1. PURPOSE: To ensure that UAB covered entities implement and maintain policies for the use and disclosure of health information in compliance with the Health Insurance Portability and Accountability Act ("HIPAA") and Alabama state law.

2. PHILOSOPHY: UAB values and promotes business practices respecting the confidentiality of health information.

3. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time-to-time) and to the following UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, the Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital Authority and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, an Affiliate of the UAB Health System, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., and Valley Foundation. For purposes of this policy, UAB and UABHS Covered Entities shall be collectively referred to as "UAB."

4. DEFINITIONS: UAB adopts the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164. The following definitions are relevant to this policy:

Authorization: A document that is required to be signed by the patient to use and disclose specified protected health information for specified purposes.

Business Associate: A person or entity (other than a member of the workforce of a UAB Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, repricing, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Business associates include a health information organization, e-prescribing gateway, or other vendors who provide data transmission services that require access to PHI on a routine basis; entities that offer personal health records; and subcontractors that receive PHI on behalf of the business associate. A business associate of one UAB Covered Entity does not become a business associate of any other UAB Covered Entity simply by virtue of the UAB Affiliation.

Covered Entity: A health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form.

Direct Treatment Relationship: A treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside a UAB Covered Entity maintaining the information.

Healthcare Operations: Any of the activities set forth in the regulations that includes, but is not limited to the following:

Indirect Treatment Relationship: A relationship between an individual and a UAB Covered Entity in which the Covered Entity delivers health care to the individual based on the orders of another health care provider and the Covered Entity typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the patient.

Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the least amount of PHI necessary to accomplish the intended purpose of the use or disclosure.

Payment: The activities described in the regulation, including, but not limited to, those undertaken by a provider to obtain or provide reimbursement for the provision of health care, including, but not limited to determinations of eligibility or coverage; risk adjusting amounts due; billing, claims management, and collection activities; review of health care services with respect to medical necessity and coverage; utilization review activities, including precertification and preauthorization of services; and disclosure to consumer reporting agencies of the following information: name/address, date of birth, social security number, payment history, account number, and name and address of the provider.

Person/Individual: A natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and excepted by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.

Psychotherapy Notes: Notes recorded by a provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Public Health: Population-level activities to prevent disease in and promote the health of populations such as identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety or a population, which may involve the collection of PHI, but does not include activities for the following purposes: (1) to conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care (2) to impose criminal, civil, administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care, or (3) to identify any person for any of the activities described in (1) or (2) above.

Reproductive Health Care: Health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.

Sale of Patient Data: The provision of identified or de-identified patient information for which the covered entity receives direct or indirect compensation from a vendor, Business Associate or other covered entity.

Treatment: The provision, coordination, or management of health care services by providers, including the coordination or management of health care by a provider with a third party; consultation between providers relating to a patient; or the referral of a patient for health care from one provider to another.

Use: The sharing, employment, application, utilization, examination or analysis of PHI within an entity that maintains the PHI.

1. UAB Covered Entities will only use or disclose PHI in accordance with the requirements set forth in this policy.

2. With certain exceptions noted below, when using, disclosing or requesting PHI, UAB Covered Entities will limit PHI to the Minimum Necessary to accomplish the intended purpose of the use, disclosure or request.

a. Each UAB Covered Entity shall be responsible for developing procedures that identify the classes of persons within the Covered Entity who need access to PHI to carry out their job duties, the types of PHI needed and appropriate conditions to the use and disclosure, and protocols or criteria for reviewing requests for use and disclosure of PHI.

1) For routine and recurring disclosures and requests for disclosure, the Covered Entities may develop standard protocols that limit PHI to the minimum necessary.

2) For all other disclosures and requests for disclosure, the Covered Entities may develop criteria for the minimum necessary and must have the requests reviewed on an individual basis.
3) UAB Covered Entities may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when

a) making disclosures to public officials if the public official represents that the information requested is the minimum necessary for the stated purpose;
b) the information is requested by another covered entity;
c) the information is requested by a business associate for the purpose of providing services to the Covered Entity if the business associate represents that the information requested is the minimum necessary for the stated purpose; or
d) documentation or representation that the information requested is the minimum necessary has been provided by a person requesting the information for research purposes.

2) disclosures to the individual who is the subject of the disclosure
3) uses or disclosures made pursuant to authorizations uses or disclosures made pursuant to authorizations
4) uses or disclosures required by law

3. Whenever an individual's authorization or opportunity to object is required by this policy, UAB Covered Entities will treat Personal Representatives as the individual for purposes of this policy, as appropriate.

1) Individuals with authority to act on behalf of an adult or emancipated minor in making decisions related to healthcare.
2) Executors or administrators acting on behalf of a deceased individual or the individual's estate.

1) If adults have the authority of Personal Representatives and are furnishing consent for healthcare treatment for minors, UAB Covered Entities will honor the request, consent, or authorization from the adults with that authority.

2) Minors may independently request, consent, or authorize the use and disclosure of PHI under this policy for healthcare services for which they are legally authorized and do consent, independent of any other consent, including that of their parents or other Personal Representatives.

c. UAB Covered Entities are not required to honor the requests of personal representatives if the entities have a reasonable belief the personal representative is abusing or neglecting the patient or if the entities, in the exercise of professional judgment, decide that it is not in the best interest of the patient to treat the person as the patient's Personal Representative.

B. Not Permitted Use or Disclosure of Health Information - Reproductive Health Care

PHI will not be disclosed when the PHI is requested for the purpose of investigating or imposing liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care or to identify a person in connection with this purpose AND one or more of the following conditions exists:

C. Not Permitted Use or Disclosure of Health Information- Sale of Patient Data

Except under certain circumstances, the sale of patient's data, even if de-identified, is inconsistent with he relationship established with patients when they present for care. Therefore, the sale of patient data shall not be permitted if it is primarily for the benefit of the recipient and does not fall under and of the following conditions:

1. To an individual who requests their own PHI. The disclosure must follow the procedure set forth in the UAB Patient Health Information Rights policy.

2. To the Secretary of the Department of Health and Human Services to investigate UAB's compliance with HIPAA.

E. Permitted Uses and Disclosures - Treatment, Payment or Healthcare Operations

1. Use of PHI within and among UAB Covered Entities. UAB Covered Entities may use PHI for treatment, payment or healthcare operations except as set forth in Section i. related to psychotherapy notes.

2. Disclosure of PHI to Covered Entities outside UAB.

a. For Treatment. UAB Covered Entities may disclose PHI to another Provider for Treatment activities of that Provider.

b. For Payment. UAB Covered Entities may disclose PHI to another Covered Entity for Payment activities of that Entity.

c. For Healthcare Operations. UAB Covered Entities may disclose PHI to another Covered Entity for Healthcare Operations if:

2) the disclosure is for a purpose included in the definition of Healthcare Operations in Section 4 of this policy.

d. For Healthcare Operations. UAB Covered Entities that participate in an organized healthcare arrangement (OHCA) may disclose PHI to other participants in the OHCA for any Healthcare Operations activities of the OHCA.

1. A UAB Covered Entity may disclose PHI to a Business Associate IF the Business Associate has executed a Business Associate Agreement with the UAB Covered Entity.

2. The following disclosures of PHI do not require Business Associate Agreements:

a. to providers for treatment

b. to health plans for payment

c. to any entity that is merely serving as a conduit for transmission of the PHI (i.e. telephone companies)

d. incidental disclosures of PHI (i.e. janitorial staff)

e. within an organized healthcare arrangement

3. UAB Covered Entities must promptly report to UAB Legal (University) Counsel or UAB HIPAA Privacy or Security Officer/Coordinator any instances of a pattern of activity of the Business Associate that constitutes a material breach or violation of the Business Associate's obligations under the Agreement so that reasonable steps may be taken to cure the breach, end the violation, or terminate the Agreement.

G. Permitted Uses and Disclosures -UAB Covered Entities may use or disclose PHI with no patient consent, authorization, or opportunity to object under any one of the following circumstances:

1. Required by law. UAB Covered Entities may use or disclose PHI as required by law.

2. Public Health activities. UAB Covered Entities may use or disclose PHI to the following:

a. outside public health or legal authorities charged with preventing or controlling disease or injury;

b. a person subject to the jurisdiction of the FDA for which that person has responsibility for quality safety or effectiveness of FDA-regulated products;

c. a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting a disease, if authorized by law to do so;

d. an employer about an employee if the health care is furnished at the request of the employer for medical surveillance of the workplace or a work-related illness or injury and the UAB Covered Entity provides written notice to the employee that PHI is disclosed to the employer.

3. Reporting of victims of abuse, neglect or domestic violence. UAB Covered Entities may use or disclose PHI to outside entities charged with overseeing victims of abuse, neglect or domestic violence, consistent with reporting obligations under law.

4. Health oversight activities. UAB Covered Entities may use or disclose PHI to a health oversight agency for activities authorized by law, i.e. government, licensing, or accreditation agencies. A signed attestation, asserting that the PHI requested is not for any prohibited purpose, is required for requests of PHI potentially related to reproductive health care for disclosures for health oversight activities.

5. Judicial and administrative proceedings.

a. UAB Covered Entities may use or disclose PHI in the course of any judicial or administrative proceeding:

1) in response to an order of a court or administrative tribunal

2) in response to a subpoena, discovery request, or other lawful process, if the subpoena or discovery request is accompanied by one of the following:

a) written documentation from the requesting party that a qualified protective order has been entered or applied for that limits disclosure to the proceedings and requires return or destruction of the PHI at the end of the proceeding;

b) written documentation from the requesting party that the individual has been notified, given an opportunity to object and did not object.

c) a valid HIPAA authorization signed by the individual.

b. A signed attestation, asserting that the PHI requested is not for any prohibited purpose, is required for requests of PHI potentially related to reproductive health care for disclosures for judicial and administrative proceedings.

6. Law enforcement purposes. UAB Covered Entities may use or disclose PHI for law enforcement purposes, as follows:

a. pursuant to process and as otherwise required by law, i.e. court subpoenas or orders

b. pursuant to a law enforcement official's request for information to identify and locate a suspect, fugitive, material witness, or missing person provided

1) only the following information is disclosed: name, address, date of birth, social security number, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, if applicable, and a description of distinguishing physical characteristics

2) the following information will not be disclosed: any PHI related to the individual's DNA or DNA analysis, dental records, or typing samples of analysis of body fluids or tissue

c. pursuant to a law enforcement official's request for information about an individual who is a victim of a crime, provided that the individual consents to the disclosure; if the individual is unable to consent because of incapacity or other emergency circumstances, the information may be released only if the law enforcement official represents that the information is needed for an investigation and will not be used against the victim

d. to alert law enforcement officials about an individual who has died if the death may have resulted from criminal conduct

e. to report evidence of criminal conduct on the premises

f. A signed attestation, asserting that the PHI requested is not for any prohibited purpose, is required for requests of PHI potentially related to reproductive health care for disclosures for law enforcement purposes.

7. Family Members of Decedent. UAB Covered Entities may disclose to a family member, other relative, or close personal friend who was involved in the individual's care or payment for care (not just Personal Representative) prior to the individual's death, PHI of the deceased that is relevant to that person's involvement, unless doing so is inconsistent with any prior expressed preference of the deceased individual made known to the Covered Entity.

8. Coroners, medical examiners and funeral directors. UAB Covered Entities may use or disclose PHI to coroners, medical examiners, and funeral directors, as necessary for them to perform their functions. Before disclosing PHI to coroners and medical examiners, a signed attestation, asserting that the PHI requested is not for any prohibited purpose, is required for requests of PHI potentially related to reproductive health care.

9. Cadaveric, organ, eye or tissue donation. UAB Covered Entities may use or disclose PHI to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donor bank.

10. Avert a serious threat to health or safety. UAB Covered Entities may use or disclose PHI to prevent a serious threat to the patient's health and safety or the health and safety of the public or another person. The disclosure may only be made to someone able to help prevent the threat.

11. Specialized government functions. UAB Covered Entities may use or disclose PHI to military command authorities for military and veterans activities, to federal officials for intelligence and national security activities and protective services, and to correctional institution or law enforcement officials for provision of health care or for the health and safety of others.

12. Workers Compensation. UAB Covered Entities may use and disclose PHI to employers and administrators for workers' compensation or similar programs.

H. Permitted Uses and Disclosures - UAB Covered Entities may use or disclose PHI in accordance with the UAB Policies referenced below:

1. Research - see UAB/UABHS HIPAA core policy on Use and Disclosure of Identifiable Health Information for Research.

2. Marketing - see UAB/UABHS HIPAA core policy on Use and Disclosure of Health Information for Marketing

3. Fundraising - see UAB /UABHS HIPAA core policy on Use and Disclosure of Health Information for Fundraising

I. Permitted Uses and Disclosures - UAB Covered Entities may use or disclose PHI to third parties under any one of the following circumstances IF the patient is given an opportunity to agree or object as set forth:

1. Facility Directories. Unless the patient chooses to opt out of the Directory, UAB Covered Entities may disclose the patient's name, location, and general condition that does not communicate specific medical information to individuals who ask for the patient by name. In addition, clergy may receive the patient's religious affiliation and are not required to ask for the patient by name. If a patient is incapacitated or in an emergency treatment circumstance, UAB Covered Entities may disclose the patient's information (name, location, and general condition) in the facility directory if the health care provider is not aware of a time the patient objected to inclusion in the directory and if the health care provider determines, in the exercise of professional judgment, that inclusion in the directory would be in the patient's best interest. The health care provider must inform the patient of this decision and provide the patient an opportunity to object to inclusion in the directory when it is practical to do so.

2. Individuals (family members, friends, or others) involved in the patient's care or in payment for the patient's care.

a. If the patient is present or otherwise available, the healthcare provider of UAB Covered Entities should ask the patient whether or not it is okay to discuss their medical condition in front of or with other individuals that are present.

b. If the patient is not available or incapable of communicating, the healthcare provider of a UAB Covered Entity may, in the exercise of professional judgment and if believed to be in the best interests of the patient, disclose the patient's health information to a person involved in the care of the patient to the extent relevant to the person's involvement with the patient's health care.

4. Individuals shall be informed of these possible uses and disclosures of PHI and of their right to object to these uses in the UAB Notice of Health Information Practices.

J. Permitted Uses and Disclosures - Psychotherapy Notes may only be used or disclosed by UAB Covered Entities under the following conditions:

1. Without an Authorization from the individual, if use and disclosure is limited to:

a. use by the originator of the psychotherapy notes for treatment;

b. use or disclosure by the UAB Covered Entity in mental health training programs; or

c. use or disclosure to defend legal actions or other proceedings brought by the patient.

1. Disclosures of PHI that are incidental and secondary to a permitted use or disclosure of PHI as set forth in this policy are permitted if they cannot reasonably be prevented, are limited in nature, are a by-product of an otherwise permitted use and if the UAB Covered Entity has established reasonable safeguards to ensure that the minimum necessary amount of disclosure will occur.

2. Incidental disclosures include, but are not limited to, teaching rounds, sign-in sheets in clinics, and overhead pages.

1. UAB Covered Entities may use or disclose a "Limited Data Set" if the Entity enters into a Data Use Agreement with the recipient and the recipient certifies that the use is for research, certain healthcare operations, or public health activities. UAB Covered Entities may use or disclose a "Limited Data Set" if the Entity enters into a Data Use Agreement with the recipient and the recipient certifies that the use is for research, certain healthcare operations, or public health activities. A Limited Data Set is PHI that excludes the following:

a. names;

b. postal address information, other than town or city, State, and zip code;

c. telephone numbers;

d. fax numbers;

e. electronic mail addresses;

f. social security numbers;

g. medical record numbers;

h. health plan beneficiary numbers;

i. account numbers;

j. certificate/license numbers;

k. vehicle identifiers and serial numbers, including license plate numbers;

l. device identifiers and serial numbers;

m. web universal resource locators (URLs);

n. internet protocol (IP) address numbers;

o. biometric identifiers, including finger and voice prints and retinal images; and

p. full face photographic images and any comparable images.

2. The UAB Covered Entity disclosing the Limited Data Set to a UAB employee or to a non-UAB Covered Entity must enter into a Data Use Agreement with the employee or entity receiving the Limited Data Set.

1. Health plans may disclose to plan sponsor/employer summary health information, if requested by the plan sponsor/employer, for the purposes of obtaining premium bids or modifying, amending, or terminating the health plan.

2. Health plans may disclose to the plan sponsor/employer if an individual is participating in, is enrolled in, or disenrolled from a plan.

3. Health plans may disclose to plan sponsor/employer an individual's medical information for plan administrative functions if the plan sponsor/employer agrees to ensure confidentiality of the information and to not use it for employment-related activities.

4. Health plans shall not use or disclose PHI that is genetic information for underwriting purposes except as provided by law.

N. Permitted Uses and Disclosures - Authorizations are required for all uses and disclosures of PHI not otherwise addressed in this policy.

2. Compound authorizations are not permitted for psychotherapy notes or for instances in which a UAB Covered Entity conditioned treatment on execution of an Authorization.

3. UAB Covered Entities cannot condition the furnishing of treatment or enrollment in a health plan on signing Authorizations for release of PHI, except:

a. participating in research projects can be conditioned on the individual signing an Authorization to use and disclose PHI in the research.

b. initial enrollment in health plans can be conditioned on signing an Authorization for the health plan to review PHI to make eligibility determinations.
c. furnishing healthcare services to an individual at the request of a third party can be conditioned on the individual signing an Authorization for disclosure of the PHI to the third party requesting the treatment.

4. Individuals may revoke Authorizations by submitting a written revocation to a UAB Covered Entity. The revocation will not be effective for any actions taken in reliance on the Authorization prior to receipt of the written revocation.

5. UAB Covered Entities are responsible for developing processes to ensure appropriate Authorizations are obtained for use and disclosure of PHI, when required, and that copies of the Authorizations and any revocations are maintained for a period of six years.

a. An employee who is a victim of a criminal act may disclose PHI to a law enforcement official if the disclosure is about the suspected perpetrator of the criminal act and the PHI is limited to name/address, birthdate, social security number, ABO blood type and rh factor, type of injury, date/time of treatment and distinguishing physical characteristics.

b. An employee or business associate of UAB Covered Entities may disclose PHI to oversight agencies if they believe the entities are engaging in unlawful conduct of which the employee has notified the entity and the entity has not responded to the employee.

1. UAB Covered Entities shall maintain a Notice of Health Information Practices (Notice) and must make it available upon request to any person.

2. UAB Covered Entities who have a Direct Treatment Relationship with an individual must

a. provide the Notice to the individual no later than the date of the first service delivery, including service delivered electronically.

b. In an emergency treatment situation, provide Notice to the individual as soon as reasonably practicable after the emergency treatment situation

c. make a good faith effort to obtain written acknowledgement of the individual's receipt of the Notice, absent an emergency treatment situation. If the individual's acknowledgement is not obtained, the Covered Entities must document their good faith efforts to obtain the acknowledgement and the reason why the acknowledgement was not obtained.

d. In their physical service delivery sites have the Notice available for individuals to request to take with them and post the Notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the Covered Entity to be able to read the Notice

e. Whenever the Notice is revised, make the Notice available upon request on or after the effective date of the revision.

a. provide the Notice to individuals who are new enrollees

b. once every three years notify individuals covered by the plan of the availability of the Notice and how to obtain the Notice

c. inform individuals of a material change to the Notice either by

1) posting its revised Notice on its website, if it maintains a website, by the effective date of the change and provide the revised Notice, or information about the change and how to obtain the revised Notice, in its next annual mailing to individuals covered by the plan, or

2) providing the revised Notice to individuals covered by the plan or provide information about the material change and how to obtain the revised Notice within 60 days of the material revision.

4. A UAB Covered Entity that maintains a website must prominently post its Notice on the website and make the Notice available electronically through the website.

5. A UAB Covered Entity may provide Notice to an individual by email if the individual agrees. If the Covered Entity knows the email transmission failed, a paper copy of the Notice must be provided.

6. If a UAB Covered Entity delivers the first health care service to an individual electronically, the electronic Notice must be provided automatically and contemporaneously in response to the individual's first request for service.

7. Any individual who receives an electronic Notice has the right to obtain a paper copy of the Notice upon request.

8. UAB Covered Entities must revise the Notice if the use and disclosure practices change.

9. UAB Covered Entities must keep copies of all versions of the Notice and all acknowledgements received for a period of six years.

P. Each UAB Covered Entity shall develop procedures to implement this policy.

6. REFERENCES: None

7. SCOPE: This policy applies to all UAB Covered Entities and to UABHS Covered Entities identified in Section 3.

8. ATTACHMENTS: Note: All HIPAA forms may be found at the UAB/UABHS HIPAA website
To view other HIPAA Core Policies and for more information, please HIPAA website