Page 54 - Privacy_Program
IDENTIFYING PROTECTED HEALTH INFORMATION [DP113]
Scope: Enterprise
Distribution: All Services and Programs Employees, and Others with Access to Protected Health Information (includes
Finance, contractors, temporary employees and interns with access to PHI)
Purpose: To define the meaning of “Protected Health Information” within the organization.
External Regulation or Standard: 45 C.F.R. §160.103 – Definitions
Who is Responsible: Employees and others with Access to PHI
Statement Number: DP113.1
Policy, Standard, or Procedure Statement: HIPAA applies to Protected Health Information (PHI) transmitted or maintained by a Covered Entity.

Who is Responsible: Employees and others with Access to PHI
Statement Number: DP113.1a
Policy, Standard, or Procedure Statement: PHI means: Any health information, including demographic information collected from an individual, transmitted or maintained in any form or medium; that is created or received by a health care provider, health plan, employer or health care clearinghouse; and relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. (For PHI to be “de‐identified,” 18 different identifiers must be removed, not just name and Social Security number. PHI cannot be considered de‐identified until the Director of Information Technology, Privacy and Data Security has reviewed the data and confirmed that it is de‐identified.)

“Covered Entity” means: An entity that is required to comply with HIPAA. The following are Covered Entities: (1) health plans; (2) health care clearinghouses; and (3) health care providers that conduct HIPAA standard transactions (related to billing and payment) electronically.

Who is Responsible: Employees and others with Access to PHI
Statement Number: DP113.2
Policy, Standard, or Procedure Statement: “Hybrid Covered Entity” means an entity that conducts both covered and non-covered functions under the HIPAA privacy rules. GESMN is a “Hybrid Covered Entity” and has designated the following operations that perform covered functions as “health care components any of the above. No one else at GESMN is permitted to access PHI without authorization from the Director of Information Technology, Privacy and Data Security (who will determine if the access is permitted under HIPAA without participant authorization) or a signed authorization from the participant at issue.

Members of Finance who bill for services may have limited access to PHI for the purpose of billing. Administrative personnel within S&P may have access for the purpose of filing, data management, processing payment and other functions for payment and operations. The IT Vendor may have access through storage of PHI on the network, but will protect that information as stated in the Business Associate Agreement and in accordance with GESMN’s Data Security policies.
GES CONFIDENTIAL