University of Southern California
Administrative and Business Practices

HIPAA PRIVACY RULE: USE OF PROTECTED HEALTH INFORMATION FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS

Issued by: Michael Quick, Provost and Senior Vice President, Academic Affairs; Todd R. Dickey, Senior Vice President, Administration

Date issued: November 30, 2016

I. Policy

A. General Rule.

University of Southern California (USC)¹ is permitted to use and disclose an individual's Protected Health Information² for treatment, payment and health care operations, provided:

1. USC gives patients a Notice of Privacy Practices (Notice), which describes the ways in which USC may use patients' PHI;

2. USC makes a good faith effort to obtain written acknowledgement of receipt of the Notice; and

3. USC only uses and releases the minimum amount of health information necessary when doing so for payment or healthcare operations purposes.

Regardless of the general rule above, disclosures of HIV test results, certain mental health records, psychotherapy notes and alcohol and drug treatment records may require a separate patient authorization or notice. Please refer to USC HIPAA Policy CLIN-203 for information as to the disclosure of such information.

¹ For purposes of the HIPAA Privacy Rule, USC includes those entities that comprise Keck Medicine of USC, including but not limited to, USC Norris Cancer Hospital, Keck Hospital of USC, USC's employed physicians, nurses and other clinical personnel, those units of USC that provide clinical services within the Keck School of Medicine, School of Pharmacy, the Herman Ostrow School of Dentistry, Physical and Occupational Therapy as well as USC Care Medical Group, affiliated medical foundations of Keck and their physicians, nurses and clinical personnel, USC Verdugo Hills Hospital, its nurses and other clinical personnel, Verdugo Radiology Medical Group, Verdugo Hills Anesthesia, and Chandnish K. Ahluwalia, M.D., Inc. and those units that support clinical and clinical research functions, including the Offices of the General Counsel, Audit and Compliance.

² Protected Health Information is identifiable information that relates to an individual's past, present or future physical or mental condition or to payment for health care.


B. Minimum Necessary Standard.

When using or disclosing Protected Health Information or when requesting Protected Health Information from another covered entity or Business Associate covered by the HIPAA privacy regulations, USC makes reasonable efforts to limit Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request, except as set forth below. The minimum necessary standard applies to uses and disclosures for payment and health care operations.

1. Exceptions to Minimum Necessary Standard. USC is not required to apply the minimum necessary standard under the following circumstances:

a. For Treatment. Disclosures to or requests by a health care provider for purposes of diagnosing or treating a patient.

b. To Patient. Uses or disclosures made to the patient.

c. [...] to Patient's Authorization. Uses or disclosures pursuant to a valid patient authorization. USC's use or disclosure of information must be consistent with any limitations imposed by the authorization.

d. To HHS. Disclosures to the Director, Office for Civil Rights of the U.S. Department of Health and Human Services ("HHS") for HIPAA compliance purposes.

e. Required by Law. Uses or disclosures that are required by law (i.e., a mandate that is contained in law that compels USC to use or disclose Protected Health Information and that is enforceable in a court of law, e.g., court orders, court-ordered subpoenas, civil or authorized investigative demands, Medicare conditions of participation).

f. Required for Compliance with HIPAA Administrative Simplification Provisions. Uses or disclosures that are required for compliance with the regulations implementing the HIPAA transactions and code sets standard, security and electronic signature standards, etc.

C. Presence of [...]

USC is permitted to disclose certain patient information to family members or caregivers if the patient is given an opportunity to object or if the patient's consent to the disclosure can be clearly inferred from the circumstances.

D. Disclosures over the telephone:

In general, USC employees should not give patient status information to a person over the telephone. Employees may release Protected Health Information over the telephone only in very limited circumstances as described below.

II. Procedures

A. Use or Disclosure of Protected Health Information for Treatment

1. As a general rule, USC may use or disclose Protected Health Information in connection with "treatment" of a patient.

2. Definition.

"Treatment" means the provision, coordination, or management of health care and related services by one or more Health Care Providers, including the coordination or management of health care by a Health Care Provider with a third party; consultation between Health Care Providers relating to a patient; or the referral of a patient for health care from one Health Care Provider to another.

B. Use or Disclosure of PHI for Payment

1. General Rule.

USC may use or disclose Protected Health Information for USC's own payment activities.

2. Definition of Payment Activities.

Payment activities shall mean activities to obtain or provide reimbursement for the provision of health care. Examples of payment activities include:

a. Determinations of eligibility or coverage;

b. Billing, claims management, collection activities;

c. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

d. Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and

e. Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

i. Name and address;

ii. Date of birth;

iii. Social Security number;

iv. Payment history;

v. Account number; and

vi. Name and address of the Health Care Provider and/or Health Plan.

f. Only the minimum amount of information necessary should be used or disclosed when obtaining payment information. For example, diagnosis of patient should not be disclosed when accepting payment information from the insurance holder.

3. Disclosure for Payment Activities of Another Covered Entity or Health Care Provider.

USC may disclose Protected Health Information to another Covered Entity or a Health Care Provider for the Payment activities of the entity that receives the Protected Health Information.

C. Use or Disclosure of PHI for Health Care Operations

1. General Rule.

USC may use and disclose Protected Health Information for the purpose of USC's own health care operations.

2. Definition of Health Care Operations

Health Care Operations means any of the following activities:

a. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of Health Care Providers and patients with information about Treatment alternatives; and related functions that do not include Treatment;

b. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as Health Care Providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

c. Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;

d. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

e. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of Payment or coverage policies; and

f. Business management and general administrative activities of the entity, including, but not limited to:

i. Management activities relating to implementation of and compliance with the requirements promulgated pursuant to HIPAA;

ii. Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that Protected Health Information is not disclosed to such policy holder, plan sponsor, or customer;

iii. Resolution of internal grievances;

iv. Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a Covered Entity or, following completion of the sale or transfer, will become a Covered Entity; and

v. Consistent with the applicable requirements of § 164.514 of the Privacy Rule, creating de-identified health information, fundraising for the benefit of the Covered Entity, and marketing for which an individual authorization is not required as described in § 164.514(e)(2).

3. Disclosure for Health Care Operations of Another Covered Entity

USC may disclose Protected Health Information to another Covered Entity for Health Care Operations of the entity that receives the Protected Health Information, if all of the following conditions are met:

a. Both USC and the receiving entity either has or had a relationship with the patient who is the subject of the Protected Health Information being requested;

b. The Protected Health Information pertains to such relationship; and

c. The disclosure is either:

i. For either purpose of health care fraud and abuse detection or compliance; or

ii. For either of the following purposes:

(A) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of Health Care Providers and patients with information about Treatment alternatives; and related functions that do not include Treatment;

(B) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as Health Care Providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.

D. General Procedures for Implementing Minimum Necessary Standard

This policy recognizes that each USC department must limit the access to Protected Health Information and Electronic Protected Health Information ("ePHI") by its Workforce Members to the minimum necessary to accomplish the intended purpose of the use. Determinations regarding the use of, and disclosures and requests for Protected Health Information should be consistent with this policy. As a general rule, USC should not use, disclose or request an entire medical record of a patient unless the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure or request. For example, access to the entire medical record is appropriate for treating practitioners as well as fellows, residents and students who are performing clinical functions as part of their training, whereas an individual who performs the function of a receptionist who registers patients most likely will not require access to that patient's entire medical record to perform that responsibility.

This policy also recognizes that each department at USC that uses or discloses Protected Health Information has a unique organizational structure and that an employee of the unit may perform various functions for the unit that require different levels of access to Protected Health Information. Further, the responsibilities designated to these functions vary across each department at USC and cannot be determined solely based on job title or description.

For these reasons, it is the responsibility of each department at USC that uses and discloses Protected Health Information to determine the level of access required to perform particular functions and responsibilities within that unit.

When access, use, or disclosure is required outside of one's routine job responsibilities, a department supervisor must approve such non-recurring instances based on the minimum necessary criteria.

1. Limitation of Access. Once persons within USC or Business Associates of USC who need access to Protected Health Information and categories of information are identified, USC must make reasonable efforts to limit access of such identified parties only to their respective identified categories of Protected Health Information.

2. Type of Disclosure or Request. The type of use, disclosure or request dictates what procedures are required:

a. Recurring. When a use, disclosure or request is of the type that occurs on a recurring basis, USC, through the relevant clinical departments, will implement a standard protocol that limits the Protected Health Information disclosed or requested to the amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each recurring disclosure is not required.

For example, for billing purposes, the protocol may be to disclose only records for service at issue. For outside billers, the protocol may be to disclose only that portion of the medical record that the biller needs to prepare the bill.

Each department should consider reasonable physical, administrative and technical security controls when using or disclosing Protected Health Information, including the following:

i. Sign-In Sheets. The Privacy Rule does not require USC to abandon the practice of using sign-in sheets. However, ideally, patient intake should be handled to minimize patient contact with another patient's health information.

ii. Waiting Rooms. USC employees should be mindful that waiting rooms are public areas, not clinical treatment spaces. Staff should be mindful not to divulge clinical information in the waiting room, such as diagnoses or scheduled tests.

iii. Records Use and [...]

The Privacy Rule requires clinical units to keep medical records secure. For example, hard copy records should be in locked cabinets and not left in treatment rooms overnight. When a patient is expected in the office, care should be taken to keep the medical record shielded and inaccessible to other patients. Staff should avoid placing patient information on the outside of the patient file. Staff required as part of their job to move records outside of the hospital or Health Sciences Campus must safeguard and protect the records.

For electronic medical records systems, departments shall shield computers from sight and staff must have access codes that limit access to identified persons and identified categories of Protected Health Information. Staff members should always log off computers when not attended.

iv. Treatment Rooms. Consistent with common sense and good clinical judgment, health care providers and their staff should seek to maintain privacy in patient treatment rooms.

v. If a practitioner office uses a wallboard to track patient information, the practitioner and staff should consider whether the wallboard is viewable by patients or visitors and should make reasonable efforts to minimize the information kept on public wallboards. Where information is highly sensitive, it should not be placed on a wallboard.

b. Non-Recurring. Each clinical department at USC will evaluate uses, disclosures and requests relating to health care operations or billing that are outside the scope of the normal course of business, and will limit the Protected Health Information disclosed to the amount reasonably necessary to accomplish the purpose of the disclosure or request.

Non-recurring requests for use or disclosure of Protected Health Information shall be evaluated and approved by the department supervisor upon consultation with the Office of Compliance. Any questions regarding the Minimum Necessary Standard requirements should be directed to the Office of Compliance.

Appropriate criteria for evaluating requests outside the ordinary scope of business may include, without limitation, the following:

i. The purpose of the request, use or disclosure;

ii. The nature and extent of information requested, used or disclosed;

iii. The identity of the [...] Protected Health [...];

iv. The extent to which the risk to the Protected Health Information has been mitigated;

v. The extent to which requested Protected Health Information can be extracted from the rest of the medical record without undue burden and without viewing unnecessary parts of the record;

vi. The location where Protected Health Information will be viewed or used and the limitation on removal of the Protected Health Information;

vii. The availability of physical, technical and other security measures at the place of viewing or use; and

viii. The immediacy or urgency of the need for the requested Protected Health Information.

3. Responding to Requests for Disclosures. USC faculty, staff and other covered workforce may rely on a requested disclosure as the minimum necessary for the stated purpose (if reliance is reasonable under the circumstances) in the following situations:

a. When making disclosures to public officials under USC HIPAA Policy GEN-103 [concerning disclosures based on public policy considerations without a patient's authorization] if the requesting official represents that the information requested is the minimum necessary for the stated purpose.

b. When the information is requested by another covered entity.

c. When the information is requested by a health care professional (e.g., a physician or nurse) who is a member of USC's workforce or is a business associate of USC for the purpose of providing professional services to USC, if the professional represents that the information requested is the minimum necessary for the stated purpose(s).

d. When the information is requested for research purposes and the person requesting the information has provided documentation or representations that comply with USC HIPAA Policy RES-301.

4. Business Associates. USC's contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by USC. Thus, a business associate contract must limit the business associate's uses and disclosures of, as well as requests for, Protected Health Information to be consistent with USC's minimum necessary policies and procedures. Given that a business associate contract must limit a business associate's requests for Protected Health Information on behalf of USC to that which is reasonably necessary to accomplish the intended purpose, USC is permitted to reasonably rely on such requests from a business associate or another covered entity as the minimum necessary.

5. Minimum Necessary Violations.

a. USC Workforce Members should return or destroy any information beyond that which is permitted under the minimum necessary standard.

b. The USC Office of Compliance will investigate any minimum necessary violation to determine the probability that the Protected Health Information has been compromised and whether any breach notification is required. Minimum necessary violations should be reported according to the Breach Notification Rule (See USC HIPAA Policy PAT-608).

E. Disclosures to Family/Patient Caregivers

1. General Rule.

Subject to the limitations below, the HIPAA Privacy Rule permits:

a. Disclosure to family members, other relatives, close friends, or any other person designated by the patient of Protected Health Information directly relevant to that person's involvement with the patient's healthcare;

b. Disclosure of the patient's Protected Health Information to public or private entities authorized by law or its charter to assist in disaster relief efforts in order to coordinate the notification efforts described in this Section³. This includes notifying a family member, personal representative of the patient, or another person responsible for the care of the patient of the patient's location, general condition, or death.

³ Per OCR, "HIPAA allows health care professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition. Disclosures are [...]

2. Limitations

a. USC employees may not disclose any portion of the Protected Health Information that is not relevant to the patient's current condition or the caregiver's role.

b. USC employees should not assume that a patient's agreement or lack of objection implies agreement to disclose Protected Health Information indefinitely in the future.

3. Disclosure Permitted Where Patient Agrees to Disclosure.

Where a patient is present for and capable of agreeing to the disclosure, USC faculty and staff may disclose the patient's Protected Health Information only in the following situations:

a. Agreement. The patient agrees to the disclosure; or

b. No Objection. The patient does not express an objection to the disclosure when given the opportunity to do so; or

c. Reasonable Inference. The USC faculty or staff member reasonably infers from the circumstances, based on the exercise of professional judgment that the patient does not object to the disclosure.

i. Generally, when possible, a USC employee should ask the patient (outside the presence of the family member, close personal friend, etc.) whether the patient objects to such person's presence during a procedure or discussion.

ii. Reliance on inferences should be infrequent and based on sound clinical judgment.

iii. Example of reasonable inference: if a patient's family member is in the same room as patient during a procedure, staff typically can infer that disclosures to the family member are appropriate.

4. Disclosure Permitted When Patient is Unable to Agree but Disclosure is in Patient's Best Interest.

Where a patient is not available or cannot agree or object to a use or disclosure because of incapacity, incompetency or emergency, appropriate USC staff may disclose Protected Health Information as follows:

a. USC faculty or staff determine, in the exercise of professional judgment that the disclosure is in the best interest of the patient or that the patient would not object.

For example, pharmacy staff may infer that it is in the best interests of the patient to allow another person to pick up a prescription on behalf of the patient. Or in a potentially crisis situation where a patient is incapacitated a health care professional can disclose information to a family member, or other person searching for the patient.

b. The disclosure is limited only to the minimum Protected Health Information directly relevant to the person's involvement in the patient's health care.

F. Disclosures over the Telephone.

In general, USC employees should not give patient status information to a person over the telephone. Employees may release Protected Health Information over the telephone only in very limited circumstances once the caller's identity has been confirmed, such as the following:

1. When the staff member recognizes the voice of a person who had previously been identified by a patient.

2. Staff members obtain two identifiers of the caller and the caller has some familiarity of the patient's condition.

3. If a patient's Personal Representative (as defined in HIPAA Policy CLIN-202: Personal Representatives of Patients) is the caller, and USC has documentation/verification that the patient designated the individual as their Personal Representative.

4. In order to facilitate immediate treatment or to interpret the health care practitioner's instructions to a person who is assisting the patient, and only after the health care practitioner has determined that the patient is unavailable (and therefore cannot give consent) and has determined that it is in the best interest of the patient to disclose the Protected Health Information.

The Protected Health Information disclosed over the telephone should be limited to the information directly relevant to the person's involvement in the patient's care. If more detailed information is requested, the health care practitioner should make an appointment with the patient and the person requesting the information.

Additional References

45 CFR §§ 164.506; 164.510(b); 164.520

Responsible Office: Office of Compliance
http://ooc.usc.edu/
compliance@usc.edu
(213) 740-8258

Executed by: Michael Quick, Provost and Senior Vice President, Academic Affairs; Todd R. Dickey, Senior Vice President, Administration

Date issued: November 30, 2016
