HIPAA


St. Ambrose University Statement of Designation as a Hybrid Entity under HIPAA (Health Insurance Portability and Accountability Act)

Submit a HIPAA Violation Form

Introduction

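The Health Insurance Portability and Accountability Act ("HIPAA") is a consumer protection law designed to protect individually identifiable information relating to an individual's physical or mental health, the provision of health care services to an individual, or the payment for the provision of health care services to an individual ("Protected Health Information" or "PHI"). HIPAA applies to "covered entities," which include health care providers, health plans and health care clearinghouses that conduct specified transactions electronically ("Covered Entities" or each a "Covered Entity"). St. Ambrose University is engaged in both Covered Entity activities and activities that are not Covered Entity functions. HIPAA permits an entity that engages in both Covered Entity functions and other non-covered functions to designate itself as a "hybrid entity," with the result that the HIPAA regulations do not apply to the non-covered functions.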

Hybrid Entity Status Assessment

A Task Force comprised of representatives from St. Ambrose administrative offices such as Information Technology, the College of Health and Human Services, Human Resources, and external resources including legal counsel was assembled to ascertain which St. Ambrose departments engage in activities to which the HIPAA privacy standards apply. Based on this guidance and review of HIPAA standards, St. Ambrose formally designates itself as a hybrid entity under HIPAA.

In determining which departments to include in the St. Ambrose Covered Entity (hereinafter "SACE"), St. Ambrose has been guided by the Department of Health and Human Services' amendments to the HIPAA regulations. Whether a St. Ambrose function or an individual's activity on behalf of St. Ambrose is included in the SACE is determined based upon the data used and/or being disclosed, not based upon any particular overall departmental mission or activity. The following defined categories of data are critical to the determination of covered functions and activities:

1. IIHI: Individually Identifiable Health Information is information collected from an individual that is created or received by a health care provider, employer, plan or clearinghouse and relates to the past, present or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual and identifies the individual, or can reasonably be used to identify the individual.

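2. PHI: Protected Health Information is IIHI that is transmitted or maintained in any form or medium by covered functions within the SACE. This specifically excludes education records, which are protected by other privacy regulations, and St. Ambrose University's role as an employer. This also excludes research health information (see definition below), which is protected by other regulatory requirements.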

3. RHI: Research Health Information is a term used by St. Ambrose to identify IIHI used for research purposes that is not PHI, and thus is not subject to the requirements of HIPAA. RHI is IIHI that is created in connection with research activity and is not created in connection with patient care activity. When a researcher is not also functioning as a health care provider, and creates IIHI in connection with purely research activity (not involving patient care), the IIHI is not PHI and is not subject to the privacy and security rules of HIPAA. If the researcher is also a health care provider and the IIHI is created in connection with the researcher's health care provider activities, then the IIHI is PHI subject to HIPAA. IIHI created as PHI and used for research purposes may be disclosed to the researcher (an individual health care provider who is also the researcher may disclose PHI to himself or herself) in accordance with the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed in the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA. In certain cases, such as interventional clinical trials, it is expected there will be two copies of some IIHI: a copy kept in the patient's medical record, which is PHI and subject to HIPAA, and a copy of the same data kept in the research record, which is RHI and not subject to HIPAA.

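4. Key determinants: The key factors in determining whether information is IIHI that is not protected by the Privacy Rule or PHI that is protected are: 1) the function being performed by the provider or health plan, and 2) the purpose for which the entity or workforce member received, created or maintained the medical information (treatment, payment, operations, other). Record keeping practices are not the determinant. For example, the results of a fitness for duty exam are PHI when SAU, as a provider and part of the SACE, administers the test to a SAU employee. When the employee authorizes SAU, the health care provider, to give the information to SAU, the employer, it is a part of the employee's employment record and no longer PHI. It is important to note that in most circumstances (exceptions include workplace injury, illness or medical surveillance), the employee must provide a signed authorization to the SAU health care provider in order for the information to be released to SAU, the employer.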

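St. Ambrose determines which of its departments are health care components (covered units) according to the following criteria from HIPAA, its amendments and Department of Health and Human Services guidance: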

1. Health care or health plan use or disclosure: A component that would meet the definition of a "covered entity" if it were a separate legal entity must be included in the health care component. When SAU workforce members use or disclose individually identifiable health information (IIHI) in connection with health care provider or health plan functions, the individual's health information is defined as PHI, and HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;

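2. Functions supporting health care or health plans: Another component of the covered entity whose activities would make it a business associate of a component that performs covered functions, if they were separate legal entities. If these business associate-like functions are not designated as part of the health care component, an exchange of health care information may require authorization, because a covered entity cannot have a business associate contract with itself. When the use or disclosure of IIHI is carried out by business, financial, legal or administrative functions on behalf of SAU's health care provider and health plan activities, the individual's information is PHI, and HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;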

3. Employer and educational functions: When SAU uses and discloses IIHI in its capacity as an employer or educational institution, the information is not PHI and those SAU functions are not subject to the privacy or security regulations of HIPAA, but the confidentiality of the individual's health information is protected by other state and federal law, as well as by SAU policy; and

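4. IRB functions: PHI may be disclosed to researchers only in connection with an IRB-approved or exempt protocol and pursuant to a waiver or authorization. When a researcher requests access to PHI that has been created, received or maintained by the SACE, the Privacy Rule requires that the SACE receive specific assurances that the PHI will be protected once it is disclosed to the researcher for use as RHI, and SAU must account for certain disclosures as required by the HIPAA regulations. SAU's IRB will function as the Privacy Board as defined by HIPAA.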

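5. Examples of workforce members who may provide business, financial, legal or other services to covered functions: Employees of the following SAU departments may provide administrative functions both on behalf of the SACE (using PHI, subject to HIPAA requirements) and on behalf of non-covered components of SAU (where the IIHI is not subject to HIPAA requirements):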

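a. Finance;
b. Information Technology;
c. Communications and Marketing;
d. Alumni Affairs;
e. Security;
f. Advancement;
g. Compliance Office;
h. IRB and individual SAU researchers;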
i. Other departments as determined by the HIPAA Committee/Task Force.

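The following departments are formally designated as health care components required to comply with the HIPAA privacy rules and standards: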

  • Speech and Language Pathology - health care provider
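  • Assistive Technology Lab - health care provider
  • Student Health Services - health care provider, subject to the HIPAA privacy standards only to the extent that Student Health Services provides treatment to non-students
  • Interprofessional Health Clinic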


Transfer of PHI Between Covered and Non-Covered Components

When workforce members who provide services to the SACE perform services on behalf of non-covered components of SAU, these non-covered functions are not part of the SACE. Workforce members must not disclose PHI to non-covered SAU components without the individual or patient's authorization, or waiver of authorization by the IRB in cases of disclosures for research purposes, as required by the Privacy Rule.

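Workforce members who provide business and financial services to SACE providers and the SAU health plan may not use or disclose individuals' private information between these entities unless the Privacy Rule permits such disclosure.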
