V.C. Confidentiality of Health Information under HIPAA
(Office of Audit, Compliance and Privacy, 2006; revised, 2009)
All faculty members at the University of Pennsylvania should respect the privacy and security of personal health information. Personal health information may be used for appropriate patient care, teaching, and research purposes, consistent with applicable University policy. Further, faculty should take reasonable steps to safeguard personal health information from unauthorized access, use, and disclosure.
Under the Health Insurance Portability and Accountability Act (HIPAA), certain schools and centers within the University must comply with a number of regulatory requirements that have been incorporated into specific policies addressing the privacy and security of health information. Faculty members within the Perelman School of Medicine, the School of Dental Medicine, and faculty practicing at the Student Health Service and Living Independently for Elders (collectively, “HIPAA-Covered Faculty”) should refer to and follow HIPAA privacy and security policies and procedures established for their schools and centers.
HIPAA-Covered Faculty must abide by the following HIPAA requirements:
- HIPAA-Covered Faculty must receive training on policies and procedures implementing HIPAA and abide by such policies and procedures;
- In general, HIPAA-Covered Faculty may not use and/or disclose personal health information without the patient’s signed HIPAA-compliant authorization, except that:
- HIPAA-Covered Faculty may, without patient authorization, use and/or disclose personal health information for purposes of treatment, payment, and for the healthcare operations of the faculty member’s school /center, including but not limited to management, quality assurance, training programs, and compliance programs;
- HIPAA-Covered Faculty may, without patient authorization, share personal health information with a patient’s family members and other relatives or friends that is directly relevant to that person’s involvement in the patient’s care or payment for care, consistent with professional judgment unless the patient otherwise objects to such sharing;
- HIPAA-Covered Faculty may, without patient authorization, use or disclose personal health information for research purposes if Penn’s Institutional Review Board (IRB) or a similar committee has waived the requirement for authorization under HIPAA. However, the faculty member must provide to the designated institutional official an accounting for all disclosures of that information in a manner described in the IRB procedures;
- HIPAA-Covered Faculty may, without patient authorization, use and disclose personal health information for designated priority purposes, including but not limited to reporting to certain governmental agencies, in emergency circumstances, for judicial and administrative proceedings, and where disclosure is required by law, provided that the HIPAA-covered faculty does so in accordance with specific conditions set out in school / center policies and procedures. However, the faculty member must provide to the designated institutional official an accounting for all disclosures of that information in a manner described in school / center policies and procedures;
- HIPAA-Covered faculty must limit uses, disclosures, and requests for personal information to the amount reasonably necessary to accomplish the purpose, except as related to treatment;
- HIPAA-Covered Faculty must permit patients the right to access, inspect, and copy their personal health information, except in specified cases, such as in the course of a clinical trial subject to the terms of the authorization to use the patient’s health information in that trial.
- HIPAA-Covered Faculty must permit patients the right to request amendment of their health information;
- HIPAA-Covered Faculty must enter into HIPAA business associate agreements with vendors that create or receive personal health information on our behalf as described in school / center policies and procedures;
- HIPAA-Covered Faculty must ensure that they provide appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of personal health information; and
- HIPAA-covered faculty must report all unauthorized access to personal health information to school/center privacy officials to the Office of Audit, Compliance and Privacy to ensure appropriate investigation and response.