HIPAA Procedure-03
About This Procedure
Effective: 09/01/2016
Last Updated: 12/13/2021
Responsible University Office:
Office of the Chief Privacy Officer
Responsible University Administrator:
Chief Privacy Officer
mawerlin@iu.edu
Procedure Contact:
HIPAA Privacy Officer
HIPAA Security Officer
hipaa@iu.edu
- Print or view a PDF of this procedure
- Many procedures are quite lengthy. Please check the page count before deciding whether to print.
Scope
This procedure applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and HIPAA Affected Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this procedure, all of the above will be referred to as workforce members.
This procedure specifically applies to any IU Human Resources workforce who are involved in the management of IU’s Health Plans. This procedure is in accordance with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA).
Procedure Statement
- Requests for alternative means of confidential communications must be in writing and must contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.
- IU’s Health Plans should accommodate all reasonable requests to receive confidential communications by alternative means or at alternative locations if the individual clearly states that the disclosure of all or part of that information could endanger the individual.
- Reasonable requests include (but are not limited to) using alternative telephone numbers, alternative addresses, refraining from leaving messages on answering machines, and refraining from mailing information to the individual. Unreasonable requests are those that would be too difficult technologically or practically for IU’s Health Plans to accommodate.
- IU’s Heath Plans and/or designated staff will be responsible for receiving, processing, and responding to requests for confidential/alternative communications and for maintaining a copy of the request in the individual’s record.
- If the request is for an alternative address, telephone or e-mail, the designated staff member may approve it at the time of request.
- Agreed upon requests for alternative communication must be communicated to all who may be involved in the use or disclosure of the individual’s PHI which includes any business associates.
- If the request for alternative communication is denied, the reason for the denial must be documented on the request form.
- The designated staff member will contact the patient to inform them the request was denied and the reason for the denial.
- IU’s Health Plans will document the acceptance or denial of an individual’s request for confidential/alternative communications and maintain all documentation relating to the request in the individual’s record.
Reason for the Procedure
The Health Information Portability and Accountability Act (HIPAA) Privacy regulations require that a health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.
This procedure defines the process for complying with an individual’s reasonable request(s) for alternative communications.
History
04/06/2015 New procedure
09/01/2016 Finalized procedure
12/13/2021 Updated procedure contacts
Related Information
HIPAA Privacy Rule
45 C.F.R. §164.522