Page 54 - Privacy_Program

IDENTIFYING PROTECTED HEALTH INFORMATION [DP113]


        Scope: Enterprise
        Distribution: All Services and Programs Employees, and Others with Access to Protected Health Information (includes
        Finance, contractors, temporary employees and interns with access to PHI)
        Purpose: To define the meaning of “Protected Health Information” within the organization.
        External Regulation or Standard: 45 C.F.R. §160.103 – Definitions


         Who is Responsible     Statement    Policy, Standard, or Procedure Statement
                                 Number
         Employees and            DP113.1    HIPAA applies to Protected Health Information (PHI) transmitted or maintained
         others with Access to               by a Covered Entity.
         PHI
         Employees and others    DP113.1a    PHI means: Any health information, including demographic information
         with Access to PHI                  collected from an individual, transmitted or maintained in any form or
                                             medium; that is created or received by a health care provider, health plan,
                                             employer or health care clearinghouse; and relates to the past, present or
                                             future physical or mental health or condition of an individual; the provision of
                                             health care to an individual; or the past, present, or future payment for the
                                             provision of health care to an individual; and that identifies the individual; or
                                             with respect to which there is a reasonable basis to believe the information
                                             can be used to identify the individual. (For PHI to be “de‐identified,” 18
                                             different identifiers must be removed, not just name and Social Security
                                             number.  PHI cannot be considered de‐identified until the Director of
                                             Information Technology, Privacy and Data Security has reviewed the data
                                             and confirmed that it is de‐identified.)

                                             “Covered Entity” means: An entity that is required to comply with HIPAA.  The
                                             following are Covered Entities:  (1) Health plans; (2) health care clearinghouses;
                                             and (3) health care providers that conduct HIPAA standard transactions (related
                                             to billing and payment) electronically.

         Employees and others     DP113.2    “Hybrid Covered Entity” means an entity that conducts both covered and
         with Access to PHI                  non-covered functions under the HIPAA privacy rules. GESMN is a “Hybrid Covered
                                             Entity” and has designated the following operations that perform covered
                                             functions as “health care components  any of the above. No one else at GESMN is
                                             permitted to access PHI without authorization from the Director of Information
                                             Technology, Privacy and Data Security (who will determine if the access is
                                             permitted under HIPAA without participant authorization) or a signed
                                             authorization from the participant at issue.

                                             Members of Finance who bill for services may have limited access to PHI for the
                                             purpose of billing. Administrative personnel within S&P may have access for the
                                             purpose of filing, data management, processing payment and other functions for
                                             payment and operations. The IT Vendor may have access through storage of PHI
                                             on the network, but will protect that information as stated in the Business
                                             Associate Agreement and in accordance with GESMN’s Data Security policies.









          GES CONFIDENTIAL                                                                                   50