HIPAA Policy-01

Scope

This policy applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and Critical Health Data Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this policy, all of the above will be referred to as workforce members.

Policy Statement

Workforce members will appropriately use and disclose PHI for purposes permitted or required under the HIPAA and HITECH Acts, and other applicable rules, regulations, and laws. In some circumstances, Indiana State law may be more stringent and may preempt HIPAA.

When using or disclosing PHI or when requesting PHI from another covered entity or business associate, workforce members will make reasonable efforts to limit the PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request. It is important to note: Minimum necessary does not apply to uses and disclosures for treatment purposes.

A. Permitted uses and disclosures

Workforce members may generally use and disclose PHI for treatment, payment, and health care operations without the individual’s authorization and without providing the individual with an opportunity to agree or object.

1. Treatment. Workforce members may use and disclose PHI to provide, coordinate or manage health care and related services to carry out treatment functions.
   
   
2. Payment. Workforce members may use and disclose PHI to bill and collect payment for the treatment and services provided to the patient. Payment includes, but is not limited to, actions relating to eligibility or coverage determinations, billing, claims management, collection activities, reviews for medical necessity determinations and appropriateness of care, utilization review and pre-authorizations.
   
   
3. Health Care Operations. Workforce members may use and disclose PHI in order to conduct its normal business operations. Health care operations may include:
   1. Conducting quality assessment and improvement activities;
   2. Activities relating to improving or reducing health care costs;
   3. Contacting patients with information regarding treatment alternatives;
   4. Conducting audits; and
   5. Reviewing the competence or qualifications of health care professionals.

B. Uses and disclosures for which an authorization or opportunity to agree or object is not required.

Workforce members may use and/or disclose PHI when permitted or required to do so by federal, state or local law. This may be done in the following circumstances without the individual’s authorization and without providing the individual an opportunity to agree or object.

1. Judicial & Administrative Proceedings. Workforce members may disclose PHI in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized) or in certain conditions in response to a subpoena, discovery request or other lawful process.
   
   
2. Law Enforcement Purposes. Workforce members may disclose PHI for certain law enforcement purposes, such as:
   1. In response to a court order, subpoena, warrant, summons or similar process;
   2. To identify or locate a suspect, fugitive, material witness or missing person;
   3. About the victim of a crime, if under certain limited circumstances, we are unable to obtain the person’s agreement;
   4. About a death we believe may be the result of criminal conduct;
   5. About criminal conduct at the hospital; and
   6. In emergency circumstances, to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.
      
      
3. Report Abuse, Neglect or Domestic Violence. Workforce members may disclose PHI to a public health authority that is permitted by law to receive reports of child abuse or neglect, and to notify the appropriate government authority if the Critical Health Data Area believes the individual has been the victim of abuse, neglect, or domestic violence. Such disclosures will only be made when required or authorized by law.
   
   
4. Public Health Activities. Workforce members may disclose PHI for public health activities and purposes to a public health authority that is permitted by law to receive the information. These activities generally include the following:
   1. To prevent or control disease, injury, or disability;
   2. To report births and deaths;
   3. To report child abuse or neglect
   4. To report reactions to medications or problems with products;
   5. To notify people of recalls of products they may be using; and
   6. To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.
      
      
5. Health Oversight Activities. Workforce members may disclose PHI to a health oversight agency for activities that are authorized by law. Such activities include, but are not limited to, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
   
   
6. Disclosures about Decedents. Workforce members may disclose PHI about deceased individuals to:
   1. Coroners and medical examiners for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. If the Critical Health Data Area also performs the duties of a coroner or medical examiner the Critical Health Data Area may use PHI for the purposes described in this paragraph.
   2. Funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary, the Critical Health Data Area may disclose the PHI prior to, and in reasonable anticipation of, the individual’s death.
      
      
7. Cadaveric organ, eye or tissue donations. Workforce members may disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.
   
   
8. To avert a serious threat to health or safety. Workforce members may disclose PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Any disclosure would be to someone who is able to help prevent the threat.
   
   
9. Specialized government functions. Workforce members may use and/or disclose PHI for national security and intelligence purposes authorized by the National Security Act, for protective services of the President and for certain military functions related to federal military personnel as required by military command authorities. IU may also release PHI about foreign military personnel to the appropriate foreign military authority.
   
   
10. Workers’ compensation. Workforce members may disclose PHI for workers' compensation or other similar programs. These programs provide benefits for work-related injuries or illnesses.
    
    
11. Workforce Member in a Whistleblower Action. In limited circumstances, a workforce member may use and disclose PHI for a whistleblower action, subject to the following criteria: the workforce member believes in good faith that IU has engaged in unlawful conduct or that the care endangers one or more patients, workers, or the public and the disclosure is to:
    1. A health oversight agency authorized to investigate those claims; or
    2. An attorney retained on the Workforce Member’s behalf.
       
       
12. Workforce Members Who Are Victims of a Crime. A member of IU’s workforce, who is a victim of a crime, may disclose PHI to a law enforcement official provided that the PHI disclosed is about the suspected perpetrator of the crime. IU will only disclose the limited information as set forth by
    §164.512(f)(2)(i), which includes:
    1. Name and Address
    2. Date and Place of Birth
    3. Social Security Number
    4. ABO Blood Type
    5. Type of Injury
    6. Date and Time of Treatment
    7. Date and time of death, if applicable
    8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence, or absence of facial hair (beard or moustache), scars, and tattoos.

C. Uses and disclosures for which an authorization is required.

A signed authorization shall be obtained from an individual before using or disclosing that individual’s PHI, unless otherwise permitted or required as described in this policy. Authorizations shall also be obtained prior to using and disclosing PHI for research purposes, except for very limited circumstances permitted by HIPAA and IU Human Research Protection Program Policy Use of Protected Health Information (PHI) in Research.

1. Marketing. An individual’s PHI shall not be used or disclosed for marketing purposes without obtaining an authorization from the individual who is the subject of the PHI, or their personal representative.
   
   
2. Psychotherapy Notes. Use and disclosure of psychotherapy notes is subject to a heightened level of privacy/security under HIPAA/HITECH. Certain disclosures of your psychotherapy notes and mental health records may require your prior written authorization.

D. Uses and disclosures requiring an opportunity for the individual to agree or to object.

Individuals will be given the opportunity to agree or object to the following uses/disclosures of their PHI:

1. Individuals Involved in the Patient’s Care. Unless the patient indicates otherwise, workforce members may disclose to a relative, a close friend or any other person designated by the patient, PHI which directly relates to that person’s involvement in the patient’s healthcare. If the patient is unable to agree or object to such a disclosure, the Critical Health Data Area may disclose such information as necessary for healthcare, if, based on professional judgment, it is determined to be in the patient’s best interest.
   
   
2. Notification. We may disclose PHI to notify or assist in notifying a family member or personal representative (or any other person who is responsible for the patient’s care) of the patient’s location, general condition, or death.
   
   
3. Disaster-Relief Efforts. Workforce members may disclose PHI to an authorized public or private entity to assist in disaster-relief efforts.

E. Other requirements relating to uses and disclosures of protected health information.

1. Required Disclosures. Workforce members will disclose PHI to an Individual, when requested for access or accounting of disclosures; and when required by the Secretary of HHS for investigations of compliance.
   
   
2. Business Associates. Workforce members may disclose PHI to business associates and allow business associates to receive, create, use, obtain, or transmit PHI to perform covered functions or activities, provided that the Critical Health Data Areas obtains and documents reasonable assurances that the business associate will appropriately safeguard the PHI. The reasonable assurance must be documented in the form of a business associate agreement.
   
   
3. Minimum Necessary Requirements. When using or disclosing PHI or when requesting PHI from another covered entity or business associate, workforce members will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. *Minimum necessary does not apply to uses and disclosures for treatment purposes.
   
   
4. Minimum Necessary Requirements. When using or disclosing PHI or when requesting PHI from another covered entity or business associate, workforce members will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. *Minimum necessary does not apply to uses and disclosures for treatment purposes.
   
   
5. Limited Data Sets. A limited data set may be used or disclosed only for the purposes of research, public health or health care operations, so long as the IU Critical Health Data Area enters into a data use agreement with the recipient prior to the use or disclosure of the limited data set. As further described in IU Policy HIPAA-P06, the workforce members may use or disclose PHI to a Business Associate for the creation of a limited data set.
   
   
6. Research purposes. Workforce members may use or disclose certain PHI for the purpose of research in accordance with IU Human Research Protection Program policy Use of Protected Health Information (PHI) in Research.
   
   
7. Fundraising. Workforce members may use or disclose certain PHI for the purpose of raising funds for the benefit of HIPAA covered entities, without an authorization, in accordance with IU Policy HIPAA-P04.
   
   
8. Underwriting. PHI may be disclosed to IU’s health plan as necessary to carry out administrative functions of the Plan, such as underwriting, premium rating or other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefit; however, if such health insurance or health benefits are not placed with the health plan, then the plan may not use or disclose such PHI for any other purpose except as may be required by law.
   
   
9. Verification Requirements. Prior to disclosing PHI pursuant to this policy, the IU Critical Health Data Area must reasonably verify the identity of the person requesting the information and the authority of that person to have access to the protected information. See identity verification procedures for more information.

Reason for the Policy

The purpose of this policy is to provide guidance regarding the use and disclosure of protected health information in accordance with Indiana University’s policies and procedures and applicable state and federal laws.

Definitions

Disclosure: Release, transfer, provisions of, access to, or divulgence in any manner of information outside the entity holding the information.

Individually Identifiable Health Information (IIHI): A subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic, on paper or oral.

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

See Glossary of HIPAA Related Terms for complete list of terms.

Sanctions

Knowledge of a violation or potential violation of this policy shall be reported in accordance with the Information and Information System Incident Reporting, Management, and Breach Notification Policy ISPP-26. Failure to comply with this policy can result in significant consequences to the individual as well as Indiana University, including violations of law, investigations, and criminal proceedings. Accordingly, individuals who violate this policy may be subject to a full range of sanctions, including disciplinary action, suspension, termination of employment and legal action.

History

07/01/2013 – Effective Date
01/21/2015 – Updated policy
10/13/2015 – Update to clarify Minimum Necessary, page 2, Section V.C.
08/01/2016 – Added link to Glossary & updated or removed bad links
11/10/2016 – Added links to IU policies
06/xx/2017 – Published on University policy site
12/13/2021 – Updated policy contacts and links
04/02/2025 – Updated the term "HIPAA Affected Areas" to "Critical Health Data Areas"

Related Information

HIPAA Regulations
45 CFR §164.502
45 CFR §164.504
45 CFR §164.506
45 CFR §164.508
45 CFR §164.510
45 CFR §164.512
45 CFR §164.514 

HITECH Regulations
42 CFR: Part 412
42 CFR: Part 413
42 CFR: Part 422
42 CFR: Part 495
45 CFR: Subtitle A Subchapter D 

Related IU Policies
HIPAA-P02 – Minimum Necessary
HIPAA-P04 – IU Fundraising
IT-12 – Security of Information Technology Resources
IT-12.1 – Security of Mobile Devices