual may complain to the
University pursuant to the University’s complaint process (and
include the title and telephone number of the contact person), or
to the appropriate OCR Regional office.
Ø The University must, to the extent possible, grant the individual access to
any other protected health information requested after excluding the
protected health information that was denied.
Reviewing a Denial of Access
Ø If access is denied based on (1) Endangerment; (2) Reference to Other
People; or (3) Personal Representative (these exceptions are all set forth
above), the