UAMS ADMINISTRATIVE GUIDE

NUMBER: 3.1.39
DATE: 11/01/03
REVISION: 03/01/04

SECTION: ADMINISTRATION
AREA: GENERAL ADMINISTRATION
SUBJECT: CREATION or REVISION of UAMS POLICIES INVOLVING HIPAA ADMINISTRATIVE, SECURITY or PRIVACY REQUIREMENTS

 

SCOPE 

UAMS Workforce

 

PURPOSE 

 

To establish a system to review, prior to the final approval and publication, UAMS policies developed or revised after April 14, 2003 which involve, impact or affect the administrative, security and privacy requirements of HIPAA. 

 

DEFINITIONS

For purposes of this policy, the following definitions apply:

 

HIPAA means the Health Insurance Portability and Accountability Act of 1996, as amended, and the HIPAA regulations promulgated by the United States Department of Health and Human Services and published at 45 Code of Federal Regulations, Title A, Subchapter C, Parts 160, 162 (Administrative Requirements and Transaction Code Sets), and 164 (Security and Privacy).

 

Disclosure means the release, transfer, provision of access to, or divulging of information in any manner (verbally or in writing) by UAMS to persons who are not UAMS employees or students, or to any other person or entity OUTSIDE of UAMS.

 

Protected Health Information (PHI) means information that is part of an individual’s health information and that identifies the individual, or for which there is a reasonable basis to believe the information could be used to identify the individual, including demographic information, and that (i) relates to the past, present or future physical or mental health or condition of the individual; (ii) relates to the provision of health care services to the individual; or (iii) relates to the past, present, or future payment for the provision of health care services to an individual. This includes PHI which is recorded or transmitted in any form or medium (verbally, or in writing, or electronically). PHI excludes health information maintained in educational records covered by the federal Family Educational Rights Privacy Act and health information about UAMS employees maintained by UAMS in its role as an employer.

 

UAMS Workforce means, for purposes of this Policy, physicians, employees, volunteers, trainees, visiting faculty, and other persons whose conduct, in the performance of work for UAMS, is under the direct control of UAMS, whether or not they are paid by UAMS.

 

POLICY 

 

Prior to final approval and publication of any policies which involve, impact or affect the requirements of HIPAA, such policies shall be submitted for review to the UAMS HIPAA Office.  The UAMS HIPAA Office shall make any revisions necessary to ensure compliance with the HIPAA regulations and to maintain consistency with other UAMS policies concerning the requirements of HIPAA. 

 

PROCEDURE

 

A. In General – For All Policies:

 

1. When creating, developing or revising any UAMS policy, the person or committee in charge of creating, developing or revising such a policy must determine whether the policy has the potential to involve, impact or affect a requirement of HIPAA, including both the Security and Privacy aspects of HIPAA. HIPAA regulates, for example, the disclosure of PHI; restrictions on disclosure of PHI; confidentiality of PHI; access to PHI; restriction of access to PHI; use of PHI for marketing, fundraising or research purposes; physical and technical safeguarding of PHI; and protection of the integrity and confidentiality of electronically stored PHI.

 

2. If the policy has the potential to involve, affect or impact a requirement of HIPAA, or if the person or committee in charge of the policy is unsure whether the policy has the potential to involve, affect or impact a requirement of HIPAA, the policy must be submitted to the UAMS HIPAA Office for review prior to the final approval and publication of the policy.

 

3. The UAMS HIPAA Office will review the proposed policy and make the revisions necessary to ensure compliance with the HIPAA regulations, and any other security or privacy laws at issue. If revisions are made by the HIPAA Office, the HIPAA Office will provide the revisions to the appropriate person or chair of the committee submitting the policy. After coordinated review between the HIPAA Office and the originators of the policy to discuss any revisions, the HIPAA Office will forward the final policy to the Office of Vice Chancellor for Finance or other appropriate areas or individuals responsible for publishing the particular policy at issue. A copy of the final policy will be provided to the originators of the policy. The HIPAA Office will include a signed Acknowledgment indicating that the policy has been reviewed by the HIPAA Office and whether revisions were made to the policy.

 

4. If the Acknowledgment by the UAMS HIPAA Office is not included with the HIPAA-related policy sent to the Office of Vice Chancellor for Finance, the Office of Vice Chancellor for Finance must forward the policy to the UAMS HIPAA Office for review and completion of the Acknowledgment form before the policy can be published.

 

B. Medical Center Policies:

 

For policies created, developed or revised for the UAMS Medical Center and submitted to the Hospital Compliance Office for approval, the Hospital Compliance Office shall forward the policies to the UAMS HIPAA Office if the Hospital Compliance Office determines that the policy has or may have the potential to involve, affect or impact a requirement of HIPAA. If the Hospital Compliance Office submitted the proposed policy for review by the UAMS HIPAA Office, a completed and signed Acknowledgment form from the HIPAA Office must be included with the policy before the policy can be published in the UAMS Medical Center policies.

 

C. College Policies:

 

For policies created, developed or revised for the UAMS Colleges, such as the College of Medicine, College of Pharmacy, College of Nursing, College of Health Related Professions, and all other UAMS Colleges, policies shall be forwarded to the UAMS HIPAA Office if the College determines that the policy has the potential to involve, affect or impact a requirement of HIPAA.  If the College submitted the proposed policy for review by the UAMS HIPAA Office, a completed and signed Acknowledgment form from the HIPAA Office must be included with the policy before the policy can be published.

 

D. Office of Research Policies:

 

For policies created, developed or revised for research purposes and submitted to the UAMS Office for Research and Sponsored Programs for approval, the Research Privacy Officer shall forward the policies to the UAMS HIPAA Office if the Research Privacy Officer determines that the policy has or may have the potential to involve, affect or impact a requirement of HIPAA. If the Research Privacy Officer submitted the proposed policy for review by the UAMS HIPAA Office, a completed and signed Acknowledgment form from the HIPAA Office must be included with the policy before the policy can be published.

 

E. All Other UAMS Department Policies:

 

For policies created, developed or revised for all other UAMS Departments, including, but not limited to, the Area Health Education Centers (AHECs), the IT Department, the Office of Human Resources, the Purchasing Office, Business Development and Managed Care, these policies shall be forwarded to the UAMS HIPAA Office if the Department determines that the policy has the potential to involve, affect or impact a requirement of HIPAA.  If the Department submitted the proposed policy for review by the UAMS HIPAA Office, a completed and signed Acknowledgment form from the HIPAA Office must be included with the policy before the policy can be published.

 

F. Acknowledgment:

 

An example of the Acknowledgment form is included with this policy.