Fill - Free fillable HIPPA Policies, Procedures, And Forms Manual (Pepperdine University) PDF form

& & &

& &

August 1, 2014

PEPPERDINE UNIVERSITY

HIPAA Policies Procedures and Forms

Manual

& & &

& * * &

& & & & &

& & & &

& * * &

& * * * * * &

& & & & & & & &

& ) ) &

& ) ) ) &

& & & & &

& ) ) &

& ) ) ) &

& & & &

& ) ) &

& ) ) ) &

& & & & & &

& ) ) &

& ) ) ) &

& & & & &

& ) ) &

& ) ) ) &

& & & & & & & & & &

& ) ) &

& ) ) ) &

& & & & & & &

& ) ) &

& ) ) ) &

& & & & & & & &

& ) ) ) &

& & & & &

& ) ) &

& ) ) ) &

& & & &

& ) ) &

& ) ) ) &

Table of Contents

I. INTRO D U C TIO N ...............................................................................................................................4

A. GENERAL POLICY ..............................................................................................................................................4

B. SCOPE ..................................................................................................................................................................4

II. DEFINITIONS...................................................................................................................................5

III. GENERAL POLICIES AND PROCEDURES ................................................................................9

A. AUTHORIZATION&TO&USE OR DISCLOSE PROTECTED&HEALTH INFORMATION ......................................9

1. Policy ................................................................................................................................................................ 9

2. Procedure ....................................................................................................................................................... 9

3. Applicable Regulations...........................................................................................................................10

B. B

USINESS ASSOCIATES ..................................................................................................................................10

1. Policy ..............................................................................................................................................................10

2. Procedure .....................................................................................................................................................11

3. Applicable Regulations...........................................................................................................................11

C. C

OMPLAINT .....................................................................................................................................................11

1. Policy ..............................................................................................................................................................11

2. Procedure .....................................................................................................................................................11

3. Applicable Regulations...........................................................................................................................12

D. DE-IDENTIFICATION&OF PROTECTED&HEALTH INFORMATION..............................................................12

1. Policy ..............................................................................................................................................................12

2. Procedure .....................................................................................................................................................12

3. Applicable Regulations...........................................................................................................................13

E. LIMITED DATA&SHEETS ................................................................................................................................13

1. Policy ..............................................................................................................................................................13

2. Procedure .....................................................................................................................................................14

3. Applicable Regulations...........................................................................................................................14

F. MINIMUM NECESSARY&USE AND DISCLOSURE OF PROTECTED&HEALTH INFORMATION .................15

1. Policy ..............................................................................................................................................................15

2. Procedure .....................................................................................................................................................15

3. Applicable Regulations...........................................................................................................................16

G. NOTICE OF PRIVACY PRACTICES .................................................................................................................16

1. Policy ..............................................................................................................................................................16

2. Procedure .....................................................................................................................................................16

3. Applicable Regulation.............................................................................................................................23

H. PRIVACY OFFICIAL, SECURITY&OFFICER, AND&PRIVACY COORDINATORS ............................................23

1. Privacy Official ...........................................................................................................................................23

2. Security Official ..........................................................................................................................................23

3. Privacy Coordinators ...............................................................................................................................24

4. Applicable Regulation.............................................................................................................................26

I. RECORDS RETENTION....................................................................................................................................26

1. Policy ..............................................................................................................................................................26

2. Procedure .....................................................................................................................................................26

3. Applicable Regulation.............................................................................................................................27

J. RESEARCH ........................................................................................................................................................27

1. Policy ..............................................................................................................................................................27

2. Procedure .....................................................................................................................................................27

3. Applicable Regulations...........................................................................................................................29

August 1, 2014

& & &

& & & & & & & &

& ) ) &

& ) ) ) &

& & & & & & & &

& ) ) &

& ) ) ) &

& & & & & & & & & &

& ) ) &

& ) ) ) &

& & & & & & &

& ) ) &

& ) ) ) &

& & & & & & & & & &

& & &

& ) ) &

& ) ) ) &

& & & & &

& ) ) &

& ) ) ) &

& & & &

& ) ) &

& ) ) ) &

* * & & & * * &

& & & & & & & & &

& & & & & &

& & & & & & & &

& & & & & & &

& & & & &

& & & & & & &

& & & & & &

& & & & & & & &

& & & & & & & & &

* *

K. RIGHT TO REQUEST&ACCESS&TO PROTECTED&HEALTH INFORMATION ................................................29

1. Policy ..............................................................................................................................................................29

2. Procedure .....................................................................................................................................................29

3. Applicable Regulation.............................................................................................................................32

L. RIGHT TO REQUEST&AN ACCOUNTING OF&DISCLOSU RE S ........................................................................32

1. Policy ..............................................................................................................................................................32

2. Procedure .....................................................................................................................................................33

3. Applicable Regulation.............................................................................................................................34

M. RIGHT TO REQUEST&AN AMENDMENT TO PROTECTED&HEALTH INFORMATION ................................34

1. Policy ..............................................................................................................................................................34

2. Procedure .....................................................................................................................................................34

3. Applicable Regulation.............................................................................................................................36

N. RIGH T TO REQUEST&CONFIDENTIAL COMMUNICATION..........................................................................36

1. Policy ..............................................................................................................................................................36

2. Procedure .....................................................................................................................................................36

3. Applicable Regulation.............................................................................................................................36

O. RIGH T TO REQUEST&RESTRICTIONS ON THE&USE AND DISCLOSUR E OF PROTECTED&HEALTH

INFORMATION .........................................................................................................................................................37

1. Policy ..............................................................................................................................................................37

2. Procedure .....................................................................................................................................................37

3. Applicable Regulation............................................................................................................................. 37

P. S

AFEGUARDING&PROTECTED&HEALTH INFORMATION............................................................................37

1. Policy ..............................................................................................................................................................37

2. Procedure .....................................................................................................................................................38

3. Applicable Regulation.............................................................................................................................38

Q. TRAINING.........................................................................................................................................................38

1. Policy ..............................................................................................................................................................38

2. Procedure .....................................................................................................................................................39

3. Applicable Regulation.............................................................................................................................39

HIPAA SAMPLE FORMS [SEE FOLLOW ING PAGES] ..................................................................... 40

A. ACCOUNTING FOR DIS CL O SU RE S OF PROTECTED&HEALTH INFORMATION .........................................41

B. AUTHORIZATION&TO&USE/DISCLO S E PROTECTED&HEALTH INFORMATION&(HIPAA) .....................42

C. B

USINESS ASSOCIATE AGREEMENT............................................................................................................44

D. DENIAL OF REQUEST&FOR AN AMENDMENT..............................................................................................48

E. DENIAL OF REQUEST&FOR ACCESS..............................................................................................................49

F. PRIVACY COMPLAINT ....................................................................................................................................50

G. REQUEST&FOR ACCESS&TO PROTECTED&HEALTH INFORMATION ...........................................................51

H. REQUEST&FOR ACCOUNTING OF&DISCLOSURES ......................................................................................... 52

I. REQUEST&FOR AMENDMENT TO PROTECTED&HEALTH INFORMATION.................................................53

J. ACKNOW LEDGEM ENT OF&RECEIPT&OF NOTICE OF PRIVACY PRACTICES ..............................................54

August 1, 2014

& & &

& & & & & & & & & & &

& & & & & & & & &

& & & & & & & & & && & &

& & & & & & & & & &

& & & & & & & & & & & &

& & & & &

& &

& && & & & &

& & & & & &

& & &

& & & & &

& & & &

& & &

& &

& & & & & & & & & &

& & & & & & & & &

& & & & & & & & & & &

& & & && & & & & & &

& & & & & && & &

& & & & & & & & & & &

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

& & & & & & & & & & && & & & & &

& & & & & & && & & & & & & & & & &

I. Introduction

A. General Policy

Pepperdine University is committed to protecting the privacy of individual health

information in compliance with the Health Insurance Portability and Accountability&

Act of 1996 (HIPAA) and the regulations promulgated there under. These policies

and procedures apply to protected health information created, acquired, or

maintained by the designated covered components of the University after April 14,

2003.& The statements in this Manual&represent&the &University’s &general&operating&

policies and &procedures.&&For &further &details &regarding&these&policies and &procedures

see 45&C.F.R.&Parts& 160& and&164.

B. Scope

Pepperdine&University&is&a&hybrid&entity&as&defined&in&45&C.F.R.&§164.103 and

includes&both&covered&and&non-covered components. These policies and procedures

apply&only&to&the&University’s designated covered components, which include:

• Athletic Training Center;

• Boone Center for the Family;

• Disability&Services&Office;

• Human Resources, Benefits Department;

• Pepperdine Community Counseling Center;

• Pepperdine&Jerry&B.H. Union Rescue&Clinic;

• Pepperdine&Psychology&and&Education&Clinic;

• Student&Counseling; and

• Student&Health&Center.

Certain administrative and/or support offices may also be designated as covered&

components.

The designated covered components may not share protected health information

with &the &non-covered components of the University, unless specifically permitted by

the &privacy &regulations.&&It&is &the &responsibility &of &each &designated &covered&

component to assure that their employees, students, volunteers, etc. comply with

these policies and procedures. A&designated covered component may develop and

incorporate&additional &policies&and&procedures&if&doing&so&is&necessary&and&

appropriate to &comply with more stringent state laws.

However, a designated&

covered component may not delete sections of these policies and procedures

without&first&consulting&the &Privacy &Official&or &the &Security &Official.

HIPAA ensures a federal standard (a “floor”) of privacy protections. State privacy laws may be

more stringent than th e HIPAA priva cy rule. In those cases, the m ore stringent state law will apply.

August 1, 2014

& & &

) & & &

& & & & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & &

& && & & & & & & & & &

& & & &

& & & & &

& & & & & & & & & &

& & & & & & &

&& & & & & & & & & & & &&

& &&

) ) & & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & &

& &

) & & & & & & & & & & &

& & & & & & & & & & & & &

& &

) ) ) ) ) & & & & &

& & & & & & & & & & & &&

& & & & & & & & & & & & & &

) ) & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & & & & & & &

& & & & &

) ) & & & & & & & &

& & & & & & & & & & && & && &

& & & & & & & & & & & & &

& & & & & & && & && & &

) & & & & & & & & &

& & & & & & & & &

& & & & & & & & & & & & & &

& & & & & & & & & &&

II. Definitions

E/9&8-99 199$'&37-)means a person or&entity&who,&on&behalf&of&a &covered&entity,&

performs or assists in performance of a function or activity involving the use or

disclosure of individually identifiable health information, or any other function or

activity regulated by the HIPAA&Administrative Simplification Rules, including the

Privacy Rule. Business Associates are also persons or entities performing legal,

actuarial,&accounting,&consulting,&data aggregation, management, administrative,

accreditation,&or &financial&services to &or &for a&covered entity where performing those

services involves disclosure of individually identifiable health information by the

covered&entity&or&another&business&associate&of&the&covered&entity&to&that &person&or&

entity.&&A&member of a covered entity’s workforce is not&one&of&its&business&

associates. A&covered entity may be a business associate of another covered entity.

45&C.F.R.& §&160.103.&

B$>-,-. F87&7( means a health plan, a health care clearinghouse, or a health care

provider who transmits health information in electronic form&in connection with a

transaction for which the U.S. Department of Health and Human Services has

adopted &a&standard.&&45 &C.F.R.&&§ 160.103.

B$>-,-. G/8'7&$89 means those functions of a covered entity the performance of

which makes the entity a health plan, health care provider, or health care

clearinghouse.&&45&C.F.R.&&§ 160.103.

H-9&6837-. B$>-,-. B$I2$8-879 J$, B$>-,-. B$I2$8-879K means a component or

combination of components designated by the University, which is a Hybrid Entity.

The designated covered components of the University are listed in Section I.B. of this

Manual.

H-9&6837-. 5-'$,. A-7 means a group of records maintained&by&or&for&a covered&

entity that includes medical and billing records about individuals, or a group of

records that are used in whole or in part by or for the covered entity to make

decisions&about individuals.& 45&C.F.R.& § 164.501.

H&,-'7 L,-37I-87 5-%37&$89M&2 means a treatment relationship between an individual

and a healthcare provider that is not an indirect treatment relationship. 45 C.F.R. §

164.501.&

H&9'%$9/,- means the release, transfer, access to, or divulging of information in any

other&manner outside the entity holding the information. 45 C.F.R. § 160.103.

F%-'7,$8&' N-.&3 means electronic storage media including memory devices in

computers (hard drives) and any removable/transportable digital memory medium,

such as magnetic tape or disk, optical disk, or digital memory card; or transmission

media used to exchange information already in electronic storage media.

August 1, 2014

& & &

& & & & &

& & & & & &

& & & & & && &

& & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & && & && &

& & & & & & & & & &

) & & & & & & & & & & & & &

& & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & && & && & &

) & & & & & & & & & &

& & & & & & &

& & & & &

& &

& & & & & & & & & &

& & & & & & & & & & & &

& & & & & &

& & & & & & & & & &

& & & & & & & & && & && & &

) ) & & & & & &

& & & & &

& & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & &

& & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & &

& & & & & & && & && & &

) & & & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & &

Transmission media includes,&for&example, the Internet (wide-open),&extranet (using

Internet technology to &link&a&business &with information accessible only to

collaborating&parties),&leased&lines,&dial-up&lines,&private&networks,&and &the&physical&

movement of removable/transportable electronic storage media. Certain

transmissions, including of paper via facsimile, and of voice via &telephone,&are&not

considered to be transmissions via electronic media because the information being

exchanged did not exist in electronic form&before the transmission. 45 C.F.R. §

160.103.

HHS stands for the Department of Health and Human Services.

Health Care means care, services, or supplies related to the health of an individual,

including (1) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or

palliative care, and counseling, services, assessment, or procedure with respect to

the physical or mental condition, or functional status, of an individual that affects

the &structure &or &function&of &the &body; and &(2) &sale &or &dispensing&of &a&drug,&device,&

equipment, or other item&in accordance with a prescription. 45 C.F.R. § 160.103.

Health Care)Clearinghouse means a public or private entity, including a billing

service,&re-pricing company, community health management information system&or

community health information system, and “value-added”&networks and &switches,&

that&does &either &of the &following&functions: &(1) processes or &facilitates the&

processing of health information received from&another entity in a nonstandard

format or containing nonstandard data content into standard data elements or a

standard&transaction;&(2)&receives&a standard transaction from&another entity and

processes or facilitates the processing of health information into nonstandard

format or nonstandard data content for the receiving entity. 45 C.F.R. § 160.103.

Health Care)Operations means any of the following activities &of &the &covered &entity&to

the &extent&that&the &activities &are &related to &covered &functions: &(1) &conducting&quality

assessment and improvement activities, population-based &activities,&and &related

functions that do not include treatment; (2) reviewing the competence of

qualifications&of&health&care&professionals,&evaluating&practitioner,&provider,&and&

health plan performance, conducting training programs where students learn to

practice or improve their skills as health care providers, training of professionals&

that&are &not&health &care &providers,&accreditation,&certification,&licensing,&or&

credentialing activities; (3) underwriting, premium&rating, and other activities

relating to the creation, renewal, or replacement of a contract of health insurance&or&

benefits; (4) conducting or arranging for medical review, legal services, and auditing

functions; (5) business planning and development, and (6) business management

and general administrative activities of the entity. 45 C.F.R. § 164.501.

Health Care)Provider means a provider of services (as defined in section 1861 (u) of

the Act, 42 U.S.C. § 1395x(u)),&a provider of medical or health services (as defined&in&

section 1861(s) of the Act, 42 U.S.C. §&1395x(s)), and &any&other &person&or

August 1, 2014

& & &

& & & & & & & & & & & & &

& & &

)

) & & & & & & & & & & &

& & & & & & & & & & & & & & &

& &

& & & & & & & & & & &

& & & & & & & & & & & & & & &&

& & &

) & & & & & & & & & & &

& & & & & & & & & & & & & & &

& & & & & & & & &

) & & & & & & & &

& & & & & & & & && & && & &

) ) & & &

& &

) & & & & & & & &

& & & & & & &

& & & & & & & & & & & & & & &

& &

& & & & & & & & & & & & & &

& & & & & & & & & & & & & & &

& & &

& & & & & & & & & &

& &

) ) ) ) ) & & & &

& & & & & & & & & & &

& & & && & & & & & & & &

& & & & & & & & & &

& & && & & & & & & &

& & & & & & && & & & &

organization&who&furnishes, bills, or is paid for health care in the normal course of

business.&&45&C.F.R.& § 160.103.

O-3%7M P8@$,I37&$8 means any information whether oral or recorded in any form&or

medium, that (1) is created or received by a health care provider, health plan, public

health authority, employer,&life &insurer,&school&or &university,&or &health&care&

clearinghouse;&and&(2) relates to the past, present, or future physical or mental

health&or&condition&of&an&individual;&the&provision&of&health&care&to&an&individual;&or&

the past, present for future payment for the provision of health care to an individual.

45&C.F.R.& § 160.103.

O-3%7M #%38 means, with certain exceptions, an individual or group plan that

provides or pays the cost of medical care (as defined in section 2791(a)(2) of the

PHS Act, 42 U.S.C. § 300gg-91(a)(2)).& 45&C.F.R.& § 160.103.

O(4,&. F87&7( means a single legal entity&that is&a &covered&entity,&performs business

activities &that&include &both &covered and &non-covered&functions,&and&designates&its&

health care components as provided in the Privacy Rule. 45 C.F.R. § 164.103.

P8.&,-'7 L,-37I-87 5-%37&$89M&2 means a relationship&between&an&individual&and a&

health&care&provider&in&which&(1)&the&health&care&provider&delivers&health&care&to&the&

individual &based&on&the&orders&of&another&health&care&provider;&and&(2)&the&health&

care&provider&typically&provides&services&or&products,&or&reports&the&diagnosis&or&

results&associated&with&the&health&care, directly&to&another&health&care&provider, who&

provides &the&services or &products or &reports &to&the&individual.&&45&C.F.R.&&§ 164.501.

P8.&>&./3%%()P.-87&@&34%-)O-3%7M P8@$,I37&$8 means information that is a subset of

health&information, including demographic information collected from&an individual,

and (1) is created or received by a health care provider, health plan, employer, or

health&care&clearinghouse;&and&(2)&relates&to&the past,&present,&or &future&physical&or

mental health or condition of an individual; the provision of health care to an

individual; or the past, present, or future payment for the provision of health care of

an&individual; and&(a) &that&identifies &the &individual; &or &(b)&with&respect&to&which&

there is a reasonable basis to believe the information can be used to identify the

individual.&&45&C.F.R.& § 160.103.

#-,9$8 means any natural person, trust or estate, partnership, corporation,

professional&association&or corporation,&or&other&entity,&public&or&private.&&45&C.F.R.&&

§ 160.103.

#,$7-'7-. O-3%7M P8@$,I37&$8 J$, #OPK means individually identifiable information

transmitted or maintained in electronic media (ePHI), or transmitted or maintained

in any form&or medium. PHI excludes education records covered by the Family

Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g,&records&

described&at 20&U.S.C.& § 1232g(a)(4)(B)(iv), and employment records held by a

covered entity in its role as employer. 45&C.F.R.& § § 164.501,&160.103.

August 1, 2014

& & &

& & & & & & & & & & &

& & & & & & & & & & & &

& & &

& & & & & & & & & & & &

&& & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & &

&& & &

& & & & & & & & &

& &

& & & & & & & & & & &

& & & & & & & & & & & & &

& & & & &

& & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & & & &

& & &

& & & & & & & & & & &

& & & & & & & & &

& & & & & & & & & & & &

&& & & & &

& & & & & & & & & & & & &

& & &

& & & & & & & & & &

& & & & & & & & & & & & & & &

& &

Psychotherapy)Notes means notes recorded (in any medium) by a health care

provider who is a mental health professional documenting or analyzing the contents

of&conversation&during&a &private&counseling&session&or&a &group,&joint, or family

counseling session and that are separated from&the rest of the individual’s medical

records. Psychotherapy notes excludes medication prescription and monitoring,

counseling session start and stop times, the modalities and frequencies of treatment

furnished, results of clinical tests, and any summary of the following items:

diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress

to &date. 45&C.F.R&§ 164.501.

Research means a systematic investigation, including research development, testing,

and &evaluation&designed to &develop&or &contribute to &generalizable &knowledge.&&45

C.F.R. § 164.501.

Treatment means the provision, coordination, or management of health care and

related services by one or more health care providers, including the coordination or

management of health care by a health care provider with a third party;

consultation&between&health&care&provider relating to&a patient;&or&the&referral of&a

patient&for &health care from&one health care provider to another 45 C.F.R. § 164.501.

Secretary means the Secretary of the U.S. Department of Health and Human Services

or any other officer or employee of HHS to whom&the authority involved has been

delegated.& 45&C.F.R.&§ 160.103.

Use means, with respect to individually identifiable health information, the sharing,

employment, application, utilization, examination, or analysis of such information

within the entity or health care component (for hybrid entities) that maintains &such

information. 45 C.F.R. § 160.103.

Violation or&violate means, as the context may require, failure to comply with an

administrative simplification provision.

Workforce means employees, volunteers, trainees, or other persons whose conduct

in&the performance of work for a covered entity is under the direct control of such

entity,&whether&or&not &they&are&paid&by&the&covered&entity.&&45&C.F.R.&§ 160.103.&

August 1, 2014

& & &

& & & & & & & & &&

& & & & & & & & & & &

& & & & & &

& & & & & & & & & & & &

& & & & &

& & & & & & & & & &&

) )

& & & & & & & & & & &&

& &

& & &

& & & & & & &

& & & & & & & &

& &

& & & &&

& & & & & & & & & & &

& & & & &

& & & & & &

& & & & & & & & & &

& & & & & & & & &

& &

III. General Policies and Procedures

A. Authorization to Use or Disclose Protected Health

Information

1. Policy

Pepperdine&University&will &obtain&an&individual’s&authorization&to&use&or&disclose&

protected health information in accordance with HIPAA&and its regulations.

Generally, designated covered components do not need to obtain an individual’s

authorization when&using&and &disclosing&protected health information for routine

purposes (e.g. treatment, payment, or health care operations), or for other limited

purposes,&as &described &in&Pepperdine&University’s &Notice&of &Privacy&Practices.&&

Otherwise, designated covered components must obtain&an&individual’s&valid&

authorization for the use or disclosure of protected health information.

2. Procedure

Authorization Form

Ø A&Sample Authorization may be found on page 36 of this Manual.

Ø The&authorization&shall &be&written&in&plain&langua ge&a nd&sha ll &contain&the&

following information:

o A description&of&t he& PHI to&be&used/disclosed&that ident ifies& the&

information in a specific and meaningful fashion;

o A description&of&ea ch& p urpose&of&the&requested&use&or&disclosure,&

for example, the statement “at the request of&the&individual” is&a&

sufficient descript ion& of&the&purpose&when&an&individual initiates&

the &authorization&and &does &not,&or &elects &not&to,&provide a&

statement of the purpose;

o The name of the person or organization authorized to disclose the

PHI;

o The name of the person or organization authorized to receive the

PHI;

o A statement that the individual has the right to revoke the

authorization&in&writing;

o A statement listing the &exceptions &to &an&individual’s right to&

revoke;

o A statement that information used or&disclosed&pursuant &to&the&

authorization may be subject to re-disclosure&by&the&recipient and&

no&longer &protected;

o A statement that the individual may refuse to sign the

authorization;

o A statement that the covered component will not condition

treatment, payment, enrollment or eligibility for benefits in a

health&plan,&based&on&the&individual &providing&authorization&for&

the &requested &use &or &disclosure;

o An expiration&dat e&(or&ex pira t ion&event);&and

August 1, 2014

& & &

& &

& & & & & & & & & & & &

)

& & & & &

& & & & & & & & &

& &

& & & & & & & & & & &

& & & & & & & &

& & & & & & & & &

& & & & & &

& & & & & & & & & & & &

) ) )

& & & & & & & & & & & &

& & &

& & & & & & & & & &

& & & & &

)

& & & & & & & & & &

& & &

& & & & & & & & & &

& & &

& & & & & & & & & & & & &

& && & & & & & & & & &

& & & & & &

o The signature&of&the&individual and&date&(or& t he& signature&of&an&

individual’s&personal &representative).

Ø The University must provide the individual with a signed copy of the

authorization.

Psychotherapy)Notes

Ø The&University&will &obtain&an&individual’s&authorization&to&use&or&disclose&

psychotherapy&notes,&except&in the circumstances listed below.

Ø The&University&does&not &need&to&obtain&an&individual’s&authorization&to&

use&or &disclose&psychotherapy&notes:

o To carry out treatment, payment, or health care operations;

o For use&by&the&originator&of&the&psychotherapy&notes for&

treatment;

o For use or disclosure by the designated covered component for its

own training programs in which students, trainees, or

practitioners in mental health learn under supervision to practice

or improve their skills in counseling;

o For use&or &disclosure&by&the&covered&entity&to&defend&itself&in&a&

legal&action&or &proceeding&brought&by &the &individual; and

o For other limited uses and disclosures as described in 45 C.F.R. §

508(a)(2).

Revocation of Authorization

Ø An individual may revoke an authorization at any time, provided that the

revocation is& in writing.

Ø If &the&University&has &already&taken&action&in&reliance&on&the&authorization,&

the University will stop providing the protected health information based

on&the&revoked&authorization&with&a reasonable period of time.

Documentation

Ø The University must document and retain any signed authorization under

this &section.

3. Applicable Regulations

45&C.F.R. §§ 164.508,&164.512.

B. Business Associates

1. Policy

From&time to time, covered components may share protected health information

with &external&parties,&known&as&business&associates.&&Protected health information

generally may only be shared with business associates pursuant to a valid Business

Associate Agreement. A&Business Associate Agreement can be in the form&of a

written amendment to an existing agreement.

August 1, 2014

& & &

) )

& & & & & & & &

& & & & & & & & & & & &

& & & &

& & & & & & & & & &

& & & & & & &

& & & & & & & & &

& & & & &

& &

)

& & & & & & & & & & & & &

& & & & &

& & & & & & & & & & && &

& & & & & & & & & & &

) ) )

& & & & & &

& & & & & & & & & & &

& && & & & & & &

& & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & & & &

2. Procedure

Business Associate)Agreement

Ø A&Sample Business Associate Agreement is set forth on&page&38 of&this&

Manual.

Ø Generally, PHI may only be shared with business associates pursuant to a

valid Business Associate Agreement.

Ø It is the responsibility of each designated covered component contracting

with &business &associates to assure that valid Business Associates

Agreements&are&executed.

Ø Business Associate Agreements must be in writing and must contain&

certain language that is HIPAA&compliant.

3. Applicable Regulations

45&C.F.R.&§§ 164.502(e),&164.504(e),&164.532,& 160.402.

C. Complaint

1. Policy

An individual who believes his or her HIPAA&privacy rights have been violated may

file a complaint regarding the&alleged&privacy&violation with&the&University’s&Privacy&

Official of the appropriate Office of Civil Rights (OCR) Regional office. Complaints

submitted to the University’s Privacy Official will be documented, reviewed, and

acted &upon,&if &necessary.

2. Procedure

Filing a Complaint

Ø A&Sample Complaint Form&is set forth on&page&46&of&this&Manual.

Ø If &an&individual&believes his or her &privacy&rights &have&been&violated,&an&

individual may file a complaint with the appropriate OCR Regional office,

or&with &the &University’s &Privacy &Official&located &in&the &office &of &the &Chief

Business &Officer,&Pepperdine &University,&24255 &Pacific&Coast&Highway,&

Malibu, CA&90263. Each designated covered component must develop

and implement a process for receiving complaints and reporting them&to

the University’s Privacy Official (this process can be as simple as

instructing individuals who wish to file a complaint to contact the

University’s&Privacy&Official).

Ø Individuals must file complaints in writing, either paper or electronically.

Ø A&complaint must be filed 180 days from&when the individual knew or

should have known of the circumstance that led to the complaint, unless

this time limit is waived for “good cause” shown.

Ø A&complaint must name the entity that is the subject of the complaint and

describe the acts or omission believed to be in violation of the HIPAA&

requirements.

Ø OCR may prescribe additional procedures for the filing of complaints, as

well as the place and manner of filing, by notice in the Federal Register.

August 1, 2014

& & &

& & & & & & & & &

) )

& & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & &

& & & & & &

& & &

& & & & & &

) ) )

& & & & & & &

& & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & &

& & & & & & & & & & & &

& & & & & & & & &

& & & & & & &

& & & & &

& & & & & & & & & &

& & & & & & & & & & & &

& & & & & &

& & & & & & & & & & &

& &

& & &

Ø Individuals may not be penalized for filing a complaint.

Investigation, Sanctions

Ø The Privacy Official will investigate alleged complaints to determine if a

breach &of &privacy &has &occurred.

Ø If the Privacy Official determines that a violation occurred, the Privacy&

Official&will&apply&appropriate &sanctions &against&the &person&or &entity&who

failed to comply with the privacy policies and procedures and instruct the

person&or &entity&to&take&the&corrective&actions,&if &necessary.&&The&Privacy&

Official will document any sanctions imposed.

3. Applicable Regulations

45&C.F.R. §§ 160.304,&160.306,&160.308,&160.310,&160.410,&164.530.

D. De-Identification of Protected Health Information

1. Policy

The University may use or disclose de-identified&PHI&without &obtaining&an&

individual’s&authorization.&&PHI&shall &be&considered&de-identified&if&either&of&the&two&

de-identification&procedures&set &forth&below &are&followed.

2. Procedure

Removal of Identifiers

Ø De-identified PHI is rendered anonymous when identifying

characteristics&are completely removed and when the University does not

have any actual knowledge that the information could be used alone or in

combination with other information to identify and individual.

Ø De-identification&requires the elimination not only of primary or obvious&

identifiers, such as the individual’s name, address, and date of birth, but

also &of &secondary&identifiers &through &which &a&user &could &deduce &the

individual’s&identity.

Ø For information to be de-identified the following identifiers must be&

removed:

o Names;

o All address information except for the state;

o Names of relatives and employers;

o All elements of dates (except year), including date of birth,

admission date, discharge date, date of death; and all ages over 89

and all elements of dates including year&indicative&of&such&age&

except that such ages and elements may be aggregated into a

single&category&of&age&90&or&older;

o Telephone numbers;

o Fax numbers;

o E-mail addresses;

o Social security numbers;

August 1, 2014

& & &

& & & &

& &

& & & & & &

& & & & &

& &

& & & & & & & &

& & & &

)

) )

& & & & & &

&& & & & & & & & & & &

& & & & & & &

& & & & & & & & & &

& & & & & & & & & & &

& & & & & & & &

)

& & & & & & & & & & &

& & & & & & &

& & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & &

& &

& & & & & & & & & & & & &

& & & & & & & & & & &

& & & & & && & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & & & & &

& & &

o Medical record numbers;

o Health plan beneficiary numbers;

o Account numbers;

o Certificate/license numbers;

o Vehicle identifiers, including license plate numbers;

o Device ID’s and serial numbers;

o Web&Universal &Resource&Locators&(URL);

o Internet Protocol &(IP)&addresses;

o Biometric identifiers;

o Full face photographic images and other comparable images;

o Any other unique identifying number characteristics (except as

otherwise permitted for re-identification&purposes).

Statistical Method

Ø PHI&is&considered&de-identified&if&a &person&with&appropriate&knowledge &of

and &experience &with &generally&accepted &statistical&and &scientific&

principles and methods for rendering information not&individually

identifiable: (a) determines that the risk is very small that the

information could be used, alone or in combination&w it h&other&reasonably&

available information, by an anticipated recipient to identify an individual

who &is a&subject of the information; and (b) documents the methods and

results of the analysis to justify such determination.

Re-identification

Ø A&covered component may assign a code or other means of record

identification&to&allow &information de-identified&under&this&section&to&be&

re-identified by the covered component, provided that&(a) &the &code &or

other means of record identification is not derived from&or&related&to&

information about the individual and (b) the covered component does not

use or disclose the code or other means of record identification for any

other purpose, and does not disclose the mechanism&for re-identification.

3. Applicable Regulations

45&C.F.R.&§§ 164.502(d),&164.514(a)& a nd& (b)

E. Limited Data Sheets

1. Policy

Covered components may use and disclose a limited data set without an individual’s

authorization&for &the &purposes &of &research,&public&health,&or &health &care &operations &if

the &covered component enters into a Data Use Agreement with the intended

recipient of the limited data set. A&designated covered component may use

protected health information to create a limited data set, or to disclose protected

health information to a Business Associate to create a limited data set on behalf of

the covered component.

August 1, 2014

& & &

) ) )

& & & & & & & & & & & &

& & & & & & & & & &

& &

& & &

& & & &

& &

& & & & & & & &

& & & & &

& & & & & & &

& & &

) && & & & &

& & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & &

& & & & & & & & & &

& & & &

& &

& & & & & &

& &

& & & & & & & & & &

& &

& & & & & & & & & &

& & & & & & & &

& &

2. Procedure

Limited Data Set

Ø A&limited data set is PHI that excludes the following direct identifiers of

the individual or relatives, employers, or household members of the

individual:

o Names;

o Postal address information, other than town, city, state, and zip

codes;

o Telephone numbers;

o Fax numbers;

o Electronic mail addresses;

o Social security numbers;

o Medical record numbers;

o Health plan beneficiary numbers;

o Account numbers;

o Certificate/license numbers;

o Vehicle identifiers and serial numbers (including license plate

number);

o Web&Universal&Resource &Locators &(URLs);

o Internet Protocol (IP) address numbers;

o Biometric identifiers, including finger and voiceprints; and

o Full fa ce& photographs&and&comparable images.

Data Use)Agreements.& Data use agreements must:

Ø Establish the permitted uses and disclosures of the limited data set;

Ø Establish who is permitted to use or receive the limited data set;&and

Ø Provide that the recipient of the information will:

o Not use or further disclose the information other than as

permitted by the agreement;

o Use appropriate &safeguards to &prevent&use &or &disclosure &other

than as permitted by the agreement;

o Report to &the &University any &uses &or &disclosures &that&recipient&is

aware of that is not provided for by the agreement;

o Ensure that&the &recipient’s &agents &who &have &access to &the

information agree to the same restrictions as imposed on the

recipient;&and

o Not identify the information or contact the individuals.

3. Applicable Regulations

45&C.F.R.&§ 164.514(e).

August 1, 2014

& & &

F. Minimum Necessary Use and Disclosure of Protected

Health Information

& & & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & && & & &

& & & & & & & & &

& &

&& & & & & & & &

& & & &&

&& & &

& & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & &

& &&

& & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & && & &

& & & & & & & & & & & & & &

& & & & & & & & & & &

& & & &

& & & & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & &

&& &

& & & & & & & & & & &

& & & & & & & & & &

1. Policy

When using or disclosing PHI or when requesting PHI from&another entity covered

by the HIPAA&privacy regulations, the University shall make a reasonable&effort to&

limit itself to the minimum&amount of protected health information necessary to

accomplish the intended purpose of the use, disclosure or request. The University is

not required to apply the minimum&necessary standard under the following&

circumstances:

For Treatment.&&Disclosure&to&or &requests&by&a&health&care&provider for

purposes of &diagnosing&or &treating&an&individual.

To&the&Individual. Uses or disclosures made to the individual.

Ø Pursuant to Patient’s Authorization. Uses&or&disclosures&pursuant &to&a&

valid&authorization.

Ø To&the&HHS. Disclosures&to&the&Office&for&Civil Rights&of&the&U.S.

Department of Health and Human Services for HIPAA&compliance

purposes.

Required&by&Law. Uses&or&disclosures&that &are&required&by&law&(i.e.,&a&

mandate that is contained in law that compels the University to use or

disclose protected health information and that is enforceable in a court of

law,&e.g.,&court&orders,&court-ordered&subpoenas,&civil &or&authorized&

investigative demands).

2. Procedure

The University recognizes that each designated covered component that uses or

discloses protected health information has a unique organizational structure and

that employees of the unit may perform&various functions for the unit that require

different levels of access to protected health information. Further, the

responsibilities&designated&to&these&functions&va ry& across&each&designated&covered&

component at the University and cannot be determined solely based on job title or

description.& For&these&reasons&it &is&the&responsibility&of&each&designated&covered&

component that uses and discloses protected health information to determine those

persons or &classes of &persons,&as&appropriate,&in&its&workforce&who&need&access&to&

protected health information to &carry &out&their &duties; and &for &each &such &person&or

class of persons, the category or categories of protected health information to which

access &is &needed &and &any&conditions &appropriate to &such &access.

For any type of disclosure that it makes on a routine&and&recurring&basis,&a covered&

component must implement policies and procedures (which may be standard

protocols) that limit the protected health information disclosed to the amount

reasonably&necessary&to&achieve&the&purpose&of&t he& disclosure. For&all&other

disclosures, the covered component must develop criteria designed to limit the

protected health information disclosed to the information reasonably necessary to

August 1, 2014

& & &

& & & & & & & & & & & &

& & & & &

& & & & & & & &

& && & &

& & & & & & & & & &

& & & &

& & & & & & &

&& & & & & & & & & &

& & & & & & & & & &

& & && & & &

& &

& & & & & &

) )

& &

& & &

& & & & & &

& & & & & & & &

) ) ) )

& & & & & & && &

& & &

& & & && & & & & & & &

& & & & & & & & &

& && & & & &

& & & & & & & &

& & & & & & & & & &

& & & & & &

& & & & & & & &

& && & & &

& & & & & & & &

& & & & & & & & & & & &

accomplish the purpose for which disclosure is sought and review requests for

disclosure&on&an&individual &basis&in&accordance&with&such&criteria.

3. Applicable Regulations

45 C.F.R. §§&164.502, and 164.514(d).

G. Notice of Privacy Practices

1. Policy

Pepperdine University is committed to maintaining and protecting&the

confidentiality&of&the&individual’s PHI. This&Notice&of&Privacy&Practices applies to

Pepperdine University (Athletics, Boone Center for the Family, Counseling Center,

Disability&Services&Office, Graduate&School of&Education and&Psychology&(PRYDE,

Union&Rescue&Mission,&Clinics), Human Resources, and Student Health Center)

(“Departments”). Pepperdine University is required by federal and state law,

including the Health Insurance Portability and Accountability Act (“HIPAA”), to

protect&the&individual’s PHI&and&other&personal information. Pepperdine is required

to&provide &the &individual&with &this &Notice&of&Privacy&Practices about&the &University’s

policies,&safeguards,&and &practices.&&When&Pepperdine&University&uses&or discloses&

an&individual’s PHI,&Pepperdine&University&is&bound&by the terms of this Notice&of&

Privacy&Practices,&or &the&revised&Notice&of&Privacy&Practices,&if&applicable.

The)University’s Obligations:

Pepperdine&is&required&by&law to:

Ø Maintain&the &privacy &of &PHI&(with &certain&exceptions)

Ø Give&the&individual this &notice &of &the &University’s legal&duties and &privacy

practices &regarding health information about the individual

Ø Follow the terms of the University’s Notice&of&Privacy&Practice that&is

currently&in&effect

2. Procedure

How the)University may)use)and disclose)PHI:

The following&describes&the&ways&the&University may use and disclose PHI. Except

for&the &purposes &described &below,&the &University will&use and &disclose &PHI&only&with

the individual’s written permission. The individual may revoke such permission at

any time by writing to Pepperdine University’s Compliance Officer.

Ø For Treatment. The&University&may use and disclose&PHI for&the&individual’s&

treatment and to provide the individual with treatment-rel ated&health care&

services.& For&example, the University may disclose PHI to doctors, nurses,

technicians,&or &other &personnel,&including&people&outside&the&University’s

office,&who&are&involved&in&the&individual’s medical care and need the

information to provide the individual with medical care.

Ø For Payment. The&University may use&and &disclose&PHI&so&that&the&University

or others may bill and receive payment from&the individual,&an&insurance&

company or a third party for the treatment and services the individual

August 1, 2014

& & &

&& & & & & &

& & & & & & & & & &

& & & & & & &&&

&& & & & & & & &

& & & & & & & &

& & & & & && & & & & &

& & & & & & & & &

& & & & & &

& &

& & & & & & &

& * & & &

& & & & & & & & & &

& & &

& & & & & &

& & & & & & & & &

& & & & & & & & & & & &

** & & & & & & &

& & & &

& & & & & & & & && & & & &

& & & & & & &

& & & & & & & & & & &

&& & & & & & & &

& & && & & & & & & & & &

& & & & & & & & &

& & & & && & & & & & & &

& & &

& & && & & & &

& & & & & & & &

& && & & & & &

& & & & & & & & &

& & & & & &

& &

& & & & & & &

)

& && & &

& & & & & & & & & & &

& & &

received. For&ex a mple,&the&University may tell the individual’s insurance&

company about a treatment the individual is going&to&receive to determine

whether &the &individual’s insurance company will cover the treatment.

Ø For&Health&Care&Operations. The&University may use and disclose PHI for

health&care&operations&purposes.&&These&uses&and&disclosures&are&necessary&

to make sure that all of the University’s patients &receive&quality&care&and&to&

operate and manage the University’s office. For example, the University may

share information with doctors, residents, nurses, technicians, clerks, and

other&personnel &for&quality&assurance&and&educational &purposes.&&The&

University also may share information with other entities that &have&a

relationship with&the&individual (for example, the individual’s insurance&

company&and&anyone&other&than&the&individual who &pays &for &the &individual’s

services)&for&the&individual’s health&care&operation&activities.

Ø Appointment Reminders, Treatment Alternatives, and Health Related

Benefits &and Services.& The&University may use and &disclose &PHI&to &contact&

the &individual to remind them that they &have an appointment with the

University.&&The&University also may use&and &disclose&PHI&to&tell&the&

individual about treatment alternatives or health-related &benefits and

services that may be of interest to the individual.

Ø Third Parties Involved in an Individual’s Care or Payment for an Individual’s

Care. When&appropriate,&the &University may share PHI with a person&who&is

involved&in&the&individual’s&medical&care &or &payment for the individual’s care,&

such as the individual’s family or a close friend. The University also may

notify the individual’s family about the individual’s location&or &general&

condition or disclose such information to an entity (such as the &Red &Cross)

assisting&in&a&disaster &relief &effort.

Ø Research. Under&certain circumstances, the&University may use and disclose

PHI for research. For example, a research project may involve comparing the

health of patients who received one treatment to those &who &received

another, for the same condition. The University will generally ask for the

individual’s written authorization&before &using&the &individual’s PHI&or&

sharing&it w it h&others&to&conduct research. Under limited circumstances, the

University may use and disclose PHI for research purposes &without&the&

individual’s permission. Before the University uses or&discloses PHI&for&

research&without the&individual’s permission, the project will go through a

special a pproval process&to&ensure&tha t research&conducted poses minimal

risk to&t he& individual’s&privacy. The&individu al’s&information&will&be &de-

identified. Researchers may contact the individual to &see &if &the &individual&is

interested&in&or&eligible&to&participate&in&a &study.

SPECIAL )SITUATIONS:

Ø As Required&by&Law. The&University will&disclose &PHI&when&required to &do &so

by &international,&federal,&state &or &local&law.

Ø To Avert a Serious Threat to Health or Safety.**The&University&may use and

disclose&PHI when&necessary&to&prevent&a&serious &threat&to the &individual’s

health&and&safety&or&the&health&and&safety&of&others.&&Disclosures,&however,&

August 1, 2014

& & &

& & & & & & & & & & & & & & & &

& & & & & & & & & && & & &

& & & & & & & & & & &

& & & & & & &&&

& && & & & &

& & & & & & &

& & & & & & & & & &

& & && & & & & & & & &

& & & & & & && &

& &

& & & & & & & & & & & &

& & &

& & & & & & & & &

** & & & & & & & &

& & & & & & & & & &&

& & & & & & & & & &

& & & & & & &

& ** & & & & & &

& & & && & & & & &

** & & & & & & & &

& &&

& & &

& & & &

& & & & & & & & & & & & & & &

& & & & & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & &

& & && & & & & & & &

& & & & & & & & & & &

& & && & & & & & & &

& & & & & & & & &

& & & & & &

& & ** & & & & & & &

** &

& & & & & & & & & & &

will be made only to someone who may be able to help prevent or respond to

the threat, such as law enforcement or a potential victim. For example, the

University may need to disclose information to law enforcement when a

patient reveals participation in a violent crime.

Ø Business Associates. The&University may disclose&PHI to&the&University’s

business &associates that perform&functions on the University’s behalf or&

provide&the&University with services if the information is necessary for such

functions or services. For example, the University may use another company

to perform&billing services on the University’s behalf. All&of &the &University’s

business &associates&are&obligated&to&protect the&privacy&of&the&individual’ s

information and are not allowed to use or disclose any information other

than&as &specified &in&our &contract.

Ø Organ&and &Tissue &Donation. If &the&individual&is &an&organ&donor,&the&

University may use or&release&PHI&to&organizations&that &handle&organ&

procurement or other entities engaged in procurement, banking or

transportation&or &organs,&eyes &or &tissues to &facilitate &organ,&eye &or &tissue

donation&and&transplantation.

Ø Military and &Veterans. If &the&individual &is a member of the armed forces, the

University may release PHI as required by military command authorities.

The&University also may release PHI to the appropriate foreign military

authority&if &the &individual&is a member of a foreign military.

Ø Workers’ Compensation. The&University may release PHI for workers’

compensation or similar programs. These programs provide benefits for

work-related&injuries&or&illness.

Ø Public&Health&Risks. The&University may disclose PHI for public health risks

or&certain occu rrences. These&risks&and&occurrences&generally&include&

disclosures&to&prevent or&control disease,& inju ry&or&disability;&report births&

and &deaths; &report&child,&elder &or &dependent&adult&abuse &or &neglect; &report&

reactions to medications or problems&with&products;&notify&people&of&recalls&

of products they may be using; a person who may have been exposed to a

disease or may be at risk for contracting or spreading a disease or condition;

and the appropriate government authority if we believe a patient has&been&

the victim&of abuse, neglect, or domestic violence (we will only make this

disclosure&when&required&or&authorized&by&law).

Ø Health Oversight Activities. The&University may disclose PHI to a health

oversight agency, such as the California Department of Health and Human

Services&or &Center for &Medicare&and&Medical&Services,&for activities&

authorized by law. These oversight activities include, for example, audits,

investigations,&inspections,&and&licensure.&&These&activities&are&necessary&for&

the &government to monitor the health care system, government programs,

and compliance with civil rights laws.

Ø Data Breach&Notification Purposes. The University may use or disclose the

individual’s PHI&to&provide&legal l y&required&not ices&of&unauthorized&access&to&

or&disclosure&of&PHI.

Ø Lawsuits&and&Disputes. If &the&individual&is involved&in&a &lawsuit &or&a &dispute,&

the &University may disclose PHI in response to a court or administrative

August 1, 2014

& & &

& & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & &

& & & &

& &

& ** & & & & & & & & &

& & & & & && & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & & & &

& & &

& & & & & ** & &

& & & & & & & && & & & & &

& & & & & & & & & & & && &

& & & & & & & & & & & &

& & & & ** & & & &

** & &

& & & & & & & & & & & &

& & & & ** & & & & &

& & & & &

& & & & & & & & & &

& &

) ) ) ) ) ) ) ) ) )

) )

& & & & & & &

** & & & & & & &

& & & & &

& & & & & & && & & & &

& & & &

& & & & & & & & & & & &

& & **

order.&&The&University also may disclose PHI in response to a subpoena,

discovery request, or other lawful request by someone else involved in the

dispute,&but only&if&efforts&have been made to tell the individual about&the

request or&t o&allow the&individual to &obtain&an&order &protecting&the

information requested.

Ø Law Enforcement. The&University may release PHI if asked by a law

enforcement official if the information is: (1) in response to a court order,

subpoena, warrant, summons or similar process; (2) limited information to

identify or locate a suspect, fugitive, material witness, or missing person; (3)

about the victim&of a crime even if, under certain very limited circumstances,

the University is unable to obtain the individual’s agreement; (4) about a

death&the&University believes may be the result of criminal conduct; (5)&about

criminal conduct on the University’s premises; and (6) in an emergency to

report a crime, the location of the crime or victims, or the identity,

description&or&location&of&the&person&who&committed the crime.

Ø Coroners, Medical Examiners and Funeral Directors. The&University may

release PHI to a coroner or medical examiner. This may be necessary, for

example, to identify a deceased person or determine the cause of death. The

University also may release PHI to funeral directors as necessary for their

duties.

Ø National Security and Intelligence Activities. The&University may release PHI

to &authorized &federal&officials &for &intelligence,&counter-intell igence,&a nd&other&

national&security&activities &authorized by law.

Ø Protective&Services&for&the&President &and&Others. The&University may

disclose PHI to authorized federal officials so they may provide protection to

the &President,&other &authorized &persons &or &foreign&heads &of &state,&or to

conduct &special &investigations.

Ø Inmates or Individuals in Custody. If &the&individual&is an inmate of a

correctional &institution&or&under&the&custody&of a law enforcement official,

the &University may release PHI to the correctional institution or law

enforcement official.&&This&release&woul d&b e&necessa ry&if:&&(1)&for&the&

institution&to&provide&the&individual with health&care;&(2)&to&protect &the&

individual’s healt h&and&safety&or&the&health&and&safety&of&others;&or&(3)&the&

safety&and&security&of&the&correctional institution.

USES AND DISCLOSURES THAT REQUIRES THE UNIVERSITY TO GIVE THE

INDIVIDUAL AN )OPPORTUNITY )TO )OBJECT/OPT )OUT:

Ø Third&Parties Involved &in&the&Individual’s Care or Payment for Individual’s

Care. Unless&the&individual objects,&the&University may disclose to a member

of&the&individual’s family, a relative, a close&friend&or&any&other&person&the&

individual &identifies,&the&individual’s PHI&that &directly&relates&to&that &third&

party’s involvement in the individual’s health care. If the individual is unable&

to agree &or &object&to&such &a&disclosure,&the&University may disclose such&

information as necessary if the University determines that it is in the

individual’s&best &interest &based&on&the&University’s professional judgment.

August 1, 2014

& & &

** & & &

& & & & & & & & &

& &

* & & & & & &

)

& & & & & & & & & & & & & &

& &

& & & & & & & &

& & &

& & & & & & & & & & & & & & &

& & &

& & & & & & & &

& & & & & & & & &

& & &

& & & &

) ) ) )

** & & & &

& & & & & & & & & & & & &

& && & & & & & & &

& & & & & & & & & &

& && & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & &

& & & & && & & & & & &

& & & & & & & &

& & & & & & & & & & & &

&& & & & & & & & &

& && & & &

& &

& & &

& & & & & & & & & &

& & & &

& & &

Ø Disaster&Relief. The University may&disclose&the&individual’s PHI&to&disast er&

relief&organizations&that seek &the&individual’s&PHI&to&coordinate&the&

individual’s care,&or&notify family and friends of the individual’s location&or

condition&in&a&disaster.&&The&University&will &provide&the&individual with an&

opportunity&to&agree&or&object to &such &a&disclosure &whenever &the &University

practically&can&do&so.

Ø Fundraising. The University may notify the individual about&fundraising&

events&that &support &Pepperdine&University.

INDIVIDUAL’S)WRITTEN AUTHORIZATION )IS)REQUIRED)FOR)OTHER)USES)AND)

DISCLOSURES:

The&following uses and disclosures of the individual’s PHI will be made only with the

individual’s written&authorization:

1. Uses and disclosures of PHI for marketing purposes;

2. Disclosures&that constitute&a&sale&of &the&individual’s PHI;&and

3. Disclosures&of&psychotherapy&notes.

Ø Other &uses and &disclosures &of &PHI&not&covered &by&this Notice&of&Privacy&

Practice or the laws that apply to the University will be made only with the

individual’s written authorization.&&If &the &individual gives&us&authorization,&

the &individual may revoke it at any time by submitting&a&written&revocation&

to &Pepperdine &University Compliance Officer and we will no longer disclose

PHI&under&the&authorization.&&But &disclosure&that&the &University made in

reliance&on&an&individual’s authorization&before &the &individual revoked&it w il l

not&be&affected&by&the&revocation.

INDIVIDUAL’S RIGHTS REGARDING PHI:

Ø Right&to&Inspect&and&Copy. The&individual &has&a right to&inspect and&copy&PHI

that may be used to make decisions about the individual’s care or payment

for&the&individual’s care. This includes medical and billing records, other

than&psychotherapy notes.&&To&inspect&and&copy&the&individual’s&PHI,&the&

individual must make their request,&in&writing, to the Department in which

their care&was&provided. The University has up to 30 days to make the

individual PHI available to the individual and the University may charge the

individual a reasonable fee for the costs of copying, mailing or other&supplies&

associated with the individual’s request. The University may not charge the

individual &a &fee&if&the&individual needs the information for a claim&for benefits

under the Social Security Act or any other state or federal needs-based

benefit&program. The University may deny the individual’s request in certain&

limited circumstances. If the University does&deny&the&individual’s&request,&

the &individual&has the &right&to &have &the &denial&reviewed &by &a&licensed

healthcare&professional that was &not&directly&involved&in the&denial &of&the&

individual’s request, and&the&University will comply with the outcome of the

review.

Ø Right&to&Get&Notice&of&a&Breach. Pepperdine&University&is committed to

safeguarding&the&individual’s&PHI.& If&a breach&of&the&individual’s PHI&occurs,&

August 1, 2014

& & &

& &

& & & & & & & ** & &

& & & & & & & & &

& & & & &

& & & & & & & & & & & & & & &

& && & & & & & & & & &

& & & & && & & & & & & &

& & & & & & & & & & &

& & & &&

& & &

& &

& & &&&&

& & & & & ** & &

& & & & & & & & &

& & & & & & & &

& &

& & &

& & & & & & & & & &

&& & & & & & & & &

& &

& && & & & & & & & & & & &

& & & & & & & & &&&

** & &

& & & & & & & & &

& & & & &

& & & & & & & & & & & & & & &

& & & & & & & & & & & &

&& & & & & &

& & & & & & & & & & &

& && & & & & & & & & &

& & & & & & & &&

& &

& & & & & & & & & & & & &

& & & & &

& & & & & & & & & &

& & & & & & & &

& & & & & & &

& & & & & & & & && & & &

& &

** & & &

& & & & & &

& & & & & & &

the &University &will&notify &the &individual in&accordance&with&state&and&federal

law.

Ø Right to Amend, Correct or Add an Addendum. If &the&individual feels&that the&

PHI&the&University&has is incorrect, incomplete, or the individual wishes to

add an addendum&to the &individual’s &records,&the &individual&has the &right&to

make such request for as long as the information is kept by or for the

University’s office. The individual must make their request in writing to&the

Department in which their care&was&provided. In the case of claims that the

information is incorrect, incomplete, or if the record was not created by

Pepperdine&University,&the&University may deny&the&individual’s request.

However, if&the&University denies&any&part of&the&individual’s&request,&the&

University&will &provide&the&individual with &a&written&explanation&of &the

reasons&for doing&so&within&60&days&of&the&individual’s request.

Ø Right to an Accounting of Disclosures. Individuals have&the&right &to&request a&

list&of &certain disclosures&the&University made of PHI for purposes other than

treatment, payment, health care operations, certain other purposes

consistent with& l aw,&or&for&which&the&individual provided &written&

authorization.&&To &request&an&accounting&of &disclosure,&individuals must make

their request, in writing, to&the Department in which the individual’s care&

was &provided. The&individual may request an accounting of disclosures for

up&to&the&previous &six&years of &services &provided &before the &date &of &the

individual’s request. If more than one request is made during a 12 month

period, Pepperdine University may charge a cost based fee.

Ø Right&to&Request&Restrictions. Individuals ha ve&t he&right &to&request a

restriction or limitation on the PHI Pepperdine University uses or&disclose&

for treatment, payment, or&health&care&operations.&&Individuals also &have &the

right to request a limit on the PHI we disclose to someone involved in the

individual’s care or the payment for the individual’s care, like a family

member &or &friend. For example, the individual could&ask &that&the &University

not share information about a particular diagnosis or treatment with the

individual’s spouse. To request a restriction, the individual must make their

request, in writing, to&the Department in which &their care&was&provided. The&

University is not&required&to&agree&to&the&individual’s&request&unless&the&

individual &is asking&us to &restrict&the &use and &disclosure &of &the &individual’s

PHI to a health plan for payment or health care operation purposes and &such

information the individual wishes to &restrict&pertains &solely &to &a&health &care

item&or service for which the individual has paid the University out-of-pocket&

in&full.&&If&the&University agrees, the University will comply with the

individual’s request&unless &the&information is needed to provide the

individual with emergency treatment or to comply with law. If the University

does&not&agree,&the&University will&provide &an&explanation&in&writing.&&

Ø Out-of-Pocket-Payments. If &the&individual pays out-of-pocket&(or &in&other

words,&the &individual&has &requested &that&the &University &not&bill&the

individual’s healt h&plan)&in&full &for&a &specific item&or service, the individual

has&the&right &to&ask &that &the&individual’s PHI with respect to that item&or

August 1, 2014

& & &

& & & & & & & & & & & &

& &

& & & & **

& & & & & & & & & & &

& && & & & & & &

& & & & & && & &

& & & & & & &

& & & & & &&

& & & & & &

& & & & &

& & & & & & & && & &

& & & & & & & & & & &

& & & & &

& &

& & & &

** &

&& & &

& &

& & & && & & & & &

& & &

& & & & & & &

& &

& & & & & &

) ) ) ) )

& &

& & & & & & &

& & & & &

& & &

& & & & & & & & & & & & & &

& & & & &

& & & &

& & & & & & & & &

& & & & & & & && &

& & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & &

service not be disclosed to a health plan for purposes of payment or&health&

care&operations,&and&the&University will&honor &that&request.

Ø Right to Request Confidential Communications. Individuals &have&the&right&to&

request that the University communicate with them about medical matters in

a&certain&way&or &at&a&certain location. For example, the individual can ask

that&the &University &only &contact&individuals by mail or at work. To request

confidential communications,&individuals must make their request, in

writing,&to&the Department in which their care&was&provided. The&

individual’s request must specify&how or&where&the&individual wishes to be

contacted.&&The&University will accommodate reasonable requests.

Ø Right&to Choose Someone to Act for the Individual. If &the&individual gives

someone medical power of attorney or if someone is the individual’s legal&

guardian,&that&person&can&exercise&the&individual’s rights and make choices

about&the &individual’s &PHI.&&The &University will&use &our &best&efforts to &verify

that&person&has&authority&to&act for&the&individual before&the&University takes

any&action.&&

Ø Right&to&a&Paper &Copy&of&This&Notice&of&Privacy&Practices. Individuals have&

the &right&to&a &paper&copy&of&this&N otice&of&Privacy&Practices. Individuals may

ask&the University&to&give&the&individual a&copy&of &this&Notice&of&Privacy&

Practices at any time. Even if the individual has agreed to &receive&this&Notice&

of&Privacy&Practices electronically,&individuals are &still&entitled &to &a&paper

copy&of&this&Notice&of&Privacy&Practices.&&Individuals may obtain a copy of this

Notice&of&Privacy&Practices on&our&web &site&at,&

http://www.pepperdine.edu/provost/content/policies/hipaa_manual_5_201

2.pdf.&&To&obtain&a&paper &copy&of&this&Notice&of&Privacy&Practices,&contact&the

Department in which the individual’s care&was&provided.

CHANGES TO THIS NOTICE OF)PRIVACY)PRACICES:

Ø Pepperdine&University reserves the &right&to &change &this &Notice&of&Privacy&

Practices and make the new Notice&of&Privacy&Practices apply&to &PHI&the

University&already&has as well as any information&the&University&receives&in&

the &future.&The University will&post&a&copy &of &the &University’s current &Notice&

of&Privacy&Practice at&our office.&&The&Notice&of&Privacy&Practices will&contain&

the&effective&date&on&the&first &page,&in&the&top&right-hand&corner.&Individuals

will be sent information regarding the changes via e-mail or via mail on how

they &can&obtain&a&new&copy.&&Individuals will&be &asked to &sign&off &on&the &new&

Notice&of&Privacy&Practices at&the &individual’s next scheduled appointment.

COMPLAINTS:

Ø If an&individual believes their privacy&rights&have&been&violated,&the&

individual may file a complaint with Kim&Miller, HIPAA&Compliance Officer,

24255 Pacific Coast Highway, Malibu, CA& 90263, 310.506.4208. All

complaints must be made in&writing.&&Individuals may also contact the

Secretary of the Department of Health and Human Services or Director, Office

of Civil Rights of the U.S. Department of Health and Human&Services.&&Please

contact the &University Compliance Officer if an&individual needs assistance

August 1, 2014

& & &

& & && & &

& & & & & &

& & &

& & & & & & & & &

& & & & &

& & & & & &

& & & & & & & & &

& &

& & & & & &

& & & & & & & &

& & & & &

& & & & & & &

& & & & & & & & & &

& & & & & & & &

& &

& & &

& &

& & & & & &

& & & &

& & & & & &

locating&current contact information. Individuals will&not&be &penalized &or

retaliated against for filing a complaint.

3. Applicable Regulation

45 C.F.R. §&164.520

H. Privacy Official, Security Officer, and Privacy

Coordinators

1. Privacy Official

The&University&has&designated&a &Privacy&Official &who&is&responsible&for&the&

development and implementation of the University’s policies and procedures

related&to&the&privacy&and&security&of&protected health information under HIPAA.

Responsibilities&of&the&Privacy&Official&include:

Ø Maintain ongoing communication with the Security Official&and all&

Privacy&Coordinators.

Ø Coordinate training programs for the designated covered components in

cooperation with &the &Privacy &Coordinators.

Ø Maintain ongoing communications with the IRB&regarding&research &use &of

PHI.

Ø Respond to complaints regarding University policies, procedures, and

practices &related &to&the privacy of health information.

Ø Respond&to,&or &refer &to the appropriate covered component, requests by

individuals for access and amendment, an accounting of disclosures, or

requested&restrictions&to&the&use&and&disclosure&of&t he& individual’s&PHI.

The contact information for the Privacy Official is:

Kim&Miller

Pepperdine&University

24255&Pacific&Coast Highway

Malibu, CA& 90263

E-mail: kim.miller@pepperdine.edu

Telephone:&(310)&506-4208

This&information is subject to change and &will&be &revised &accordingly.

2. Security Official

The&University&has&designated&a&Security&Official&to &assist&the &Privacy&Official&and

Privacy&Coordinators&in&carrying&out &University&adopted&policies&and&procedures

related&to&the&privacy&and&security&of&individuals’ ePHI under HIPAA.

Responsibilities&of&the&Security&Official&include:

Ø Maintain ongoing communication with the Privacy Official&and &all&Privacy&

Coordinators.

August 1, 2014

& & &

& & & & & & & & & & &

& &

& & & & & & & &

& & & & & & & & &

& & & & &

& & & & & & & & & &

& & & & & & & & & & & & &

& & & & &

& & & & & & & &

& &

& & &

& &

& & & & & & & & & & & & &

& & & & &

& & & & & & & & & &

& & & & & & & & & & &

& &

& & & & &

& & & & & &

& & & &

& & & & & & & & &

& & & & & & &

& & & & & &

& & & & & & & & &

& &

& & & & & &

& & & & & & & & & & &

& & & &

Ø Assist in the development of policies and procedures of each covered

component related&t o& the&security&of&ePHI.

Ø Assist in the development and implementation of ongoing security&

awareness and training programs for the workforce of covered

components, researchers, and students with&respect &to&ePHI.

Ø Monitor &the &use &of &security measures to protect ePHI.

Ø Assist in revising the University’s policies and procedures related to the&

privacy and security of ePHI as required to comply with changes in any

applicable laws and document any&changes.

The contact information for the Security Official is:

Kim&Cary

Pepperdine&University

24255&Pacific&Coast Highway

Malibu, CA& 90263

E-mail: kim.cary@pepperdine.edu

Telephone:&(310)&506-6655

3. Privacy Coordinators

The&University&has&designated&Privacy&Coordinators&within&each&of&the&covered&

components to assist the Privacy Official and the Security Officer in carrying out

University&adopted&policies&and&procedures &related &to&the&privacy&and &security&of

protected health information under HIPAA.

Responsibilities&of&the&Privacy&Coordinators&include:

Ø Perform&the role of liaison and maintain ongoing communication with the

Privacy&Official &and&the&Security&Official.

Ø Communicate with the Privacy Official and the Security Official regarding

the privacy and security policies of the covered component within which

the Privacy&Coordinator&is&located.

Ø Develop and maintain procedures consistent with&the&policy&for&

protection&of PHI in the covered component.

Ø Maintain&all&policies and &procedures &in&written or electronic form.

Ø Inform&members of the covered component about the policies and

procedures through various mechanisms, including staff meetings,

orientation for new workforce members, and&ongoing&education.

Ø Monitor the process for identifying workforce members within the

covered component &who&require&access&to&PHI.

Ø Monitor compliance with the policies and procedures&of&the&covered&

component.

Ø Report to the Privacy Official violations that result in an impermissible

use&of &disclosure&of &PHI,&and &report&to&the&Security&Official&violations that&

result in an impermissible&use&of&disclosure&of&ePHI.

August 1, 2014

& & &

& & & & & &

& & & & & & & & & &

&& &

& & &

& & & &

&& &

& & &

&& &

& & & & &

& & & &

&& &

& & & &

& & &

& & & &

&& &

& & & &

&& &

Ø ;Q_R QV$"SQ YZV%UV"QT YZ[R_U]VYQ `U%\ ;42!!&]VT &9VUWQS$U%X&RZ_UYUQ$

]VT &RSZYQT"SQ$,

:\Q YZV%]Y% UV^ZS[]%UZV ^ZS Q]Y\ Z^ %\Q 2SUW]YX 5ZZSTUV]%ZS$ U$e

8%"TQV%&;Q]_%\&5QV%QS

0QaQYY]&0Z_T]V

.A[]U_e SQaQYY],SZ_ T] VnRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&OB'*P&C*EA+B'E&O3R%UZV&oB&^ZS&7"$UVQ$$&4Vb"USUQ$P

!%\_Q%UY :S]UVUV# 5QV%QS

HQWUV LSU#\%( !%\_Q%UY :S]UVQS

.A[]U_e iQWUV,`SU#\%nRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&OB'*P&C*EA+E*)

8%"TQV%&5Z"V$Q_UV#&5QV%QS

=S, /UW_] >U%kR]%SUYi

.A[]U_e VUW_],^U%kR]%SUYinRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&OB'*P&C*EA+)'*

2QRRQSTUVQ&9VUWQS$U%X&2$XY\Z_Z#UY]_ &p&.T"Y]%UZV]_ &5_UVUY

LQ$% 1Z$ !V#Q_Q$ -S]T"]%Q 5][R"$

=S, !]SZV !WUQS]( =USQY%ZS

.A[]U_e&&]]SZV,]WUQS]nRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&OB'*P&CEJACGC)

2QRRQSTUVQ 5Z[["VU%X 5Z"V$Q_UV# 5QV%QS

3S]V#Q 5Z"V%X -S]T"]%Q 5][R"$

=S, ="VY]V LU##( =USQY%ZS

.A[]U_e T"VY]V,` U##n RQRRQSTUVQ,QT"

:Q_QR\ZVQe&&O@+@P&))BA)C))

2QRRQSTUVQ 5Z[["VU%X 5Z"V$Q_UV# 5QV%QS

.VYUVZ -S]T"]%Q 5][R"$

=S, !V]% 5Z\QV( =USQY%ZS

.A[]U_e ]V]%,YZ\QVnRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&OJ'JP&C*'A'EE*

2QRRQSTUVQ&FQSSX&7,;,&9VUZV&0Q$Y"Q&5_UVUY

=S, !]SZV !WUQS]( =USQY%ZS

2QRRQSTUVQ&9VUWQS$U%X&2$XY\Z_Z#X&p&.T"Y]%UZV]_ &5_UVUY

.A[]U_e ]]SZV,]WUQS]nRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&OB'*P&CEJACGC)

!"#"$% '( )*'+

& & &

&& &

& &

&& &

& & & & &

& &

& & & & & & & & & & &

& &

& & & & & & & &

& & & & & &

& & & & & & & & &

& & & & & & & & & & & & & &

2QRRQSTUVQ&FQSSX&7,;,&9VUZV&0Q$Y"Q&5_UVUY

=S, 5]SX&?U%Y\Q__( =USQY%ZS

2QRRQSTUVQ&9VUWQS$U%X&2$XY\Z_Z#X&p&.T"Y]%UZV]_ &5_UVUY

.A[]U_e Y]SX,[U%Y\Q__nRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&OB'*P&C*EAJCCB

;"[]V 0Q$Z"SYQ$

!V#UQ 2QTQS$QV

.A[]U_e ]V#UQ,RQTQS$QVnRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&OB'*P&C*EA+'@*

206=.&O2QRRQSTUVQ&0Q$Z"SYQ(&6Z"%\&=UWQS$UZV(&]VT&

.T"Y]%UZVP

HQVVQ%\ &LZZ#(&!$$ZYU]%Q&=USQY%ZS

-S]T"]%Q&8Y\ZZ_ &Z^&.T"Y]%UZV&]VT&2$XY\Z_Z#X

.A[]U_e iQVVQ%\,`ZZ#nRQRRQSTUVQ,QT"

:Q_QR\ZVQe&&O@+@P&)JBA**+'

7ZZVQ 5QV%QS ^ZS %\Q >][U_X

;Z__X&.aSU#\%

-S]T"]%Q&8Y\ZZ_ &Z^&.T"Y]%UZV&]VT&2$XY\Z_Z#X

.A[]U_e \Z__X,Qa SU#\% n RQRRQSTUVQ,QT"

:Q_QR\ZVQe&OB'*P&C*EA+GG'

=U$]aU_U%X&8QSWUYQ$&3^^UYQ

."VUYQ&5\ZV#

.A[]U_e Q"VUYQ,Y\ZV#nRQRRQSTUVQ,QT"

:Q_QR\ZVQe&OB'*P&C*EAEC**

:\U$ UV^ZS[]%UZV U$ $"alQY% %Z Y\]V#Q ]VT `U__ aQ SQWU$QT ]YYZSTUV#_X,

4. Applicable Regulation

+C&5,>,0,&d 'E+,CB*O]P,

I. Records Retention

1. Policy

:\Q 9VUWQS$U%X `U__ []UV%]UV YQS%]UV TZY"[QV%]%UZV SQ#]STUV# U%$ ;42!!&

YZ[R_U]VYQ( UV `SU%%QV ZS Q_QY%SZVUY ^ZS[,

2. Procedure

Ø 5ZWQSQT YZ[RZVQV%$ ["$% SQ%]UV %\Q ^Z__Z`UV# TZY"[QV%]%UZV ^ZS $Uj

XQ]S$ ^SZ[&%\Q T]%Q Z^ U%$ YSQ]%UZV ZS %\Q T]%Q U% `]$ _]$% UV Q^^QY%

O`\UY\QWQS&U$&_]%QSPe

!"#"$% '( )*'+

& & &

&& & & & & &

& & & & &

&& & & & & &

&& & & & & & & & & &

& & & & & & & & & &

& & & & &

& & & & & & & &

& &

& & & & & & &

& & & & & &

& & & & & & & & & & &

)

& & & & & & & & &

& & & &&

& & && & & & & & & & & &

& & & & & & & & & & &

&& & & & & & &

&& & & & & & & & &

& & & & & & & & &

& & & & && & & & &

& & & &

& & & & & & & & &&

o Policies&and&Procedures. Any policy or procedural documentation,

including&notice&of&privacy&practices,&consents&(if&any)&and&

authorizations, and other standard forms.

o Patient &Requests. Patient requests for access, amendment,&or

accounting&of &disclosures.

o Complaints. The&handling of any individual’s complaints.

o Workforce &Training.&&The&processes&for &and content &of&workforce&

training.

o Sanctions. The handling of any sanctions against members of its

workforce who fail to comply with the privacy policies and

procedures of the covered component.

Ø If &state&laws require longer retention periods, the state requirements

control.

3. Applicable Regulation

45&C.F.R.&§ 164.530(j).

J. Research

1. Policy

HIPAA&establishes privacy protections from&human subjects research and

establishes&the&conditions&under&which&protected&health information may be used or

disclosed&by&Pepperdine&University&for&research&purposes.& This&policy&and&

procedure&should &be&followed &in&addition&to&any&applicable&federal&or&state&

regulations governing the protection of human subjects research, as well as any&

applicable &Institutional&Review&Board &(“IRB”) &policies and &procedures.

2. Procedure

Research

Ø Pepperdine University may use or disclose protected health information

for&research,&regardless&of&the&source&of&the&funding&of&the&research,& in& the&

following&circumstances:

o Individual Authorization.&&The&individual&has&signed&a&valid&

authorization;

o Board Approval of Waiver. The&IRB &has&approved&a &proper&waiver&

of&the&need&to&obtain&the&individuals&authorization;

o Limited Data Set. The health information is used or disclosed in a

limited data set in accordance with a valid Data Use Agreement;

o De-identification. The health information has been de-identified;

o Preparatory&to&Research. PHI may be used or disclosed to a

researcher&as&necessary&to&prepare&a&research&protocol&or for

similar purposes preparatory to research if the University obtains

the following representations from&the researcher: (a) the use or

disclosure&is&sought solely&to&review PHI as&necessary&to&p repare&a

research protocol or for similar purposes preparatory to research:

August 1, 2014

& & &

& & & & & & & & & & &

& && & & & & & & & &

& & && & & & & & & &

& &

& & & & & & & &

& & & &

& & & & & & & & & & & & &

) ) ) ) )

& & & & & & & & & &

& & & &

& & & & &

& & & & & & &

& & & & & & & & & & &

& & & &

& & & & & & & & & & &

& & & & & & & & & &

& & &

& & & & & & & & & & &

)

& & & & & & & &

& & & & & & & & & &

& &

) ) )

& & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & & &

& & & &

& & & & & & & & & &

(b) no PHI will be removed from&the University by the researcher

in&the&course&of&the&review;&and&(c)&the&PHI&for&which&use&or&access&

is&sought &is&necessary&for&the&research&purposes;

o Decedent’s Research. PHI may be used or disclosed to a

researcher&for&research&on decedents&if&the&University&obtains&the&

following from&the researcher: (a) a representation that the use or

disclosure&sought is&solely&for&research&on&the&PHI of&decedents;&

(b)&documentation of the death of such individual(s) and/or

research&subject(s);&(c)&a representation that the&PHI for&which&use&

or&disclosure&is&sought &is&necessary&for&research&purposes.

Ø If the University is also the researcher, the University must still obtain the

proper &authorization&or &fit&within&one&of &the&other exceptions &before&

using&PHI&for &research&purposes.

Research Pursuant to an Authorization

Ø Research authorizations must contain the same core elements as other

authorizations &(Authorization to Use or Disclose&Protected&Health&

Information on pages 9 and &10),&except &for&the&following&differences:

o The University may condition the provision of research-relat ed&

treatment on a provision of authorization for the use or disclosure

of protected health information&for &such&research;

o An authorization&for&use&and&disclosure&of&protected&health&

information for a research study may be combined with any other

type of written permission for the same research study, including

another &authorization&for &the &use &or &disclosure&of&protected&health&

information for such research or consent to participate in such

research;

o A research&aut horiza tion does&not need&to&contain&an&expiration&

date&or&event as&is&required&for&other&authorizations&(the&language&

“end of the research study” or “none” or similar language is

sufficient).

Revocation

Ø A&research authorization may be revoked by an individual.

Ø If &an&authorization is revoked, the University may continue its use or

disclosure&of&the&PHI already&obtained&pursuant to&the&valid&authorization&

to &the &extent&necessary to &preserve &the &integrity &of &the &research &study.

IRB Waiver Approval

Ø For&a use&or&disclosure&to&be permitted upon IRB approval, the IRB must

document that all of the following criteria have been met:

o The use or disclosure of PHI involves no more than a minimal risk

to &the &privacy &of &individuals,&based &on&the &presence &of &the

following elements: (i) an&adequate&plan&to&protect the&identifiers&

from&improper use and disclosure; (ii) an adequate plan to destroy

the &identifiers &at&the &earliest&opportunity &consistent&with &the

August 1, 2014

& & &

& &

& & & & & & & & & &

& & & & & & &

& & &

& & & & &

& & & &

& & & & & & & & & &

& & & & & &

& & & & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & & & &

& &

& & & & & & & & && & & &

& & & & & & && & & & & & &

& & & & & & & & & &

& & & & & & & && & & & &

& & & & & & & & & && & & & &

& & & & & &

) ) )

& & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & &

conduct &of&research,&unless&there&is&a&health&or&research&

justification&for &retaining the &identifiers &or &such &retention&is

otherwise&required&by&law;&and&(iii)&adequate&written&assurances&

that the protected health information will not be reused or

disclosed&to&any&other&person&or&entity,&except as&required&by&law,&

for&authorized&oversight of&t he&resea rch&study,&or&for&other&

research&for&which&the&use&or&disclosure&of&protected&healt h&

information would be permitted under this policy;

o The research&could&not be&conducted&withou t the&waiver&or&

alteration; and

o The research&could&not be&conducted without&access to &and use&of

the protected health information.

Ø The documentation should include a statement identifying the IRB and

the &date &on&which &the &alteration&or &waiver &of &authorization&was &approved.

Ø The documentation should include a brief description&of&the&PHI&for&

which use or access has been determined to be necessary by the IRB.

Ø The documentation should include a statement that the alteration or

waiver &of &authorization&has &been&reviewed.

Ø The Chair of the IRB or other member designated by the Chair must sign

the document.

3. Applicable Regulations

45&C.F.R.&§§ 164.501,&164.508,&164.512.

K. Right to Request Access to Protected Health Information

1. Policy

Individuals &have&the&right&to&request&access &to&inspect&or &copy&their &protected health&

information that is maintained in a designated record set. The University will

address &an&individual’s &request&to &inspect&or &copy&his &or &her &protected &health

information in a timely and professional manner. Individuals do not have the right

to &access &certain&types &of information (set forth below), and in those situations, the

University may deny an individual’s request to access. In certain circumstances, an

individual may have the right to have a denial reviewed. The University will adhere

to &the &procedures &set&forth&below when addressing, denying, or&reviewing an

individual’s&request &to&access.&

2. Procedure

Requests for Access

Ø A&Sample Request for Access Form&is set forth on&page&47&of&this&Manual.

Ø Each covered component must designate the title of the person(s) or

office&responsible for&receiving& and&processing&requests&for&access&by&

individuals.

Ø Individuals must be instructed to direct their request for access to the

designated&person&responsible&for&receiving&such&requests.

August 1, 2014

& & &

& & & & & & &

& & & & & & & &

& & & & & & & & & & & & &

& & & & & & & &

& & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & & & &

& & && & & & & & &

& & & & & & & & & &

& & & & & &

& & &

& & & & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & &

) )

& & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & &

& & & & & && & & & &

& & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & &

) ) )

& & & & & & & & &

& & & & & & & & & & &

&& & & & & & & & &

& & & & & & & & & &

& &

& && & & & & & & & & &

& & & & & & & & & & &

& & & &

&& & & & & & & & & &

& & & & & & & & & &

Ø Individuals may be instructed to make their&request &for&access&in&writing.

Ø The&person&responsible&for processing the request may discuss the scope,

format, and other aspects of the request for access with the individual as

necessary to facilitate a timely provision of access.

Ø The&parties&can&agree in advance that a summary of the requested

protected health information will be provided in lieu of access to the

information.

Ø Upon receipt of a proper request, the covered component will act on the

request by either: (1) informing the individual of acceptance and

providing&the&access &requested; or &(2)&providing&the&individual&with&a&

written&denial&in&accordance &with &the &procedure &set&forth.

Ø If the covered component does not maintain the requested protected

health information, but it knows where the requested information is

maintained, the covered component will inform&the individual &where&to&

direct the&requ est for&access.

Ø An individual’s request for access must be acted upon no later than 30

days after the request is made; or, if the request is for protected&health&

information that is not maintained or accessible on-sit e,&no&later&that 60&

days&after&the&request.

Providing Access

Ø If &a&request&for &access is &granted,&the&individual&will&be&given&access &to&the&

protected health information in a secure and confidential manner.

Ø The covered component will provide the individual with access to the

protected health information in the form&or format requested by the

individual,&if&it is&readily producible in such form&or format. If it is not

readily&producible&in such format, the covered component will provide

the access in such other form&as agreed to by the individual.

Ø In instances where the protected health information is in more than one

record set, or at more than one location, the covered component will only&

produce the protected health information once in response to the request

for&access.

Denial of Access

Ø A&Sample Denial of Access Form&is set forth on&page&45 of&this&Manual.

Ø A&written denial of access may be issued in the following circumstances:

o Psychotherapy&Notes. An individual does not have the right to

access psychotherapy notes relating to him&or herself except (a) to

the &extent&the &patient’s &treating&professional&approves to &such

access &in&writing; &or &(b) &the &patient&obtains &a&court&order

authorizing such&access.

o Legal Information. An individual does not have the right to access

information compiled in reasonable anticipation of, or for use in, a

civil, criminal, or administrative&action&or &proceeding.

o Endangerment. An individual does not have the right to access

information in the event that a licensed health care professional

August 1, 2014

& & &

& & & & & & & & & &

& & && & & & & & &

& & & & & & & & & &

& & &

& & & & & &

&& & & & & & & &

& & & & & & & & &

& &

& & & & & &

& &

& & & & &

&& & & & & & & & &

& & & & & & & & & & &

& & & & & & & &

& & & & &

& & & & & & & &

&& & & & & & & &

& & & & & & & & &

& & & & & && & & &

& &

& & & & & & & & & & & &

& & && & & & &

& & & & & & & & & &

& & & & & & & && & &

& & & & & & & & & &

& & &

& &

& & & & & & & & & &

& & & & & & & & & & &

& & & & & &

& & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & &

& & & & & &

has determined, in the exercise of professional judgment, that the

access &requested &is &reasonably&likely&to &endanger &the &life &or

physical&safety&of&the&individual &or&another&person.

o Obtained from&Someone Else. An individual does not have the

right to access information if the protected health information was

obtained from&someone other than a health care provider under a

promise of confidentiality&and &the &access &requested &would be

reasonably&likely&to&reveal the source of the information.

o Reference&to&Other People. An individual does not have the right

to access information if the protected health information makes

reference&to&another&person and &a&licensed &health &care

professional has determined, in the exercise&of&professional

judgment, that access &requested&is&reasonabl y&l ikely&to&cause&

substantial harm&to such other person.

o Personal &Representative. An individual does not have the right to

access information if the request for access is made by the

individual’s&personal &representative&and&a &licensed&health&care&

professional has determined, in the exercise of professional

judgment, that the provision of&access&to&such&personal

representative is reasonably likely to cause substantial harm&to

the&individual &or&another&person.

o Research. The University may temporarily suspend an individual’s

access to protected health information created or obtained in the&

course of research that includes treatment. The suspension may

last&for as &long&as &the &research &is &in&progress,&provided &that&the

individual &agreed&to&the&denial &of&access when&consenting&to

participate in&the&research,&and&the&individual &has&been&informed

that the right of access will be reinstated upon completion of the

research.

o Other Limited Circumstances. There are other limited

circumstances when an individual does not have the right to

access protected health information, listed in 45 C.F.R. § 164.524.

Ø When denying an individual access to protected health information, the

denial wil l be&written&in&plain&language&and

o Contain the &basis &for &the &denial;

o If applicable, contain a statement of the individual’s review rights,

including a description of how the individual may exercise such

rights;&and

o Contain a description of how the individual may complain to the

University pursuant to the University’s complaint&process &(and

include the title and telephone number of the contact person), or

to &the &appropriate &OCR&Regional&office.

Ø The University must, to the extent possible, grant the individual access to

any other protected health information requested after excluding&the&

protected health information that was denied.

August 1, 2014

& & &

) ) ) ) )

& & & & & & & & & & & &

& & & & &

& & & & & & & & & & & &

& &

& & & & & & & &

& &

& & & & & & & & & & &

& & & & & & & &

) ) )

& & & & & & &

& & & & & & & & & &

& & & & & &

& &

)

& & & & & &

& &

& & & & & & & & & & & &

& & & & & && & & & & &

& & & & & & & & & & & &

& & & & & & & & & & & && &

& & & & & & & & &

& & & & & & & & & &

& & & & &

& & & & & & &

Reviewing a Denial of Access

Ø If access is denied based on (1) Endangerment; (2) Reference to Other

People;&or&(3)&Personal &Representative&(these&exceptions&are&all set &forth&

above), the individual must be&given&the&opportunity&to&have&the&denial

reviewed.

Ø If an individual has requested a review of denial, the University must

designate&a l icensed&health&care&professional,&who&was&not directly&

involved&in&the&denial,&to&review &the&decision&to&deny&access.

Ø The&reviewing&official must determine whether or not to confirm&the

denial ba sed& on&the&standards&set forth&in&45& C.F.R.&164.524(a)(3).&&The&

reviewing official must review the denial of access within a reasonable

period of time and then must promptly notify &the &individual&of &the

decision&and&take&any&necessary&action&to&carry&out the&reviewing&officials&

decision.

Costs and Fees

Ø The University may impose a reasonable, cost-based &fee &for &copying&costs

and &postage &in&response &to &a&request&for &access.

Ø If &the individual agrees in advance, the University may impose a

reasonable&cost-based fee for preparing a summary of&the&protected&

health information.

Documentation

Ø The University must document and retain:

o The&designated&record&sets&that &are&subject &to&access&by&

individuals;&and&

o The&titles&of&the&persons&or&offices&responsible&for&receiving&and&

processing&requests &for &access &by&individuals.

3. Applicable Regulation

45&C.F.R.&§ 164.524.

L. Right to Request an Accounting of Disclosures

1. Policy

The University will permit individuals to request and receive an accounting of

disclosures of their protected health information. An individual may request an

accounting for disclosures that have been made up to six years prior &to&the&date&of

his&or&her&request;&however,&the&University&is&not &required&to&account &for&any&

disclosures that occurred prior to the HIPAA&compliance date of April 14, 2003. The

accounting must include all disclosures except for the following:

Ø Disclosures made to carry out treatment, payment, or health care

operations;

Ø Disclosures made to the individual;

Ø Disclosures made pursuant to an individual’s authorization;

August 1, 2014

& & &

& &

& & & & & & & & & & &

& &

& & & & & & & &

& & & & & & & & &

& & & & & & & & &&

& & & & & & & & & & &

) ) )

& & & & & & & & & & &

& & & & & &

& & & & & & & & &

& & & & &

& & & & & & & & &

& &

) )

& & & & & & & &

& & & & & & & & & & &

& & & &

& &

& & & & & & & & & & &

& & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & &

& & &

& & & & & & & & & &

& & & & & & & & &

& & &

& & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & & &

&& & & & & & & & & & &

Ø Disclosures&for&a facility&directory;

Ø Disclosures&to&persons&directly&involved&in the& individu a l’s&care&or&

payment or disclosures for notification purposes pursuant to 45 C.F.R. §

164.510(b);

Ø Disclosures&for&national security&or&intelligence&purposes;

Ø Disclosures to correctional facilities or law enforcement officials;

Ø Disclosures made as part of a limited data set;

Ø Disclosures that occurred prior to the compliance date; and

Ø Other limited disclosures as set forth in 45 C.F.R. § 164.528.

2. Procedure

Request for Accounting

Ø Individuals will be permitted to request and receive an accounting of

disclosures of their protected health information.

Ø Designated covered components may require requests for an accounting

to be submitted in writing.

Ø A&Sample Request for Accounting of Disclosures Form&is set forth on&page&

35 of&this&Manual.

Accounting Requirements

Ø A&Sample Accounting for Disclosures Form&is set forth on&page&48 of&this&

Manual.

Ø An individual must receive a written accounting of disclosures and the

written accounting must include:

o The date&of&disclosure;

o The name of the entity or person who received the protected

health information, if known, the address of such entity or person;

o A brief description of the protected health information disclosed;

and

o A brief statement of the purpose of the disclosure; or in lieu&of&

such statement, a copy of a written request for a disclosure, if any.

Ø If the University has made multiple disclosures of the protected health

information to the same person or entity for a single purpose, or pursuant

to &a&single &authorization,&the &accounting may, with respect to such

multiple disclosures, provide:

o The information required above for the first disclosure during the

accounting&period;

o The frequency or number of disclosures made during the

accounting&period; and

o The date&of&the&last such&disclosure&during&the&accou nting&period.

Ø The University must act on the individual’s request for an accounting no

later &than&60 &days &after &receipt&of &such &a&request.&&If &the &University &is

unable to provide the accounting within this time frame, it may extend&

the time to provide the accounting by no more than 30 days, provided

that: (1) the University provides the individual with a written statement

of&the&reasons&for&delay&and&the&date&by&which&the&University&will provide&

August 1, 2014

& & &

& &

& & & & & & & & & &

) ) ) ) )

& & & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & &

) ) )

& & &

& & & & & & & &

& & & & & & & & & &

& & & &

& & & & & & & & & & & &

& & & & & & & & & & &

& & &

& & & & & & & & & & & & &

& && & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & & && &

& & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & &

& & & & & &

) ) ) )

& & & & & & & & &

& & & & & & & & & & & &

& & & &

& & & & & & & & & & &

the &accounting; and &(2) &the &University may have&only&one&such&extension&

of time for action on a request for an accounting.

Suspension of Accounting of Disclosures

Ø An accounting of disclosures may be suspended at the request of a health

oversight agency or law enforcement official if certain conditions are met.

Ø If a designated health care component receives a request to suspend an

individual’s&right &to&receive&an&accounting&of&disclosures,&the&designated&

covered component should contact the University’s Privacy Official.

Costs and Fees

Ø The first accounting&of&disclosures&to&an&individual in&any&twelve&(12)

month period must be provided at no charge.

Ø A&reasonable cost-based fee may be imposed for each subsequent request

for&an&accounting&by&the&same individual within the 12-month&period,&

provided that the University informs the individual in advance of the fee

and provides the individual with an opportunity to withdraw or modify

the &request.

3. Applicable Regulation

45&C.F.R.& § 164.528.

M. Right to Request an Amendment to Protected Health

Information

1. Policy

Individuals have the right to request an amendment or correction to their protected

health information. The University will permit an individual to request an

amendment to his or her protected health information in their designated record set

for as long as the information is maintained in the designated record set. An

individual can request an amendment to his or her protected health information

that was not created by the University, but the individual must provide the

University&with&a reasonable basis to believe that the originator of the information is

no&longer &available&to&act&on&the&request.&&The&University&has&the&right&to&deny&the&

request to amend in certain circumstances.

2. Procedure

Requests for an Amendment

Ø A&Sample Request for an Amendment Form&is set forth on&page&49 of&this&

Manual.

Ø Each covered component of the University must designate the title of the

person(s)&or &office&responsible&for &receiving&and &processing&requests for&

an amendment by individuals.

Ø Individuals must be instructed to direct their requests for an amendment

to &the &designated &person&responsible &for &receiving&such &request.

August 1, 2014

& & &

& & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & &

& & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & & & & &

&& & & & & & & & & & &

& & & & & & & & & & & & &

) ) ) ) )

& & & & & &

& & & & & & & & & &

& &

& & & & & & & & & & &

& & & & & & & &

& & & & & & & & & &

& & & &

) ) ) ) )

& & & & & & & & & &

& &

& & & & & & & & & & & &

& & & & & & & & &

& &

& & & & &

& & &

& & & & & & & & & & & &

& & & &

& & & & & & & & & &

& & & & & &

& &

Ø A&covered component may instruct individuals to make their requests in

writing and may require the individual to provide a reason to support the

requested amendment, as long as the designated covered component

informs the individual in advance of such requirements.

Ø The University must act upon an individual’s request for amendment no

later &than&60 &days &after &receipt&of &the &request.&&If &the &covered&entity&is&

unable to act on the amendment within this time period, the University

may extend the time for such action by no more than 30 days, provided

that: (1) the University provides the individual with a written statement

of&the&reasons&for&the&delay&and&the&date&by&which&the&University&will

complete its action on the request; and (2) the University may have only

one such extension of time for action on a request for an amendment.

Accepting a Request to Amend

Ø If the requested amendment is accepted,&in&whole &or &in&part,&the &covered

component shall inform&the individual of the acceptance and make the

appropriate amendment.

Ø At a minimum, the covered component shall amend the information by

identifying the affected information in the designated record&set and&

appending&or &otherwise &providing&a&link&to &the &location&of &the

amendment.

Ø The covered component and the individual should identify the relevant

persons or &entities,&including&business &associates,&who&need &to&be&

informed about the amendment.

Denying a Request to Amend

Ø A&Sample Denial of Request for an Amendment Form&is set forth on&page&

44 of&this&Manual .

Ø An individual’s request for an amendment may be denied if the covered

component determines that the protected health information or record

that&is &the &subject&of &the &request:

o Was not&created&by&the&University,&unless&the&individual&provides&a&

reasonable&basis&to&believe&that the&originator&of&the&protected

health information is no longer &available to &act&on&the &requested

amendment;

o Is not&part of&the&individual’s&designated&record&set;

o Is not&available&for &inspection&by&the&individual&pursuant&to&the&

Access to Right to Request Access to PHI policy, set forth herein;

and

o Is accurate and complete.

Ø If a covered component denies the requested amendment, the covered

component shall inform&the individual in writing.

Ø The&denial &shall &be&written&in&plain&language&and&contain&the&following:

o The basis &for &the &denial;

August 1, 2014

& & &

& & & & & & & & & & & & &

& & & & & & & & & &

& & & & & & & &

& & & & & & & & & & & &

& & & & & & & & &

& & & & & &

& & & & & & & & & &

& & & & & & & & & & &

& &

& & & & & & &

& & & & & & & &

& & & & & & & & & & & &

& & & & & & & &

) ) )

& & & & & & & & & & &

& & &

& & & & & & & & & &

& &

)

& & & & & & & & & &

& & & & & & & & & & & && &

& & & & & & & &

& & & & & & & & & & &

& & & & &

& & & & & &

& && & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & &

& & &

o A statement notifying the individual that he or she has the right to

submit a written statement of disagreement and a description of

how the individual may file such a statement;

o A statement notifying the individual that if he or she does not

submit a statement of disagreement, the individual may request

that the designated covered component provide&the&individual’s

request for amendment and the denial with any future disclosures

of the protected health information that is the subject of the

amendment; and

o A description&of&how the&individual may file a complaint pursuant&

to &the &Privacy Complaint Policy and Procedure, set forth above.

Ø If the University denies a request for an amendment, the individual has

the right to file a statement of disagreement.

Statement of Disagreement

Ø If the University denies an individual’s request for an amendment, the

individual will have the right to submit a statement of disagreement.

Ø The University may then prepare a written rebuttal to the individual’s

statement of disagreement.

Ø A&copy of the rebuttal must be provided to the individual.

3. Applicable Regulation

45&C.F.R.&§ 164.526.

N. Right to Request Confidential Communication

1. Policy

Individuals may request to receive communications of protected health information

in a confidential manner (e.g., by alternative means or in alternative locations). The

University shall accommodate reasonable requests to receive confidential

communications.

2. Procedure

Ø A&covered component may require an individual to make a request to

receive confidential communications in writing.

Ø Covered components may condition the provision&of&a reasona ble&

accommodation on: (1) information as to how payment (if any) will be

handled; and (2) specification of an alternative address or other method

of&contact.

Ø A&covered component may not require an explanation from&the individual

as to &the basis &for &the &request&as &a&condition&of &providing&confidential&

communications.

3. Applicable Regulation

45 C.F.R. §&164.522(b)

August 1, 2014

& & &

& & & &

& && & & & & & & & & & & &

& & & & & & & & & & & & & & &

& & & & & & & & & && &

) ) ) ) ) ) ) )

& & & & & & & & & & & & & &

& & & &

& & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & &

& &

& & & & & & & & & &

& & & & & & & & &

& & & & & & & & & & &

& & & & & & & &

) ) )

& & & & &

& & & & & & & & &

& & & & & & & & & & &

& & & & & & & &

& & &

& & & & & & & &

& &

& & && & & & & &

& & & & & & & & & & & &

O. Right to Request Restrictions on the Use and Disclosure

of Protected Health Information

1. Policy

Individuals may request restrictions&on the&use&and&disclosure&of&their&protected&

health information. Requests for restriction do not have to be granted; however, if

the University agrees to a restriction, it may not use or disclose the protected health

information in violation of the restriction, except in emergency situations. Further,

any&agreed-to &restriction&will&not&be &effective to &prevent&uses and &disclosures to &the

individual &or&as&required&by&law.

2. Procedure

Request to Restrict Use)or Disclosure)of Protected Health Information

Ø An individual may request a restriction on the use and disclosure of his or

her protected health information.

Ø A&covered component does not have to agree to requests for restrictions;

however, if it does agree, the covered component may not use or disclose&

the protected health information in violation of such restriction, except in

emergency situations.

Ø The covered component should discuss with the individual whether the

restriction should be communicated to others (i.e., other covered

components of the University or business associates who may be sending

the individual communications on behalf of the University).

Terminating a Restriction

Ø A&restriction can be terminated if:

o The individual &requests&the&restriction&in&writing&or&orally&(if&the&

termination is requested orally, it should be documented; or

o The designated covered component informs the individual that it

is terminating the agreement to a restriction, in which case the

termination will only apply to protected health information

created&or&received&after&the&individual &has&been&notified&of&the&

termination.

3. Applicable Regulation

45 C.F.R §&164.522(a).

P. Safeguarding Protected Health Information

1. Policy

Pepperdine University will implement appropriate administrative, technical, and

physical&safeguards,&which will&reasonably &safeguard &the &confidentiality &of

protected health information. Designated covered components may develop

additional policies and procedures that are stricter than the parameters set forth

August 1, 2014

& & &

& & & & & & & & & & & & & &

& & & & & & &

& & & & & & & & & & &

& & & & & & & &

& & & && & & & & & & &

& & & & & & & & &

& & & & &

& & & & & & &

& & & & & & & & &

&& & & & & & & &

& & & & & & & & & & &

& & & & & &

&& & & & & & & & & & &

& & & & & & &

& & &

& & & &

& && & & & & &

& & & & & & & & &

& && & & & & &

& & & & & & & &

& & & &

& && & & &

& & & & & & & & & & & & &

& & & & & & &

& & &

& & & & & & & & & &

below in order to maximize the privacy of protected health information in light of

the unique circumstances of a particular component.

2. Procedure

The University recognizes that each designated covered component has a unique

organizational &structure.&&For&this&reason,&it &is&the&responsibility of&each&designated&

covered component to determine and implement reasonable administrative,

technical, and physical safeguards. The following list of guidelines contains some

suggestions of administrative, technical, and physical safeguards that covered

components may wish to adopt:

Ø Oral Communications.&&Exercising&due&care&to&avoid&unnecessary&

disclosures of protected health information through oral

communications, such as avoiding such conversations in public areas.

Ø Telephone&Messages. Limiting messages left on answering machines and

voicemails to appointment reminders and messages that do not link an

individual’s name to protected health information.

Ø Faxes. Placing fax machines in secure areas not readily accessible to

visitors,&clients,&patients,&etc. and/or &using&a&cover &sheet&with a&

confidentiality notice when faxing protected health information.

Ø Paper&Records. Storing&paper &records&and&charts&in&a&way&that&avoids&

access &by&unauthorized &persons,&such as&in&locked &filing&cabinets.

Ø Desks and Working Areas.&&&Securing&desks&and&working&areas&that&

contain protected health information.

Ø Computer Monitors. Positioning computer monitors away from&common

areas &or &installing&a&privacy&screen&to &prevent&unauthorized &viewing,&

and/or &creating&password &protected &screen&savers.

Ø Disposal of&Paper&records. Disposing of documents containing protected

health information in a secure manner, e.g., by shredding.

Ø Disposal of&Electronic&Materials. Disposing of electronic material that

contains&unencrypted protected health information in a secure method.

Ø E-mails.&&Sending&e-mails that contain protected health information with a

confidentiality&notice,&and/or&sending&such&e-mails in encrypted form.

Ø Electronic Documents. Securing protected health information&that is&

stored on a hard disk drive or other internal component of a personal

computer, such as by password or encryption.

3. Applicable Regulation

45 C.F.R. §&164.530(c).

Q. Training

1. Policy

Each designated covered component is responsible for training its workforce

(including employees, students, volunteers, etc.) with respect to the University’s

August 1, 2014

& & &

& &

& & & & & & & & & &

)

& & & & & & & & & & &

& & & & & & & & & & && &

& & & & & & & & & & &

& & & & & &

& & & & & & & & & & & & & &

& & & & & & & & &

& & & & & & & & & & & &

& & & &

)

& & & & & & & & & &

& &

HIPAA&policies and &procedures &on&the &use and &disclosure &of &PHI&as &necessary&and

appropriate &for &the members of the workforce to carry out their function.

2. Procedure

Training

Ø It will be the responsibility of each designated covered component to

ensure&that &its&workforce&receives&training.

Ø Each employee must be trained no later than April 14, 2003. Each&new

employee must receive training within a reasonable period of time after

the person becomes an employee, etc.

Ø If there is a material change in the policies and procedures and, as a

result, certain employees are affected, those employees must receive

training on the material change within a reasonable period of time after

the change becomes effective.

Documentation

Ø A&covered entity must document that the training has been provided.

3. Applicable Regulation

45&C.F.R.&§ 164.530(b).

August 1, 2014

& & &

& & & & & & &

& & & & & &

& & &

& & & & &

& &

& & & & & & &

& & & & &

& & & & & & &

& & & & & & & &

& &

HIPAA Sample Forms [see following pages]

A. Accounting for Disclosures of Protected Health Information

B. Authorization to Use/Disclose Protected Health Information

C. Business Associate Agreement

D. Denial of Request for Amendment

E. Denial of Request for Access

F. Privacy Complaint

G. Request for Access to Protected Health Information

H. Request for Accounting of Disclosures

I. Request for Amendment to Protected Health Information

J. Acknowledgement of Receipt of Notice of Privacy Practices

August 1, 2014

& & &

* *

& &

A. Accounting for Disclosures of Protected Health

Information

Date*of

Disclosure

Name*and*

Address*of

Person who

Received PHI

Reason for

Disclosure

Description

of*PHI

Disclosed

Persons*or

Offices*

Processing*

the*

Accounting

August 1, 2014

& & &

&& &

&& && & && &

& & & & & & & & & & & & &&

& & & & && & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & &

& & & & &

& & & & & & & &

& & & & & & & & & & & & )

) ) ) ) ) ) ) &

& & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & &

& && ) ) ) ) ) ) ) ) &

& & & & & & & & & & & &

& & & & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & & & &

& && & & & & & & & & & & &

& & & &

_______________________________________________________________________________________________________________

B. Authorization to Use/Disclose Protected Health

Information (HIPAA)

Name: _____________________________________________

Location: __________________________________________

Telephone Number: (____)______________________

I&hereby a

uthorize the use and/or disclosure of my health inform a tion as de scrib ed below. I&

understand that this authorization&is voluntary. I also understand that if the person&or organization&

authorized to&receive the information is not a&health plan or&health care provider, the released

informat ion may be re-disclosed&and&may no&longer be protected&by the federal privacy regulations.

1. Person&or o

rganization&authorized&to disclose the health&information:

2. Person&or o

rganization&authorized&to receive the health&information:

3. Description o

f health information that may be used/disclosed:

4. Description o

f each purpose for which the hea lth information will be used/disclosed (Note:&&Not

required if disclosure is requested by the individual):

5. I&understand th

at&the person or organization that&I am authorizing to use/ disclose the

informat ion may receive compen sa tio n in exchange for the health information described above.

6. I&understand th

at&I&may refuse to sign this authorization and that&my refusal to sign will n o t&

affect my&ability&to&enroll in a&health plan, obtain&health care treatment or payment or my

eligibility&for benefits.* (Note:&&Not required if disclosure is requested by the individual).

7. I&understand th

at&I&may revoke this authorization at&any time by p rov iding written notice to:

I&understand th

at&my revocation w il l not affect any actio n s already taken in reliance on th is

authorization.

8. I&understand I&

may inspect&or cop y any information to be used or disclosed under this

authorization.

9. Unless o

therwise revoked in writing, this authorization will expire ________ days from the date

signed below. If this&date is&left blank, the authorization will automatically expire one year&from

the date I&sign below.

August 1, 2014

& & &

& & & & & & & & & &

& & &

& & & & & & && & & &

& & & & & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & & &

& &

8U#V]%"SQ Z^ 4VTUWUT"]_ OZS 1Q#]_ 0QRSQ$QV%]%UWQP =]%Q

4VTUWUT"]_c$ /

][Q O2SUV%P

/][Q Z

^ 1Q#]_ 0QRSQ$QV%]%UWQ( U^ ]RR_UY]a_Q O2SUV%P 0Q_]%UZV$\UR

q! \

Q]_%\ R _]V []X YZVTU%UZV QVSZ__[QV% ZS Q_U#UaU_U%X ^ZS aQVQ^U%$ ZV ]V UVT UWUT"]_ RSZWUTUV# ]V

]"%\ZSUk]%UZV RSUZS %Z&QVSZ__[QV% U^ %\Q ]"%\ZSUk]%UZV $Z"#\% U$ ^ZS %\Q R_]Vc$ Q_U#UaU_U%X&ZS QVSZ__[QV%

TQ%QS[UV]%UZV$ SQ_]%UV# %Z&%\Q UVTUWUT"]_ ZS ^ZS U%$ "VTQS`SU%UV# SU$i&ZS SU$i&S]%UV# TQ%QS[UV]%UZV$

]VT %\Q ]"%\ZSUk]%UZV U$ VZ% ^ZS ]&"$Q ZS TU$Y_Z$"SQ Z^ R$XY\Z%\QS]RX&VZ%Q$ O+C 5,>,0,

'E+,

C*JOaPO+POUUPO!p7PP,

!"#"$% '( )*'+

& & &

* *

& & & & & & & & & & & & & &

& & & && & & & & & &

& & & & & &

& & & & & & & & & &

& & & & & & & & &

& & & & & &

* *

& & && & & & & & & & &

& & & & & & & & & & & & & & &

& & & & * * *

& & && & & & & & & & & & &

& & & & & & & & & & & & & &

& & & & &

& && & & & & & & &

& & & & & & & & & & & &

* * *

& & & &

& & & & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & & & & &

& & & & &

& & & &

& & & & & & & & & & & &

& & & & & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & &&

C. Business Associate Agreement

Pepperdine University

Business*Associate Agreement

Definitions:

The following terms used in this Agreement shall have the same meaning as those

terms in the HIPAA&Rules: Breach, Data Aggregation, Designated Record Set,

Disclosure, Health&Care&Operations, Individual, Minimum&Necessary, Notice of

Privacy Practices, Protected Health Information, Required By Law, Secretary of

Department of Health and Human Services, Security Incident, Subcontractor,

Unsecured Protected Health Information, and Use.

Specific Definitions:

(a) Business Associate. “Business Associate” shall generally have the same meaning

as the term&“business associate” at 45 CFR 160.103, and in reference to the party to

this agreement, shall mean _______________________________________ [Insert name*of

Business*Associate].

(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the

term&“covered entity” at 45 CFR 160.103, and in reference to the party to this

agreement, shall mean Pepperdine University.

Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

Obligations*and Activities*of Business*Associate:

Business Associate agrees to:

(a) Not use or disclose protected health information (“PHI”) other than as permitted

or required by the Agreement or as required by law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 64 with

respect to& electronic&PHI, to&prevent use&or&disclosure&of&PHI other&than as&provided&

for by the Agreement;

(c)&Report &to&Covered&Entity&any&use&or&disclosure&of&PHI&not &provided&for&by&the&

Agreement of which it becomes aware, including breaches of unsecured PHI as

required at 45 CFR 164.410, and any security incident of which it becomes aware

within&seven&(7) &business &days;

(d)&In&accordance&with&45&CFR&164.502(e)(1)(ii)&and&164.308(b)(2),&if&applicable,&

ensure that any subcontractors that create, receive, maintain, or transmit PHI on

behalf of the Business Associate agree to the same restrictions, conditions, and&

requirements that apply to the Business Associate with respect to such information;

August 1, 2014

& & &

& & & & & & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & & & &

& & & & & & & & & & &

& & &

* * * *

& & & & & & & & & & & & &

& & & &

& & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & & & & & & &

* * * * * * * * * *

* *

& & & & & & & & & & & & & &

& & & & & & &

& & & & & & & & & &

& & & & & & & & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & &

& &

& & & & & & & & & & & &

(e)&Make&available&PHI&in&a &designated&record&set &to&Covered&Entity&as&necessary&to&

satisfy&Covered&Entity’s&obligations&under&45&CFR&164.524;

(f) Make any amendment(s) to PHI in a designated record set as directed or agreed

to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as

necessary&to&satisfy&Covered&Entity’s&obligations&under &45&CFR&164.526;

(g) Maintain and make available the information required to provide an accounting

of&disclosures&to&Covered&Entity&as&necessary&to&satisfy&Covered&Entity’s&obligations&

under &45 &CFR&164.528;

(h) To the extent the Business Associate is to carryout one or more of Covered

Entity’s obligation(s) under Subpart E or 45 CFR Part 164, comply with the

requirements of Subpart E that apply to the Covered Entity in the performance of

such&obligation(s);&and

(i)&Make&its&internal &practices,&books,&and&records&available&to&the&Secretary&of&

Department of Health and Human Services for purposes of determining compliance

with the HIPAA&Rules.

Permitted Uses*and Disclosures*by Business*Associate:

(a) Business Associate may only use or disclose PHI as necessary to perform&the

services&set forth&in Service Agreement.

(b) Business Associate may use or disclose PHI as required by law.

consistent with Covered Entity’s minimum&necessary policies and procedures.

(d)&Business Associate may not use or disclose protected health information in a

manner that would violate Subpart E or 45 CFR Part 164 if done by Covered Entity.

Provisions*for Covered Entity to Inform Business*Associate of Notice of Privacy

Practices*and Restrictions*(“NPP”):

(a) Covered Entity shall notify Business Associate of any limitation(s) in the NPP of

Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect

Business Associate’s use or disclosure of PHI.

(b)&Covered&Entity&shall notify Business Associate of any changes in, or revocation

of, the permission by an individual to use or disclose his or her PHI, to the extent

that such changes may affect Business Associate’s use or disclosure of PHI.

(c)&Covered&Entity&shall &notify&Business Associate of any restriction on the use or

disclosure&of&PHI that Covered&Entity&has&agreed&to&or&is&required&to&abide&by&under&

45 CFR 164.522, to the extent that such restriction may affect Business Associate’s&

use&or &disclosure&of &PHI.

August 1, 2014

& & &

& && & & & & & & & & &

* * & & & & &

* * *

& & & & & & & & & & &

& & & && & & & & & &

& & & & & & & & & & &

& & & & & &

& && & & & & & & & & & &

& & & & & & & & & & &&

& & & & & & & & & & & & & &

& & & & & & & &

& & & & & &

& & & & & & & & & & &&&

& && & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & & & &

& & &&&

& & & & & & && & & & &

& & & & & & & & &

& & & & & & & & & & & &

& & & & & & & & && &

& &

& && & & & & & & & & & &

& & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & &

& &

& & & & & & & & & & & & &

Term*and*Termination:

(a) Term. The Term&of this Agreement shall be effective as of

___________________________________[Insert effective date], and shall terminate on

____________________________________________[Insert termination date] or&on&the&date&

Covered&Entity&terminates for cause as authorized in paragraph (b) of this Section,

whichever &is &sooner.

(b) Termination for Cause. Business Associate authorizes termination of this

Agreement by Covered Entity, if Covered Entity determines Business Associate has

violated a material term&of the Agreement.

Miscellaneous:

(a) Injunctions. Covered Entity and Business Associate agree that any violation of

the provisions of this Agreement may cause irreparable harm&to Covered Entity.

Accordingly, in addition to any other remedies available to Covered Entity at law, in

equity, or under this Agreement, in the event of any violation by Business Associate

of any of the provisions of this Agreement, or any explicit threat thereof, Covered

Entity&shall&be&entitled &to&an&injunction or other decree of specific performance with

respect to& such&violation or&explicit threat thereof, without any&bond&or&other&

security being required and without the necessity of demonstrating actual damages.

(b) Indemnification. Business Associate shall indemnify, hold harmless, and defend

Covered Entity from&and against any and all claims, losses, liabilities, costs and other

expenses resulting from, or relating to, the acts or omissions of Business Associate&

in connection with the representations, duties and obligations of Business Associate

under this Agreement.

Agreement for any reason, Business Associate shall return to Covered&Entity,&or&if&

agreed to by Covered Entity destroy, all PHI received from&Covered Entity, or

created, maintained, or received by Business Associate on behalf of Covered Entity,

that the Business Associate still maintains in any form. Business Associate &shall&

retain no&copies&of&the&PHI.

(d) Survival. The obligations of Business Associate under this Section shall survive

the termination of this Agreement.

(e) The parties agree that the Business Associate Agreement may need to be

amended as necessary to accommodate changes to HIPAA&or other privacy laws and

regulations&in the&future.

(f) The parties further agree that the Business Associate (and its subcontractors if

applicable) &is &acting&as &an&independent&contractor and &not&as &an&agent&of &the

Covered&Entity.

August 1, 2014

& & &

& & & & & & & &

& & & & & & & & &

& & &

& & & & &

* * * & & & & & & & & &

& &

&& &

&&&&& &

&& &

&&&&& & &

(g) For questions regarding Pepperdine University’s HIPAA&compliance, please

contact Kim&Miller, HIPAA&Compliance Officer, 24255 Pacific Coast Highway, Malibu,

CA& 90263, 310.506.4208.

IN &WITNESS& WHEREOF, PEPPERDINE UNIVERSITY AND ____________________________*

[Insert name of Business*Associate] have executed this Agreement as of the date

first written&above.

ATTEST:

by_____________________________________________________

PEPPERDINE&UNIVERSITY

ATTEST:

by_____________________________________________________

BUSINESS ASSOCIATE

Date__________________________

August 1, 2014

& & &

&& &

&&&&&&&&& & & &

& & & & & & & & & & &

) ) &

&&&&&&&&&&&&&&&& &

& & & & & & & &

) ) ) ) ) ) ) ) )

)

& & & & & & & & & & & && & & &

& & & & & & & & & & & &

& & &

& & & & & & & & & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & &

& & & & & & & & & & & & &

& & && & & & & & & & &

& &

&& &

& & & & & & & & & & &

& &

_________________________________________________________________________________________________

_____________________________________________________

D. Denial of Request for an Amendment

To: ____________________________________________________________________________

Name of Individual

Your request to amend your Protected Health Information to Pepperdine University

has&been&denied&because&(9737-)439&9 @$, .-8&3%):

______________________________________________________& ________________________________

Responsible Party’s Name (#,&87) Date

L&7%-)$@ 7M-)2-,9$89 $, $@@&'-9 ,-92$89&4%-)@$, ,-'-&>&86 38. 2,$'-99&86 7M-),-c/-97

You may have the right to submit a written statement of disagreement. If you have

the right to submit a written statement of disagreement, submit it to:

Name of Department

If you do not submit a written statement disagreeing with the denial, you may

request, in writing, that we provide your request for amendment and our denial

with any &future &disclosures of the Protected Health Information that is the subject of

your&request.

You may make a complaint to the University’s Privacy Official regarding the denial

of your amendment. The contact information for the Privacy Official is:

Kim&Miller

Pepperdine&University

24255&Pacific&Coast Highway

Telephone:&&(310)&506-4208

E-mail: kim.miller@pepperdine.edu

You may also submit a written complaint to the appropriate Office&of&Civil Rights&

Regional&Office.

August 1, 2014

& & &

)

& & & & & & & & & & & & & &

& & & &

& & & & & & & & &

) ) ) ) ) ))

)

& & & &

) &

& & & & & & & & & &

) ) ) &

& & & & & & & & & & & & & & &

& & & & & & &

& & & & & & & & & & & & &

& & & & & & & & & & & & & &

& & & & & & & & & &

& & &

& & & & &

_________________________________________________________________________________________________

_________________________________________________ ________________________

E. Denial of Request for Access

Your request to access or obtain a copy of your Protected Health Information has

been&denied &for &the &following&reasons:

Responsible Party’s Name (#,&87) Date

L&7%-)$@ 7M-)2-,9$89 $, $@@&'-9 ,-92$89&4%-)@$, ,-'-&>&86

In&accordance&with&applicable&law&and Pepperdine University’s HIPAA&privacy

policies,&you&_____ &do&_____ &do&not&(2%-39-)'M-'U $8-)&have&the&right &to&have&this&denial

reviewed&by&Pepperdine.

If this &denial&is &subject&to&review&as &indicated &above&and &you&desire&to&have&the&

decision&reviewed,&please check the box below and return this form&within 30

calendar&days&to:

[83I-)$@ .-23,7I-87 38. 3..,-99]

If you desire to register a complaint regarding this denial, you may file a complaint

with Pepperdine University’s HIPAA&Privacy Official or with the&appropriat e&O ffice&

of&Civil &Rights&Regional &Office.

To file a complaint with the University’s Privacy Official, contact Kim&Miller at 24255

Pacific&Coast&Highway,&Malibu,&California 90263,&(310)&506-4208&or&

kim.miller@pepperdine.edu.

*&*&*&*&*

� I hereby request a review of Pepperdine University’s denial of my request to

access or obtain a copy of my Protected Health Information.

Signature&of&Individual&or &Legal&Representative Date

Name of Individual&or &Legal&Representative (#,&87)

August 1, 2014

& & &

& &

& & & & & & &

& &

& & & &

& & & & & & & & & & &

& & & & & & &

& & & & & & & & & & &

& &

& & &

& & & & & & & & &&

& & & & &

& & & & & & &

& & & & & & & & & & & & & &

& &

_________________________________________________________________________________________________

________________________________________________________________________________________________

F. Privacy Complaint

Name:________________________________________ Date:_____________________

Telephone Number:_________________________

Please describe the nature of the complaint:

Date&of&Occurrence:_______________________ Information Affected:_______________

Please name the entity that is the subject of the complaint:______________________________

Signature Date

Please mail this form&to the University’s Privacy Official at the following&address:

Kim&Miller

HIPAA&Privacy Official

24255&Pacific&Coast Highway

Malibu, CA& 90263

You may also submit the complaint electronically to kim.miller@pepperdine.edu. A&

complaint must be filed within&180 &days &of &when&you&knew&or &should &have &known&of

the circumstances that led to the complaint.

You also may submit a written complaint to the appropriate Office of Civil Rights

Regional&Office.

August 1, 2014

& & &

& & & & & & & & & & & & & & & & &

&& & & & & & & & & & &

& & & & && & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & & && &

& & & & & & & & & & & & & & &

& &

& & &

& &

& & & & & & & & & & & & &

& & & & & & & &

) &

&&& &

&& &

& & & & & & & & & & &

& & & & & & & & & & & & & &

& & & & & & & & & & & & &

) ) & & & &

& & & & & &

& & & & ) & & &

) &

& & & & & & & &

& &

& & & & & & & & & & & & & &

__________________________________________________________________________________________________________

G. Request for Access to Protected Health Information

I understand that I have the right to inspect or receive a copy of my Protected Health

Information. I understand that the University may impose a reasonable cost-based

fee for copying and postage. I further understand that the University may impose a

reasonable&cost-based fee for preparing a summary of the Protected Health

Information if the parties agreed to such summary and fees in advance. I

understand that my request to access or inspect my records may be subject to some

legal limitations.

Name:_______________________________________________ Date:__________________________

Telephone Numbers:______________________________

I hereby request access of the Protected Health Information in my designated record

set from&________________________ to _________________________ maintained or created by

Pepperdine&University,&___________________________________________ (83I-)$@ .-23,7I-87).

1. Identify&the&records &you&wish&to&inspect.

2.& Please&state&how &you&would&like&to&inspect&or &review&your &records.&&For

example, do you want to inspect them&during regular business hours at

Pepperdine University, or do you want copies mailed to you, or do you want

to pick up copies at a time and place designated by Pepperdine, etc.

Signature&of&Individual&($, Y-63% 5-2,-9-8737&>-) Date

Individual’s Name (#,&87)

Name of Legal Representative (&@ 322%&'34%-) Relationship&to&Individual

_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&_&

(@$, $@@&'-)/9-)$8%()

_____Request Den ied _____Approved as Requested_____Approved per Comments

Comments:

Responsible&Party:______________________________________ Date:__________________________

If the request for access is denied, the individual must be informed in writing.

August 1, 2014

& & &

& & & & & & & & & & & & & & & &

& & & & & & & & & &

& & & & & & & & & & &

& & & & & & && & & & & & & & & & &

& &

& & & &

& & & & & & & & & & & &

& & & ) ) ) ) )

& ) &

& & & & & & & & & & &

& & & & & & & & & & & & & & & &

& & & & & & & & &

) ) & & &

& & )

)

& & & & ) & & &

& & & &

) ) ) ) ) ) ) ) )

& &

____________________________________________________________________________________________________________________

H. Request for Accounting of Disclosures

I understand that I have the right to an accounting of uses and disclosures of my

Protected Health Information for purposes other than treatment, payment, and

health&care&operations.&&I&understand&that &the&University’s&responsibility&for&such&an&

accounting became effective April 14, 2003, and that accounting for disclosures

prior to that date is not available. I understand that a fee may be charged for more

than&one &accounting&in&a&12-month period.

Name:________________________________________ Date:__________________________

I hereby request an accounting of disclosures of my Protected Health Information

from&____________________ to ____________________ (&@ U8$\8W 83I-)38. 3..,-99 $@ -87&7()

maintained by&Pepperdine&University,&____________________&(83I-)$@ .-23,7I-87).

Please provide a brief description of the Protected Health Information disclosed:

Please provide a brief statement of the purpose of the disclosure; or in lieu of such

statement, a copy of a written request for disclosure,&if&any.

Signature&of&Individual&($, Y-63% 5-2,-9-8737&>-) Date

Individual’s Name (#,&87K

Name of Legal Representative, &@ 322%&'34%- (#,&87) Relationship&to&Individual

Responsibility Party’s Name (#,&87)

L&7%-)$@ 7M-)2-,9$89 $, $@@&'-9 ,-92$89&4%-)@$, ,-'-&>&86 38. 2,$'-99&86 7M-),-c/-97

Date

August 1, 2014

& & &

& &

& & & & & &

& & & & & & &&&&&&&&&&&&&& ) &

& & & & &

& & & & & & & &

) ) & & &

& & )

)

& & & & ) & & &

& & & &

) ) ) ) ) ) ) ) )

____________________________________________________________________________________________________________________

_________________________________________________________________________________________________

____________________________________________________________________________________________________________________

_________________________________________________________________________________________________

____________________________________________________________________________________________________________________

_________________________________________________________________________________________________

I. Request for Amendment to Protected Health Information

Name:_______________________________________________ Date:__________________________

Telephone Numbers:______________________________

I&hereby&request that Pepperdine University ____________________________________, amend:

(Q3I-)$@ .-23,7I-87)

Please&identify&the&relevant &persons&or&entities&who&need&to be informed about the

amendment:

Please state the reason(s) supporting the requested amendment:

Signature&of&Individual&($, Y-63% 5-2,-9-8737&>-) Date

Individual’s Name (#,&87K

Name of Legal Representative, &@ 322%&'34%- (#,&87)

Responsibility Party’s Name (#,&87)

Relationship&to&Individual

L&7%-)$@ 7M-)2-,9$89 $, $@@&'-9 ,-92$89&4%-)@$, ,-'-&>&86 38. 2,$'-99&86 7M-),-c/-97

Date

August 1, 2014

& & &

& &

) & & & & & &

& & & & & & & & & & & && & & & &

& & & & & & & & & & & &

* * * * * * * * * * * *

& &&&&&&& & & & & & & & &

& &

) ) ) ) ) ) )

) )

)

* * * ** * * * * * * * * *

) )

& & &

)

J. Acknowledgement of Receipt of Notice of Privacy

Practices

Name:_________________________________________________________________________________________

Address:_______________________________________________________________________________________

Facility Name:________________________________________________________________________________

I&acknowledge&that&I&have&received &or &been&offered &a&copy&of &Pepperdine&

University’s&NPP which describes how my PHI is&used&and&shared.&&I&understand&that

Pepperdine University has the right to change this NPP at any time. I may obtain a

current copy by contacting the Department in which my care was provided or&by&

visiting&Pepperdine&University’s&website&at

http://www.pepperdine.edu/provost/content/policies/hipaa_manual_5_2012.pdf.&

My signature below acknowledges*that I have been offered a copy or provided

with *a*copy *of*the *NPP:

Signature of&Patient Date

Print Name

Personal &Representative’s&Title&J-"6"W _/3,.&38W Fd-'/7$, $@ F9737-W O-3%7M B3,-)#$\-,

$@ 177$,8-(K

For Department Use Only: Complete this*section if you are unable to obtain a

signature.

Ø If &the&patient&or &personal&representative&is &unable&or &unwilling&to&sign&this

1'U8$\%-.6-I-87W or&the&1'U8$\%-.6-I-87 is&not &signed&for&any&other&reason,&

state&the&reason:

Ø Describe&the&steps&taken to&obtain the&patient’s&(or&personal representative’s)&

signature&on&the&1'U8$\%-.6-I-87[

August 1, 2014

Download
Save PDF to desktop

Email
Email completed PDF

Send for Signing
Email for others to sign

Print
Print document

NAME

HIPPA Policies, Procedures, And Forms Manual (Pepperdine University)

View Audit Log
Print With Audit Log
Duplicate Document

Fill Online, Printable, Fillable, Blank HIPPA Policies, Procedures, And Forms Manual (Pepperdine University) Form

Related forms

Fillable HIPPA Policies, Procedures, And Forms Manual (Pepperdine University)

Fill Online, Printable, Fillable, Blank HIPPA Policies, Procedures, And Forms Manual (Pepperdine University) Form

Related forms

First 20 documents completely FREE!