4-OP-H-31 HIPAA Authorization for Use and Disclosure of Protected Health Information Policy

Responsible Executive: Information Security and Privacy Office

Approving Official: Vice President for Finance and Administration

Effective Date: March 1, 2024

Revision History: No revisions at this time.


  1. INTRODUCTION
    1. PURPOSE

      The purpose of this policy is to establish Florida State University’s requirements for authorized use and disclosure of protected health information (“PHI”) in accordance with the Health Insurance Portability and Accountability Act (“HIPAA”).

      As defined herein, HIPAA includes the HIPAA Privacy, Security, Enforcement, and Breach Notification rules under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, the Genetic Information Nondiscrimination Act (“GINA”) enacted by the U.S. Congress, and HIPAA rules promulgated by the U.S. Department of Health and Human Services as amended from time to time.

      Collectively, HIPAA, HITECH, GINA, and HIPAA rules are referred to in this policy as “HIPAA” and are to be interpreted to mean the regulatory requirements specified within, or authorized by, each Act.
       

    2. SCOPE

The Florida State University (“university” or “FSU”) has elected to operate as a hybrid entity in accordance with HIPAA, and this policy designates as its HIPAA-covered health care components those university centers, colleges, departments, divisions, institutes, and laboratories that would meet the definition of a covered entity or business associate if they were separate and distinct legal entities. Collectively, these components and university internal business associates are referred to as “University Health Care Components.”

      Although the university remains responsible for HIPAA oversight, compliance, and enforcement obligations, the HIPAA requirements in this policy apply only to the University Health Care Components identified in the 4-OP-H-30.01 Designation of University Health Care Components (“Designation”). University Health Care Components also may be referred to as members of the university’s HIPAA Compliance Area, which denotes the university entities affected by HIPAA to the extent they support a covered function or are responsible for safeguarding protected health information regulated by HIPAA.

    3. DEFINITIONS

      Please refer to the FSU 4-OP-H-30 Health Insurance Portability and Accountability Act (HIPAA) Policy for definitions of relevant HIPAA terms referenced herein. 
       

  2. POLICY

    University Health Care Components shall obtain an individual’s valid, signed Authorization prior to using or disclosing PHI regulated by HIPAA, unless such Authorization is not required by HIPAA or other law or regulation.

    1. HIPAA AUTHORIZATION TO USE OR DISCLOSE PROTECTED HEALTH INFORMATION

      When University Health Care Components obtain a valid Authorization for use and/or disclosure of PHI, any such use or disclosure shall be governed by HIPAA and this policy and shall be consistent with the parameters of any such Authorization.

      University Health Care Components receiving services from external providers performing covered functions, or performing covered functions for external covered entities, are required to negotiate and enter into a business associate contract in accordance with HIPAA prior to initiation of such services.

      Authorizations to use or disclose PHI must comply with 45 C.F.R. §§ 164.508(b) and 164.522(b) and with the notice requirements in 45 C.F.R. § 164.520.

      1. Authorization to Disclose PHI (“Authorization”)
        1. Authorizations shall be written in plain language and shall include, at a minimum, the following required elements:
          1. A specific description of the PHI to be used or disclosed that identifies the information in a specific and meaningful manner. A generic description of the requested information is not sufficient.
          2. The name or other specific identification of the person(s), class of persons, or workforce members authorized to make the requested use or disclosure, e.g., university college, department, institute, billing office, human resources department, medical director, external organization, etc.
          3. The name or other specific identification of the person(s) or class of persons authorized to receive the requested disclosure.
          4. A description of each purpose for which the use or disclosure is requested. For example, “At the request of the individual” is a sufficient description when the individual initiates the request for disclosure of their PHI.
          5. A specific expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure.
          6. The individual’s signature and the date. If the Authorization is signed by a personal representative, a concise description of the representative’s authority to act for the individual, e.g., custodial parent, executor, conservator.
        2. A valid Authorization shall also include required statements notifying an individual of:
          1. The right to revoke the Authorization at any time in writing, with a statement that the revocation is effective upon receipt but does not affect a use or disclosure that has already occurred in reliance on the Authorization.
          2. The means or process by which an individual may revoke their Authorization.
          3. Whether treatment or payment is conditioned on the Authorization. See Prohibition on Conditioning of Authorization herein.
          4. The potential for re-disclosure of PHI by a recipient who is not required by HIPAA to protect PHI, if applicable.
        3. Authorizations are not valid, if:
          1. The Authorization has not been completed with all required information.
          2. The Authorization is known to have been revoked.
          3. The Authorization violates any Florida law or any federal law or regulation.
          4. The expiration date of the Authorization has passed, or the expiration event is known by the University Health Care Component to have already occurred.
          5. Any material information in the Authorization is known by the University Health Care Component to be false.
        4. Records of Individual Authorizations

          University Health Care Components shall maintain records of Authorizations provided by individuals.

        5. Prohibition On Conditioning of Authorization
          1. University Health Care Components, or university workforce members affiliated with such components, shall not condition an individual’s treatment or payment on whether the individual signs a requested Authorization, except for:
            1. Research-related treatment, which may be conditioned on an Authorization to use or disclose PHI for the research project.
            2. Health care services provided solely for the purpose of creating PHI for disclosure to a third party, which may be conditioned on an Authorization to disclose that PHI to the third party. Examples of such services include research-related treatment and physical or pre-employment examinations.
      2. Revocation of Authorization to Disclose PHI

        University Health Care Components shall permit an individual to revoke an Authorization at any time, provided the revocation is made in writing, except to the extent the University Health Care Component has previously acted in reliance on the Authorization, or where use or disclosure of the PHI is otherwise authorized or required by law.

      3. When Authorization is Not Required to Use or Disclose PHI
        1. For a University Health Care Component to carry out treatment, payment, or health care operations.
        2. For a University Health Care Component to conduct its own training programs.
        3. For the university to defend a legal action or other legal proceeding brought by the individual.
        4. As required by the Secretary of the United States Department of Health & Human Services.
        5. For health oversight activities.
        6. When use or disclosure is required by law.
        7. When required by public health authorities and authorized by law.
        8. To prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
        9. When the use or disclosure meets another exception specified in 45 C.F.R. § 164.512.
      4. Authorization for Marketing Purposes

        University Health Care Components are required to obtain a valid Authorization for any use or disclosure of PHI for marketing communications, including communications made for “treatment” or “health care operations” purposes, where the University Health Care Component receives direct or indirect payment for making the communication from a third party whose product or service is being marketed. If the University Health Care Component will be paid by a third party for the marketing activity, the Authorization must also include a plain-language statement that the marketing involves payment by a third party.

        1. The marketing requirements in the previous paragraph of this subsection 4 apply to communications involving the use or disclosure of PHI unless the communication is:
          1. A refill reminder or other communication about a drug or biologic currently prescribed for the individual.
          2. A face-to-face communication made by the University Health Care Component to the individual.
          3. A promotional gift of nominal value provided by the University Health Care Component.
        2. The following communication types are excluded from HIPAA marketing requirements:
          1. Communications promoting health in general, which do not promote a product or service from a particular provider.
          2. Communications about government and government-sponsored programs, such as Medicare, Medicaid, or the Florida Children’s Health Insurance Program, e.g., Florida Healthy Kids.
      5. Authorization to Disclose Psychotherapy Notes

        Use and disclosure of psychotherapy notes are subject to heightened privacy and security protections under HIPAA. Psychotherapy notes shall not be disclosed without first obtaining the individual’s Authorization, except as permitted by HIPAA and, where relevant, by applicable Florida or federal laws or regulations. University Health Care Components shall refer to the FSU Office of the General Counsel for additional information.

      6. Authorization by Minors or an Individual’s Legal Representative

        In situations where the parent, guardian, or legal representative of a minor or other individual has the authority to act on behalf of the individual, and an Authorization to use or disclose the individual’s PHI is required, the Authorization may be signed by the individual’s legally authorized representative in accordance with Chapter 456 and Chapter 765, Florida Statutes.

        If the minor has the legal authority to act on their own behalf when receiving health care services under section 743.015, Florida Statutes, or other Florida law, then the minor must sign their own Authorization. In this situation, the minor must authorize any disclosures to parents or guardians. University Health Care Components shall refer to the FSU Office of the General Counsel for information about the legal rights of minors and of individuals’ legal representatives.

      7. Authorization to Disclose PHI to Satisfy Attorney and Court Issued Requests

        Attorney or court requests for PHI may be honored if signed by the individual, signed by the individual’s authorized representative, or made pursuant to a court- or grand jury-issued subpoena directing the university to disclose information to a specified attorney. If PHI is disclosed in response to such a request, only the expressly authorized PHI may be disclosed, in accordance with HIPAA. University Health Care Components shall refer to the FSU Office of the General Counsel for additional information.

  3. HIPAA RESEARCH AUTHORIZATION
    1. PHI in Research Studies

      The HIPAA Privacy Rule permits a covered entity to use and disclose PHI for research with an Authorization signed by the individual, or without Authorization under the limited circumstances set forth in the Privacy Rule, e.g., when a waiver of authorization to release PHI for research purposes has been granted in accordance with this policy, HIPAA requirements, and Florida law.

      Data to be used in a research study are considered PHI regulated by HIPAA when, for example: (1) the data are accessed, obtained, or extracted from an individual’s electronic health records maintained by a University Health Care Component or by a covered entity external to the university; (2) the data include electronic billing records associated with an individual’s insurance plan or third-party payer for any research procedure; or (3) the research data are related to, or involve, an intervention or interaction conducted pursuant to an IRB-approved protocol for the study.

      University Health Care Components shall obtain a waiver of authorization (“Waiver of Research Authorization”) in accordance with 45 C.F.R. § 164.512(i)(1)(i) or an authorization for use or disclosure of PHI for research purposes (“Research Authorization”) in accordance with the HIPAA Privacy Rule, 45 C.F.R. § 164.508, and the requirements of the university’s Office of Human Subjects Protection.

    2. Disclosure of PHI for Research Purposes
      1. In accordance with 45 C.F.R. § 164.308(b), business associate contracts are not required for a University Health Care Component to disclose PHI to a university researcher strictly for research purposes when such disclosure is authorized by the individual, a Waiver of Research Authorization has been received in accordance with 45 C.F.R. § 164.512(i)(1)(i), or the disclosure is made as a limited data set pursuant to 45 C.F.R. § 164.514.
      2. University Health Care Components that rely on services performed by a university internal business associate are not required to enter into an internal contract or memorandum of understanding if the internal business associate complies with the FSU 4-OP-H-30 Health Insurance Portability and Accountability Act (HIPAA) Policy requirements, which authorize other arrangements in accordance with 45 C.F.R. § 164.308. (See 45 C.F.R. §§ 164.308(b), 164.314(a), 164.504(e)(2), 164.504(e)(3).)
      3. When a researcher is not performing a HIPAA-regulated function or activity, e.g., payment or health care operations, accessing or using PHI, or providing a service included in the definition of business associate in 45 C.F.R. § 160.103, the researcher is not considered a business associate, and no business associate contract is required.
      4. Notwithstanding the other paragraphs of this subsection, a covered entity external to the university is only permitted to disclose PHI to a university researcher conducting or performing covered functions in accordance with HIPAA and (a) with an individual’s authorization (45 C.F.R. § 164.508), (b) without an individual’s authorization in accordance with 45 C.F.R. § 164.512(i), or (c) as a limited data set, provided that a data use agreement between the external covered entity and the university recipient is in place (45 C.F.R. § 164.514(e)).
    3. Reviews Preparatory to Research

      The covered entity or University Health Care Component is required to obtain documented representations from the researcher confirming that:

      1. The use or disclosure is solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research.
      2. No PHI is to be removed from the University Health Care Component or external covered entity by the researcher in the course of the review.
      3. The PHI for which access or use is sought is necessary for research purposes.
    4. Alteration to Research Authorization or Waiver of Research Authorization

      University Health Care Components shall obtain an IRB-approved alteration to, or waiver of, Authorization for use or disclosure of PHI for research purposes in accordance with the HIPAA Privacy Rule, 45 C.F.R. § 164.512, and the university’s Office of Human Subjects Protection requirements regarding use and disclosure of a health care provider’s patient information for research purposes.

      1. The Research Authorization may not be modified except as described in this policy or as expressly authorized by HIPAA.
      2. Researchers are not permitted to change the Research Authorization without express review and approval under an approved university IRB protocol. Please contact the university Office of Human Subjects Protection for additional information.

      University Health Care Components are not required to obtain a Research Authorization or a waiver of a Research Authorization when there is a documented applicable exception in accordance with 45 C.F.R. § 164.506 and no use or disclosure is made for a research purpose.

    5. Research on Decedents’ Protected Health Information

      To use or disclose a deceased individual’s PHI for research, covered entities are not required to obtain: (1) a Research Authorization from the personal representative or next of kin, (2) a waiver, (3) an alteration of the Research Authorization, or (4) a data use agreement.

      However, University Health Care Components are required to obtain from the researcher who is seeking access to decedents’ PHI (1) oral or written representations that the use or disclosure is sought solely for research on the PHI of decedents, (2) oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes, and (3) documentation, at the request of the University Health Care Component, of the death of the individuals whose PHI is sought by the researcher.

    6. Research Subject Certificates of Confidentiality

      The HIPAA Privacy Rule and Certificates of Confidentiality offer privacy protections for research subjects and are meant to assist researchers in achieving research objectives and increasing study participation. The Privacy Rule and Certificates of Confidentiality safeguard research participant privacy by protecting against compelled disclosure of personally identifiable research information, e.g., through a court order or subpoena. However, such protections do not prevent all compelled disclosures, e.g., disclosures required by law.

      When applicable, certificates enable researchers to refuse disclosure of information that could identify research participants in civil, criminal, administrative, legislative, or related proceedings, whether the proceeding is conducted by federal, state, or local governments.

      Certificates of Confidentiality also may be granted by the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC), the Food and Drug Administration (FDA), and other federal agencies responsible for studies that collect information that could damage the financial standing, employability, insurability, or reputation of study participants, or cause other adverse impacts if disclosed.

  4. POLICY VIOLATIONS

    Failure to comply with the requirements of this policy, and any supplemental policies, requirements, or standards published by the university may result in reduced or revoked access to the university network, and university Information Technology ("IT") or data resources.

    FSU personnel who violate this policy may be subject to other penalties and disciplinary action, both within and outside the university. University disciplinary action is governed under the Disciplinary Guidelines published by the FSU Office of Human Resources. Unauthorized or fraudulent use of university data or computing resources may result in criminal prosecution.

  5. LEGAL AUTHORITY, JUSTIFICATION, AND REVIEW OF THIS POLICY

    Specific Authority and Justification

    BOG Regulation 3.0075 - Security of Data Related Information Technology Resources

    Section 501.171, Florida Statutes – Security of Confidential Personal Information, Florida Information Protection Act of 2014 (FIPA)

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. Part 160 – General Administrative Requirements

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. Part 164 – HIPAA Security and Privacy

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. §§ 164.400-414 – Notification in the Case of Breach of Unsecured Protected Health Information

    HHS Covered Entities and Business Associates


    Review 
    This policy shall be reviewed by the Chief Information Security Officer at least every three (3) years from the date of initial establishment, or sooner when determined to be necessary based on changes in federal or state law, rules, regulations, or relevant university requirements.