Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 33: Health Oversight Reporting

Definitions:

“Disclosure” means the release, transfer, provision of access to, or divulgence in any other manner, of information to any organization external to UTD.

“Use” means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within UTD.

Policy:

As a general rule, UTD personnel may not disseminate PHI, unless it is requested by the individual to whom the PHI belongs, and a valid authorization has been obtained.

However, UTD may disclose PHI without an authorization to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

  1. The health care system
  2. Government benefit programs for which health information is relevant to beneficiary eligibility;
  3. Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
  4. Entities subject to civil rights laws for which health information is necessary for determining compliance.

Exception to health oversight activities: The following scenario is NOT to be considered health oversight activity:

The individual is the subject of the investigation or activity, and the investigation or other activity is not directly related to:

  • The receipt of health care;
  • A claim for public benefits related to health (e.g. claims for Food Stamps); or
  • Qualification for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services.

Joint activities or investigations:

If a health oversight activity or investigation is related to a claim for public benefits not related to health, the joint activity or investigation shall be considered a health oversight activity for purposes of this policy.

Disclosures by whistleblowers:

All UTD personnel are strongly encouraged to report conduct that is unlawful or otherwise violates professional or clinical standard to the Office of Institutional Compliance. UTD is not considered to have violated the requirements of this policy if a member of its workforce or a business associate discloses PHI, provided that:

  1. The workforce member or business associate believes in good faith that UTD has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by UTD potentially endangers one or more patients, workers, or the public; and
  2. The disclosure is to:
    1. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of UTD;
    2. An appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by UTD; or
    3. An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described above.

Disclosures by UTD personnel who are victims of a crime:

UTD is not considered to have violated the requirements of this policy, with just cause, if a member of its workforce who is the victim of a criminal act discloses PHI of the suspected perpetrator to a law enforcement official, provided that:

  1. The PHI disclosed is about the suspected perpetrator of the criminal act; and
  2. The PHI disclosed is limited to:
    1. Name and address;
    2. Date and place of birth;
    3. Social security number;
    4. Date and time of treatment.