Standard Number: 1.11.3.9.1
Category: Information Privacy
Owner: Information Technology Services
Effective: August 1, 2022
Revision History: None
Review Date: July 31, 2025
Purpose, Scope, and Responsibilities
- As identified in the Protected Health Information Privacy Policy, Protected Health Information (“PHI”) may only be used and disclosed according to HIPAA. Employees, students, volunteers, trainees, and other persons (“Workforce”) of a University Health Care Component (“UHCC”) may use or disclose PHI only in the circumstances identified within this document.
- This Standard is based on the requirements within the HIPAA Privacy Rule.
- The Chief Information Security Officer, in conjunction with the Health Sciences Center Privacy Officer, is responsible for implementing and enforcing this Standard.
- Unless the subject of the PHI (“Individual”) provides written Authorization, UHCCs cannot use or disclose the PHI for any reason except those described in this document or as permitted by HIPAA. Any other request received for access to PHI must be directed to West Virginia University Medicine’s Health Information Management (“HIM”).
- HIM is responsible for addressing all requests to restrict use of WVU Medicine owned, managed, or controlled PHI relating to an encounter that is paid for out-of-pocket by the patient and any other reasonable request that does not prohibit Treatment, Payment, or other Health Care Operations.
- All Senior Management of UHCCs are responsible for implementing and enforcing the requirements within this Standard. Workforce members with access to PHI must follow the requirements outlined in this Standard. Failure to do so may result in appropriate corrective action.
- Individuals are responsible for identifying their representatives following the Personal Representative Procedure.
Required Disclosures
- Pursuant to the Protected Health Information Privacy Policy, UHCCs are required to disclose PHI to:
- The Secretary of Health and Human Services for the purposes of investigating or determining compliance with HIPAA Privacy Rule requirements; and,
- The Individual who is the subject of the PHI, or their representative, provided the following:
- A signed Authorization is on file documenting the request;
- Patients receiving treatment for psychiatric or psychological problems may receive a summary record following termination of the treatment program pursuant to W. Va. Code §16-29-1(a)(1); and,
- Access fees are reasonable and based on applicable policy.
Authorized Disclosures
- PHI may be disclosed to another UHCC or third-party Covered Entity for the Treatment, Payment, and Health Care Operations of the other Covered Entity provided:
- The entity has or had a relationship with the Individual;
- The PHI pertains to that relationship;
- The purpose is for Treatment, Payment, or Health Care Operations;
- The Individual has provided written Authorization to the UHCC to use medical information or to disclose it; however, the Individual may revoke Authorization in writing at any time. See Authorizations section of this document.
- If an Individual has paid for the service out-of-pocket, they may request that the information not be shared with their insurance company.
- PHI may also be disclosed in the following circumstances:
- To a family member, friend, or other person to the extent necessary to help with the Individual’s health care or with Payment for health care;
- To notify, or assist in notifying (including identifying or locating), a person involved in the Individual’s care of the Individual’s general condition or death;
- To whomever the Individual has given permission;
- After an Individual’s death, to a family member or other party, provided the Individual was involved in care or health care Payment prior to the Individual’s death unless to do so is inconsistent with the Individual’s wishes. Proof of relationship or care provider must be provided prior to releasing PHI;
- To a public or private entity authorized by law or by its charter to assist with disaster relief. The Health Sciences Center Privacy Office must be contacted before any such disclosure is made;
- To a company or individual that creates, receives, maintains, or transmits PHI to provide contracted services on behalf of a UHCC (“Business Associate”);
- To a Business Associate to assist with an Individual’s medical treatment alternatives;
- For fundraising purposes, provided the Individual has been given an opportunity to opt out;
- As authorized or required by law for certain purposes deemed to be in the public interest or benefit (e.g., disease and vital statistics reporting, child abuse reporting, adult protective services, FDA oversight, cancer registry, trauma registry, birth registry); and,
- In response to court and administrative orders or subpoenas.
- PHI may be used or disclosed for research purposes pursuant to an approved Institutional Review Board protocol in the following circumstances:
- The Individual has provided Authorization;
- The Individual has not provided Authorization, but the information does not contain any specific identifiers of the individual, their relatives, employers, or household members (“De-Identified”). See PHI De-Identification Standard;
- For retrospective research studies involving data re-analysis when the researcher has obtained a written Authorization from the Individual or a waiver from the WVU Institutional Review Board;
- If the researcher represents that the use or disclosure being sought is solely for research on the PHI of deceased Individuals (“Decedents”) and that the PHI being sought is necessary for the research, and provides documentation of the death of the individuals about whom information is being sought from the Covered Entity;
- Limited Data Sets may be disclosed without an Individual’s authorization for research purposes consistent with the HIPAA Privacy Rule; and,
- Studies for which the disclosure of PHI was received prior to April 14, 2003.
Authorizations
- Immunization records may be disclosed to a school to provide proof of immunization for admissions purposes based on verbal Authorization. Such an Authorization must be documented within the Individual’s medical record.
- Individuals must be provided an opportunity to object to the disclosure of their PHI. In the event the Individual is not present, or is incapacitated, PHI must be disclosed based on professional judgement if the disclosure is in the Individual’s best interest.
- In the instance an Individual has instituted legal action against WVU, a UHCC and/or a physician or faculty member, a waiver of the confidential status of the medical record related to the legal action is implied.
- Individuals must notify HIM or UHCC, when UHCC manages and controls the medical record, in writing to request restriction of access to their PHI.
- Parents must sign a Consent for Proxy in person at HIM or UHCC, when UHCC manages and controls the medical record, to authorize disclosure of PHI of children under the age of 10.
- Minors between the ages of 11-18 must sign a Consent for Proxy in person at HIM to authorize disclosure of their PHI. A parent or legal guardian can also provide a notarized signature from the minor or a legal ID card with the minor’s signature for comparison without the minor present.
- Family members of UHCC Workforce must sign a Consent for Proxy in person at HIM to authorize disclosure of their PHI to the UHCC Workforce member. Adults can provide a notarized signature or a legal ID card with signature for comparison without the family member being present.
- Individuals must provide Authorization to be photographed, videotaped, audio recorded, or otherwise recorded. In cases of suspected child or elder abuse, photographs may be taken of the patient to document the abuse.
- Photographs may be released subject to a subpoena, patient authorization, or for use in connection with a suspected child or elder abuse investigation.
- Conditioned and unconditioned authorizations may be combined for research purposes, provided that the authorization clearly differentiates between the conditioned and unconditioned research components. The patient must opt into the unconditioned research opportunity.
Unauthorized Disclosures
UHCC Workforce members are not permitted to access:
- Their own PHI using any information systems (e.g., EPIC/Merlin Hyperspace) other than MyWVUChart;
- Another Individual’s PHI for any reason other than Treatment, Payment, or Health Care Operations unless there is an executed Consent for Proxy on file with HIM or UHCC, when UHCC manages and controls the medical record, for such a disclosure.
- Pursuant to the Protected Health Information Privacy Policy, UHCC Workforce members are not permitted to provide information regarding Unauthorized Disclosures to the press, any member of the media, or the Individual. All communications related to Unauthorized Disclosures must come from the Chief Information Security Officer or the Health Sciences Center Privacy Officer in collaboration with University communication officials only.
- All documentation related to the investigation of Unauthorized Disclosure of PHI will be retained by the University for six (6) years, at minimum.
Sale of PHI
Individual’s authorization explaining that the PHI can be further exchanged for remuneration by the entity receiving the PHI (e.g., pharmacy, laboratory) except in the following circumstances:
- For public health activities;
- For research;
- For Treatment;
- For the sale, merger, or transfer of the Covered Entity;
- To a business associate to perform functions for the UHCC;
- To an Individual who wants copies of his/her PHI; and,
- As a result of any future regulatory exceptions.
Definitions
- “Authorization” means an individual's signed permission to allow a UHCC to disclose the Individual's PHI that is described in the Authorization for the purpose(s) and to the recipient(s) stated in the Authorization.
- “Business Associate” means any entity that creates, receives, maintains, or transmits PHI to perform certain functions or activities on behalf of a UHCC or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services for a UHCC and the provision of the service involves the disclosure of PHI.
- “Covered Entity” means any health plan, health care clearinghouse, or health care provider that transmits PHI in electronic form in connection with a Covered Transaction.
- “Covered Transaction” means the transmission of information between two parties to carry out financial or administrative activities related to health care and includes: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; health care electronic funds transfers (EFT) and remittance advice; or other transactions that the Secretary of the Department of Health and Human Services may prescribe by regulation.
- “Health Care Operations” means activities related to the operation of the University Health Care Component that include quality assessment and improvement activities; population-based activities relating to improving health or reducing health care costs; case management and care coordination; conducting training programs; accreditation; certification; licensing or credentialing activities; and health care fraud and abuse detection or compliance.
- “Limited Data Sets” means PHI that excludes the direct identifiers of the Individual or of relatives, employers, or household members, except for the following items:
- Dates, except year, related to the health or identity of the Individual, including birth dates, date of admission, date of discharge, date of death, or exact age of Individuals older than 89; and,
- Geographic data, such as street address, city, country, or zip code.
- “Payment” means providing or obtaining reimbursement for health care, determinations of eligibility or coverage, coordination of benefits, billing, and collection activities.
- “Treatment” means the provision, coordination, or management of health care and related services, including the coordination or management of health care with a third-party, consultation with other health care providers related to a patient, or the referral of a patient for health care to another health care provider.
Related Documents
- Protected Health Information Privacy Policy
- Notice of Privacy Practices
- W. Va. Code 16-29-1(a)(1)
- Personal Representative Procedure (requires WVU Login to access)