HIPAA


SAU Statement on its Designation as a Hybrid Entity Under HIPAA (Health Insurance Portability and Accountability Act)


Introduction

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is a consumer protection law intended to protect individually identifiable information relating to the physical or mental health of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual ("Protected Health Information" or "PHI"). HIPAA applies to "Covered Entities," which include health care providers, health plans and health care clearinghouses that conduct specified transactions electronically ("Covered Entities" or each a "Covered Entity"). SAU engages in both Covered Entity activities and non-Covered Entity activities. HIPAA allows entities that are engaged in Covered Entity functions and other activities that are not Covered Entity functions to designate themselves as "Hybrid Entities," with the result that the HIPAA regulations do not apply to the non-covered functions.

Hybrid Entity Status Assessment

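A task force composed of representatives from SAU administrative offices such as Information Technology, the College of Health and Human Services, Human Resources, and outside resources including legal counsel was convened to determine which SAU departments engage in activities subject to the HIPAA privacy standards. Based on that guidance and a review of the HIPAA standards, SAU officially designates itself as a Hybrid Entity under HIPAA.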

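In deciding which departments are included in the SAU Covered Entity (hereinafter the "SACE"), SAU has been guided by the Department of Health and Human Services' amendments to the HIPAA regulations. Whether an SAU function, or an individual's activity on behalf of SAU, is included in the SACE is determined by the data used and/or disclosed, not by any particular overall departmental mission or activity. The following defined categories of data are critical to determining the covered functions and activities: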

1. IIHI: Individually Identifiable Health Information is information collected from an individual that is created or received by a health care provider, employer, plan or clearinghouse and that relates to the past, present or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and that identifies the individual or could reasonably be used to identify the individual.

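2. PHI: Protected Health Information is IIHI that is transmitted or maintained in any form or medium by a covered function within the SACE. This specifically excludes education records, which are protected by other privacy regulations, and SAU's role as an employer. It also excludes Research Health Information (see the definition below), which is protected by other regulatory requirements.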

3. RHI: Research Health Information is IIHI that SAU has determined is used for research purposes and is not PHI, and is therefore not subject to HIPAA requirements. RHI is IIHI associated with research activities rather than with patient care activities. When a researcher is not also acting as a health care provider, and creates IIHI in connection with pure research activities (no patient care involved), the IIHI is not PHI and is not subject to the privacy and security rules of HIPAA. If a researcher is also a health care provider and IIHI is created in connection with the researcher's health care provider activities, then the IIHI is PHI subject to HIPAA. IIHI that is created as PHI and is needed for research purposes may be disclosed to the researcher (the same individual healthcare provider who is also a researcher may disclose PHI to himself or herself in the research role) pursuant to the IRB approval process, which includes appropriate patient authorization or an IRB waiver of authorization. After PHI has been appropriately disclosed in the research setting, the IIHI transferred to the research organization becomes RHI, which is no longer subject to HIPAA requirements. In certain cases, such as interventional clinical trials, it is expected there will be two copies of some IIHI: a copy kept in the patient's medical record, which is PHI and subject to HIPAA, and a copy of the same data kept in the research record, which is RHI and not subject to HIPAA.

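4. Key Determinants: The key determinants as to whether information is IIHI and not protected by the Privacy Rule, or PHI and protected, are: 1) the function being performed by the provider or health plan and 2) the purpose for which an entity or workforce member has received, created or maintained the health care information (treatment, payment, operations, other). Record-keeping practices are not a determinant. For example, the results of fitness-for-work testing are PHI when SAU, as a provider and part of the SACE, performs the testing on SAU employees. When the employee authorizes SAU, the health care provider, to give the information to SAU, the employer, it becomes part of the employee's employment record and is no longer PHI. Notably, in most cases (exceptions include work-related injury, illness or medical surveillance) the employee must provide a signed Authorization to the SAU health care provider to release the information to SAU, the employer.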

SAU determined which of its departments are health care components (covered units) pursuant to the following criteria per the Privacy Rule, its amendments and Department of Health and Human Services guidance:

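1. Health care or health plan use or disclosure: A component that would meet the definition of a "covered entity" if it were a separate legal entity must be included in the health care component. When the use or disclosure of individually identifiable health information (IIHI) is carried out in connection with a health care provider or health plan function by SAU workforce members, the individual's health information is defined as PHI, and the HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;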

2. Functions that support health care or health plan: Another component of the covered entity, the activities of which would make it a business associate of the component that performs covered functions if the two were separate legal entities, may be included. If these business associate-like functions are not designated as part of the health care component, the exchange of health care information probably would require an authorization because the covered entity cannot have a business associate contract with itself. When IIHI is used or disclosed in business, financial, legal or administrative functions on behalf of SAU's health care provider and health plan activities, the individual's information is PHI and the HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;

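3. Employer and education functions: When the use and disclosure of IIHI is carried out by SAU in its capacity as an employer or an educational institution, the information is not PHI and these functions are not subject to HIPAA's privacy or security regulations, but the confidentiality of individual health information is protected by other state and federal laws, as well as by SAU policy; and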

4. IRB functions: PHI may only be disclosed to a researcher for use in connection with an IRB-approved or exempt protocol and pursuant to a waiver or authorization. When a researcher requests access to PHI that has been created, received or maintained by the SACE, the Privacy Rule requires that the SACE receive specific assurances that the PHI will be protected once disclosed to the researcher for use as RHI, and SAU must account for certain disclosures as required by the HIPAA regulations. SAU's IRB will function as the Privacy Board as defined by HIPAA.

5. Examples of workforce members who may provide business, financial, legal or other services to covered functions: Workforce members of the following departments of SAU may provide administrative functions on behalf of the SACE (use of PHI subject to requirements of HIPAA) and on behalf of non-covered components of SAU (IIHI not subject to the requirements of HIPAA):

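a. Finance;
b. Information Technology;
c. Communications and Marketing;
d. Alumni Affairs;
e. Security;
f. Advancement;
g. Compliance Office;
h. IRB and individual SAU researchers;
i. Other departments identified by the HIPAA Committee/Task Force.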

The following departments are officially designated as health care components required to comply with HIPAA's privacy rules and standards:

  • Speech and Language Pathology - health care provider
  • Assistive Technology Lab - health care provider
  • Student Health Services - health care provider subject to HIPAA privacy standards only to the extent that Student Health Services provides treatment to non-students
  • Interprofessional Health Clinic


Transfer of PHI Between Covered and Non-Covered Components

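When workforce members who provide services to the SACE perform services on behalf of non-covered components of SAU, those non-covered functions are not part of the SACE. Workforce members may not disclose PHI to non-covered SAU components without authorization from the individual or patient, or an IRB waiver of authorization in the case of disclosures for research purposes, as required by the Privacy Rule.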

Workforce members who provide business and financial services to both the SACE providers and SAU health plans cannot use or disclose PHI between those entities unless such disclosure is allowed by the Privacy Rule.
