
AAMC/UHC - Convergent Validity: A Forum for AMCs to Discuss HIPAA Implementation

Education Issues: As academic health centers, what do we do about…

  1. Exchange of PHI between two covered entities for teaching purposes?
  2. Exchange of patient information between a covered entity and non-covered entity for teaching purposes?
  3. Training of students who rotate through multiple covered entities?
  4. Disclosure of PHI to covered and non-covered entities where there is no teaching relationship but in a setting (e.g., CME) that is a learning environment?

Draft Policy #1:
When two covered entities have a teaching relationship with the patient as demonstrated through an affiliation agreement (or other such agreement that describes the teaching relationship between covered teaching entities), PHI may be exchanged for teaching purposes so long as:

  • The Notice for each covered entity describes the use and disclosure of PHI between the two institutions for teaching purposes;
  • The minimum necessary standard applies; and
  • All trainees have received HIPAA Privacy Rule training.

Draft Policy #2:
When a covered entity (e.g., the University of California) provides training opportunities for students from a non-covered sponsoring school (e.g., a state college's nursing school), a data use agreement must be in place between the covered entity and the non-covered entity. This agreement must restrict the use and disclosure of the covered entity's patient PHI to only what can be provided in a limited data set, if and when the student is required to provide some health information to the non-covered sponsoring school as part of the student's educational process. Moreover, the data use agreement requires that all students from a non-covered entity must receive the covered entity's HIPAA Privacy Training.

Draft Policy #3:
When a trainee's sponsoring educational institution (a covered entity) requires that the trainee rotate through multiple affiliated covered entities, the trainee will only have to take part in one (1) HIPAA Privacy training so long as:

  • All covered entities have amended their affiliation agreements to certify that training by one entity meets the training requirements of all entities;
  • All entities certify that their respective training programs are comparable in their training objectives and, in many cases, may be the same training program; and
  • The trainee's sponsoring institution takes responsibility for documenting that the training requirements have been met either by the sponsoring institution or one of the affiliated institutions.

Institutional Advancement (IA) Issues: Fundraising, Media, External Relations

  1. How do we develop mailing lists for fundraising purposes?
  2. Does HIPAA "grandfather-in" AHCs' databases created prior to April 2003 that contain disease or diagnosis specific information?
  3. What do we do when a cancer center wants to raise funds and the Institutional Advancement Office can assume or guess a disease based on the fact that the list of patients is from one source?
  4. How do we handle requirements for "narrative journalism" where a health professions student writes a narrative regarding a patient that will later be used for external relations purposes?
  5. How does the news office pitch a patient or service-related story?
  6. How does IA respond to a reporter's request for a story?
  7. How does IA create a database for future stories and communications?

Draft Policy #1:
University faculty physicians can use their patients' demographic information and dates of health care service for purposes of raising funds that benefit the University (either within the department or with the IA or Development Office) so long as:

  • Disease diagnosis is not used as the criterion for developing a fundraising mailing list;
  • All fundraising material provides the recipient with a way to opt out from receiving any additional information; and
  • All fundraising efforts are coordinated with the IA or Development Office.

Draft Policy #2:
The patient's provider or provider team must obtain the patient's written authorization to provide disease or treatment specific information to the IA or Development Office for fundraising and:

  • All fundraising material must provide the recipient with a way to opt out from receiving any additional information; and
  • The IA or Development Office or other designated record keeping office must keep a copy of the patient's signed authorization.

Draft Policy #3:
If IA staff want to contact a patient regarding the use of their PHI for a communication, the patient's health care provider or provider team must make the initial contact with the patient and seek the patient's agreement for contact by IA staff. Prior to any disclosure to outside entities or contact of the patient by outside entities, the patient must sign a HIPAA Authorization form. The University must retain a copy of the signed authorization.

Draft Policy #4:
For the purpose of developing an IA database for future media or IA stories, a signed authorization must be obtained from the patient. The University may seek written authorization from the patient at the time of admission or discharge.

Draft Policy #5:
HIPAA does not grandfather-in existing databases unless the covered entity has obtained the required legal permissions that would permit databases to continue to operate after April 2003. For fundraising purposes, databases that contain disease or diagnosis specific information should be updated with the patient's authorization, if previous legal permission was not obtained. IA should consult with either the Privacy Officer (campus or system) or the Office of the General Counsel regarding existing databases, information contained and purposes for which it will be used and by whom in order to determine if additional legal permissions are necessary.

Employer Role and Employee Records

  1. How do we define employee records for purposes of HIPAA since the Final Rule did not provide a specific definition?

Draft Policy #1:
The University's employment records include those records held by the University in its role as employer or information used by the employer to take appropriate action as permitted or required by other state or federal law relative to an employee's health or well being in the workplace and include, but are not limited to, medical information needed for an employer to carry out its obligations under:

  • Family Medical Leave Act, ADA, OSHA, Workers' Comp
  • Files or records related to occupational injury
  • Disability insurance eligibility
  • Sick leave requests, justifications and doctor's statement
  • Drug screening results
  • Workplace medical surveillance
  • Fitness-for-duty employee tests

Moreover, those employer entities and workforce members who carry out the workforce functions that access, use or disclose an individual's health information in order to create these records are not subject to HIPAA when carrying out those employer functions.

Research Function and Research Records

  1. Is research a covered function and part of the health care component?
  2. Are research records PHI and/or part of the designated record set?

Draft Policy #1:
Research is not a part of the University's Single Health Care Component because research is not a covered function and only components that perform covered functions may be included in the health care component.

A covered entity and a third party researcher are distinct entities; HIPAA allows the covered entity to release information to a research entity only under certain specific circumstances: authorization or waiver of authorization, when the information is de-identified, or when there is a Data Use Agreement providing for a release of a Limited Data Set. Research may create PHI, which should become a part of the individual's medical record and designated record set. However, HIPAA recognizes that there is a distinction in the function of researchers and health care providers and PHI obtained by a provider in the course of research.

The CE is not required to provide access to PHI that has been created or obtained by a covered health care provider in the course of research that includes treatment, if in the course of the research consent process, the individual has agreed he or she will not be allowed access to that PHI so long as research is in progress.

Supporting Privacy Rule comments or regulations:

"Disclosures from a covered entity to a researcher for research purposes as permitted by the Rule do not require a business associate contract. This remains true even in those instances where the covered entity has hired the researcher to perform research on the covered entity's own behalf because research is not a covered function or activity…. Research recruitment is neither a marketing nor a health care operations activity…Only a component that performs covered function may be included in the health care component." Preamble to the Final Rule, August 2002.

"Researchers in and of themselves are not covered entities….researchers may also be health care providers if they provide health care and…in their role as health care providers may be covered entities." Preamble to 12/2000 Final Rule.
