Home : Academic/Research : Health Sciences

Individuals have a right to notice of the uses and disclosures of PHI that may be made by a health care component, the individual's rights and the health care component's legal duties with respect to PHI. Health care components of the University will provide a Notice of Privacy Practices ("Notice") in accordance with this procedure.

PERSONS TO WHOM NOTICE IS PROVIDED
The Notice must be available to any person upon request.

Notice must be provided to the individual or the individual's personal representative.

Provider components must provide the Notice to all individuals with whom the provider component has a direct treatment relationship. Note: A direct treatment relationship does not include delivery of health care based on the orders of another health care provider, when the services, products or reports are provided directly to that provider rather than to the individual.

The health plan component must provide notice to the health plan participants. The health plan need not provide notice to each covered dependent.

WHEN PROVIDED
Provider components who have a direct treatment relationship with the individual must provide the Notice at the time of first service delivery except where providing the Notice at that time is not practicable under the circumstances, e.g. patient is unable to respond or delay in providing treatment would be detrimental to the health and welfare of the patient. In such situations, the Notice should be provided as soon as is reasonably practicable thereafter.

When the first service delivery is electronic, the Notice must be provided automatically and contemporaneously in response to the request for service. In addition, all electronic communications of PHI with patients must be accompanied by an appropriate disclaimer giving the patient notice of the security risks associated with communications via email.

When the first service delivery is via telephone, the Notice and acknowledgement form must be sent promptly (i.e. within 2 business days of the date that telephone service is delivered). The form must be sent by mail unless the individual's approval has been obtained to send the Notice in electronic format.

The health plan component must provide the relevant Notice at time of enrollment and will notify participants at least every 3 years of the availability of, and how to obtain the Notice.

ACCEPTABLE FORMATS FOR NOTICE
Notice may be provided in paper format or electronic format.

The Notice may be provided in electronic format only if the individual's approval is first obtained. If the health care component knows that an electronic transmission of the Notice failed, the Notice must be provided in paper format. If the Notice is initially provided via electronic mail format, a paper copy must be provided upon request by the individual.

NOTICE POSTING AND AVAILABILITY AT SERVICE FACILITIES
Provider components must post the Notice in any physical facility at which health care services are provided. The Notice must be posted in a clear and prominent location where it is reasonable to expect individuals seeking health care services will be able to read the Notice.

Provider components who have a direct treatment relationship with the individual must make a paper copy of the Notice available at any physical facility at which health care services are provided for individuals to take with them upon request.

ELECTRONIC POSTING REQUIREMENTS
All health care components who maintain a website providing information about its customer services or benefits must make available and prominently post the Notice in electronic format on that website.

ACKNOWLEDGEMENT REQUIREMENT FOR DIRECT TREATMENT PROVIDERS
When the Notice is given to the individual at the time of the first service delivery at a provider component, the provider component must make a good faith effort to obtain the individual's written acknowledgement of receipt of the Notice.

If the provider component is unable to obtain the acknowledgement, it should document the effort made and the reason acknowledgement was not obtained.

In emergency situations, the provider component must make a good faith effort to obtain the written acknowledgement and if it is not possible, the provider component must document the efforts made and the reason the acknowledgement was not obtained.

When the Notice is sent by mail or email, the good faith effort to obtain acknowledgement is satisfied by requesting that the individual complete and return the acknowledgement form. This effort should be documented by the provider component.

CHANGES TO THE NOTICE
Health care components must promptly revise and distribute the Notice whenever there is a material change to the uses or disclosures covered by the Notice, the individual's rights, the health care components legal duties, or other privacy practices stated in the Notice.

A material change to any term of the Notice must not be implemented prior to the effective date of the Notice in which the material change is reflected, except when required by law.

Health care components must make the revised Notice available to individuals upon request, and ensure that all postings, including website postings and copies of the Notice provided to individuals reflect changes to the Notice.

The health plan component must provide a revised notice to individuals then covered by the health plan within 60 days of a material revision.

NOTICE CONTENT REQUIREMENTS
The Notice of Privacy Practices must be written in plain language and must include the following:

1. Header: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

2. Description of Permitted Uses and Disclosures, including:
   1. At least one example each for uses and disclosures permitted for treatment, payment, and health care operations.
   2. Description of all other purposes for which the health care component is required or permitted to use or disclose PHI without written authorization.
   3. A separate statement for certain uses and disclosures if the health care component intends to engage in such activities, including
      • Contacting the individual to provide appointment reminders.
      • Contacting the individual to provide information about treatment alternatives or other health-related benefits or services that may interest the individual.
      • Contacting the individual to raise funds for the health care component.
      • Disclosing PHI to the plan sponsor
   4. Statement that other uses or disclosures will be made only with written authorization and such authorization may be revoked by the individual at any time, except to the extent that the authorization has been relied upon by the health care component or obtained as a condition of insurance coverage.
   5. May include any limitation to an otherwise permitted use or disclosure.

3. Statement giving the individual notice of the security risks associated with communications via electronic mail, that email communications are not considered secure, and email communications of PHI between providers and patients will require the individual's acknowledgment of the risks and agreement to communicate via email despite such risks before PHI will be exchanged via email.

4. A statement and description of how to exercise each of the following individual rights, including whether the requests must be made in writing:
   1. Right to request restrictions on certain uses and disclosures, including a statement that the health care component is not required to agree to the restriction.
   2. Right to receive confidential communication of PHI.
   3. Right to inspect and copy individual health information that is part of the designated records set.
   4. Right to request amendment to information that is part of the designated records set.
   5. Right to receive an accounting of disclosures upon request.
   6. Right of an individual, including an individual who has agreed to receipt of the Notice electronically, to receive a paper copy upon request.

5. An explanation of health care component responsibilities including:
   1. A statement that the health care component is required by law to maintain the privacy of PHI and provide individuals with notice of its legal duties and privacy practices related to protected health information.
   2. A statement that the health care component is required to abide by the terms of the Notice currently in effect.
   3. Description of the how the Notice and future revised Notices will be provided.
   4. Statement reserving the right to change the terms of the Notice and to make such new Notice provisions effective for all PHI that the health care component maintains, including PHI created or received prior to issuing the revised Notice.
   5. Statement that individuals may complain to the Privacy Officer or the Secretary if they believe their privacy rights have been violated, including a brief description of how to file a complaint with the Privacy Officer and statement that the individual will not be retaliated against for filing a complaint.

6. Contact information, including name or title and telephone number of the person or office to contact for further information regarding the health care component's practices related to the privacy of health information.

7. Effective date of the Notice.

DOCUMENTATION
The health care components must document and retain copies of all Notices for no less than 6 years beyond the effective date of the Notice.