<\/p>\n
Below are answers to commonly asked questions about\u00a0 Business Associate Agreements and emailing patient information.<\/p>\n
No. The HIPAA privacy regulations create a minimum standard for the protection of health
\ninformation nation-wide. The regulations allow for the possibility that state law is more
\nprotective of a patient\u2019s privacy or provides a patient greater access to protected health
\ninformation. In these instances, state law may actually govern the use or disclosure of health information, not the HIPAA regulations. Thus, it is important for business associates to understand that use or disclosure of protected health information on behalf of UW Medicine must conform to both state and federal requirements.<\/p>\n<\/div>\n<\/div>\n
Maybe. This is ultimately a business decision and your leadership should make this determination. Expanding the reporting period may impact UW Medicine\u2019s ability to respond quickly in the case of a breach. The maximum time UW Medicine generally accepts is twenty days.<\/p>\n<\/div>\n<\/div>\n
Maybe. UW Medicine must consider state law requirements and you should consult with UW Medicine Compliance to discuss the operational implications. Upon request for amendment of a medical record, state law provides that a health care provider must correct or amend the records within ten calendars days of receiving the request (RCW 70.02.100). If unusual circumstances exist, state law provides for a maximum of twenty-one days to respond. The HIPAA privacy regulations, in contrast, allow a health care provider sixty days to respond. This provision tends to be an area in which considerable energy in negotiation is expended. The most important question to address is whether the business associate holds medical records that would be subject of the amendment request and whether they will be impacted by a short deadline.<\/p>\n<\/div>\n<\/div>\n
Yes, the Business Associate Agreement may include any\/all UW Medicine entities. The Business Associate Agreement must have signature lines for each entity included, be signed by an authorized person from each entity, and be maintained in accordance with entity-specific records retention rules.<\/p>\n<\/div>\n<\/div>\n
No, the Business Associate must make PHI available in accordance with HIPAA and state laws governing access of individuals to PHI.<\/p>\n
See\u00a0 COMP.104 Patient Rights Related to Protected Health Information (PHI)<\/a>.<\/p>\n<\/div>\n<\/div>\n Yes, but the Business Associate must enter into a contract that meets the requirements of a business associate agreement or other arrangement with the subcontractor(s) to ensure that the same restrictions and conditions, including the implementation of reasonable and appropriate safeguards to protect the information that apply to the Business Associate, also apply to the subcontractor.<\/p>\n<\/div>\n<\/div>\n Yes, if an entity maintains PHI on behalf of the University of Washington or UW Medicine, it is a business associate even if the entity does not actually view the PHI.<\/p>\n<\/div>\n<\/div>\n When the Business Associate is a governmental entity, UW Medicine may enter a Memorandum of Understanding to document the Business Associate\u2019s privacy, security, and electronic exchanges assurances. The Memorandum of Understanding must contain the required elements of a Business Associate Agreement.<\/p>\n<\/div>\n<\/div>\n If violation(s) of the Business Associate Agreement is suspected or discovered, the department manager or other individual initiating a contract is required to report the violation to UW Medicine Compliance and request investigation.<\/p>\n<\/div>\n<\/div>\n Yes. UW Medicine Compliance policies allow workforce members to communicate electronically with their patients provided they apply reasonable safeguards such as:<\/p>\n Patients have a right to request communication preferences such as text message or email and, when reasonable, workforce members should accommodate such requests. Workforce members may consider using Microsoft Outlook\u2019s Encryption feature in the email\u2019s Options tab when emailing protected health information. If this is not possible then the patient should be warned about the risks of unencrypted email or text messages, which is described in the UW Medicine Agreement for Electronic Correspondence<\/a>.<\/p>\n<\/div>\n<\/div>\n Yes, so long as the following requirements are met:<\/p>\n Yes, the IT personnel that support your department or clinical entity can assist you.<\/p>\n<\/div>\n<\/div>\n Yes, the following language should be included under your signature on any email sent to a patient:<\/p>\n \u201cThe above email may contain patient identifiable or confidential information. Because email is not secure, please be aware of associated risks of email transmission. If you are communicating with a UW Medicine Provider or Researcher via email, your acceptance of the risk and agreement to the conditions for email communications is implied. (See\u00a0http:\/\/www.uwmedicine.org\/about\/compliance\/email-risk<\/a>.)<\/p>\n The information is intended for the individual named above. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender by reply email, and then destroy all copies of the message and any attachments. See our Notice of Privacy Practices at\u00a0http:\/\/www.uwmedicine.org\/about\/privacy<\/a>.\u201d<\/p>\n<\/div>\n<\/div>\nEmailing Patient Information<\/strong><\/h3>\n
\n
\n
\n