UMHS Policy 01-04-300 - Introduction to Privacy Concepts and Definitions

(Formerly UMHS Policy 300)
Effective Date: 04/14/03; Revised: 10/04

I. POLICY STATEMENT

It shall be the policy of the University of Michigan Health System that the privacy of health information in our care is protected in accordance with applicable federal and state law. These privacy policies use a variety of specialized terminology. This policy provides standardized definitions of those terms.

II. POLICY PURPOSE AND SCOPE

The purpose of this policy is to provide standardized definitions of the terminology used in the other UMHS privacy-related policies.

This policy applies to all workforce members of UMHS except M-CARE, M-CAID, MHC, Kids Care, MHMC, and those subsidiaries and joint ventures of MHC that are not affiliated covered entities of the University or included in the University's organized health care arrangement. The policy refers to all information resources, whether verbal, printed, or electronic, and whether individually controlled, shared, stand alone or networked.

III. DEFINITIONS

Below are definitions of some words and phrases used often in this manual and in the Privacy Rule. These words appear in italics when used throughout this manual.

Authorization - The written permission we need before using or disclosing a patient's PHI for a purpose other than for treatment, payment, or health care operations, or other purposes specifically exempted from authorization. It has certain required elements. The current standard UMHS authorization is available at http://www.med.umich.edu/i/mis/RELEASE.pdf or by contacting the Medical Information Services department.

Business Associate - A person or organization who (1) performs a function or activity on behalf of UMHS or other units of the UM OHCA (defined below) or (2) performs a specified service, where disclosure of individually identifiable health information is considered routine, such as legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services.

Consent - The written permission we may choose to request before using or disclosing a patient's PHI for treatment, payment, or health care operations.

Covered Entity - A health care provider, health plan, or health care clearinghouse regulated by HIPAA. The University of Michigan is a "hybrid" covered entity because some of its units, including UMHS, are regulated by HIPAA.

De-identified - Information is "de-identified" (and not subject to the Privacy Rule or these policies and procedures) if it does not identify a patient and if there is no reasonable basis to believe that it could be used to identify a patient. See Section 5 for additional details.

Designated Record Set - (1) A patient's medical record and billing records of UMHS patients; (2) the enrollment, payment, claims adjudication and case or medical management record systems maintained by or for one of the University of Michigan's health plans (e.g., M-CARE, M-CAID, Kids Care, and health plans sponsored by the University for its employees); and (3) records used, in whole or in part, by or for UMHS to make decisions about patients or health plan members. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for UMHS.

Disclosure - The release, transfer, provision of access to, or divulging in any other way of PHI outside the UM OHCA (defined below). See also Use (defined below).

Health Care Operations - These include, but are not limited to, any of the following activities to the extent these activities are related to UMHS's functions as a health care provider or health plan:

1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that "generalizable knowledge" is not the primary purpose of any studies resulting from the activities; population-based activities relating to improving health or reducing health care costs; protocol development; case management and care coordination; contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

2. Reviewing competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners practice or improve skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

3. Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that applicable legal requirements are met;

4. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

5. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating UMHS, including formulary development and administration, development or improvement of payment or coverage policies; and

6. Business management and general administrative activities of UMHS, including, but not limited to:

a) Management activities relating to implementation of and compliance with HIPAA;

b) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that PHI is not disclosed to such policy holder, plan sponsor, or customer;

c) Resolution of internal grievances;

d) The sale, transfer, merger, or consolidation of all or part of UMHS with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and

e) Consistent with the applicable requirements of the HIPAA Privacy Standards, creating de-identified health information or a limited data set, and fundraising for the benefit of UMHS.

Most research activities are not included in Health Care Operations.

Health Care Provider - A person or organization - such as a doctor, dentist, nurse, pharmacy, dialysis center, DME provider, hospital, clinic, nursing home or ambulatory care facility - who provides clinical care, coordination, and treatment to individuals.

Health Oversight Agency - An agency that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. Health Oversight Agencies include some subcontractors and agents of public agencies. Examples of health oversight agencies include the federal Department of Health and Human Services (including CMS, OCR, FDA, and OHRP), the Michigan Department of Community Health, and the Family Independence Agency.

Health Plan - An HMO, insurer, or other payor - such as M-CARE, M-CAID or Kids Care - issued, administered or serviced by the University of Michigan.

HIPAA - The Health Insurance Portability and Accountability Act of 1996 and Standards for Privacy of Individually Identifiable Health Information adopted by the federal Department of Health and Human Services.

Individually Identifiable Health Information - Patient information that has not been de-identified. See Section 5 for additional details.

IRBMED - The University of Michigan Medical School Institutional Review Board.

Minimum Necessary Standard - A limitation placed on uses, disclosures, and requests for PHI.

Mitigation - The reasonable action that we would take to reduce the damage of any known wrongful use or disclosure of PHI.

Notice of Privacy Practices or NPP - The document used by the University of Michigan to inform patients and health plan members how we use their PHI and what their privacy rights and responsibilities are. A current version of the University's NPP is posted on the UMHS Website at http://www.umich.edu/hipaa/npp.htm. See UMHS Policy 320, "The Notice of Privacy Practices (NPP)" (pending publication on the UMHS Policy website) for additional information.

Organized Health Care Arrangement - One or more of the following:

1. A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;

2. An organized system of health care in which more than one covered entity participates, and in which the participating covered entities:

(a) Hold themselves out to the public as participating in a joint arrangement; and

(b) Participate in joint activities that include at least one of the following:

(i) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;

(ii) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or

(iii) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.

3. A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;

4. A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or

5. The group health plans described in paragraph 4 of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.

Payment Activities - The activities undertaken by a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of plan benefits, as well as those activities undertaken by a health care provider to obtain or to provide reimbursement for the provision of health care. These include, but are not limited to, determinations of eligibility or coverage, risk adjusting amounts due based on enrollee health status and demographic characteristics, billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing, review of health care services, utilization review activities, and disclosure to consumer reporting agencies of any of the following PHI: name and address; date of birth; social security number; payment history; account number; and name and address of the health care provider and/or health plan.

Privacy Board - The Privacy Board is a committee established by the UMHS to grant waivers of authorization under HIPAA for certain research projects and to facilitate other privacy compliance activities as specified in its Standard Operating Procedures and by the Privacy Director.

Privacy Director - The Privacy Director is the individual who is responsible for UMHS's compliance with the Privacy Rule.

Privacy Officials - Privacy Officials are individuals who coordinate the privacy compliance activities of individual departments, divisions or other units and serve as liaisons to the Privacy Director.

Privacy Standards or Privacy Rule - The final rule "Standards for Privacy of Individually Identifiable Health Information," published by the Department of Health and Human Services. See http://www.hhs.gov/ocr/hipaa.

Protected Health Information ("PHI") - PHI is information (including demographic information) about a patient that:

1. is created or received by a health care provider;

2. relates to the past, present, or future physical or mental health of the patient; the provision of health care to the patient; or payment for the provision of health care to the patient; and

3. identifies the patient or with respect to which there is a reasonable basis to believe it could be used to identify the patient.

PHI excludes certain health information, including information in education records covered by the Family Educational Rights and Privacy Act as amended ("FERPA"); and in employment records held by the University of Michigan in its role as an employer.

Public Health Authority - An agency or other subdivision of a federal, state, or local government authority, or a contractor or agent of the agency, that is responsible for public health matters as part of its official mandate. A public health authority can create health information as well as receive it. Examples of public health authorities include many agencies of the federal Department of Health and Human Services, such as the Centers for Disease Control and Prevention and the National Institutes of Health; the Michigan Department of Community Health; and the Washtenaw County Public Health Department.

Research - A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Sanctions - Administrative actions taken by the University of Michigan against members of its workforce who fail to comply with our policies and procedures or with the requirements of the Privacy Rule.

Treatment - The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

UM OHCA - The University of Michigan's "organized health care arrangement." See UMHS Policy 420, "The University of Michigan Organized Health Care Arrangement (OHCA)" (pending publication on the UMHS Policy website) for additional information.

Use - The sharing, employment, application, utilization, examination, or analysis of PHI within the UM OHCA. See also UMHS Policy 312, "Disclosure to Family and Friends of Patients" (pending publication on the UMHS Policy website) for additional information.

Workforce - Our workforce includes any faculty, staff, students, volunteers, trainees, or other people whose conduct is under our direct control, whether or not we pay them for their services. The fact that an individual is designated as a UM OHCA workforce member does not mean or imply that the person is necessarily an employee or agent for purposes of any law, regulation, contractual commitment or other legal mandate, other than the Privacy Rule.

IV. POLICY STANDARDS

None

V. PROCEDURE/ACTIONS

None

VI. EXHIBITS

None

VII. REFERENCES

None

Author: HIPAA Implementation Team (Contact: UMHS Compliance Office, 615-8350)

Approved by: The Health System Executive Group, April 10, 2003; and
the Associate Vice President, UMHS, February 9, 2004; October 12, 2004

Revised: UMHS Compliance Office, October 11, 2004


Original policies are held by Carolyn Ladd, Policy Coordinator, Executive Directors Office, telephone 647-2510
