August 1, 2014
PEPPERDINE UNIVERSITY
HIPAA Policies Procedures and Forms
Manual
Table of Contents
I. INTRODUCTION
  A. GENERAL POLICY
  B. SCOPE
II. DEFINITIONS
III. GENERAL POLICIES AND PROCEDURES
  A. AUTHORIZATION TO USE OR DISCLOSE PROTECTED HEALTH INFORMATION
    1. Policy
    2. Procedure
    3. Applicable Regulations
  B. BUSINESS ASSOCIATES
    1. Policy
    2. Procedure
    3. Applicable Regulations
  C. COMPLAINT
    1. Policy
    2. Procedure
    3. Applicable Regulations
  D. DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION
    1. Policy
    2. Procedure
    3. Applicable Regulations
  E. LIMITED DATA SHEETS
    1. Policy
    2. Procedure
    3. Applicable Regulations
  F. MINIMUM NECESSARY USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
    1. Policy
    2. Procedure
    3. Applicable Regulations
  G. NOTICE OF PRIVACY PRACTICES
    1. Policy
    2. Procedure
    3. Applicable Regulation
  H. PRIVACY OFFICIAL, SECURITY OFFICER, AND PRIVACY COORDINATORS
    1. Privacy Official
    2. Security Official
    3. Privacy Coordinators
    4. Applicable Regulation
  I. RECORDS RETENTION
    1. Policy
    2. Procedure
    3. Applicable Regulation
  J. RESEARCH
    1. Policy
    2. Procedure
    3. Applicable Regulations
  K. RIGHT TO REQUEST ACCESS TO PROTECTED HEALTH INFORMATION
    1. Policy
    2. Procedure
    3. Applicable Regulation
  L. RIGHT TO REQUEST AN ACCOUNTING OF DISCLOSURES
    1. Policy
    2. Procedure
    3. Applicable Regulation
  M. RIGHT TO REQUEST AN AMENDMENT TO PROTECTED HEALTH INFORMATION
    1. Policy
    2. Procedure
    3. Applicable Regulation
  N. RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION
    1. Policy
    2. Procedure
    3. Applicable Regulation
  O. RIGHT TO REQUEST RESTRICTIONS ON THE USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
    1. Policy
    2. Procedure
    3. Applicable Regulation
  P. SAFEGUARDING PROTECTED HEALTH INFORMATION
    1. Policy
    2. Procedure
    3. Applicable Regulation
  Q. TRAINING
    1. Policy
    2. Procedure
    3. Applicable Regulation
HIPAA SAMPLE FORMS [SEE FOLLOWING PAGES]
  A. ACCOUNTING FOR DISCLOSURES OF PROTECTED HEALTH INFORMATION
  B. AUTHORIZATION TO USE/DISCLOSE PROTECTED HEALTH INFORMATION (HIPAA)
  C. BUSINESS ASSOCIATE AGREEMENT
  D. DENIAL OF REQUEST FOR AN AMENDMENT
  E. DENIAL OF REQUEST FOR ACCESS
  F. PRIVACY COMPLAINT
  G. REQUEST FOR ACCESS TO PROTECTED HEALTH INFORMATION
  H. REQUEST FOR ACCOUNTING OF DISCLOSURES
  I. REQUEST FOR AMENDMENT TO PROTECTED HEALTH INFORMATION
  J. ACKNOWLEDGEMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES
I. Introduction
A. General Policy
Pepperdine University is committed to protecting the privacy of individual health
information in compliance with the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) and the regulations promulgated thereunder. These policies
and procedures apply to protected health information created, acquired, or
maintained by the designated covered components of the University after April 14,
2003. The statements in this Manual represent the University’s general operating
policies and procedures. For further details regarding these policies and procedures
see 45 C.F.R. Parts 160 and 164.
B. Scope
Pepperdine University is a hybrid entity as defined in 45 C.F.R. § 164.103 and
includes both covered and non-covered components. These policies and procedures
apply only to the University’s designated covered components, which include:
Athletic Training Center;
Boone Center for the Family;
Disability Services Office;
Human Resources, Benefits Department;
Pepperdine Community Counseling Center;
Pepperdine Jerry B.H. Union Rescue Clinic;
Pepperdine Psychology and Education Clinic;
Student Counseling; and
Student Health Center.
Certain administrative and/or support offices may also be designated as covered
components.
The designated covered components may not share protected health information
with the non-covered components of the University, unless specifically permitted by
the privacy regulations. It is the responsibility of each designated covered
component to assure that their employees, students, volunteers, etc. comply with
these policies and procedures. A designated covered component may develop and
incorporate additional policies and procedures if doing so is necessary and
appropriate to comply with more stringent state laws. [1] However, a designated
covered component may not delete sections of these policies and procedures
without first consulting the Privacy Official or the Security Official.
[1] HIPAA ensures a federal standard (a “floor”) of privacy protections. State privacy laws may be
more stringent than the HIPAA privacy rule. In those cases, the more stringent state law will apply.
II. Definitions
Business Associate means a person or entity who, on behalf of a covered entity,
performs or assists in performance of a function or activity involving the use or
disclosure of individually identifiable health information, or any other function or
activity regulated by the HIPAA Administrative Simplification Rules, including the
Privacy Rule. Business Associates are also persons or entities performing legal,
actuarial, accounting, consulting, data aggregation, management, administrative,
accreditation, or financial services to or for a covered entity where performing those
services involves disclosure of individually identifiable health information by the
covered entity or another business associate of the covered entity to that person or
entity. A member of a covered entity’s workforce is not one of its business
associates. A covered entity may be a business associate of another covered entity.
45 C.F.R. § 160.103.
Covered Entity means a health plan, a health care clearinghouse, or a health care
provider who transmits health information in electronic form in connection with a
transaction for which the U.S. Department of Health and Human Services has
adopted a standard. 45 C.F.R. § 160.103.
Covered Functions means those functions of a covered entity the performance of
which makes the entity a health plan, health care provider, or health care
clearinghouse. 45 C.F.R. § 160.103.
Designated Covered Components (or Covered Components) means a component or
combination of components designated by the University, which is a Hybrid Entity.
The designated covered components of the University are listed in Section I.B. of this
Manual.
Designated Record Set means a group of records maintained by or for a covered
entity that includes medical and billing records about individuals, or a group of
records that are used in whole or in part by or for the covered entity to make
decisions about individuals. 45 C.F.R. § 164.501.
Direct Treatment Relationship means a treatment relationship between an individual
and a healthcare provider that is not an indirect treatment relationship. 45 C.F.R. §
164.501.
Disclosure means the release, transfer, access to, or divulging of information in any
other manner outside the entity holding the information. 45 C.F.R. § 160.103.
Electronic Media means electronic storage media including memory devices in
computers (hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or transmission
media used to exchange information already in electronic storage media.
Transmission media includes, for example, the Internet (wide-open), extranet (using
Internet technology to link a business with information accessible only to
collaborating parties), leased lines, dial-up lines, private networks, and the physical
movement of removable/transportable electronic storage media. Certain
transmissions, including of paper via facsimile, and of voice via telephone, are not
considered to be transmissions via electronic media because the information being
exchanged did not exist in electronic form before the transmission. 45 C.F.R. §
160.103.
HHS stands for the Department of Health and Human Services.
Health Care means care, services, or supplies related to the health of an individual,
including (1) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or
palliative care, and counseling, services, assessment, or procedure with respect to
the physical or mental condition, or functional status, of an individual that affects
the structure or function of the body; and (2) sale or dispensing of a drug, device,
equipment, or other item in accordance with a prescription. 45 C.F.R. § 160.103.
Health Care Clearinghouse means a public or private entity, including a billing
service, re-pricing company, community health management information system or
community health information system, and “value-added” networks and switches,
that does either of the following functions: (1) processes or facilitates the
processing of health information received from another entity in a nonstandard
format or containing nonstandard data content into standard data elements or a
standard transaction; (2) receives a standard transaction from another entity and
processes or facilitates the processing of health information into nonstandard
format or nonstandard data content for the receiving entity. 45 C.F.R. § 160.103.
Health Care Operations means any of the following activities of the covered entity to
the extent that the activities are related to covered functions: (1) conducting quality
assessment and improvement activities, population-based activities, and related
functions that do not include treatment; (2) reviewing the competence or
qualifications of health care professionals, evaluating practitioner, provider, and
health plan performance, conducting training programs where students learn to
practice or improve their skills as health care providers, training of professionals
that are not health care providers, accreditation, certification, licensing, or
credentialing activities; (3) underwriting, premium rating, and other activities
relating to the creation, renewal, or replacement of a contract of health insurance or
benefits; (4) conducting or arranging for medical review, legal services, and auditing
functions; (5) business planning and development; and (6) business management
and general administrative activities of the entity. 45 C.F.R. § 164.501.
Health Care Provider means a provider of services (as defined in section 1861(u) of
the Act, 42 U.S.C. § 1395x(u)), a provider of medical or health services (as defined in
section 1861(s) of the Act, 42 U.S.C. § 1395x(s)), and any other person or
organization who furnishes, bills, or is paid for health care in the normal course of
business. 45 C.F.R. § 160.103.
Health Information means any information whether oral or recorded in any form or
medium, that (1) is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or health care
clearinghouse; and (2) relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to an individual; or
the past, present, or future payment for the provision of health care to an individual.
45 C.F.R. § 160.103.
Health Plan means, with certain exceptions, an individual or group plan that
provides or pays the cost of medical care (as defined in section 2791(a)(2) of the
PHS Act, 42 U.S.C. § 300gg-91(a)(2)). 45 C.F.R. § 160.103.
Hybrid Entity means a single legal entity that is a covered entity, performs business
activities that include both covered and non-covered functions, and designates its
health care components as provided in the Privacy Rule. 45 C.F.R. § 164.103.
Indirect Treatment Relationship means a relationship between an individual and a
health care provider in which (1) the health care provider delivers health care to the
individual based on the orders of another health care provider; and (2) the health
care provider typically provides services or products, or reports the diagnosis or
results associated with the health care, directly to another health care provider, who
provides the services or products or reports to the individual. 45 C.F.R. § 164.501.
Individually Identifiable Health Information means information that is a subset of
health information, including demographic information collected from an individual,
and (1) is created or received by a health care provider, health plan, employer, or
health care clearinghouse; and (2) relates to the past, present, or future physical or
mental health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision of health care of
an individual; and (a) that identifies the individual; or (b) with respect to which
there is a reasonable basis to believe the information can be used to identify the
individual. 45 C.F.R. § 160.103.
Person means any natural person, trust or estate, partnership, corporation,
professional association or corporation, or other entity, public or private. 45 C.F.R.
§ 160.103.
Protected Health Information (or PHI) means individually identifiable information
transmitted or maintained in electronic media (ePHI), or transmitted or maintained
in any form or medium. PHI excludes education records covered by the Family
Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records
described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by a
covered entity in its role as employer. 45 C.F.R. §§ 164.501, 160.103.
Psychotherapy Notes means notes recorded (in any medium) by a health care
provider who is a mental health professional documenting or analyzing the contents
of conversation during a private counseling session or a group, joint, or family
counseling session and that are separated from the rest of the individual’s medical
records. Psychotherapy notes excludes medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies of treatment
furnished, results of clinical tests, and any summary of the following items:
diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress
to date. 45 C.F.R. § 164.501.
Research means a systematic investigation, including research development, testing,
and evaluation designed to develop or contribute to generalizable knowledge. 45
C.F.R. § 164.501.
Treatment means the provision, coordination, or management of health care and
related services by one or more health care providers, including the coordination or
management of health care by a health care provider with a third party;
consultation between health care provider relating to a patient; or the referral of a
patient for health care from one health care provider to another. 45 C.F.R. § 164.501.
Secretary means the Secretary of the U.S. Department of Health and Human Services
or any other officer or employee of HHS to whom the authority involved has been
delegated. 45 C.F.R. § 160.103.
Use means, with respect to individually identifiable health information, the sharing,
employment, application, utilization, examination, or analysis of such information
within the entity or health care component (for hybrid entities) that maintains such
information. 45 C.F.R. § 160.103.
Violation or violate means, as the context may require, failure to comply with an
administrative simplification provision.
Workforce means employees, volunteers, trainees, or other persons whose conduct
in the performance of work for a covered entity is under the direct control of such
entity, whether or not they are paid by the covered entity. 45 C.F.R. § 160.103.
III. General Policies and Procedures
A. Authorization to Use or Disclose Protected Health Information
1. Policy
Pepperdine University will obtain an individual’s authorization to use or disclose
protected health information in accordance with HIPAA and its regulations.
Generally, designated covered components do not need to obtain an individual’s
authorization when using and disclosing protected health information for routine
purposes (e.g., treatment, payment, or health care operations), or for other limited
purposes, as described in Pepperdine University’s Notice of Privacy Practices.
Otherwise, designated covered components must obtain an individual’s valid
authorization for the use or disclosure of protected health information.
2. Procedure
Authorization Form
• A Sample Authorization may be found on page 36 of this Manual.
• The authorization shall be written in plain language and shall contain the
  following information:
    o A description of the PHI to be used/disclosed that identifies the
      information in a specific and meaningful fashion;
    o A description of each purpose of the requested use or disclosure,
      for example, the statement “at the request of the individual” is a
      sufficient description of the purpose when an individual initiates
      the authorization and does not, or elects not to, provide a
      statement of the purpose;
    o The name of the person or organization authorized to disclose the
      PHI;
    o The name of the person or organization authorized to receive the
      PHI;
    o A statement that the individual has the right to revoke the
      authorization in writing;
    o A statement listing the exceptions to an individual’s right to
      revoke;
    o A statement that information used or disclosed pursuant to the
      authorization may be subject to re-disclosure by the recipient and
      no longer protected;
    o A statement that the individual may refuse to sign the
      authorization;
    o A statement that the covered component will not condition
      treatment, payment, enrollment or eligibility for benefits in a
      health plan, based on the individual providing authorization for
      the requested use or disclosure;
    o An expiration date (or expiration event); and
o The signature of the individual and date (or the signature of an
individual’s personal representative).
Ø The University must provide the individual with a signed copy of the
authorization.
Psychotherapy Notes
Ø The University will obtain an individual’s authorization to use or disclose
psychotherapy notes, except in the circumstances listed below.
Ø The University does not need to obtain an individual’s authorization to
use or disclose psychotherapy notes:
o To carry out treatment, payment, or health care operations;
o For use by the originator of the psychotherapy notes for
treatment;
o For use or disclosure by the designated covered component for its
own training programs in which students, trainees, or
practitioners in mental health learn under supervision to practice
or improve their skills in counseling;
o For use or disclosure by the covered entity to defend itself in a
legal action or proceeding brought by the individual; and
o For other limited uses and disclosures as described in 45 C.F.R. §
508(a)(2).
Revocation of Authorization
Ø An individual may revoke an authorization at any time, provided that the
revocation is in writing.
Ø If the University has already taken action in reliance on the authorization,
the University will stop providing the protected health information based
on the revoked authorization within a reasonable period of time.
Documentation
Ø The University must document and retain any signed authorization under
this section.
3. Applicable Regulations
45 C.F.R. §§ 164.508, 164.512.
B. Business Associates
1. Policy
From time to time, covered components may share protected health information
with external parties, known as business associates. Protected health information
generally may only be shared with business associates pursuant to a valid Business
Associate Agreement. A Business Associate Agreement can be in the form of a
written amendment to an existing agreement.
2. Procedure
Business Associate Agreement
Ø A Sample Business Associate Agreement is set forth on page 38 of this
Manual.
Ø Generally, PHI may only be shared with business associates pursuant to a
valid Business Associate Agreement.
Ø It is the responsibility of each designated covered component contracting
with business associates to assure that valid Business Associates
Agreements are executed.
Ø Business Associate Agreements must be in writing and must contain
certain language that is HIPAA compliant.
3. Applicable Regulations
45 C.F.R. §§ 164.502(e), 164.504(e), 164.532, 160.402.
C. Complaint
1. Policy
An individual who believes his or her HIPAA privacy rights have been violated may
file a complaint regarding the alleged privacy violation with the University’s Privacy
Official or the appropriate Office of Civil Rights (OCR) Regional office. Complaints
submitted to the University’s Privacy Official will be documented, reviewed, and
acted upon, if necessary.
2. Procedure
Filing a Complaint
Ø A Sample Complaint Form is set forth on page 46 of this Manual.
Ø If an individual believes his or her privacy rights have been violated, an
individual may file a complaint with the appropriate OCR Regional office,
or with the University’s Privacy Official located in the office of the Chief
Business Officer, Pepperdine University, 24255 Pacific Coast Highway,
Malibu, CA 90263. Each designated covered component must develop
and implement a process for receiving complaints and reporting them to
the University’s Privacy Official (this process can be as simple as
instructing individuals who wish to file a complaint to contact the
University’s Privacy Official).
Ø Individuals must file complaints in writing, either paper or electronically.
Ø A complaint must be filed 180 days from when the individual knew or
should have known of the circumstance that led to the complaint, unless
this time limit is waived for “good cause” shown.
Ø A complaint must name the entity that is the subject of the complaint and
describe the acts or omission believed to be in violation of the HIPAA
requirements.
Ø OCR may prescribe additional procedures for the filing of complaints, as
well as the place and manner of filing, by notice in the Federal Register.
Ø Individuals may not be penalized for filing a complaint.
Investigation, Sanctions
Ø The Privacy Official will investigate alleged complaints to determine if a
breach of privacy has occurred.
Ø If the Privacy Official determines that a violation occurred, the Privacy
Official will apply appropriate sanctions against the person or entity who
failed to comply with the privacy policies and procedures and instruct the
person or entity to take the corrective actions, if necessary. The Privacy
Official will document any sanctions imposed.
3. Applicable Regulations
45 C.F.R. §§ 160.304, 160.306, 160.308, 160.310, 160.410, 164.530.
D. De-Identification of Protected Health Information
1. Policy
The University may use or disclose de-identified PHI without obtaining an
individual’s authorization. PHI shall be considered de-identified if either of the two
de-identification procedures set forth below are followed.
2. Procedure
Removal of Identifiers
Ø De-identified PHI is rendered anonymous when identifying
characteristics are completely removed and when the University does not
have any actual knowledge that the information could be used alone or in
combination with other information to identify an individual.
Ø De-identification requires the elimination not only of primary or obvious
identifiers, such as the individual’s name, address, and date of birth, but
also of secondary identifiers through which a user could deduce the
individual’s identity.
Ø For information to be de-identified the following identifiers must be
removed:
o Names;
o All address information except for the state;
o Names of relatives and employers;
o All elements of dates (except year), including date of birth,
admission date, discharge date, date of death; and all ages over 89
and all elements of dates including year indicative of such age
except that such ages and elements may be aggregated into a
single category of age 90 or older;
o Telephone numbers;
o Fax numbers;
o E-mail addresses;
o Social security numbers;
o Medical record numbers;
o Health plan beneficiary numbers;
o Account numbers;
o Certificate/license numbers;
o Vehicle identifiers, including license plate numbers;
o Device ID’s and serial numbers;
o Web Universal Resource Locators (URL);
o Internet Protocol (IP) addresses;
o Biometric identifiers;
o Full face photographic images and other comparable images;
o Any other unique identifying number characteristics (except as
otherwise permitted for re-identification purposes).
Statistical Method
Ø PHI is considered de-identified if a person with appropriate knowledge of
and experience with generally accepted statistical and scientific
principles and methods for rendering information not individually
identifiable: (a) determines that the risk is very small that the
information could be used, alone or in combination with other reasonably
available information, by an anticipated recipient to identify an individual
who is a subject of the information; and (b) documents the methods and
results of the analysis to justify such determination.
Re-identification
Ø A covered component may assign a code or other means of record
identification to allow information de-identified under this section to be
re-identified by the covered component, provided that (a) the code or
other means of record identification is not derived from or related to
information about the individual and (b) the covered component does not
use or disclose the code or other means of record identification for any
other purpose, and does not disclose the mechanism for re-identification.
3. Applicable Regulations
45 C.F.R. §§ 164.502(d), 164.514(a) and (b)
E. Limited Data Sheets
1. Policy
Covered components may use and disclose a limited data set without an individual’s
authorization for the purposes of research, public health, or health care operations if
the covered component enters into a Data Use Agreement with the intended
recipient of the limited data set. A designated covered component may use
protected health information to create a limited data set, or to disclose protected
health information to a Business Associate to create a limited data set on behalf of
the covered component.
2. Procedure
Limited Data Set
Ø A limited data set is PHI that excludes the following direct identifiers of
the individual or relatives, employers, or household members of the
individual:
o Names;
o Postal address information, other than town, city, state, and zip
codes;
o Telephone numbers;
o Fax numbers;
o Electronic mail addresses;
o Social security numbers;
o Medical record numbers;
o Health plan beneficiary numbers;
o Account numbers;
o Certificate/license numbers;
o Vehicle identifiers and serial numbers (including license plate
number);
o Web Universal Resource Locators (URLs);
o Internet Protocol (IP) address numbers;
o Biometric identifiers, including finger and voiceprints; and
o Full face photographs and comparable images.
Data Use Agreements. Data use agreements must:
Ø Establish the permitted uses and disclosures of the limited data set;
Ø Establish who is permitted to use or receive the limited data set; and
Ø Provide that the recipient of the information will:
o Not use or further disclose the information other than as
permitted by the agreement;
o Use appropriate safeguards to prevent use or disclosure other
than as permitted by the agreement;
o Report to the University any uses or disclosures that recipient is
aware of that is not provided for by the agreement;
o Ensure that the recipient’s agents who have access to the
information agree to the same restrictions as imposed on the
recipient; and
o Not identify the information or contact the individuals.
3. Applicable Regulations
45 C.F.R. § 164.514(e).
F. Minimum Necessary Use and Disclosure of Protected
Health Information
1. Policy
When using or disclosing PHI or when requesting PHI from another entity covered
by the HIPAA privacy regulations, the University shall make a reasonable effort to
limit itself to the minimum amount of protected health information necessary to
accomplish the intended purpose of the use, disclosure or request. The University is
not required to apply the minimum necessary standard under the following
circumstances:
Ø For Treatment. Disclosure to or requests by a health care provider for
purposes of diagnosing or treating an individual.
Ø To the Individual. Uses or disclosures made to the individual.
Ø Pursuant to Patient’s Authorization. Uses or disclosures pursuant to a
valid authorization.
Ø To the HHS. Disclosures to the Office for Civil Rights of the U.S.
Department of Health and Human Services for HIPAA compliance
purposes.
Ø Required by Law. Uses or disclosures that are required by law (i.e., a
mandate that is contained in law that compels the University to use or
disclose protected health information and that is enforceable in a court of
law, e.g., court orders, court-ordered subpoenas, civil or authorized
investigative demands).
2. Procedure
The University recognizes that each designated covered component that uses or
discloses protected health information has a unique organizational structure and
that employees of the unit may perform various functions for the unit that require
different levels of access to protected health information. Further, the
responsibilities designated to these functions vary across each designated covered
component at the University and cannot be determined solely based on job title or
description. For these reasons it is the responsibility of each designated covered
component that uses and discloses protected health information to determine those
persons or classes of persons, as appropriate, in its workforce who need access to
protected health information to carry out their duties; and for each such person or
class of persons, the category or categories of protected health information to which
access is needed and any conditions appropriate to such access.
For any type of disclosure that it makes on a routine and recurring basis, a covered
component must implement policies and procedures (which may be standard
protocols) that limit the protected health information disclosed to the amount
reasonably necessary to achieve the purpose of the disclosure. For all other
disclosures, the covered component must develop criteria designed to limit the
protected health information disclosed to the information reasonably necessary to
accomplish the purpose for which disclosure is sought and review requests for
disclosure on an individual basis in accordance with such criteria.
3. Applicable Regulations
45 C.F.R. §§ 164.502, and 164.514(d).
G. Notice of Privacy Practices
1. Policy
Pepperdine University is committed to maintaining and protecting the
confidentiality of the individual’s PHI. This Notice of Privacy Practices applies to
Pepperdine University (Athletics, Boone Center for the Family, Counseling Center,
Disability Services Office, Graduate School of Education and Psychology (PRYDE,
Union Rescue Mission, Clinics), Human Resources, and Student Health Center)
(“Departments”). Pepperdine University is required by federal and state law,
including the Health Insurance Portability and Accountability Act (“HIPAA”), to
protect the individual’s PHI and other personal information. Pepperdine is required
to provide the individual with this Notice of Privacy Practices about the University’s
policies, safeguards, and practices. When Pepperdine University uses or discloses
an individual’s PHI, Pepperdine University is bound by the terms of this Notice of
Privacy Practices, or the revised Notice of Privacy Practices, if applicable.
The University’s Obligations:
Pepperdine is required by law to:
Ø Maintain the privacy of PHI (with certain exceptions)
Ø Give the individual this notice of the University’s legal duties and privacy
practices regarding health information about the individual
Ø Follow the terms of the University’s Notice of Privacy Practice that is
currently in effect
2. Procedure
How the University may use and disclose PHI:
The following describes the ways the University may use and disclose PHI. Except
for the purposes described below, the University will use and disclose PHI only with
the individual’s written permission. The individual may revoke such permission at
any time by writing to Pepperdine University’s Compliance Officer.
Ø For Treatment. The University may use and disclose PHI for the individual’s
treatment and to provide the individual with treatment-related health care
services. For example, the University may disclose PHI to doctors, nurses,
technicians, or other personnel, including people outside the University’s
office, who are involved in the individual’s medical care and need the
information to provide the individual with medical care.
Ø For Payment. The University may use and disclose PHI so that the University
or others may bill and receive payment from the individual, an insurance
company or a third party for the treatment and services the individual
received. For example, the University may tell the individual’s insurance
company about a treatment the individual is going to receive to determine
whether the individual’s insurance company will cover the treatment.
Ø For Health Care Operations. The University may use and disclose PHI for
health care operations purposes. These uses and disclosures are necessary
to make sure that all of the University’s patients receive quality care and to
operate and manage the University’s office. For example, the University may
share information with doctors, residents, nurses, technicians, clerks, and
other personnel for quality assurance and educational purposes. The
University also may share information with other entities that have a
relationship with the individual (for example, the individual’s insurance
company and anyone other than the individual who pays for the individual’s
services) for the individual’s health care operation activities.
Ø Appointment Reminders, Treatment Alternatives, and Health Related
Benefits and Services. The University may use and disclose PHI to contact
the individual to remind them that they have an appointment with the
University. The University also may use and disclose PHI to tell the
individual about treatment alternatives or health-related benefits and
services that may be of interest to the individual.
Ø Third Parties Involved in an Individual’s Care or Payment for an Individual’s
Care. When appropriate, the University may share PHI with a person who is
involved in the individual’s medical care or payment for the individual’s care,
such as the individual’s family or a close friend. The University also may
notify the individual’s family about the individual’s location or general
condition or disclose such information to an entity (such as the Red Cross)
assisting in a disaster relief effort.
Ø Research. Under certain circumstances, the University may use and disclose
PHI for research. For example, a research project may involve comparing the
health of patients who received one treatment to those who received
another, for the same condition. The University will generally ask for the
individual’s written authorization before using the individual’s PHI or
sharing it with others to conduct research. Under limited circumstances, the
University may use and disclose PHI for research purposes without the
individual’s permission. Before the University uses or discloses PHI for
research without the individual’s permission, the project will go through a
special approval process to ensure that research conducted poses minimal
risk to the individual’s privacy. The individual’s information will be
de-identified. Researchers may contact the individual to see if the individual is
interested in or eligible to participate in a study.
SPECIAL SITUATIONS:
Ø As Required by Law. The University will disclose PHI when required to do so
by international, federal, state or local law.
Ø To Avert a Serious Threat to Health or Safety. The University may use and
disclose PHI when necessary to prevent a serious threat to the individual’s
health and safety or the health and safety of others. Disclosures, however,
will be made only to someone who may be able to help prevent or respond to
the threat, such as law enforcement or a potential victim. For example, the
University may need to disclose information to law enforcement when a
patient reveals participation in a violent crime.
Ø Business Associates. The University may disclose PHI to the University’s
business associates that perform functions on the University’s behalf or
provide the University with services if the information is necessary for such
functions or services. For example, the University may use another company
to perform billing services on the University’s behalf. All of the University’s
business associates are obligated to protect the privacy of the individual’s
information and are not allowed to use or disclose any information other
than as specified in our contract.
Ø Organ and Tissue Donation. If the individual is an organ donor, the
University may use or release PHI to organizations that handle organ
procurement or other entities engaged in procurement, banking or
transportation of organs, eyes or tissues to facilitate organ, eye or tissue
donation and transplantation.
Ø Military and Veterans. If the individual is a member of the armed forces, the
University may release PHI as required by military command authorities.
The University also may release PHI to the appropriate foreign military
authority if the individual is a member of a foreign military.
Ø Workers’ Compensation. The University may release PHI for workers’
compensation or similar programs. These programs provide benefits for
work-related injuries or illness.
Ø Public Health Risks. The University may disclose PHI for public health risks
or certain occurrences. These risks and occurrences generally include
disclosures to prevent or control disease, injury or disability; report births
and deaths; report child, elder or dependent adult abuse or neglect; report
reactions to medications or problems with products; notify people of recalls
of products they may be using; a person who may have been exposed to a
disease or may be at risk for contracting or spreading a disease or condition;
and the appropriate government authority if we believe a patient has been
the victim of abuse, neglect, or domestic violence (we will only make this
disclosure when required or authorized by law).
Ø Health Oversight Activities. The University may disclose PHI to a health
oversight agency, such as the California Department of Health and Human
Services or Center for Medicare and Medical Services, for activities
authorized by law. These oversight activities include, for example, audits,
investigations, inspections, and licensure. These activities are necessary for
the government to monitor the health care system, government programs,
and compliance with civil rights laws.
Ø Data Breach Notification Purposes. The University may use or disclose the
individual’s PHI to provide legally required notices of unauthorized access to
or disclosure of PHI.
Ø Lawsuits and Disputes. If the individual is involved in a lawsuit or a dispute,
the University may disclose PHI in response to a court or administrative
order. The University also may disclose PHI in response to a subpoena,
discovery request, or other lawful request by someone else involved in the
dispute, but only if efforts have been made to tell the individual about the
request or to allow the individual to obtain an order protecting the
information requested.
Ø Law Enforcement. The University may release PHI if asked by a law
enforcement official if the information is: (1) in response to a court order,
subpoena, warrant, summons or similar process; (2) limited information to
identify or locate a suspect, fugitive, material witness, or missing person; (3)
about the victim of a crime even if, under certain very limited circumstances,
the University is unable to obtain the individual’s agreement; (4) about a
death the University believes may be the result of criminal conduct; (5) about
criminal conduct on the University’s premises; and (6) in an emergency to
report a crime, the location of the crime or victims, or the identity,
description or location of the person who committed the crime.
Ø Coroners, Medical Examiners and Funeral Directors. The University may
release PHI to a coroner or medical examiner. This may be necessary, for
example, to identify a deceased person or determine the cause of death. The
University also may release PHI to funeral directors as necessary for their
duties.
Ø National Security and Intelligence Activities. The University may release PHI
to authorized federal officials for intelligence, counter-intelligence, and other
national security activities authorized by law.
Ø Protective Services for the President and Others. The University may
disclose PHI to authorized federal officials so they may provide protection to
the President, other authorized persons or foreign heads of state, or to
conduct special investigations.
Ø Inmates or Individuals in Custody. If the individual is an inmate of a
correctional institution or under the custody of a law enforcement official,
the University may release PHI to the correctional institution or law
enforcement official. This release would be necessary if: (1) for the
institution to provide the individual with health care; (2) to protect the
individual’s health and safety or the health and safety of others; or (3) the
safety and security of the correctional institution.
USES AND DISCLOSURES THAT REQUIRE THE UNIVERSITY TO GIVE THE
INDIVIDUAL AN OPPORTUNITY TO OBJECT/OPT OUT:
Ø Third Parties Involved in the Individual’s Care or Payment for Individual’s
Care. Unless the individual objects, the University may disclose to a member
of the individual’s family, a relative, a close friend or any other person the
individual identifies, the individual’s PHI that directly relates to that third
party’s involvement in the individual’s health care. If the individual is unable
to agree or object to such a disclosure, the University may disclose such
information as necessary if the University determines that it is in the
individual’s best interest based on the University’s professional judgment.
Ø Disaster Relief. The University may disclose the individual’s PHI to disaster
relief organizations that seek the individual’s PHI to coordinate the
individual’s care, or notify family and friends of the individual’s location or
condition in a disaster. The University will provide the individual with an
opportunity to agree or object to such a disclosure whenever the University
practically can do so.
Ø Fundraising. The University may notify the individual about fundraising
events that support Pepperdine University.
INDIVIDUAL’S WRITTEN AUTHORIZATION IS REQUIRED FOR OTHER USES AND
DISCLOSURES:
The following uses and disclosures of the individual’s PHI will be made only with the
individual’s written authorization:
1. Uses and disclosures of PHI for marketing purposes;
2. Disclosures that constitute a sale of the individual’s PHI; and
3. Disclosures of psychotherapy notes.
Ø Other uses and disclosures of PHI not covered by this Notice of Privacy
Practice or the laws that apply to the University will be made only with the
individual’s written authorization. If the individual gives us authorization,
the individual may revoke it at any time by submitting a written revocation
to the Pepperdine University Compliance Officer, and we will no longer disclose
PHI under the authorization. But disclosures that the University made in
reliance on an individual’s authorization before the individual revoked it will
not be affected by the revocation.
INDIVIDUAL’S RIGHTS REGARDING PHI:
Ø Right to Inspect and Copy. The individual has a right to inspect and copy PHI
that may be used to make decisions about the individual’s care or payment
for the individual’s care. This includes medical and billing records, other
than psychotherapy notes. To inspect and copy the individual’s PHI, the
individual must make their request, in writing, to the Department in which
their care was provided. The University has up to 30 days to make the
individual’s PHI available to the individual and the University may charge the
individual a reasonable fee for the costs of copying, mailing or other supplies
associated with the individual’s request. The University may not charge the
individual a fee if the individual needs the information for a claim for benefits
under the Social Security Act or any other state or federal needs-based
benefit program. The University may deny the individual’s request in certain
limited circumstances. If the University does deny the individual’s request,
the individual has the right to have the denial reviewed by a licensed
healthcare professional that was not directly involved in the denial of the
individual’s request, and the University will comply with the outcome of the
review.
Ø Right to Get Notice of a Breach. Pepperdine University is committed to
safeguarding the individual’s PHI. If a breach of the individual’s PHI occurs,
the University will notify the individual in accordance with state and federal
law.
Ø Right to Amend, Correct or Add an Addendum. If the individual feels that the
PHI the University has is incorrect, incomplete, or the individual wishes to
add an addendum to the individual’s records, the individual has the right to
make such request for as long as the information is kept by or for the
University’s office. The individual must make their request in writing to the
Department in which their care was provided. In the case of claims that the
information is incorrect, incomplete, or if the record was not created by
Pepperdine University, the University may deny the individual’s request.
However, if the University denies any part of the individual’s request, the
University will provide the individual with a written explanation of the
reasons for doing so within 60 days of the individual’s request.
Ø Right to an Accounting of Disclosures. Individuals have the right to request a
list of certain disclosures the University made of PHI for purposes other than
treatment, payment, health care operations, certain other purposes
consistent with law, or for which the individual provided written
authorization. To request an accounting of disclosure, individuals must make
their request, in writing, to the Department in which the individual’s care
was provided. The individual may request an accounting of disclosures for
up to the previous six years of services provided before the date of the
individual’s request. If more than one request is made during a 12-month
period, Pepperdine University may charge a cost-based fee.
Ø Right to Request Restrictions. Individuals have the right to request a
restriction or limitation on the PHI Pepperdine University uses or discloses
for treatment, payment, or health care operations. Individuals also have the
right to request a limit on the PHI we disclose to someone involved in the
individual’s care or the payment for the individual’s care, like a family
member or friend. For example, the individual could ask that the University
not share information about a particular diagnosis or treatment with the
individual’s spouse. To request a restriction, the individual must make their
request, in writing, to the Department in which their care was provided. The
University is not required to agree to the individual’s request unless the
individual is asking us to restrict the use and disclosure of the individual’s
PHI to a health plan for payment or health care operation purposes and such
information the individual wishes to restrict pertains solely to a health care
item or service for which the individual has paid the University out-of-pocket
in full. If the University agrees, the University will comply with the
individual’s request unless the information is needed to provide the
individual with emergency treatment or to comply with law. If the University
does not agree, the University will provide an explanation in writing.
Ø Out-of-Pocket Payments. If the individual pays out-of-pocket (or in other
words, the individual has requested that the University not bill the
individual’s health plan) in full for a specific item or service, the individual
has the right to ask that the individual’s PHI with respect to that item or
service not be disclosed to a health plan for purposes of payment or health
care operations, and the University will honor that request.
Ø Right to Request Confidential Communications. Individuals have the right to
request that the University communicate with them about medical matters in
a certain way or at a certain location. For example, the individual can ask
that the University only contact individuals by mail or at work. To request
confidential communications, individuals must make their request, in
writing, to the Department in which their care was provided. The
individual’s request must specify how or where the individual wishes to be
contacted. The University will accommodate reasonable requests.
Ø Right to Choose Someone to Act for the Individual. If the individual gives
someone medical power of attorney or if someone is the individual’s legal
guardian, that person can exercise the individual’s rights and make choices
about the individual’s PHI. The University will use our best efforts to verify
that person has authority to act for the individual before the University takes
any action.
Ø Right to a Paper Copy of This Notice of Privacy Practices. Individuals have
the right to a paper copy of this Notice of Privacy Practices. Individuals may
ask the University to give the individual a copy of this Notice of Privacy
Practices at any time. Even if the individual has agreed to receive this Notice
of Privacy Practices electronically, individuals are still entitled to a paper
copy of this Notice of Privacy Practices. Individuals may obtain a copy of this
Notice of Privacy Practices on our web site at
http://www.pepperdine.edu/provost/content/policies/hipaa_manual_5_2012.pdf.
To obtain a paper copy of this Notice of Privacy Practices, contact the
Department in which the individual’s care was provided.
CHANGES TO THIS NOTICE OF PRIVACY PRACTICES:
Ø Pepperdine University reserves the right to change this Notice of Privacy
Practices and make the new Notice of Privacy Practices apply to PHI the
University already has as well as any information the University receives in
the future. The University will post a copy of the University’s current Notice
of Privacy Practice at our office. The Notice of Privacy Practices will contain
the effective date on the first page, in the top right-hand corner. Individuals
will be sent information regarding the changes via e-mail or via mail on how
they can obtain a new copy. Individuals will be asked to sign off on the new
Notice of Privacy Practices at the individual’s next scheduled appointment.
COMPLAINTS:
Ø If an individual believes their privacy rights have been violated, the
individual may file a complaint with Kim Miller, HIPAA Compliance Officer,
24255 Pacific Coast Highway, Malibu, CA 90263, 310.506.4208. All
complaints must be made in writing. Individuals may also contact the
Secretary of the Department of Health and Human Services or Director, Office
of Civil Rights of the U.S. Department of Health and Human Services. Please
contact the University Compliance Officer if an individual needs assistance
locating current contact information. Individuals will not be penalized or
retaliated against for filing a complaint.
3. Applicable Regulation
45 C.F.R. § 164.520
H. Privacy Official, Security Officer, and Privacy Coordinators
1. Privacy Official
The University has designated a Privacy Official who is responsible for the
development and implementation of the University’s policies and procedures
related to the privacy and security of protected health information under HIPAA.
Responsibilities of the Privacy Official include:
Ø Maintain ongoing communication with the Security Official and all
Privacy Coordinators.
Ø Coordinate training programs for the designated covered components in
cooperation with the Privacy Coordinators.
Ø Maintain ongoing communications with the IRB regarding research use of
PHI.
Ø Respond to complaints regarding University policies, procedures, and
practices related to the privacy of health information.
Ø Respond to, or refer to the appropriate covered component, requests by
individuals for access and amendment, an accounting of disclosures, or
requested restrictions to the use and disclosure of the individual’s PHI.
The contact information for the Privacy Official is:
Kim Miller
Pepperdine University
24255 Pacific Coast Highway
Malibu, CA 90263
E-mail: kim.miller@pepperdine.edu
Telephone: (310) 506-4208
This information is subject to change and will be revised accordingly.
2. Security Official
The University has designated a Security Official to assist the Privacy Official and
Privacy Coordinators in carrying out University adopted policies and procedures
related to the privacy and security of individuals’ ePHI under HIPAA.
Responsibilities of the Security Official include:
Ø Maintain ongoing communication with the Privacy Official and all Privacy
Coordinators.
Ø Assist in the development of policies and procedures of each covered
component related to the security of ePHI.
Ø Assist in the development and implementation of ongoing security
awareness and training programs for the workforce of covered
components, researchers, and students with respect to ePHI.
Ø Monitor the use of security measures to protect ePHI.
Ø Assist in revising the University’s policies and procedures related to the
privacy and security of ePHI as required to comply with changes in any
applicable laws and document any changes.
The contact information for the Security Official is:
Kim Cary
Pepperdine University
24255 Pacific Coast Highway
Malibu, CA 90263
E-mail: kim.cary@pepperdine.edu
Telephone: (310) 506-6655
3. Privacy Coordinators
The University has designated Privacy Coordinators within each of the covered
components to assist the Privacy Official and the Security Officer in carrying out
University adopted policies and procedures related to the privacy and security of
protected health information under HIPAA.
Responsibilities of the Privacy Coordinators include:
Ø Perform the role of liaison and maintain ongoing communication with the
Privacy Official and the Security Official.
Ø Communicate with the Privacy Official and the Security Official regarding
the privacy and security policies of the covered component within which
the Privacy Coordinator is located.
Ø Develop and maintain procedures consistent with the policy for
protection of PHI in the covered component.
Ø Maintain all policies and procedures in written or electronic form.
Ø Inform members of the covered component about the policies and
procedures through various mechanisms, including staff meetings,
orientation for new workforce members, and ongoing education.
Ø Monitor the process for identifying workforce members within the
covered component who require access to PHI.
Ø Monitor compliance with the policies and procedures of the covered
component.
Ø Report to the Privacy Official violations that result in an impermissible
use or disclosure of PHI, and report to the Security Official violations that
result in an impermissible use or disclosure of ePHI.
Ø Help ensure continued compliance with HIPAA and University policies
and procedures.
The contact information for each of the Privacy Coordinators is:
Student Health Center
Rebecca Roldan
E-mail: rebecca.roldan@pepperdine.edu
Telephone: (310) 506-4316 (Option #3 for Business Inquiries)
Athletic Training Center
Kevin Wright, Athletic Trainer
E-mail: kevin.wright@pepperdine.edu
Telephone: (310) 506-4602
Student Counseling Center
Dr. Nivla Fitzpatrick
E-mail: nivla.fitzpatrick@pepperdine.edu
Telephone: (310) 506-4210
Pepperdine University Psychological & Educational Clinic
West Los Angeles Graduate Campus
Dr. Aaron Aviera, Director
E-mail: aaron.aviera@pepperdine.edu
Telephone: (310) 568-5752
Pepperdine Community Counseling Center
Orange County Graduate Campus
Dr. Duncan Wigg, Director
E-mail: duncan.wigg@pepperdine.edu
Telephone: (949) 223-2522
Pepperdine Community Counseling Center
Encino Graduate Campus
Dr. Anat Cohen, Director
E-mail: anat.cohen@pepperdine.edu
Telephone: (818) 501-1660
Pepperdine Jerry B.H. Union Rescue Clinic
Dr. Aaron Aviera, Director
Pepperdine University Psychology & Educational Clinic
E-mail: aaron.aviera@pepperdine.edu
Telephone: (310) 568-5752
Pepperdine Jerry B.H. Union Rescue Clinic
Dr. Cary Mitchell, Director
Pepperdine University Psychology & Educational Clinic
E-mail: cary.mitchell@pepperdine.edu
Telephone: (310) 506-8553
Human Resources
Angie Pedersen
E-mail: angie.pedersen@pepperdine.edu
Telephone: (310) 506-4190
PRYDE (Pepperdine Resource, Youth Diversion, and Education)
Kenneth Woog, Associate Director
Graduate School of Education and Psychology
E-mail: kenneth.woog@pepperdine.edu
Telephone: (949) 283-0041
Boone Center for the Family
Holly Ebright
Graduate School of Education and Psychology
E-mail: holly.ebright@pepperdine.edu
Telephone: (310) 506-4771
Disability Services Office
Eunice Chong
E-mail: eunice.chong@pepperdine.edu
Telephone: (310) 506-6500
This information is subject to change and will be revised accordingly.
4. Applicable Regulation
45 C.F.R. § 164.530(a).
I. Records Retention
1. Policy
The University will maintain certain documentation regarding its HIPAA
compliance, in written or electronic form.
2. Procedure
Ø Covered components must retain the following documentation for six
years from the date of its creation or the date it was last in effect
(whichever is later):
o Policies and Procedures. Any policy or procedural documentation,
including notice of privacy practices, consents (if any) and
authorizations, and other standard forms.
o Patient Requests. Patient requests for access, amendment, or
accounting of disclosures.
o Complaints. The handling of any individual’s complaints.
o Workforce Training. The processes for and content of workforce
training.
o Sanctions. The handling of any sanctions against members of its
workforce who fail to comply with the privacy policies and
procedures of the covered component.
Ø If state laws require longer retention periods, the state requirements
control.
3. Applicable Regulation
45 C.F.R. § 164.530(j).
J. Research
1. Policy
HIPAA establishes privacy protections from human subjects research and
establishes the conditions under which protected health information may be used or
disclosed by Pepperdine University for research purposes. This policy and
procedure should be followed in addition to any applicable federal or state
regulations governing the protection of human subjects research, as well as any
applicable Institutional Review Board (“IRB”) policies and procedures.
2. Procedure
Research
Ø Pepperdine University may use or disclose protected health information
for research, regardless of the source of the funding of the research, in the
following circumstances:
o Individual Authorization. The individual has signed a valid
authorization;
o Board Approval of Waiver. The IRB has approved a proper waiver
of the need to obtain the individual’s authorization;
o Limited Data Set. The health information is used or disclosed in a
limited data set in accordance with a valid Data Use Agreement;
o De-identification. The health information has been de-identified;
o Preparatory to Research. PHI may be used or disclosed to a
researcher as necessary to prepare a research protocol or for
similar purposes preparatory to research if the University obtains
the following representations from the researcher: (a) the use or
disclosure is sought solely to review PHI as necessary to prepare a
research protocol or for similar purposes preparatory to research;
(b) no PHI will be removed from the University by the researcher
in the course of the review; and (c) the PHI for which use or access
is sought is necessary for the research purposes;
o Decedent’s Research. PHI may be used or disclosed to a
researcher for research on decedents if the University obtains the
following from the researcher: (a) a representation that the use or
disclosure sought is solely for research on the PHI of decedents;
(b) documentation of the death of such individual(s) and/or
research subject(s); (c) a representation that the PHI for which use
or disclosure is sought is necessary for research purposes.
Ø If the University is also the researcher, the University must still obtain the
proper authorization or fit within one of the other exceptions before
using PHI for research purposes.
Research Pursuant to an Authorization
Ø Research authorizations must contain the same core elements as other
authorizations (Authorization to Use or Disclose Protected Health
Information on pages 9 and 10), except for the following differences:
o The University may condition the provision of research-related
treatment on a provision of authorization for the use or disclosure
of protected health information for such research;
o An authorization for use and disclosure of protected health
information for a research study may be combined with any other
type of written permission for the same research study, including
another authorization for the use or disclosure of protected health
information for such research or consent to participate in such
research;
o A research authorization does not need to contain an expiration
date or event as is required for other authorizations (the language
“end of the research study” or “none” or similar language is
sufficient).
Revocation
Ø A research authorization may be revoked by an individual.
Ø If an authorization is revoked, the University may continue its use or
disclosure of the PHI already obtained pursuant to the valid authorization
to the extent necessary to preserve the integrity of the research study.
IRB Waiver Approval
Ø For a use or disclosure to be permitted upon IRB approval, the IRB must
document that all of the following criteria have been met:
o The use or disclosure of PHI involves no more than a minimal risk
to the privacy of individuals, based on the presence of the
following elements: (i) an adequate plan to protect the identifiers
from improper use and disclosure; (ii) an adequate plan to destroy
the identifiers at the earliest opportunity consistent with the
conduct of research, unless there is a health or research
justification for retaining the identifiers or such retention is
otherwise required by law; and (iii) adequate written assurances
that the protected health information will not be reused or
disclosed to any other person or entity, except as required by law,
for authorized oversight of the research study, or for other
research for which the use or disclosure of protected health
information would be permitted under this policy;
o The research could not be conducted without the waiver or
alteration; and
o The research could not be conducted without access to and use of
the protected health information.
Ø The documentation should include a statement identifying the IRB and
the date on which the alteration or waiver of authorization was approved.
Ø The documentation should include a brief description of the PHI for
which use or access has been determined to be necessary by the IRB.
Ø The documentation should include a statement that the alteration or
waiver of authorization has been reviewed.
Ø The Chair of the IRB or other member designated by the Chair must sign
the document.
3. Applicable Regulations
45 C.F.R. §§ 164.501, 164.508, 164.512.
K. Right to Request Access to Protected Health Information
1. Policy
Individuals have the right to request access to inspect or copy their protected health
information that is maintained in a designated record set. The University will
address an individual’s request to inspect or copy his or her protected health
information in a timely and professional manner. Individuals do not have the right
to access certain types of information (set forth below), and in those situations, the
University may deny an individual’s request to access. In certain circumstances, an
individual may have the right to have a denial reviewed. The University will adhere
to the procedures set forth below when addressing, denying, or reviewing an
individual’s request to access.
2. Procedure
Requests for Access
Ø A Sample Request for Access Form is set forth on page 47 of this Manual.
Ø Each covered component must designate the title of the person(s) or
office responsible for receiving and processing requests for access by
individuals.
Ø Individuals must be instructed to direct their request for access to the
designated person responsible for receiving such requests.
Ø Individuals may be instructed to make their request for access in writing.
Ø The person responsible for processing the request may discuss the scope,
format, and other aspects of the request for access with the individual as
necessary to facilitate a timely provision of access.
Ø The parties can agree in advance that a summary of the requested
protected health information will be provided in lieu of access to the
information.
Ø Upon receipt of a proper request, the covered component will act on the
request by either: (1) informing the individual of acceptance and
providing the access requested; or (2) providing the individual with a
written denial in accordance with the procedure set forth.
Ø If the covered component does not maintain the requested protected
health information, but it knows where the requested information is
maintained, the covered component will inform the individual where to
direct the request for access.
Ø An individual’s request for access must be acted upon no later than 30
days after the request is made; or, if the request is for protected health
information that is not maintained or accessible on-site, no later than 60
days after the request.
Providing Access
Ø If a request for access is granted, the individual will be given access to the
protected health information in a secure and confidential manner.
Ø The covered component will provide the individual with access to the
protected health information in the form or format requested by the
individual, if it is readily producible in such form or format. If it is not
readily producible in such format, the covered component will provide
the access in such other form as agreed to by the individual.
Ø In instances where the protected health information is in more than one
record set, or at more than one location, the covered component will only
produce the protected health information once in response to the request
for access.
Denial of Access
Ø A Sample Denial of Access Form is set forth on page 45 of this Manual.
Ø A written denial of access may be issued in the following circumstances:
o Psychotherapy Notes. An individual does not have the right to
access psychotherapy notes relating to him or herself except (a) to
the extent the patient’s treating professional approves such
access in writing; or (b) the patient obtains a court order
authorizing such access.
o Legal Information. An individual does not have the right to access
information compiled in reasonable anticipation of, or for use in, a
civil, criminal, or administrative action or proceeding.
o Endangerment. An individual does not have the right to access
information in the event that a licensed health care professional
has determined, in the exercise of professional judgment, that the
access requested is reasonably likely to endanger the life or
physical safety of the individual or another person.
o Obtained from Someone Else. An individual does not have the
right to access information if the protected health information was
obtained from someone other than a health care provider under a
promise of confidentiality and the access requested would be
reasonably likely to reveal the source of the information.
o Reference to Other People. An individual does not have the right
to access information if the protected health information makes
reference to another person and a licensed health care
professional has determined, in the exercise of professional
judgment, that access requested is reasonably likely to cause
substantial harm to such other person.
o Personal Representative. An individual does not have the right to
access information if the request for access is made by the
individual’s personal representative and a licensed health care
professional has determined, in the exercise of professional
judgment, that the provision of access to such personal
representative is reasonably likely to cause substantial harm to
the individual or another person.
o Research. The University may temporarily suspend an individual’s
access to protected health information created or obtained in the
course of research that includes treatment. The suspension may
last for as long as the research is in progress, provided that the
individual agreed to the denial of access when consenting to
participate in the research, and the individual has been informed
that the right of access will be reinstated upon completion of the
research.
o Other Limited Circumstances. There are other limited
circumstances when an individual does not have the right to
access protected health information, listed in 45 C.F.R. § 164.524.
Ø When denying an individual access to protected health information, the
denial will be written in plain language and
o Contain the basis for the denial;
o If applicable, contain a statement of the individual’s review rights,
including a description of how the individual may exercise such
rights; and
o Contain a description of how the individual may complain to the
University pursuant to the University’s complaint process (and
include the title and telephone number of the contact person), or
to the appropriate OCR Regional office.
Ø The University must, to the extent possible, grant the individual access to
any other protected health information requested after excluding the
protected health information that was denied.
Reviewing a Denial of Access
Ø If access is denied based on (1) Endangerment; (2) Reference to Other
People; or (3) Personal Representative (these exceptions are all set forth
above), the individual must be given the opportunity to have the denial
reviewed.
Ø If an individual has requested a review of denial, the University must
designate a licensed health care professional, who was not directly
involved in the denial, to review the decision to deny access.
Ø The reviewing official must determine whether or not to confirm the
denial based on the standards set forth in 45 C.F.R. 164.524(a)(3). The
reviewing official must review the denial of access within a reasonable
period of time and then must promptly notify the individual of the
decision and take any necessary action to carry out the reviewing official’s
decision.
Costs and Fees
Ø The University may impose a reasonable, cost-based fee for copying costs
and postage in response to a request for access.
Ø If the individual agrees in advance, the University may impose a
reasonable cost-based fee for preparing a summary of the protected
health information.
Documentation
Ø The University must document and retain:
o The designated record sets that are subject to access by
individuals; and
o The titles of the persons or offices responsible for receiving and
processing requests for access by individuals.
3. Applicable Regulation
45 C.F.R. § 164.524.
L. Right to Request an Accounting of Disclosures
1. Policy
The University will permit individuals to request and receive an accounting of
disclosures of their protected health information. An individual may request an
accounting for disclosures that have been made up to six years prior to the date of
his or her request; however, the University is not required to account for any
disclosures that occurred prior to the HIPAA compliance date of April 14, 2003. The
accounting must include all disclosures except for the following:
Ø Disclosures made to carry out treatment, payment, or health care
operations;
Ø Disclosures made to the individual;
Ø Disclosures made pursuant to an individual’s authorization;
Ø Disclosures for a facility directory;
Ø Disclosures to persons directly involved in the individual’s care or
payment or disclosures for notification purposes pursuant to 45 C.F.R. §
164.510(b);
Ø Disclosures for national security or intelligence purposes;
Ø Disclosures to correctional facilities or law enforcement officials;
Ø Disclosures made as part of a limited data set;
Ø Disclosures that occurred prior to the compliance date; and
Ø Other limited disclosures as set forth in 45 C.F.R. § 164.528.
2. Procedure
Request for Accounting
Ø Individuals will be permitted to request and receive an accounting of
disclosures of their protected health information.
Ø Designated covered components may require requests for an accounting
to be submitted in writing.
Ø A Sample Request for Accounting of Disclosures Form is set forth on page
35 of this Manual.
Accounting Requirements
Ø A Sample Accounting for Disclosures Form is set forth on page 48 of this
Manual.
Ø An individual must receive a written accounting of disclosures and the
written accounting must include:
o The date of disclosure;
o The name of the entity or person who received the protected
health information, if known, the address of such entity or person;
o A brief description of the protected health information disclosed;
and
o A brief statement of the purpose of the disclosure; or in lieu of
such statement, a copy of a written request for a disclosure, if any.
Ø If the University has made multiple disclosures of the protected health
information to the same person or entity for a single purpose, or pursuant
to a single authorization, the accounting may, with respect to such
multiple disclosures, provide:
o The information required above for the first disclosure during the
accounting;
o The frequency or number of disclosures made during the
accounting; and
o The date of the last such disclosure during the accounting period.
Ø The University must act on the individual’s request for an accounting no
later than 60 days after receipt of such a request. If the University is
unable to provide the accounting within this time frame, it may extend
the time to provide the accounting by no more than 30 days, provided
that: (1) the University provides the individual with a written statement
of the reasons for delay and the date by which the University will provide
the accounting; and (2) the University may have only one such extension
of time for action on a request for an accounting.
Suspension of Accounting of Disclosures
Ø An accounting of disclosures may be suspended at the request of a health
oversight agency or law enforcement official if certain conditions are met.
Ø If a designated health care component receives a request to suspend an
individual’s right to receive an accounting of disclosures, the designated
covered component should contact the University’s Privacy Official.
Costs and Fees
Ø The first accounting of disclosures to an individual in any twelve (12)
month period must be provided at no charge.
Ø A reasonable cost-based fee may be imposed for each subsequent request
for an accounting by the same individual within the 12-month period,
provided that the University informs the individual in advance of the fee
and provides the individual with an opportunity to withdraw or modify
the request.
3. Applicable Regulation
45 C.F.R. § 164.528.
M. Right to Request an Amendment to Protected Health
Information
1. Policy
Individuals have the right to request an amendment or correction to their protected
health information. The University will permit an individual to request an
amendment to his or her protected health information in their designated record set
for as long as the information is maintained in the designated record set. An
individual can request an amendment to his or her protected health information
that was not created by the University, but the individual must provide the
University with a reasonable basis to believe that the originator of the information is
no longer available to act on the request. The University has the right to deny the
request to amend in certain circumstances.
2. Procedure
Requests for an Amendment
Ø A Sample Request for an Amendment Form is set forth on page 49 of this
Manual.
Ø Each covered component of the University must designate the title of the
person(s) or office responsible for receiving and processing requests for
an amendment by individuals.
Ø Individuals must be instructed to direct their requests for an amendment
to the designated person responsible for receiving such request.
Ø A covered component may instruct individuals to make their requests in
writing and may require the individual to provide a reason to support the
requested amendment, as long as the designated covered component
informs the individual in advance of such requirements.
Ø The University must act upon an individual’s request for amendment no
later than 60 days after receipt of the request. If the covered entity is
unable to act on the amendment within this time period, the University
may extend the time for such action by no more than 30 days, provided
that: (1) the University provides the individual with a written statement
of the reasons for the delay and the date by which the University will
complete its action on the request; and (2) the University may have only
one such extension of time for action on a request for an amendment.
Accepting a Request to Amend
Ø If the requested amendment is accepted, in whole or in part, the covered
component shall inform the individual of the acceptance and make the
appropriate amendment.
Ø At a minimum, the covered component shall amend the information by
identifying the affected information in the designated record set and
appending or otherwise providing a link to the location of the
amendment.
Ø The covered component and the individual should identify the relevant
persons or entities, including business associates, who need to be
informed about the amendment.
Denying a Request to Amend
Ø A Sample Denial of Request for an Amendment Form is set forth on page
44 of this Manual.
Ø An individual’s request for an amendment may be denied if the covered
component determines that the protected health information or record
that is the subject of the request:
o Was not created by the University, unless the individual provides a
reasonable basis to believe that the originator of the protected
health information is no longer available to act on the requested
amendment;
o Is not part of the individual’s designated record set;
o Is not available for inspection by the individual pursuant to the
Access to Right to Request Access to PHI policy, set forth herein;
and
o Is accurate and complete.
Ø If a covered component denies the requested amendment, the covered
component shall inform the individual in writing.
Ø The denial shall be written in plain language and contain the following:
o The basis for the denial;
o A statement notifying the individual that he or she has the right to
submit a written statement of disagreement and a description of
how the individual may file such a statement;
o A statement notifying the individual that if he or she does not
submit a statement of disagreement, the individual may request
that the designated covered component provide the individual’s
request for amendment and the denial with any future disclosures
of the protected health information that is the subject of the
amendment; and
o A description of how the individual may file a complaint pursuant
to the Privacy Complaint Policy and Procedure, set forth above.
Ø If the University denies a request for an amendment, the individual has
the right to file a statement of disagreement.
Statement of Disagreement
Ø If the University denies an individual’s request for an amendment, the
individual will have the right to submit a statement of disagreement.
Ø The University may then prepare a written rebuttal to the individual’s
statement of disagreement.
Ø A copy of the rebuttal must be provided to the individual.
3. Applicable Regulation
45 C.F.R. § 164.526.
N. Right to Request Confidential Communication
1. Policy
Individuals may request to receive communications of protected health information
in a confidential manner (e.g., by alternative means or in alternative locations). The
University shall accommodate reasonable requests to receive confidential
communications.
2. Procedure
Ø A covered component may require an individual to make a request to
receive confidential communications in writing.
Ø Covered components may condition the provision of a reasonable
accommodation on: (1) information as to how payment (if any) will be
handled; and (2) specification of an alternative address or other method
of contact.
Ø A covered component may not require an explanation from the individual
as to the basis for the request as a condition of providing confidential
communications.
3. Applicable Regulation
45 C.F.R. § 164.522(b)
O. Right to Request Restrictions on the Use and Disclosure
of Protected Health Information
1. Policy
Individuals may request restrictions on the use and disclosure of their protected
health information. Requests for restriction do not have to be granted; however, if
the University agrees to a restriction, it may not use or disclose the protected health
information in violation of the restriction, except in emergency situations. Further,
any agreed-to restriction will not be effective to prevent uses and disclosures to the
individual or as required by law.
2. Procedure
Request to Restrict Use or Disclosure of Protected Health Information
Ø An individual may request a restriction on the use and disclosure of his or
her protected health information.
Ø A covered component does not have to agree to requests for restrictions;
however, if it does agree, the covered component may not use or disclose
the protected health information in violation of such restriction, except in
emergency situations.
Ø The covered component should discuss with the individual whether the
restriction should be communicated to others (i.e., other covered
components of the University or business associates who may be sending
the individual communications on behalf of the University).
Terminating a Restriction
Ø A restriction can be terminated if:
o The individual requests the restriction in writing or orally (if the
termination is requested orally, it should be documented); or
o The designated covered component informs the individual that it
is terminating the agreement to a restriction, in which case the
termination will only apply to protected health information
created or received after the individual has been notified of the
termination.
3. Applicable Regulation
45 C.F.R. § 164.522(a).
P. Safeguarding Protected Health Information
1. Policy
Pepperdine University will implement appropriate administrative, technical, and
physical safeguards, which will reasonably safeguard the confidentiality of
protected health information. Designated covered components may develop
additional policies and procedures that are stricter than the parameters set forth
below in order to maximize the privacy of protected health information in light of
the unique circumstances of a particular component.
2. Procedure
The University recognizes that each designated covered component has a unique
organizational structure. For this reason, it is the responsibility of each designated
covered component to determine and implement reasonable administrative,
technical, and physical safeguards. The following list of guidelines contains some
suggestions of administrative, technical, and physical safeguards that covered
components may wish to adopt:
Ø Oral Communications. Exercising due care to avoid unnecessary
disclosures of protected health information through oral
communications, such as avoiding such conversations in public areas.
Ø Telephone Messages. Limiting messages left on answering machines and
voicemails to appointment reminders and messages that do not link an
individual’s name to protected health information.
Ø Faxes. Placing fax machines in secure areas not readily accessible to
visitors, clients, patients, etc. and/or using a cover sheet with a
confidentiality notice when faxing protected health information.
Ø Paper Records. Storing paper records and charts in a way that avoids
access by unauthorized persons, such as in locked filing cabinets.
Ø Desks and Working Areas. Securing desks and working areas that
contain protected health information.
Ø Computer Monitors. Positioning computer monitors away from common
areas or installing a privacy screen to prevent unauthorized viewing,
and/or creating password protected screen savers.
Ø Disposal of Paper records. Disposing of documents containing protected
health information in a secure manner, e.g., by shredding.
Ø Disposal of Electronic Materials. Disposing of electronic material that
contains unencrypted protected health information in a secure method.
Ø E-mails. Sending e-mails that contain protected health information with a
confidentiality notice, and/or sending such e-mails in encrypted form.
Ø Electronic Documents. Securing protected health information that is
stored on a hard disk drive or other internal component of a personal
computer, such as by password or encryption.
3. Applicable Regulation
45 C.F.R. § 164.530(c).
Q. Training
1. Policy
Each designated covered component is responsible for training its workforce
(including employees, students, volunteers, etc.) with respect to the University’s
HIPAA policies and procedures on the use and disclosure of PHI as necessary and
appropriate for the members of the workforce to carry out their function.
2. Procedure
Training
Ø It will be the responsibility of each designated covered component to
ensure that its workforce receives training.
Ø Each employee must be trained no later than April 14, 2003. Each new
employee must receive training within a reasonable period of time after
the person becomes an employee, etc.
Ø If there is a material change in the policies and procedures and, as a
result, certain employees are affected, those employees must receive
training on the material change within a reasonable period of time after
the change becomes effective.
Documentation
Ø A covered entity must document that the training has been provided.
3. Applicable Regulation
45 C.F.R. § 164.530(b).
HIPAA Sample Forms [see following pages]
A. Accounting for Disclosures of Protected Health Information
B. Authorization to Use/Disclose Protected Health Information
C. Business Associate Agreement
D. Denial of Request for Amendment
E. Denial of Request for Access
F. Privacy Complaint
G. Request for Access to Protected Health Information
H. Request for Accounting of Disclosures
I. Request for Amendment to Protected Health Information
J. Acknowledgement of Receipt of Notice of Privacy Practices
A. Accounting for Disclosures of Protected Health
Information
Date of Disclosure | Name and Address of Person who Received PHI | Reason for Disclosure | Description of PHI Disclosed | Persons or Offices Processing the Accounting
B. Authorization to Use/Disclose Protected Health
Information (HIPAA)
Name: _____________________________________________
Location: __________________________________________
Telephone Number: (____)______________________
I hereby authorize the use and/or disclosure of my health information as described below. I
understand that this authorization is voluntary. I also understand that if the person or organization
authorized to receive the information is not a health plan or health care provider, the released
information may be re-disclosed and may no longer be protected by the federal privacy regulations.
1. Person or organization authorized to disclose the health information:
2. Person or organization authorized to receive the health information:
3. Description of health information that may be used/disclosed:
4. Description of each purpose for which the health information will be used/disclosed (Note: Not
required if disclosure is requested by the individual):
5. I understand that the person or organization that I am authorizing to use/disclose the
information may receive compensation in exchange for the health information described above.
6. I understand that I may refuse to sign this authorization and that my refusal to sign will not
affect my ability to enroll in a health plan, obtain health care treatment or payment or my
eligibility for benefits.* (Note: Not required if disclosure is requested by the individual).
7. I understand that I may revoke this authorization at any time by providing written notice to:
I understand that my revocation will not affect any actions already taken in reliance on this
authorization.
8. I understand I may inspect or copy any information to be used or disclosed under this
authorization.
9. Unless otherwise revoked in writing, this authorization will expire ________ days from the date
signed below. If this date is left blank, the authorization will automatically expire one year from
the date I sign below.
Signature of Individual (or Legal Representative) Date
Individual’s Name (Print)
Name of Legal Representative, if applicable (Print) Relationship
*A health plan may condition enrollment or eligibility for benefits on an individual providing an
authorization prior to enrollment if the authorization sought is for the plan’s eligibility or enrollment
determinations relating to the individual or for its underwriting risk or risk rating determinations
and the authorization is not for a use or disclosure of psychotherapy notes (45 C.F.R. § 164.508(b)(4)(ii)(A-B)).
C. Business Associate Agreement
Pepperdine University
Business Associate Agreement
Definitions:
The following terms used in this Agreement shall have the same meaning as those
terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set,
Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of
Privacy Practices, Protected Health Information, Required By Law, Secretary of
Department of Health and Human Services, Security Incident, Subcontractor,
Unsecured Protected Health Information, and Use.
Specific Definitions:
(a) Business Associate. “Business Associate” shall generally have the same meaning
as the term “business associate” at 45 CFR 160.103, and in reference to the party to
this agreement, shall mean _______________________________________ [Insert name of
Business Associate].
(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the
term “covered entity” at 45 CFR 160.103, and in reference to the party to this
agreement, shall mean Pepperdine University.
(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach
Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
Obligations and Activities of Business Associate:
Business Associate agrees to:
(a) Not use or disclose protected health information (“PHI”) other than as permitted
or required by the Agreement or as required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 64 with
respect to electronic PHI, to prevent use or disclosure of PHI other than as provided
for by the Agreement;
(c) Report to Covered Entity any use or disclosure of PHI not provided for by the
Agreement of which it becomes aware, including breaches of unsecured PHI as
required at 45 CFR 164.410, and any security incident of which it becomes aware
within seven (7) business days;
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable,
ensure that any subcontractors that create, receive, maintain, or transmit PHI on
behalf of the Business Associate agree to the same restrictions, conditions, and
requirements that apply to the Business Associate with respect to such information;
(e) Make available PHI in a designated record set to Covered Entity as necessary to
satisfy Covered Entity’s obligations under 45 CFR 164.524;
(f) Make any amendment(s) to PHI in a designated record set as directed or agreed
to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as
necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;
(g) Maintain and make available the information required to provide an accounting
of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations
under 45 CFR 164.528;
(h) To the extent the Business Associate is to carry out one or more of Covered
Entity’s obligation(s) under Subpart E or 45 CFR Part 164, comply with the
requirements of Subpart E that apply to the Covered Entity in the performance of
such obligation(s); and
(i) Make its internal practices, books, and records available to the Secretary of
Department of Health and Human Services for purposes of determining compliance
with the HIPAA Rules.
Permitted Uses and Disclosures by Business Associate:
(a) Business Associate may only use or disclose PHI as necessary to perform the
services set forth in Service Agreement.
(b) Business Associate may use or disclose PHI as required by law.
(c) Business Associate agrees to make uses and disclosures and requests for PHI
consistent with Covered Entity’s minimum necessary policies and procedures.
(d) Business Associate may not use or disclose protected health information in a
manner that would violate Subpart E or 45 CFR Part 164 if done by Covered Entity.
Provisions for Covered Entity to Inform Business Associate of Notice of Privacy
Practices and Restrictions (“NPP”):
(a) Covered Entity shall notify Business Associate of any limitation(s) in the NPP of
Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect
Business Associate’s use or disclosure of PHI.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation
of, the permission by an individual to use or disclose his or her PHI, to the extent
that such changes may affect Business Associate’s use or disclosure of PHI.
(c) Covered Entity shall notify Business Associate of any restriction on the use or
disclosure of PHI that Covered Entity has agreed to or is required to abide by under
45 CFR 164.522, to the extent that such restriction may affect Business Associate’s
use or disclosure of PHI.
Term and Termination:
(a) Term. The Term of this Agreement shall be effective as of
___________________________________ [Insert effective date], and shall terminate on
____________________________________________ [Insert termination date] or on the date
Covered Entity terminates for cause as authorized in paragraph (b) of this Section,
whichever is sooner.
(b) Termination for Cause. Business Associate authorizes termination of this
Agreement by Covered Entity, if Covered Entity determines Business Associate has
violated a material term of the Agreement.
Miscellaneous:
(a) Injunctions. Covered Entity and Business Associate agree that any violation of
the provisions of this Agreement may cause irreparable harm to Covered Entity.
Accordingly, in addition to any other remedies available to Covered Entity at law, in
equity, or under this Agreement, in the event of any violation by Business Associate
of any of the provisions of this Agreement, or any explicit threat thereof, Covered
Entity shall be entitled to an injunction or other decree of specific performance with
respect to such violation or explicit threat thereof, without any bond or other
security being required and without the necessity of demonstrating actual damages.
(b) Indemnification. Business Associate shall indemnify, hold harmless, and defend
Covered Entity from and against any and all claims, losses, liabilities, costs and other
expenses resulting from, or relating to, the acts or omissions of Business Associate
in connection with the representations, duties and obligations of Business Associate
under this Agreement.
(c) Obligations of Business Associate upon termination. Upon termination of this
Agreement for any reason, Business Associate shall return to Covered Entity, or if
agreed to by Covered Entity destroy, all PHI received from Covered Entity, or
created, maintained, or received by Business Associate on behalf of Covered Entity,
that the Business Associate still maintains in any form. Business Associate shall
retain no copies of the PHI.
(d) Survival. The obligations of Business Associate under this Section shall survive
the termination of this Agreement.
(e) The parties agree that the Business Associate Agreement may need to be
amended as necessary to accommodate changes to HIPAA or other privacy laws and
regulations in the future.
(f) The parties further agree that the Business Associate (and its subcontractors if
applicable) is acting as an independent contractor and not as an agent of the
Covered Entity.
(g) For questions regarding Pepperdine University’s HIPAA compliance, please
contact Kim Miller, HIPAA Compliance Officer, 24255 Pacific Coast Highway, Malibu,
CA 90263, 310.506.4208.
IN WITNESS WHEREOF, PEPPERDINE UNIVERSITY AND ____________________________
[Insert name of Business Associate] have executed this Agreement as of the date
first written above.
ATTEST:
by_____________________________________________________
PEPPERDINE UNIVERSITY
ATTEST:
by_____________________________________________________
BUSINESS ASSOCIATE
Date__________________________
Date__________________________
D. Denial of Request for an Amendment
To: ____________________________________________________________________________
Name of Individual
Your request to amend your Protected Health Information to Pepperdine University
has been denied because (state basis for denial):
______________________________________________________ ________________________________
Responsible Party’s Name (Print) Date
Title of the persons or offices responsible for receiving and processing the request
You may have the right to submit a written statement of disagreement. If you have
the right to submit a written statement of disagreement, submit it to:
Name of Department
If you do not submit a written statement disagreeing with the denial, you may
request, in writing, that we provide your request for amendment and our denial
with any future disclosures of the Protected Health Information that is the subject of
your request.
You may make a complaint to the University’s Privacy Official regarding the denial
of your amendment. The contact information for the Privacy Official is:
Kim Miller
Pepperdine University
24255 Pacific Coast Highway
Telephone: (310) 506-4208
E-mail: kim.miller@pepperdine.edu
You may also submit a written complaint to the appropriate Office of Civil Rights
Regional Office.
E. Denial of Request for Access
Your request to access or obtain a copy of your Protected Health Information has
been denied for the following reasons:
Responsible Party’s Name (Print) Date
Title of the persons or offices responsible for receiving
In accordance with applicable law and Pepperdine University’s HIPAA privacy
policies, you _____ do _____ do not (please check one) have the right to have this denial
reviewed by Pepperdine.
If this denial is subject to review as indicated above and you desire to have the
decision reviewed, please check the box below and return this form within 30
calendar days to:
[name of department and address]
If you desire to register a complaint regarding this denial, you may file a complaint
with Pepperdine University’s HIPAA Privacy Official or with the appropriate Office
of Civil Rights Regional Office.
To file a complaint with the University’s Privacy Official, contact Kim Miller at 24255
Pacific Coast Highway, Malibu, California 90263, (310) 506-4208 or
kim.miller@pepperdine.edu.
* * * * *
I hereby request a review of Pepperdine University’s denial of my request to
access or obtain a copy of my Protected Health Information.
Signature of Individual or Legal Representative Date
Name of Individual or Legal Representative (Print)
F. Privacy Complaint
Name:________________________________________ Date:_____________________
Telephone Number:_________________________
Please describe the nature of the complaint:
Date of Occurrence:_______________________ Information Affected:_______________
Please name the entity that is the subject of the complaint:______________________________
Signature Date
Please mail this form to the University’s Privacy Official at the following address:
Kim Miller
HIPAA Privacy Official
24255 Pacific Coast Highway
Malibu, CA 90263
You may also submit the complaint electronically to kim.miller@pepperdine.edu. A
complaint must be filed within 180 days of when you knew or should have known of
the circumstances that led to the complaint.
You also may submit a written complaint to the appropriate Office of Civil Rights
Regional Office.
G. Request for Access to Protected Health Information
I understand that I have the right to inspect or receive a copy of my Protected Health
Information. I understand that the University may impose a reasonable cost-based
fee for copying and postage. I further understand that the University may impose a
reasonable cost-based fee for preparing a summary of the Protected Health
Information if the parties agreed to such summary and fees in advance. I
understand that my request to access or inspect my records may be subject to some
legal limitations.
Name:_______________________________________________ Date:__________________________
Telephone Numbers:______________________________
I hereby request access of the Protected Health Information in my designated record
set from ________________________ to _________________________ maintained or created by
Pepperdine University, ___________________________________________ (name of department).
1. Identify the records you wish to inspect.
2. Please state how you would like to inspect or review your records. For
example, do you want to inspect them during regular business hours at
Pepperdine University, or do you want copies mailed to you, or do you want
to pick up copies at a time and place designated by Pepperdine, etc.
Signature of Individual (or Legal Representative) Date
Individual’s Name (Print)
Name of Legal Representative (if applicable) Relationship to Individual
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
(for office use only)
_____ Request Denied _____ Approved as Requested _____ Approved per Comments
Comments:
Responsible Party:______________________________________ Date:__________________________
If the request for access is denied, the individual must be informed in writing.
H. Request for Accounting of Disclosures
I understand that I have the right to an accounting of uses and disclosures of my
Protected Health Information for purposes other than treatment, payment, and
health care operations. I understand that the University’s responsibility for such an
accounting became effective April 14, 2003, and that accounting for disclosures
prior to that date is not available. I understand that a fee may be charged for more
than one accounting in a 12-month period.
Name:________________________________________ Date:__________________________
I hereby request an accounting of disclosures of my Protected Health Information
from ____________________ to ____________________ (if known, name and address of entity)
maintained by Pepperdine University, ____________________ (name of department).
Please provide a brief description of the Protected Health Information disclosed:
Please provide a brief statement of the purpose of the disclosure; or in lieu of such
statement, a copy of a written request for disclosure, if any.
Signature of Individual (or Legal Representative) Date
Individual’s Name (Print)
Name of Legal Representative, if applicable (Print) Relationship to Individual
Responsible Party’s Name (Print)
Title of the persons or offices responsible for receiving and processing the request
Date
I. Request for Amendment to Protected Health Information
Name:_______________________________________________ Date:__________________________
Telephone Numbers:______________________________
I hereby request that Pepperdine University ____________________________________, amend:
(Name of department)
Please identify the relevant persons or entities who need to be informed about the
amendment:
Please state the reason(s) supporting the requested amendment:
Signature of Individual (or Legal Representative) Date
Individual’s Name (Print)
Name of Legal Representative, if applicable (Print)
Responsible Party’s Name (Print)
Relationship to Individual
Title of the persons or offices responsible for receiving and processing the request
Date
J. Acknowledgement of Receipt of Notice of Privacy
Practices
Name:_________________________________________________________________________________________
Address:_______________________________________________________________________________________
Facility Name:________________________________________________________________________________
I acknowledge that I have received or been offered a copy of Pepperdine
University’s NPP which describes how my PHI is used and shared. I understand that
Pepperdine University has the right to change this NPP at any time. I may obtain a
current copy by contacting the Department in which my care was provided or by
visiting Pepperdine University’s website at
http://www.pepperdine.edu/provost/content/policies/hipaa_manual_5_2012.pdf.
My signature below acknowledges that I have been offered a copy or provided
with a copy of the NPP:
Signature of Patient Date
Print Name
Personal Representative’s Title (e.g., Guardian, Executor of Estate, Health Care Power
of Attorney)
For Department Use Only: Complete this section if you are unable to obtain a
signature.
• If the patient or personal representative is unable or unwilling to sign this
Acknowledgement, or the Acknowledgement is not signed for any other reason,
state the reason:
• Describe the steps taken to obtain the patient’s (or personal representative’s)
signature on the Acknowledgement: