REG 01.25.09 – Privacy/Confidentiality, Release and Security of Protected Health Information

Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.

History: First Issued: April 14, 2003. Last Revised: August 9, 2011.

Additional References:
NCSU Office of General Counsel
Health Information Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
NCSU Covered Health Care Components
Federal Policy for the Protection of Human Subjects (“Common Rule”)[FDA Regulations governing clinical trials for new drugs and medical devices] Food and Drug Administration (Clinical trials of new drugs and medical devices)
20 U.S.C. § 1232g – Family Educational And Privacy Rights
20 U.S.C. § 1232g(a)(4)(B)(iv) – Family Educational and Privacy Rights
45 CFR. Part 46 – Protection of Human Subjects
45 CFR 164.501 – Public Welfare

Contact Info:
NCSU Security Officer (919-513-7482)
NCSU Privacy Officer (919-515-6122)
Associate Vice Chancellor and Director for Research Administration – SPARCS (919-513-2148)
Associate Vice Chancellor and Director, Student Health Services (919-515-2563)
Director, Counseling Center (919-515-2423)
Associate Athletics Director for Sports Medicine (919-515-2111)

1. INTRODUCTION

1.1 This regulation addresses: (1)the privacy/confidentiality of individually identifiable protected health information (PHI) created or received by NCSU covered health care components that are required to comply with The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) and other federal law, (2) security procedures for PHI held in electronic form and (3) researcher access to PHI maintained by NCSU covered health care components. The term ‘researcher’ includes employees and students who conduct research, assist with the performance of research, or are otherwise involved in research activities at NCSU.

1.2 Under HIPAA, NCSU covered health care components and those internal functional units that provide support services to these components (collectively “covered health care components”) are required to protect the privacy, as well as the physical and electronic security of individually identifiable protected health information (PHI) in any form, and to use certain standardized formats, data content and code sets when conducting electronic transactions. When PHI is maintained electronically, NCSU covered health care components must make reasonable efforts to (1) ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit, (2) protect it against any reasonably anticipated threats or hazards to the security or integrity of such information, (3) protect it against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA privacy regulations, and (4) ensure security compliance by NCSU employees.

1.3 Generally, researchers desiring access to PHI maintained by NCSU covered health care components must obtain patient authorization or a waiver of authorization from the Institutional Review Board (IRB) or Privacy Board to obtain and use PHI for research purposes. The HIPAA Privacy Rule supplements and does not supersede the Common Rule applicable to federally sponsored research or the Food and Drug Administration regulations governing clinical trials of new drugs and medical devices, both of which protect the confidentiality of human subjects in research.

1.4 PHI under HIPAA excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g and records described at 20 U.S.C. § 1232g(a)(4)(B)(iv). See NCSU REG11.00.01 – Family Educational Rights and Privacy (FERPA). The privacy and confidentiality of individually identifiable student health care information is governed by FERPA and its implementing regulations.

1.5 Covered health care components, defined below, are delegated authority to establish rules within their defined areas of responsibility in order to implement this regulation in accordance with the requirements of HIPAA and FERPA. To the extent feasible and not inconsistent with FERPA, covered health care components may treat student health care records similarly to non-student PHI for specified situations, such as access to or amendment of PHI. The treatment of student health care information by NCSU covered health care components shall be addressed by rules adopted by these units either individually or jointly.

1.6 NCSU’s Privacy Officer must approve rules issued by a covered health care component that impacts the component’s compliance with HIPAA, where applicable. The Privacy Officer, Security Officer and Associate Vice Chancellor and Director for Research Administration – SPARCs shall develop and propose regulations and/or rules to address their respective responsibilities for HIPAA compliance.

2. DEFINITIONS

2.1 “Activities Preparatory to Research”: Activities designed to aid in planning or preparing a research protocol or proposal (e.g. record and chart reviews, population analyses, recruitment planning, etc.), but not to include preliminary research activities such as pilot studies or focus groups.

2.2 “Authorization”: An authorization is specialized written, verbal or electronically initiated permission for use and/or disclosure of an individual’s PHI for purposes other than treatment, payment or health care operations. Student Health Services provides authorization forms for student and non-student patients. Student Health Services accepts authorization forms received from external sources. When used to disclose student PHI, the authorization must comply with FERPA. When used to disclose non-student PHI, the authorization must comply with HIPAA.

2.3 “Business Associate”: A person or entity:

2.3.1 Who performs, or assists in the performance of, a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing;

2.3.2 Who performs, or assists in the performance of any other function or activity regulated by the federal HIPAA laws or regulations; or

2.3.3 Who provides, other than in the capacity of a member of the workforce of such covered entity, legal, information technology, actuarial, accounting, consulting, data aggregation (as defined in 45 CFR 164.501), data transmission, management, administrative, accreditation, or financial support and similar services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the regular and routine access to and/or disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

2.4 “Consent”: Permission for use and disclosure of PHI for treatment, payment or health care operations.2.5 “Covered entity”: A health plan, health care clearinghouse or health care provider that engages in certain electronic transactions as specified by HIPAA. A covered entity may be a hybrid entity in which case only its covered health care components are subject to the HIPAA Privacy Rule. NCSU is a hybrid entity.

2.5 “Covered entity”: A health plan, health care clearinghouse or health care provider that engages in certain electronic transactions as specified by HIPAA. A covered entity may be a hybrid entity in which case only its covered health care components are subject to the HIPAA Privacy Rule. NCSU is a hybrid entity.

2.6 “Covered Health Care Component(s)”: Student Health Services, the Counseling Center, Sports Medicine, and functional units that provide support services to these covered health care components as well as their contract and subcontract employees not otherwise defined as ‘business associates’. The following units are included within this definition to the extent they assist Student Health Services, the Counseling Center, or Sports Medicine with health care functions (includes billing, payment and other aspects of management of PHI):

2.6.1 Office of Information Technology (OIT)

2.6.2 Enterprise Application Systems (EAS)

2.6.3 ComTech network services

2.6.4 Technology Support Services (TSS)

2.6.5 Infrastructure, Systems & Operations (ISO)

2.6.6 Security and Compliance Unit (S&C)

2.6.7 Internal Audit

2.6.8 General Counsel

2.6.9 Risk Management

2.6.10 University Cashier

2.6.11 Accounts Receivable

2.6.12 Human Resources

2.6.13 Registration and Records

2.6.14 Environmental Health and Safety

2.6.15 College of Veterinary Medicine

2.6.16 Office of Disability Services

2.6.17 University Housing (Conference and Guest Services)

2.6.18 NC State Dining

2.7 “Designated Record Set”: Medical and billing records used in part or in whole to make decisions about the patient. Excluded from this definition are psychotherapy notes and other records which under the law may not be accessed by the patient. When applicable under HIPAA, individuals have a right of access to and amendment of PHI contained in a designated record set.

2.8 “Individual”: Means the person who is the subject of the PHI. ‘Patient’ and ‘Individual’ may be read synonymously in this regulation.

2.9 “Limited Data Set”: PHI that excludes specific identifiers, containing only de-identified PHI. See Sections 5.1 and 5.7 below for expanded discussion of this topic.

2.10 “Disclosure”: The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

2.11 “Electronic media”: Electronic storage media and transmission media which are further described below:

2.11.1 Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

2.11.2 Transmission media used to exchange information already in electronic form. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile, and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

2.12 “Electronic Health Record”: An electronic record of an individual’s PHI that is created, gathered, managed and consulted by health care clinicians and staff.

2.13 “Protected Health Information”: PHI is (1) health information, including demographic information, (2) created or received by a health care provider (3) which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and (4) that identifies or can be used to identify any individual. PHI does not include de-identified PHI. In this context, “De-identified” means PHI that cannot be identified to the patient. De-identified PHI must have specific identifiers (described in HIPAA) removed with respect to the individual, his or her relatives, employers and household members to be no longer considered PHI.

2.14 “Research”: A systematic investigation, including research development, testing, and evaluation designed to develop or contribute to generalized knowledge.

2.15 “Security Incident” means an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

3. GENERALLY PERMITTED USES AND DISCLOSURES OF PHI

3.1 Treatment, payment and health care operations. Covered health care components may use and disclose PHI for treatment, payment, and health care operation activities with the individual’s consent. However, consistent with HIPAA, covered entities must first consider whether limited data sets could be used to accomplish their objectives and must limit their uses and disclosures to limited data sets if possible.

3.1.1 Individuals may bar covered health care components from disclosing PHI to their health plans if the individual pays for the health care item or service in full out of pocket.

3.2 Disclosures other than for treatment, payment and health care operations. Covered Health Care Components may use and disclose PHI for purposes other than treatment, payment and health care operation activities pursuant to an authorization, or as otherwise permitted by this regulation. See paragraphs 5.3 and 5.4 for discussion related to NCSU’s Institutional Review Board.

3.2.1 Each covered health care component shall designate a person or persons to handle requests governing the release of PHI. Such designees shall consult with the Privacy Officer, the Security Officer and/or the Office of General Counsel as appropriate to ensure compliance with this regulation, HIPAA, FERPA and other applicable law or regulation.

3.2.2 Authorizations submitted to covered health care components must be HIPAA-complaint and contain the following specific information:

3.2.2.1 A specific description of the information to be used or disclosed;

3.2.2.2 The name of the person(s) or class of persons authorized to make the use or disclosure;

3.2.2.3 Name of the person(s) or class of person(s) to whom the disclosure may be made;

3.2.2.4 The purpose of the requested use or disclosure;

3.2.2.5 An expiration date or event that relates to the individual or the purpose of the use or disclosure;

3.2.2.6 Signature of the individual (or authorized representative and relationship to the Individual) and date;

3.2.2.7 Statements adequate to place the individual on notice as to:

i.) The individual’s right to revoke the authorization in writing, exceptions to the right to revoke and how the individual may revoke the authorization;

ii.) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on signing the authorization (state consequences if conditional); and

iii.) The potential for the information disclosed to be subject to re-disclosure by the recipient and no longer protected by the HIPAA privacy rule.

3.3 Individual’s Right to Request Restrictions on Use and Disclosure of PHI.

3.3.1 An individual has a right to request restrictions on the uses and disclosures of PHI to carry out treatment, payment or health care operations; as well as restrictions on disclosures made to the individual’s family, friends, or relatives under certain circumstances allowed by HIPAA. The covered health care component is not required to agree to the requested restriction. However, if it does agree, it must abide by the restriction except in emergencies and in situations where use or disclosure is permitted by HIPAA without an authorization.

3.3.2 An agreed-upon restriction may be terminated by the individual or by the covered health care component provided that the termination is only effective for PHI created or received after the date of notification.

3.3.3 Restrictions that are agreed to and terminations of agreed upon restrictions must be documented and retained for a period of six (6) years from the date of its creation or from the date it was last in effect whichever is later.

3.4 De-identified PHI. De-identified PHI may be used or disclosed without consent or authorization as long as no means of re-identification are applied. Release of de-identified data must receive the prior approval of NCSU’s Privacy Officer.

3.5 Marketing. The use or disclosure of PHI for marketing purposes (communication intended to encourage the purchase or use of products or services) requires an authorization, except for face to face communications to the individual by the covered health care component: (a) to describe health related products or services that are provided by or included in a plan of benefits of the covered entity making the communication; (b) for treatment of the patient; or (c) for case management or care coordination or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to that individual. Subject to limited exceptions as identified in applicable federal law, the previously described communications will require patient authorization if the covered entity receives direct or indirect payment for making them.

3.6 Business Associates. PHI may be used and disclosed to a business associate of a covered health care component provided the business associate has signed and is in compliance with a business associate agreement in a form approved by the Office of General Counsel. Examples of ‘business associates’ include health information exchange organizations, regional health information organizations and vendors that contract with covered entities to provide personal health records.

3.7 Research. Use or disclosure of PHI for research purposes generally requires the individual’s permission . See paragraph 5 below for expanded discussion of this topic.

3.8 Disclosures under HIPAA not requiring authorization. The disclosures set forth below are permitted by HIPAA without an authorization. In certain situations there may be more restrictive requirements (e.g., mental health information, alcohol/drug abuse information, HIV information, and student health information). To ensure compliance with federal and/or state law, as applicable, disclosures under this section may only be made after review and approval of the Privacy Officer except (1) where the release is to the individual, (2) where delay in seeking such approval would impair response to a health or safety emergency, or (3) where such release is permitted by rules issued by a covered health care component or the IRB. The Privacy Officer may seek assistance from the Office of General Counsel when reviewing requests to release information without an authorization.

3.8.1 Disclosures required by law. PHI may be disclosed to the extent required by law.

3.8.2 Public Health Activities. PHI may be used and disclosed to a public health authority that is authorized by law to collect or receive such information for preventing or controlling disease, injury or disability, including public health issues, vital records, child or adult abuse or neglect; adverse food or drug events, and investigations of work-related illnesses or injuries as required by law.

3.8.3 Victims of Abuse, Neglect or Domestic Violence. PHI may be used or disclosed to a government authority that is investigating a report of abuse, neglect or domestic violence to the extent disclosure is required or permitted by law.

3.8.4 Health Oversight Activities. With certain exceptions, PHI may be used or disclosed to a health oversight agency for oversight activities authorized by law, including audits, civil, administrative or criminal investigations or proceedings, inspections, licensure or disciplinary actions.

3.8.5 Judicial and Administrative Proceedings. PHI may be disclosed in the course of a judicial or administrative proceeding in response to an order of court.

3.8.6 Law enforcement purposes. PHI may be disclosed for law enforcement purposes under certain conditions.

3.8.7 Deceased Individuals. PHI regarding deceased individuals may be disclosed to coroners, medical examiners, and funeral directors if necessary to carry out their duties. In addition, legally authorized executors or administrators of the deceased individual’s estate, or a person who is otherwise legally authorized to act on their behalf, may access the deceased individual’s PHI. Under North Carolina state law, a deceased individual’s next-of-kin is also allowed access to the deceased individual’s PHI if their estate is unadministered.

3.8.8 Serious Threats to Health or Safety. PHI may be used or disclosed under certain circumstances if a covered component believes in good faith that the use or disclosure is necessary to protect a person or the public from serious harm.

3.8.9 Specialized Government functions. PHI may be used or disclosed for specialized government functions such as military and veterans activities, security and intelligence activities, protective services for officials, medical suitability, and correctional institutions and other law enforcement custodial situations.

3.8.10 Workers Compensation. PHI may be used or disclosed to the extent required to comply with workers’ compensation laws and similar programs.

4. SECURITY REQUIREMENTS AND PROCEDURES FOR ELECTRONICALLY-MAINTAINED PHI

4.1 Administrative Safeguards

4.1.1 Security Management Process

4.1.1.1 The Security Officer and the covered health care components shall assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic health record (EHR) held by the covered health care components.

4.1.1.2 The Security Officer and the covered health care components shall implement measures to reduce risks and vulnerabilities to a reasonable level.

4.1.1.3 The Security Officer shall notify supervisors if any employees are discovered failing to comply with the University’s security requirements for EHR. Any employee who is found in violation of University policies, regulations, or rules regarding the privacy and confidentiality of medical information may be subject to disciplinary action up to and including discharge in accordance with University employment policies.

4.1.1.4 The Security Officer and covered health care components shall periodically review records of information system activity.

4.1.2 Workforce Security

4.1.2.1 The head of each covered health care component is responsible for deciding which employees shall receive authorization to access EHR, and for supervising that access. Authorization shall be consistent with paragraph 4.1.3 below.

4.1.2.2 The head of each covered health care component shall provide the Security Officer with a list, during annual review, of all employees who should be authorized to access EHR for work purposes. The list shall be promptly updated during the year to account for employees who should be added or removed from the list.

4.1.2.3 When an authorized employee leaves the University workforce or otherwise no longer has a work-related justification for access to EHR, that employee’s authorization and access shall be terminated by the covered health care component supervisor by promptly entering a PeopleSoft action, or taking equivalent action, so that IT administrators will know to immediately terminate the computer account of that employee, or terminate the access to EHR if the account is to otherwise remain active.

4.1.3 Information Access Management. The Security Officer and the heads of the covered health care components shall authorize access to EHR only where the person receiving access has a need to access the information on the University’s behalf, and where the person can be trusted to maintain appropriate confidentiality. The type of access may vary according to the role of the person receiving access, and shall be modified by the Security Officer or heads of covered health care components if the person’s role changes to require greater or less access. All access rights shall be documented.

4.1.4 Security Awareness and Training

4.1.4.1 The Security Officer and/or the covered health care components shall periodically remind and communicate good security practices to covered health care component employees.

4.1.4.2 The Security Officer, Privacy Officer and/or the covered health care components shall periodically provide training and procedures to covered health care component employees, which will include the following topics:

4.1.4.2a Protect against malicious software;

4.1.4.2b Monitor log-in attempts; and

4.1.4.2c Creation and management of passwords.

4.1.4.3 The reminders, trainings, and procedures noted in this subsection shall be posted by the Security Officer on a website accessible to all employees who have access to EHR, provided that no information shall be posted if its disclosure could weaken security.

4.1.5 Security Incidents. The Security Officer and covered health care components shall make reasonable efforts to identify, prevent, remedy or mitigate, and document security incidents. The covered health care components shall report any security incidents they discover to the Security Officer, who shall maintain a central record describing threats to or breaches of security for EHR, and the response taken.

4.1.6 Contingency Plan

4.1.6.1 The Security Officer and covered health care components shall establish:

4.1.6.1a A data backup plan;

4.1.6.1b A disaster recovery plan;

4.1.6.1c An emergency mode operation plan; and

4.1.6.1d Periodic testing and revision of the foregoing plans.

4.1.6.2 The Security Officer and covered health care components shall rank the importance of specific applications and data when making contingency plans.

4.1.7 Business Associate Requirements

4.1.7.1 Business associates may work with EHR on the University’s behalf, provided they safeguard the information. Satisfactory assurances must be documented in a written contract or comparable arrangement with the business associate.

4.1.7.2 University agreements with business associates must require the business associates to:

4.1.7.2a Implement the Administrative Safeguards, Physical Safeguards, and Technical Safeguards of the HIPAA regulations;

4.1.7.2b Impose the same HIPAA security requirements on any subcontractors who will receive EHR from the business associate;

4.1.7.2c Report any security incident to the University; and

4.1.7.2d Authorize the University to terminate the contract if there is a material breach by the business associate.

4.1.7.3 Where the business associate is a government entity, there may be a memorandum of understanding with the University, or legally binding regulations or statutes, in lieu of a written contract, provided that the MOU or regulations impose the same requirements on the business associate as specified above for contracts, except that authority to terminate is not required if inconsistent with statutory requirements.

4.1.7.4 If the Security Officer, Privacy Officer, or a representative of a covered health care component knows of a material breach or violation of a business associate’s duties under this regulation, the University must:

4.1.7.4a Assure that the breach is cured or the violation is ended, as applicable;

4.1.7.4b Terminate the contract or comparable arrangement; or

4.1.7.4c If termination is not feasible, report the problem to the U.S. Department of Health and Human Services.

4.2 Physical Safeguards.

4.2.1 Facility Access Controls. The Security Officer and covered health care components, in consultation with NCSU Division of Environmental Health and Public Safety, shall create guidelines on physical access to electronic information systems and the facilities in which they are housed. Those guidelines shall include (i) procedures for facility access to restore lost data under disaster recovery plan and under emergency operations plan; (ii) a facility security plan to protect facility and equipment from unauthorized access, tampering, and theft; and (iii) a procedure to control and validate a person’s access to facilities, based on their role or job function, including visitor control and control of access to software programs for testing and revision.

4.2.2 Facility Maintenance. The Security Officer and covered health care components, in consultation with the facilities department, shall create guidelines for documenting repair and modifications to the physical components of facilities, related to security, that house PHI.

4.2.3 Workstation Controls. The Security Officer and covered health care components shall create guidelines on physical safeguards for workstations that access EHR to restrict access to authorized users where feasible.

4.2.4 Device and Media Controls.

4.2.4.1 Any disposal of EHR, and the hardware and electronic media on which it is stored, must be handled according to HIPAA media guidelines as developed by the Security Officer and covered health care components.

4.2.4.2 If electronic media are made available for re-use, any EHR must be removed from the media according to HIPAA media guidelines.

4.2.4.3 The covered health care components must maintain a record of the location and any transfer of EHR other than PHI residing solely on University network servers.

4.2.4.4 The Security Officer and covered health care components shall create guidelines for making backup copies of EHR whenever the equipment on which the EHR resides is being moved.

4.3 Technical Safeguards.

4.3.1 Access Control.

4.3.1.1 The Security Officer and covered health care components shall ensure that each user has a unique name and/or number for tracking user identity.

4.3.1.2 The Security Officer and covered health care components shall create procedures for obtaining EHR needed in an emergency.

4.3.1.3 The Security Officer and covered health care components shall create procedures for disconnection of access to EHR after a period of inactivity.

4.3.1.4 The Security Officer and covered health care components shall develop guidelines on the encryption of EHR.

4.3.2 Audit Controls. The Security Officer and covered health care components shall record and examine activity on information systems that contain or use EHR.

4.3.3 Integrity and Authentication of Data. The Security Officer and covered health care components shall protect EHR from unauthorized alteration or destruction. They shall implement means of authenticating that EHR has not been altered or destroyed without authorization.

4.3.4 Transmission Security. The Security Officer and covered health care components shall encrypt EHR during transmission when appropriate. They shall implement means of verifying that EHR has not been improperly modified during transmission.

4.4 Annual Review and Report.

4.4.1 Representatives from Student Health Services, the Counseling Center, and Sports Medicine shall confer with the Security Officer at least once annually to review the security of EHR, and to make changes needed in response to environmental or operational changes or other factors.

4.4.2 The Security Officer shall deliver a report to the Provost and to the Vice Chancellor for Finance & Business, with a copy to the Office of General Counsel, by June 30 of each year that includes the following information:

4.4.2.1 Title and location (including any electronic location) of all University regulations, rules, and procedures related to HIPAA compliance. If there are past versions, they should be archived and the location of the archive should be noted.

4.4.2.2 A description of all recommended actions, activities and assessments related to HIPAA compliance (such as changes noted in part 4.4.1 above), a timeframe for estimated completion, and the date of actual completion.

4.4.2.3 A statement describing the annual review and updating of all requirements for Administrative Safeguards, Physical Safeguards, and Technical Safeguards.

4.5 Delegation of Rule-Making Authority. The covered health care components and the Security Officer are delegated joint authority to establish rules within their defined areas of responsibility to further implement this regulation.

4.6 Exclusions and Best Practices.

4.6.1 Paragraph 4 does not apply to PHI that is not in electronic form prior to transmission.

4.6.2 However, the security practices described in Paragraph 4 may, in the discretion of the covered health care component, be applied to non-electronic PHI and student PHI.

5. RESEARCH-RELATED USES AND DISCLOSURES OF PHI

5.1 Obtaining PHI for research purposes from covered health care components. The HIPAA Privacy Rule generally requires an individual’s authorization, or waiver by the Institutional Review Board ( IRB) or a special privacy board, for the disclosure of PHI from covered health care components. Exceptions to this general requirement exist for activities preparatory to research, research on PHI of deceased individuals, and disclosure of limited data sets to an employee of a covered entity (or in the case of a hybrid entity, its covered health care component) pursuant to a data use agreement. De-identified health information may be used or disclosed for research purposes without an authorization or IRB waiver.

5.2 Individual Authorization. A valid HIPAA-compliant authorization must contain specific elements. See paragraph 3.2.2 for those items necessary for a valid authorization. The requested PHI must be limited to that information necessary to carry out the applicable research protocol, consistent with HIPAAs ‘minimum necessary’ standard. A copy of the authorization must be provided to the individual.

5.2.1 Generally, an individual who participates in research has a right to access his/her own PHI maintained at NCSU.

5.2.2 Generally, an individual may revoke his/her authorization, in writing to the principal investigator, at any time. However, the researcher may continue to use and disclose, for research integrity, any PHI collected from the individual pursuant to such authorization before it was revoked.

5.3 Waiver by an IRB. A covered entity is permitted to disclose PHI for research purposes without an authorization if an IRB has either waived the authorization requirement or has approved a modified authorization.

5.3.1 A request for waiver of authorization must be completed by the researcher and submitted to the IRB along with an IRB submission for prior review and approval. A request for a Waiver of Authorization is not the same as a request for Waiver of Consent for Research under 45 CFR Part 46.

5.3.2 The Request for Waiver of Authorization must contain the following:

5.3.2.1 A plan to protect personal identifiers from improper use and disclosure;

5.3.2.2 A plan to destroy the personal identifiers as soon as possible, consistent with the purposes of the research, unless there is a compelling health or research justification for retaining the identifiers or the retention is required by law; and

5.3.2.3 Adequate written assurances that PHI will not be reused or re-disclosed to any other person or entity, except where required by law, for oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted under HIPAA.

5.4 Criteria for IRB approval. To approve a waiver, the IRB must find that disclosure poses a minimal risk to privacy based on the adequacy of plans submitted by the researcher with regard to the matters addressed in Section 5.3.2. above, and that the research could not be done practicably without the waiver and without access to and use of the PHI.

5.4.1 The IRB shall maintain the following documentation regarding the waiver of authorization:

5.4.1.1 A statement identifying the IRB and the date on which the waiver request was approved;

5.4.1.2 A description of the PHI for which access has been determined to be necessary;

5.4.1.3 A statement that the IRB determined that the waiver satisfied the criteria for waiver;

5.4.1.4 A statement that the waiver has been reviewed and approved under either normal or expedited review procedures following requirements of the Common Rule; and

5.4.1.5 The documentation signed by the IRB chair or his/her designee.

5.5 Activities preparatory to research. PHI may be used or disclosed without an authorization or IRB waiver for the preparation for, or development of a research protocol, provided that the researcher: 1) is an employee of a covered health care component, and 2) documents that all the following criteria are satisfied:

5.5.1 The use or disclosure of PHI is solely to prepare a research protocol, or to identify prospective research participants for purposes of seeking an Authorization;

5.5.2 The researcher shall not record or remove the PHI from the covered health care component; and

5.5.3 The PHI sought is necessary for the purposes of the research.

5.5.4 The head of the covered health care component, or his/her designee, shall review, approve and maintain the above documentation.

5.5.5 Researchers who are not employees of a covered health care component must obtain an authorization or waiver of authorization prior to accessing PHI for activities that are preparatory to research.

5.6 Research on PHI of deceased individuals. HIPAA permits disclosure of PHI of deceased individuals to researchers if they provide documentation to the covered entity of the individual’s death, that the PHI is necessary for research purposes, and that the PHI will only be used for the research on the PHI of the deceased individual.

5.7 Disclosure of limited data sets. Under HIPAA, a researcher may use a limited data set for any research purpose without an authorization or Waiver of Authorization if the covered entity agrees to provide limited data sets.

5.7.1 A limited data set must exclude all of the following direct identifiers of the individual or of the individual’s relatives, employers, or household members of the individual: names; postal address information other than town or city, State, and zip code; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images; and any other number, characteristic or code that could be used to identify the individual.

5.7.2 A researcher must sign a HIPAA-compliant data use agreement. The agreement includes 1) provisions limiting use of the data only for the research for which it was received, 2) agreeing to use appropriate safeguards to prevent use or disclosure of the data other than as permitted by the HIPAA Privacy Rule, and 3) agreeing not to re-identify the data or contact the individual. In requesting a limited data set, the requestor must specify the purposes of the limited data set and the categories of data elements requested to satisfy the minimum necessary standard of HIPAA.

5.8 Use or Disclosure of “De-Identified” Health Information. De-identified health information is exempt from HIPAA and may be used or disclosed for research purposes without an authorization or IRB waiver.

5.8.1 Researchers must provide documentation to the IRB that the health information has been de-identified by one of the following two methods:

5.8.1.1 Statistical Method. The IRB may determine that health information is de-identified for purposes of this regulation, if an independent, qualified statistician: (1) determines that the risk of re-identification of the data, alone or in combination with other data, is very small; and (2) documents the methods and results by which the health information is de-identified, and the expert makes his/her determination of risk. The expert must not be the researcher or anyone directly involved in the research study.

5.8.1.2 Removal of All Identifiers. All identifiers reflected in paragraph 5.7.1 concerning the individual, and the individual’s employer, relatives and household members, must be removed.

5.8.2 Re-identification Code. The de-identified information may be assigned a code that can be affixed to the research record that will permit the information to be re-identified if necessary, provided that, the key to such a code is not accessible to the researcher requesting to use or disclose the de-identified health information. Other uses of code numbers to identify data are not considered de-identified under HIPAA.

5.8.3 Responsibility for provisions to protect the security and privacy of identifiable PHI rests with the principal investigator for the research.

5.9 Use and Disclosure of PHI for the Purpose of Contacting and/or Recruiting Potential Research Participants. Physicians, and other health care providers of a covered health care component, may contact their own patients for purposes of recruiting them to participate in a research study without an authorization, provided all requirements of paragraph 5.5 are satisfied.

5.9.1 Individuals responding to an advertisement regarding participation in a research study may be given an explanation of the study (including, but not limited to, the name of the principal investigator and description of the study) prior to granting an authorization.

5.9.2 An authorization must be obtained from an individual who has indicated interest in participating in a research study prior to asking the individual any screening questions that involve PHI.

5.9.3 All other uses and disclosures of PHI by a covered health care component for the purpose of contacting and/or recruiting potential research participants requires an authorization or waiver of authorization.

6. RIGHTS OF INDIVIDUALS TO RECEIVE A NOTICE OF PRIVACY PRACTICES, TO ACCESS PHI, TO REQUEST AMENDMENT OF PHI AND TO RECEIVE AN ACCOUNTING OF DISCLOSURES OF PHI

6.1 Right to Notice of Privacy Practices. Covered health care components shall develop a HIPAA-compliant notice of privacy practices containing a description of (a) the uses and disclosures of PHI that may be made by the covered health care component; (b) the component’s legal duties with regard to PHI, including a statement that the component is required by law to maintain the privacy of PHI; (c) the individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the component; and (d) whom the individual can contact for further information about the component’s privacy policies . The notice of privacy practices must be posted by each covered component and provided to students upon request. The notice must be provided to all patients other than students no later than the date of the first service delivery or in an emergency situation, as soon as reasonably practicable after the emergency treatment situation.

6.2 Right to Access PHI. Under federal law, an individual has a right of access to inspect and obtain a copy of his or her PHI in a designated record set for as long as NCSU maintains the information, except for information specifically exempted from disclosure to the patient by HIPAA. Students’ right of access to PHI may be more limited under FERPA. Components may by rule elect to provide student patients the same right of access provided by HIPAA. Requests for access must be made to the applicable covered health care component.

6.2.1 If maintaining EHRs, covered health care components shall provide an individual (or their designee) upon request with a copy of the information in such EHR in electronic format.

6.3 Right to Request an Amendment of PHI. Under HIPAA, a patient has a right to request an amendment of PHI contained in a designated record set. A covered health care component is not required to grant the request and may deny the request as permitted by HIPAA. Requests to amend PHI must be made in writing to the applicable covered health care component.

6.4 Right to Receive an Accounting of Disclosures.

6.4.1 Under applicable federal law, an individual has the general right to receive an accounting of disclosures of PHI made in the six (6) years prior to the date on which the accounting is requested except for disclosures:

6.4.1.1 To carry out treatment, payment, and health care operations activities of the covered health care components or another provider;

6.4.1.2 To individuals of PHI about them;

6.4.1.3 Pursuant to an authorization;

6.4.1.4 Incident to a use or disclosure otherwise permitted by HIPAA;

6.4.1.5 For national security or intelligence purposes,

6.4.1.6 To correctional institutions or law enforcement officials,

6.4.1.7 As part of a limited data set, and

6.4.1.8 That occurred prior to the HIPAA compliance date for the covered entity.

6.4.2 If using or maintaining EHR, the disclosure accounting must include those disclosures identified in paragraph 6.4.1 above, with the disclosures described in such paragraph identified during only the three (3) years prior to the date on which the accounting is requested. The covered health care component must either (1) include in the disclosure those of its business associates for TPO activities on behalf of covered health care component or (2) provide to the individual requesting the disclosure a list and contact information of all business associates which would enable the individual to contact each business associate for an accounting of the business associate’s disclosures.

6.4.3 Each covered health care component shall keep an accounting of all disclosures, other than those excepted by HIPAA, so that an accounting of disclosures can be made to the individual when requested. Accounting documentation must be maintained for no less than six (6)years. The accounting must include the following information:

6.4.3.1 The date of the disclosure,

6.4.3.2 The name of the entity or persons who received the PHI and, if known, the address of such entity,

6.4.3.3 A brief description of the PHI disclosed, and

6.4.3.4 A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.

6.5 Requests for an accounting of disclosures must be made to the applicable covered health care component.

6.6 Procedures. Each covered health care component shall establish rules addressing procedures to be followed by individual’s requesting (1) access to PHI, (2) amendment of PHI and (3) accounting of disclosures of PHI. Each covered component shall designate an individual to receive and process these requests and shall maintain documentation of the names and titles of such designees for a period of no less than six (6) years.

6.7 Documentation and Records Retention. Each covered health care component must maintain documentation of the notice of privacy practices in effect for a period of no less than six (6) years. Documentation of requests for access to PHI, amendment of PHI, and accounting of disclosures of PHI, together with each covered health care components response must be maintained for a period of no less than six (6) years.

7. BREACHES OF PRIVACY AND SECURITY

7.1 Breaches of privacy or security of PHI are to be reported to NCSU’s Privacy and/or Security officers, as applicable.

7.2 Covered health care components must, upon the discovery of a breach of unsecured PHI, notify each individual whose unsecured PHI information has been, or is reasonably believed by the covered health care component to have been, accessed, acquired, used, or disclosed as a result of such breach. The notification must be written in plain language and must include (a) a brief description of what happened, if known; (b) a description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, etc., were involved; (c) any steps individuals should take to protect themselves from potential harm resulting from the breach; (d) a brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (e) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website or postal address.

7.2.1 Business associates shall, following the discovery of a breach of unsecured PHI, notify the covered health care component of such a breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. The business associate shall further provide any other information that the covered health care component is required to include in its notice as identified in paragraph 7.2. Upon notification, the covered health care component will notify those identified individuals per paragraph 7.2.

7.2.2 For a breach of unsecured PHI involving more than 500 individuals, the covered health care component must notify prominent media outlets serving the area. In addition, the covered health care component will also notify the Secretary of Health and Human Services in the manner specified by the Department of Health and Human Services.

7.2.3 For a breach of unsecured PHI involving less than 500 individuals, the covered health care component shall maintain a log or other documentation of such breaches and, no later than sixty (60) days after the end of the calendar year, provide notification to the Secretary of Health and Human Services in a manner specified by the Department of Health and Human Services.

8. COMPLAINTS

8.1 Individuals have a right to complain if they believe their privacy rights have been violated. The Privacy Officer shall develop procedures for the documentation, investigation and resolution of complaints. Neither NCSU nor any of its employees, or business associates may intimidate, threaten, coerce, discriminate against or take any other retaliatory action against any person for legally exercising his or her rights under this policy or HIPAA. Students who have complaints may also file a grievance if their complaint is not resolved by the Privacy Officer.

9. PENALTIES AND ENFORCEMENT

9.1 Employees and business associates who violate HIPAA may be subject to federal and state enforcement, potentially resulting in both civil and criminal penalties under HIPAA regulations. Employees who violate this regulation and/or rules established pursuant to this regulation are subject to discipline, up to and including dismissal from employment. Existing disciplinary procedures shall be followed.

10. TRAINING

10.1 Covered health care components shall ensure that staff having access to PHI receive appropriate training regarding the requirements of HIPAA and FERPA. Documentation of training shall be maintained by each covered health care component for a period of no less than six (6) years.