Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.
History: First Issued: April 14, 2003.
NCSU REG01.25.09 – Privacy/Confidentiality, Release and Security of Protected Health Information
NCSU REG01.25.08 – Research Activities and HIPAA
NCSU REG11.00.01 – Family Educational Rights and Privacy (FERPA)
Business Associate Form
Health Insurance Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
NCSU Health Care Components Notice of Privacy Practices
Contact Info: Director of Student Health Services; Director of the Counseling Center; Director of Sports Medicine; University Privacy Officer.
1.1 Federal and state laws protect the privacy and confidentiality of individually identifiable health information (“protected health information” or “PHI”). The federal Family Educational Rights and Privacy Act (FERPA) governs student medical records and the Health Insurance Portability and Accountability Act (HIPAA) governs non-student medical records. To ensure compliance with these laws, the University has established regulations governing access to and disclosure of (1) student records, including medical records, and (2) non-student personally identifiable health information (PHI). The regulation authorizes each covered health care component to establish rules to implement the regulation.
1.2 This joint rule implements the University’s regulation by establishing operating procedures for the university’s covered health care components: Student Health Services, Counseling Center, and Sports Medicine. See Section II of the Regulation for definition of the following terms that are used in the Regulation and this joint rule: Covered Health Care Component, Protected Health Information, Individual, Designated Record Set, Consent, and Authorization.
1.3 To the extent feasible and not inconsistent with FERPA, the university health care components will treat student medical records similarly to non-student PHI except that disclosures of PHI for students will be treated in accordance with FERPA. Except where otherwise noted or required by the context, the term PHI as used in this joint rule includes student medical records.
2. DISCLOSURE OF CONFIDENTIAL INFORMATION
2.1 Permitted Disclosures. In accordance with the procedures in this rule, disclosures of PHI may be made (1) to the Individual, (2) for treatment, payment and health care operations activities with the consent of the patient, (3) pursuant to a valid, signed authorization, and (4) as otherwise permitted by this rule, approved by the Privacy Officer, or approved by the Office of General Counsel.
2.2 Designated Official. Each Covered Health Care Component will designate a staff person (hereinafter Designated Official) with responsibility to respond to requests for access to PHI, amendment of PHI, and accounting of PHI disclosures. This person may also be the same person who processes insurance forms and responds to requests for release of PHI pursuant to an Authorization. The name and title of the designated official may be obtained from the University Privacy Officer or the Head of the Covered Health Care Component. Except for Authorizations to release PHI to another treating physician or medical facility or authorizations to release x-ray copies, the Designated Official will notify the relevant NCSU health care provider of an Individual’s request for access to PHI and an Authorization for release of PHI to a third party.
2.3 DISCLOSURE TO THE INDIVIDUAL
2.3.1 Right of Access. Individuals have a right of access to inspect and obtain a copy of their PHI in a Designated Record Set for as long as the information is maintained except as noted in subsections 2 and 3, below. A Designated Record Set contains original records in any form or medium that are the medical and billing records that are used in whole or in part to make decisions about the individual. Excluded are psychotherapy notes, quality improvement records, risk management records, and appointment schedules.
2.3.1a Individual’s request. The Individual must make the request in writing. Identification of the Individual must be verified. Verification can be from a photo ID card, a driver’s license, or other appropriate documentation. If someone other than the patient picks up the PHI, there must be a signed Authorization from the Individual to release the PHI to that person. Staff must verify the identity of the person as the person authorized to pick up the PHI. Authorizations must be filed in the Individual’s record. When fax and/or email Authorizations are received, staff will compare the signature on the Authorization Form with the signature on file. If staff can verify the signature, the PHI will be released. If the signature cannot be verified, staff will send the NCSU Authorization Form to the Individual and ask that the form be returned.
2.3.1b Response time. The Designated Official must respond within 30 days of receipt of the request if the information is maintained and accessible on site, or within 60 days otherwise. The time to respond may be extended one time only by no more than 30 days if the Designated Official is unable to respond within the specified time, provided the Designated Official gives the Individual a written statement of the reason for the delay and the date upon which access will be provided.
2.3.1c Form of Response Where Access is Granted. The Designated Official must provide the Individual with access to the PHI in the form or format requested if it is readily available, or in readable hard copy or such other form as mutually agreed upon. The Designated Official may provide the Individual with a summary of the PHI in lieu of providing access, or an explanation of the PHI, if the Individual agrees in advance to such summary or explanation and to the fees imposed, if any, for it.
2.3.1d Review of Denial of Access. If access is denied based on any of the circumstances listed in subsection II.B.3 below, the Individual has a right to have the denial reviewed. The Director of the applicable Covered Health Care Component shall conduct the review or designate another licensed health care professional who did not participate in the original decision to deny, to do the review. A written notice of the decision will be provided to the Individual and placed in the Individual’s record.
2.3.2 No right of Access. An Individual has no right of access to the following PHI:
2.3.2a Psychotherapy Notes. Notes recorded by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the Individual’s medical record.
2.3.2b Legal information. PHI compiled in reasonable anticipation of, or for use in a civil, criminal or administrative action or proceeding.
2.3.2c PHI subject to the Clinical Laboratory Improvement Act (CLIA). PHI that is subject to the Clinical Laboratory Improvement Act (CLIA) to the extent that CLIA would prohibit Individual access and records that are exempt from CLIA, pursuant to 42 CFR 493.3(a)(2).
2.3.3 Access may be denied but denial subject to review. An Individual may also be denied access to PHI under the following circumstances:
2.3.3a Endangerment. If a licensed health care professional has determined that the access is reasonably likely to endanger the life or physical safety of the Individual or another person, including emotional or psychological harm.
2.3.3b PHI from other sources. PHI obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
2.4 USE AND DISCLOSURES OF PHI FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS ACTIVITIES
2.4.1 General Consent, Notice of Privacy Practices and Communication with the Individual.
2.4.1a Consent. Each Covered Health Care Component should obtain a general written consent to use and disclose PHI prior to providing services. The SHS encounter form, the Counseling Center General Consent form, and the Sports Medicine General Consent form are used to obtain general consent to use and disclose PHI for treatment, payment and health care operation activities of the respective covered health care components and when executed by the Individual provide written evidence of the individual’s consent. The appropriate form should be signed and obtained from the Individual prior to providing services.
2.4.1b Notice of Privacy Practices and Acknowledgment of Receipt.
- Non-student patients. At the time general Consent is obtained, a non-student patient must be provided with a copy of the Covered Health Care Component’s Notice of Privacy Practices, and a signed acknowledgement of receipt of the Notice must be obtained from the Individual.
- Student patients. Student patients need not be provided a copy of the Notice of Privacy Practices unless it is requested. The Notice of Privacy Practices will be posted in an appropriate location where it is readily available to all patients.
2.4.1c Confidential Communication. Individuals may request in writing how, where, and by what means they may be contacted about their PHI. For example, patients may request that the University contact them at their work address, by phone, by fax or by email. At the initial encounter with the Individual, such information shall be obtained and documented.
2.4.2 Individual’s Right to Restrict Use of PHI.
2.4.2a Individuals may request, in writing, restrictions on the use and disclosure of their PHI, but the Covered Health Care Component is not required to agree to the requested restriction.
2.4.2b If the Covered Health Care Component agrees to a requested restriction, it must abide by it except in an emergency situation. The University may terminate its agreement to a restriction if the Individual agrees to or requests the termination in writing, the Individual orally agrees to the termination and the oral agreement is documented, or the Covered Health Care Component informs the Individual that it is terminating the agreement to the restriction, except that such termination is only effective with respect to PHI created or received after it has so informed the Individual.
2.4.3 Disclosures pursuant to general consent. Each Covered Health Care Component may disclose PHI for treatment, payment, and health care operation activities pursuant to the Individual’s Consent.
2.4.3a Disclosures to University Counsel, Risk Management or Professional Liability Carrier. In cases where the University or one of its employees may be a party to a lawsuit, Risk Management and the University Counsel must be notified. The medical records may be released to University Counsel, Risk Management, or the professional liability carrier to protect the University’s interests.
2.4.3b Disclosures to Business Associates. PHI may be released to business associates who have signed a Business Associate Agreement.
2.5 DISCLOSURES PURSUANT TO A VALID, SIGNED AUTHORIZATION
2.5.1 Contents of Valid Authorization. An Authorization is a specialized written permission under HIPAA for use and/or disclosure of an individual’s PHI for certain purposes other than treatment, payment and healthcare operations. NCSU authorization forms will be HIPAA compliant for non-student PHI. For student PHI, authorizations need not be HIPAA compliant but must meet FERPA requirements.
2.5.1a NCSU’s approved authorization form(s) should be used wherever possible. To release information pursuant to any other entity’s form, the form must meet the requirements of Section III. B. 2 of NCSU’s Regulation – Privacy and Confidentiality of Individually Identifiable Health Care Information if the release of PHI relates to non-student PHI. If the form does not meet the requirements of Section III.B.2, or is not fully completed, the form will not be considered valid. Authorizations for release of student PHI must meet the following requirements of FERPA: identify the specific records that may be disclosed, state the purpose of the disclosure, and identify the party or class of parties to whom the disclosure may be made. NCSU staff may provide an approved authorization form to non-NCSU providers.
2.5.1b NCSU requested Authorizations to use or disclose PHI must be completely filled out to be valid. Non-student patients must be provided a copy of the signed authorization.
2.5.1c An Authorization will not be considered valid if the signature date is more than one year old.
2.5.1d An original Authorization is preferred, although copies and faxes are acceptable if clear and legible and signatures can be verified.
2.5.1e Authorizations to provide PHI to NCSU supervisors and occupational safety for occupational safety examinations must be on NCSU’s Environmental Health and Safety Authorization form.
2.5.1f All Authorizations must be retained for six years and must be documented and retrievable.
2.5.2 Person Who May Sign an Authorization For Release of PHI:
2.5.2a Adult persons (18 years of age and older) who are mentally competent.
2.5.2b The legal guardian or other person with lawful authority to act on the Individual’s behalf, for an individual who is not mentally competent.
2.5.2c If the Individual is under 18 years of age, the parent or guardian’s written authorization is required to release PHI.
2.5.2d Minors (17 years of age or younger) under the following conditions:
- When seeking services for the prevention, diagnosis, and of sexually transmitted disease, pregnancy, abuse of controlled substances or alcohol, and emotional disturbance
- When a member of the armed forces
- When married or divorced
- When consenting for release of information to his/her own attorney
- When emancipated by a decree issued by a court of competent jurisdiction
2.5.2e A personal representative (administrator, executor, or executrix) of a deceased individual if the estate is being settled, or next of kin of a deceased individual in the case of an unadministered estate. If several siblings are the next of kin, all signatures are required. Probate Court documents designating the administrator, executor or executrix are required prior to the release of PHI if an estate is being settled. In the event the estate is unadministered, a notarized statement designating the next of kin will be required.
2.5.3 Parent’s Requests
2.5.3a Parents do not have a right to their child’s PHI if the child is 18 years and older and is competent.
2.5.3b If parents call without a signed Authorization, staff should tell the parent that PHI of their child cannot be released without an Authorization from the child. If there is an Authorization for release of an Individual’s PHI to the Individual’s parent, the staff may release the PHI.
Exception: Except for the situations specified in 2.d.i – v, above, PHI will be provided to the parent or legal guardian of a patient under the age of 18.
2.5.4 Sports Medicine Authorizations to release PHI
2.5.4a Release to Athletic Department Personnel. Each year all student athletes will be asked to sign a FERPA compliant consent form authorizing the Sports Medicine staff to release PHI to specific Athletic Department Personnel who have responsibility for decisions about the individual’s participation in the athletic program.
2.5.4b Release to the Media. Student athletes will also be asked to sign a FERPA compliant consent form authorizing the Sports Medicine staff and coaches to release information about injuries and health conditions as they relate to the student athlete’s participation in team practice and intercollegiate athletic competition to the news media and to North Carolina State Media Relations Office for purposes of press releases. No such information may be released to the media or the Media Relations Office without a signed form.
2.5.4c No release of PHI may be provided unless the relevant NCSU approved Sports Medicine forms are completed and signed by the student-athlete. If the student-athlete is under the age of 18, a parent or legal guardian must sign the appropriate forms.
2.6 OTHER PERMITTED DISCLOSURES
2.6.1 Any release of information for any purpose other than treatment, payment, or health care operation activities without a signed authorization must be reviewed and approved by NCSU’s Privacy Officer or the Office of General Counsel, except:
2.6.1a Release to the individual patient. Upon request of the Individual, PHI may be released as noted above.
2.6.1b Statistical Information: Information that does not identify an Individual may be reported for statistical purposes.
2.6.1c Court Orders. Upon an order of a court of competent jurisdiction, PHI may be released as ordered by the Court.
2.6.1d In the following cases where release is required by law:
- Report of child abuse and neglect or domestic violence to the county department of social services.
- Report of certain communicable diseases to the Commission for Health Services as specified by the Commission.
- Report to law enforcement of wounds or illness from gunshot, knives, poison, or other apparent acts of criminal violence where grave bodily harm has been caused.
- Report of deaths to the state medical examiner where the death was caused by suicide or homicide or other suspicious, unusual or unnatural circumstances.
- To licensing boards where the board has ordered the production of records in connection with the investigation of a complaint received by the licensing board or an inquiry or investigation conducted by the licensing board in connection with its health oversight activities.
2.6.2 North Carolina and Federal Court Orders and Subpoenas
2.6.2a The courts are empowered to authorize disclosures that would otherwise be prohibited. Court orders are different from subpoenas. Any request for release of PHI through a subpoena without an accompanying consent from the patient must be referred to the Office of General Counsel. All out-of-state subpoenas and court orders must be referred to the Office of General Counsel. In-state court orders should be referred to the Office of General Counsel if there is any question about the validity or the scope of the order.
2.6.2b If the court order or authorization says to release all of the individual’s record, this means all records regardless of whether they come from another provider. If it says to release all records created by NCSU in the course of treating the individual, only University-created records should be sent. If the order is unclear, the Office of General Counsel should be consulted. If outside providers’ records are requested, the outside providers should be contacted in advance so they have time to challenge it.
2.6.2c Disclosure of records for substance abuse (alcohol or drugs) may occur only in response to a court order and a subpoena as specified in 42 CFR section 2.61 and 42 CFR section 2.2.
2.6.2d Copies of the records, if mailed to the court, must be sent by certified mail, return receipt, and should be accompanied by an affidavit from the records custodian that states the records are true and accurate copies of authentic PHI maintained by the University in the course of its business. No original records may be mailed. If the court orders that the original record must be produced, the University staff member who takes the subpoenaed record to the court must comply with the following:
- Every effort shall be made to have the court accept a copy of the original record.
- If the judge orders the original be submitted as evidence, a receipt must be procured from the Clerk of Court.
- When in court, the record shall not be reviewed by anyone until submitted as evidence, unless the presiding judge so authorizes.
2.7 Record Keeping
2.7.1 Retention of Consents. Written Consent forms must be placed in the medical record and maintained for the period required by state law.
2.7.2 Retention of Authorizations. Authorizations for release of PHI must be placed in the medical record and a notation made as to what information was sent, to whom it was sent, the amount charged, the date sent, and the name of the employee answering the request.
2.7.3 Retention of Notice of Privacy Practices. Documentation of the Notice of Privacy Practices and any revised Notices of Privacy Practices shall be kept for a six-year period.
2.7.4 Retention of Non-student Patient Acknowledgements of Receipt of Notice of Privacy Practices. Non-student patient Acknowledgements of Receipt of Notice of Privacy Practices shall be kept for a six-year period.
2.7.5 Accounting of Disclosures. Upon request of the Individual, the patient will be provided an accounting of disclosures of their PHI made by the Covered Health Care Component for six years prior to the date on which the accounting is requested except for certain disclosures as specified in Section V.C.1 of NCSU’s Regulation – Privacy and Confidentiality of Individually Identifiable Health Care Information. A patient may request an accounting of disclosures for periods of less than the six years. Requests must be in writing and delivered to the applicable Covered Health Care Component’s Designated Official (see Section II.B above).
3. AMENDING PHI
3.1 Health Record Correction/Amendment Policy
3.1.1 Individuals have the right to request an amendment or correction to their PHI to which they have a right of access for so long as the information is maintained.
3.1.2 A Covered Health Care Component may deny an individual’s request for amendment if it determines that the PHI that is subject to the request:
3.1.2a Was not created by a Health Care Component of NCSU unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment. Amendments of health records obtained from an outside provider are handled in accordance with Section III.B.2.c. Individuals should be directed to the outside provider.
3.1.2b Is not part of the Designated Record Set as defined in section II.B.1, above.
3.1.2c Is not available for inspection by the Individual as provided in section II.B. 2 and 3, above.
3.1.2d Is accurate and complete.
3.2 Procedure for amending PHI
3.2.1 Submission of Request. Individuals requesting a correction or amendment to PHI must complete the NCSU Health Record Correction/Amendment Form and return the form to the NCSU covered component in possession of the medical record. Individuals must provide a reason to support a requested correction or amendment. The Designated Official of the applicable Covered Health Care Component shall determine whether a particular request will be granted. The specific health care provider responsible for recording the PHI, if available, shall be consulted prior to making an amendment decision.
3.2.2 Action on the Request. The Designated Official must act on the request no later than sixty (60) days after receipt of a request. On occasions where more than 60 days are needed to complete its review, the time period for the action will be extended one time only by no more than 30 days, provided that the component informs the Individual by written statement of the reasons for the delay and the date by which he/she will complete the action on the request.
3.2.2a Accepting the amendment.
- If the requested amendment is accepted, in whole or part, the Designated Official will make the appropriate amendment to the PHI by appending the amendment to the designated record set and shall inform the requesting Individual of the amendment.
- The Designated Official will obtain the Individual’s identification of persons having received PHI about the individual and who need to be notified of the amendment. The Designated Official will make reasonable effort to inform and provide the amendment within a reasonable time to such entities or persons identified by the individual and to any business associates of the Covered Health Care Component who the Component knows have the PHI.
3.2.2b Denying the amendment.
If the requested amendment is denied, the Designated Official will provide the Individual with a written denial. The Individual may provide a written statement of disagreement, which, in turn, may be rebutted in writing by the pertinent health care provider. The Designated Official will provide the Individual with a copy of the written rebuttal. The Designated Official will place all of the above, including the original request for amendment or correction, in the Individual’s Designated Record Set. If the individual is a student, the Designated Official will inform the student of the right to a formal hearing. See Family Educational Rights and Privacy (FERPA or Buckley Amendment).
3.2.2c Health records from outside provider.
An Individual’s medical record maintained at NCSU may include PHI received from an outside provider that may be used to treat the Individual. In that case, the Individual must contact the outside provider directly to amend or correct that information and request that any such amendment or correction be provided to NCSU. NCSU providers will not amend PHI in the Individual’s medical record from an outside provider unless the correction is provided by the outside provider or the Individual provides a reasonable basis to believe the originator of the PHI is no longer available to act on the requested amendment and provides a reasonable basis for amendment and / or correction.
4. STAFF CONFIDENTIALITY
4.1 Training. Employees will be oriented to the importance of maintaining confidentiality of medical records and PHI. Training will emphasize the importance of confidentiality practices when handling records, answering the phone, faxing, etc. All employees will sign a confidentiality statement.
4.2 Confidential Handling of PHI. When PHI is released, a cover letter or form should be sent with the information stating it is confidential PHI and may not be disclosed to anyone other than the person(s) listed. PHI received from other health facilities is treated confidentially under the same guidelines that apply to records created at NC State.
4.3 Sanctions for Violations of Policy, Regulations and Rules. Any staff member who is found in violation of University policies, regulations, or rules regarding the privacy and confidentiality of medical information is subject to disciplinary action up to and including discharge in accordance with University employment policies.
5. ACCESS TO PHI BY STAFF AND AFFILIATED PERSONNEL
Each Covered Health Care Component will establish systems to limit the use or disclosure of PHI to the staff necessary to carry out the treatment, payment and health care activities of the component. The following categories of staff and affiliated personnel (e.g., student trainees and assistants) are identified as those that will have access to PHI in order for the University to carry out its health care delivery services and associated functions.
5.1 Student Health Services
Physicians, physician extenders, registered nurses, licensed practical nurses, medical office assistants, pharmacists, pharmacy technicians, registered dietician, health educators, health educator interns, physical therapists, physical therapy aide, laboratory technicians, director, assistant director, administrative floater, lab record assistant, medical record supervisor, medical record coordinators, gynecology receptionists, immunization coordinator, cashier,
5.2 Sports Medicine
Licensed athletic trainers, graduate assistant trainers, athletic training interns, student assistants, the SHS registered dietician, the sports medicine transcriptionist and the sports medicine administrative coordinator.
5.3 Counseling Center
Psychiatrists, psychologists, counselors, counseling center interns, counseling center office manager, counseling center office assistant III.
6. RELEASE OF PHI FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
6.1 Under HIPAA, PHI may be released without an Authorization for treatment, payment, and health care operations activities. As a matter of practice, if PHI is requested by a third party Provider not associated with a Covered Health Care Component, the Covered Health Care Component will not release PHI without a signed Authorization, except in an emergency situation involving treatment of the patient. In emergency situations, where PHI is requested for treatment, the covered health care component will record the name and title of the person requesting the PHI and the date of release of the PHI in the medical record. If the request is by telephone, staff must call the facility back for proper identification and verification and then release the requested PHI that is necessary to treat the patient.
7. RECORDS RELEASED BY FACSIMILE TRANSMITTAL
7.1 Records should only be faxed when mailing would not meet the immediate needs of Individual care. Faxing is to be discouraged in situations where time is not of the essence, but it is permissible as long as the Individual consents to the fax transmission in writing. The Authorization signed by the Individual should mention that the records are to be released by fax and that there are inherent risks in faxing records. The confirmation of the fax should be reviewed to verify the records were sent to the correct fax number.
8. EXCUSES TO INSTRUCTOR
8.1 University providers do not provide written excuses for class absences. Should university officials need to know about a student visit to Counseling or Student Health Services, information can only be released with the student’s written consent or if there is a health or safety emergency.
9. ORIGINAL MEDICAL RECORD IS TO REMAIN ON UNIVERSITY PREMISES
9.1 The original or parts of an original medical record shall not be removed from University premises except in response to a court order.
9.2 Inactive records may be stored at a secure off site location.
10. CHARGES FOR COPIES OF THE MEDICAL RECORD
10.1 A covered health care component may charge an Individual a reasonable cost-based fee for a copy of the Individual’s PHI, which includes only the cost of copying the PHI requested by the Individual, including the cost of supplies for and labor of copying, and the postage, when the Individual has requested the copy be mailed. There is no charge for copies sent to other medical facilities or treating providers or for copies of immunization records.
11. COMPLAINTS AND CONCERNS
11.1 University staff are encouraged to report areas of potential non-compliance with the HIPAA Privacy regulations to their supervisor or Department Director or the University Privacy Officer. The University will not intimidate, threaten, coerce, discriminate or retaliate against an individual or employee for submitting a complaint or expressing concerns.
Individuals who have complaints and concerns regarding release of PHI should contact:
Jim Semple, Privacy Officer
Raleigh, North Carolina 27695
Non-student patients have the right to file a complaint with the Secretary of HHS or University Privacy Officer and the complaint will not interfere with their healthcare. Student patients have the right to file a complaint with the Department of Education or file a grievance pursuant to the University’s FERPA regulation. Staff will cooperate fully with any investigation.