Section 30: Health and Human Services
“Disclosure” means the release, transfer, provision of access to, or divulgence in any other manner, of information to any organization external to UTD.
“Use” means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within UTD.
Policy: As a general rule, UTD personnel may not disseminate PHI, unless it is requested by the individual to whom the PHI belongs, and a valid authorization has been obtained. However, an exception will be granted for PHI used or disclosed to Health and Human Services (HHS), if necessary to determine whether UTD is in compliance with the HIPAA Privacy Standards.
Principles for achieving compliance.
- Cooperation. HHS will, to the extent practicable, seek the cooperation of UTD in obtaining compliance with the HIPAA privacy standards.
- Assistance. HHS may provide technical assistance to UTD to help UTD comply voluntarily with HIPAA privacy standards.
Complaints to HHS.
- Right to file a complaint. A person who believes any UTD department or personnel are not complying with required HIPAA privacy standards may file a complaint with HHS.
- Requirements for filing complaints. Complaints under this section must meet the following requirements:
  - be in writing, either on paper or electronically,
  - name UTD as the subject of the complaint and describe the acts or omissions believed to be in violation, and
  - be filed within 180 days of when the complainant knew or should have known that the act or omission occurred, unless this time limit is waived by HHS for good cause.
- Investigation. HHS may investigate complaints filed under this policy. Such investigation may include a review of the pertinent policies, procedures, or practices of UTD and of the circumstances regarding any alleged acts or omissions concerning compliance.
Compliance reviews. HHS may conduct compliance reviews to determine whether UTD is complying with the required HIPAA privacy standards.
Responsibilities of UTD.
- UTD must keep such records and, upon request of HHS, submit compliance reports whereby HHS can ascertain whether UTD has complied with the HIPAA privacy standards.
- During an investigation or compliance review, UTD must cooperate with HHS.
- Permit access to information.
  - UTD must permit access by HHS during normal business hours to its facilities, books, records, accounts, and other sources of information, including PHI, that are pertinent to ascertaining compliance with the requirements. If HHS determines that serious circumstances exist, UTD must permit access by HHS at any time and without notice.
  - If any information required of UTD is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, UTD must so certify and set forth what efforts it has made to obtain the information.
- HHS will not disclose PHI obtained by its office in connection with an investigation or compliance review, except if necessary for ascertaining or enforcing compliance.
HHS action regarding complaints and compliance reviews.
- Resolution where noncompliance is indicated.
  - If an investigation or a compliance review indicates a failure to comply, HHS will so inform UTD. If the matter arose from a complaint, the complainant will also be informed in writing and HHS will attempt to resolve the matter by informal means whenever possible.
  - If HHS finds UTD is not in compliance and determines that the matter cannot be resolved by informal means, HHS may issue to UTD and, if the matter arose from a complaint, to the complainant written findings documenting the non-compliance.
- If no violation is found after an investigation or compliance review, HHS will so inform UTD. If the matter arose from a complaint, the complainant may also receive written notification from HHS.