Individually Identifiable Health Information" - Any information that relates to a specifically identifiable individual and includes demographic data and information that relates to the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual such as:
"Protected Health Information - The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information."
"De-identified Health Information" - There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual. The University employs option two (2).
- Health care claims or health care encounter information, such as documentation of doctor's visits and notes made by physicians and other provider staff;
- Health care payment and remittance advice;
- Coordination of health care benefits;
- Health care claim status;
- Enrollment and disenrollment in a health plan;
- Eligibility for a health plan;
- Health plan premium payments;
- Referral certifications and authorization;
- First report of injury;
- Health claims attachments
2.2 Wheeling Jesuit University will take appropriate actions to protect against unauthorized disclosure of any personally-identifiable health information that pertains to an employee's health care services. Appropriate physical and technical safeguards will be implemented to protect against unauthorized disclosure of personally-identifiable health information.
2.3 As a covered entity (a company health plan), the University, as defined by the Health Insurance Portability and Accountability Act (HIPAA), is required by law to maintain the privacy of protected health information. The areas of the University that handle protected health information will require HIPAA Privacy Training for all employees who work with protected personally identifiable health information. Employees in those areas will be advised and trained and the individual identifiable health information will be treated as "private-confidential."
2.4 Employees must not use e-mail to send information or ask questions related to protected individually identifiable health information due to privacy issues addressed in HIPAA. All questions should be directed to the Human Resources Department in person or by confidential university mail.
2.5 Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make. All information used for health care operations, such as a census to obtain health care quotes, will be de-identified health information only.
2.6 If an employee believes that his/her privacy has been violated under this policy, s/he should contact Human Resources immediately to resolve the complaint. If the issue is not resolved to his/her satisfaction, the employee should follow the University's Dispute Resolution Procedure to resolve his/her complaint.
2.7 No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.
2.9 Corrective Action
Disclosure of any protected personally identifiable health information outside the parameters of allowable uses may be grounds for corrective action up to and including immediate termination.