UW Medicine Compliance

Patient Information Privacy Policies

101 Patient Information Privacy and Security Compliance Program and Administrative Requirement

This policy addresses:

  • UW Medicine’s Designation of Healthcare Components at the University of Washington (UW);
  • Administrative requirements addressing safeguards for protected health information (PHI), disclosures of PHI by whistleblowers, mitigation strategies, prohibition of retaliatory acts, patients’ non-waiver of rights, personnel designations and revisions and documentation of privacy policies and procedures;
  • The maintenance of the designated record set.

Policy Outline:

I. Designation of Healthcare Components

A. UW Covered Entity
B. UW Medicine Affiliated Covered Entity (ACE)
C. Healthcare and Other Covered Components of the UW
D. UW Healthcare Components Policy Governance

II. Organized Health Care Arrangements

III. Administrative Requirements

A. Safeguards
B. Sale of PHI
C. Disclosures by Whistleblowers
D. Mitigation
E. Retaliatory Acts Prohibited
F. No Waiver of Individual Rights
G. Personnel Designations
H. Compliance Patient Information Privacy and Security Policies
I. Legal Medical Record and Designated Record Set

102 Safeguarding the Privacy and Security of Protected Health Information

This policy establishes UW Medicine safeguards for protecting the confidentiality, integrity and availability of protected health information (PHI).

Policy Outline:

I. Safeguarding Verbal PHI

II. Safeguarding Paper and Electronic PHI

III. Verification Requirements for Disclosures of PHI

A. Conditioned Disclosures
B. Identity of Public Officials
C. Authority of Public Officials
D. Professional Judgment

IV. Access Management: Authorizing Users for Access to UW Medicine Information Systems Containing PHI

A. UW Medicine Workforce
B. Non-UW Medicine Workforce

1. OHCA Members
2. Business Associates
3. External healthcare facilities or professionals
4. Other non-UW Medicine workforce
5. Limited account access

C. Access Modifications and Terminations
D. Access Documentation and Records Retention

103 Use and Disclosure of Protected Health Information

This policy outlines the requirements for appropriate use and disclosure of protected health information (PHI), addresses the concept of minimum necessary as it applies to PHI uses and disclosures, describes the special restrictions on PHI requiring heightened standards of confidentiality, and references the requirement to document certain PHI disclosures made without patient authorization.

Policy Outline:

I. The Minimum Necessary Requirement

A. Minimum Necessary: UW Medicine Disclosures of PHI
B. Minimum Necessary: UW Medicine Requests for PHI from Outside UW Medicine

II. Uses and Disclosures of PHI That Do Not Require Patient Authorization

A. Treatment, Payment or Healthcare Operations
B. Public Health Activities
C. Workers' Compensation
D. Employers
E. Health Oversight Activities
F. Deceased Patients
G. Averting a Serious Threat to Health or Safety
H. Judicial and Administrative Proceedings
I. Law Enforcement and Correctional Institutions

1. Reporting a crime when providing emergency healthcare services
2. Patients brought to the healthcare facility by authorities
3. Patients in custody
4. Identification and location purposes
5. Crime on UW Medicine premises or against UW Medicine workforce members
6. Crime victims
7. Alcohol or drug test results
8. Mandatory reporting of violent injuries for patients
9. Mandatory reporting of Protected Health Information when requested by law enforcement

J. Victims of Abuse, Neglect, Domestic Violence or Sexual Assault

1. Requirement to disclose PHI for abuse of vulnerable adults and children
2. Disclosure of PHI for competent adults who are victims of domestic violence
3. Victims of sexual offenses

K. Fundraising Activities

1. General principles
2. Use of PHI for fundraising activities
3. Opting out of or back in to receiving fundraising communications

L. Other Disclosures Required by Law

1. Military and veteran activities
2. Homeland and national security activities

M. Restrictions on PHI Subject to Heightened Confidentiality

III. Uses and Disclosures of PHI Requiring a Patient’s Opportunity to Agree or Disagree

A. Inpatient Facility Directories

1. Inpatient facility directory – General
2. Individual’s opportunity to object to inclusion in the inpatient directory
3. Permitted uses or disclosures after an opportunity to object
4. Permitted uses or disclosures for emergency treatment or during an individual’s incapacity
5. Special circumstances for inpatient facility directories

B. Disclosure of Proof of Immunization for a Student or Prospective Student
C. Law Enforcement: Photographing Patients and Obtaining Evidence
D. Family, Friends and Other Designated Individuals Involved in the Care or Payment of Care

1. Use or disclosure requirements
2. Abuse, neglect, and endangerment situations
3. Disclosure limitations
4. Notification
5. Disaster relief purposes
6. Minor patients
7. Patient portal proxy access to a patient’s online personal health information
8. Consent process diagrams

IV. Uses and Disclosures of PHI Requiring Patient Authorization

A. Psychotherapy Notes
B. Information regarding Mental Health, Human Immunodeficiency Virus (HIV) Testing and Other Sexually Transmitted Diseases (STDs)
C. Research
D. Marketing Activities

V. Authorizations for the Use or Disclosure of PHI

A. Valid Authorization
B. Invalid Authorizations
C. Prohibition on Conditioning of Authorizations
D. Compound Authorizations
E. Processing Authorizations
F. Revocation of Authorizations

VI. Special Circumstances

A. Limited Data Sets
B. De-Identification of PHI

1. Requirements for de-identification of PHI
2. Re-identification requirements

C. Public Records Requests
D. Business Associates

104 Patient Rights Related to Protected Health Information (PHI)

This policy establishes the obligations of UW Medicine with respect to patients’ rights regarding their protected health information (PHI).

Policy Outline:

I. Notice of Privacy Practices

A. Distribution of the Notice
B. Acknowledgment of the Notice
C. Revisions to the Notice of Privacy Practices

II. Requests for Additional Privacy Protections for PHI

A. Requests for Restrictions
B. Terminating a Restriction Agreement
C. Request for Restrictions on Disclosures of PHI to Health Plans when Patients Self-Pay
D. Request for Alternative Forms of and/or Confidential Communications

III. Patient Requests to Access, Inspect or Request a Copy of PHI

A. Patient Requests for Access
B. Response to Patient Requests for Access
C. Charging for Requests for Access
D. Denial of Access

1. Unreviewable grounds for denial
2. Reviewable grounds for denial

E. Patient Appeal/Review Process

IV. Right to Request an Amendment to PHI

A. Requests for Amendment
B. Responding to Requests for Amendment

1. Accepting a requested amendment
2. Denying a requested amendment

C. Notice of Amendment from another Covered Entity
D. Documentation Requirements for an Amendment

V. Right to an Accounting of Disclosures of PHI

A. Documenting Disclosures of PHI
B. Patient Requests for Accounting of Disclosures of PHI
C. Temporary Suspension of Accounting of Disclosures of PHI
D. Responding to Requests for Accounting of Disclosures of PHI
E. Charging for an Accounting of Disclosures
F. Documentation Requirements for an Accounting of Disclosures

VI. Right to File a Complaint

105 Breach Notification

The purpose of this policy is to establish the following:

  • The process UW Medicine follows to investigate potential breaches of protected health information (PHI) and refer potential breaches of non-PHI University Personal Data to the appropriate department;
  • UW Medicine’s obligation to notify patients and other parties of a breach of PHI;
  • The parties that must be notified and timelines that must be observed;
  • Required content of notifications made to patients; and
  • Parties responsible for implementing the policy.

Policy Outline:

I. Assessment of Potential Breach Involving Protected Health Information
II. Parties Required to be Notified
III. Notification Timelines
IV. Required Elements of Patient Notifications

A. Written Notifications
B. Alternatives to Written Notification

V. Documentation Requirements
VI. Responsibility for Implementation
VII. Breaches Involving Personal Data (non-Protected Health Information)

106 Use and Disclosure of Protected Health Information by Business Associates

This policy outlines the criteria for a business associate (BA) and establishes the requirements for disclosing PHI to a BA, including the required content of a Business Associate Agreement (BAA).

Policy Outline:

I. Disclosing PHI to a Business Associate
II. Business Associate Agreement (BAA) Requirements
III. Determining the Need for a BAA
IV. Required Elements of a BAA
V. Violations of the BAA

107 Information Security

This policy establishes UW Medicine requirements for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Policy Outline:

I. Administrative Processes

A. Applications and Data Criticality Analysis
B. Risk Analysis
C. Risk Management
D. Evaluation
E. Business Associate Contracts and Other Arrangements

II. Integrity and Availability of ePHI

A. Security Incident Procedures
B. Contingency Planning & Operations
C. Maintenance Records
D. Facility Security Plan

III. Information Access Control and Management / Identity and Access Management

A. Person or Entity Authentication
B. Access Control, Access Authorization and Validation Procedures
C. Workforce Security

IV. Workstation, Device and Media Security and Controls

A. Workstation Use
B. Protection from Malicious Software
C. Encryption and Decryption
D. Disposal
E. Media Re-use
F. Data Backup and Storage

V. Transmission Security

VI. Information System Activity Review

A. Audit Controls, Logging and Monitoring
