UW Medicine Compliance
Patient Information Privacy and Security Compliance Program and Administrative Requirements – COMP.101
This policy addresses:
- UW Medicine’s Designation of Healthcare Components at the University of Washington (UW);
- Administrative requirements addressing safeguards for protected health information (PHI), disclosures of PHI by whistleblowers, mitigation strategies, prohibition of retaliatory acts, patients’ non-waiver of rights, personnel designations and revisions and documentation of privacy policies and procedures;
- The maintenance of the designated record set.
Applicability: UW Medicine Affiliated Covered Entity
Policy Title: Patient Information Privacy and Security Compliance Program and Administrative Requirements
Policy Number: COMP.101
Superseded Policies: PP-01, PP-03, PP-26
Date Established: October 11, 2017
Date Effective: June 21, 2019
Next Review Date: June 21, 2022
The Health Insurance Portability and Accountability Act (HIPAA) and Washington Uniform Health Care Act (Revised Code of Washington (RCW) 70.02) provide the primary regulatory framework for a type of personally identifiable information about patients called PHI. Requirements for protecting patient privacy govern oral, paper and electronic PHI and apply to certain organizations called covered entities. The UW is a hybrid covered entity that includes several components, including UW Medicine, which is an affiliated covered entity made up of multiple separate healthcare components. These are treated as one covered entity for HIPAA purposes.
A. UW Covered Entity
For the UW Healthcare Components that comprise the UW Covered Entity, please see 101.G1 UW HIPAA Designation (University of Washington Non-UW Medicine Healthcare Components and University of Washington UW Medicine Healthcare Components).
B. UW Medicine Affiliated Covered Entity (ACE)
UW further designates specific healthcare components as one affiliated covered entity known as UW Medicine. Please see 101.G1 UW HIPAA Designation (UW Medicine — Affiliated Covered Entity — Other Healthcare Components and University of Washington UW Medicine Healthcare Components).
C. Healthcare and Other Covered Components of the UW
Certain services and activities that support the healthcare components of the UW are performed by non-healthcare components of the UW. To the extent that non-healthcare components perform support functions requiring the use or disclosure of PHI for or on behalf of healthcare components, they are deemed to be functioning as healthcare components. Some examples of support functions are:
- Administrative support relating to treatment, payment or healthcare operations.
- Document retention services.
- Environmental and workplace safety.
- Information systems management.
- Investigations involving clinical care or scholarly integrity.
- Medical staff peer review.
- Personnel services.
- Risk management services.
D. UW Healthcare Components Policy Governance
UW designated healthcare components are subject to the patient information privacy and security policies established by UW Medicine. Wherever policies refer to “UW Medicine” or specify a UW Medicine authority, each UW designated healthcare component will substitute their respective entity-specific name or authority.
UW Medicine may enter into Organized Health Care Arrangements (OHCAs) with certain eligible healthcare providers and organizations in order to allow legally separate covered entities to use and disclose PHI for the joint operation of the arrangement. For information about organizations participating in an OHCA with UW Medicine, please contact UW Medicine Compliance at 206.543.3098 or 855.211.6193.
UW Medicine has established compliance policies, procedures, technical standards and guidelines to ensure that appropriate administrative, technical and physical safeguards are in place to protect the privacy and security of PHI.
A. Safeguards
Safeguards are defined as the administrative, technical, and physical protective measures and controls imposed by UW Medicine to protect the privacy of an individual’s PHI from impermissible use or disclosure. These safeguards include, but are not limited to:
- Hardware and software security features;
- Operating procedures;
- Accountability procedures and management constraints;
- Access and distribution controls;
- Personnel security; and
- Physical structures, areas and devices.
B. Sale of PHI
Workforce members shall not sell PHI.
C. Disclosures by Whistleblowers
Workforce members and business associates may disclose PHI for the purposes of making a whistleblower complaint to a health oversight agency, a public health authority authorized to investigate the conduct in question or a healthcare accreditation organization.
D. Mitigation
To the extent practicable, UW Medicine mitigates known harmful effects from the use or disclosure of PHI that was made in violation of institutional policy.
E. Retaliatory Acts Prohibited
UW Medicine does not intimidate, threaten, coerce, or retaliate against persons for filing complaints to the Secretary of Health and Human Services or the Washington Department of Health; for testifying, assisting or participating in investigations, compliance reviews, proceedings or hearings under Part C of Title XI of the Social Security Act; or, for opposing real or perceived unlawful acts or practices under this act provided the opposition is reasonable and does not involve a disclosure of PHI that would be prohibited under federal and state patient privacy laws and regulations. (See also COMP.004 Reporting and Non-Retaliation.)
F. No Waiver of Individual Rights
UW Medicine does not require an individual to waive his/her right to file a complaint to the Office for Civil Rights as a condition for the provision of treatment.
G. Personnel Designations
The UW Medicine Chief Compliance Officer serves as the Chief Privacy Officer and oversees the UW Medicine compliance program as described in the UW Medicine Compliance Program Document. UW Medicine has also designated a Chief Information Security Officer (CISO) who partners with the UW Medicine compliance program team on matters related to the security of patient information. The CISO is designated as the UW Medicine Security Official.
H. Compliance Patient Information Privacy and Security Policies
Policies that govern patient privacy protection at UW Medicine are subject to the requirements outlined in COMP.001 Compliance Policy Development.
I. Legal Medical Record and Designated Record Set
The Legal Medical Record (LMR) is the set of healthcare records used when responding to requests for information for legal and legally permissible purposes. The Designated Record Set (DRS) is the set of healthcare records, in addition to and separate from the LMR, that are available when specifically identified and requested for legal and legally permissible purposes.
Each UW Medicine entity is to develop release and disclosure procedures, when appropriate, and in accordance with the UW Medicine Policy: Definition, Retention & Disclosure of the Legal Medical Record and Designated Record Set. (See also Schematic of LMR and DRS, NWH Legal Medical Record Definition, Retention, Disclosure & Designated Record Set, VMC Medical Record Policy).
The designated record sets are the property of the UW Medicine ACE. Patients’ requests for access to their designated record sets are facilitated by the applicable Health Information Management departments.
- UW Medicine Compliance Glossary.
- 101.G1 University of Washington HIPAA Designation.
- 101.G2 Privacy Policies Summary.
- UW Medicine Health Information Management Policy: Definition, Retention & Disclosure of the Legal Medical Record and Designated Record Set (see also Schematic of LMR and DRS).
- NWH Legal Medical Record Definition, Retention, Disclosure & Designated Record Set.
- VMC Medical Record Policy.
- UW Medicine Records Retention Schedule.
- Refraining from intimidation or retaliation, 45 C.F.R. §160, Subpart C.
- Privacy of Individually Identifiable Health Information, 45 C.F.R. §164, Subpart E.