Student Health Service
BGSU STUDENT HEALTH SERVICE PRIVACY NOTICE
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. Any questions may be directed to our front desk Office Manager, Marlene Reynolds, 419-372-9824. The effective date for this policy is April 14, 2003.
The Student Health Service is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information. While this policy is in effect, we are required by law to abide by its terms.
Patients who have questions or require additional information should be referred to the front desk Office Manager, who serves as the Privacy Contact. Patients who believe their rights have been violated can submit complaints on the evaluation forms available in the waiting room. They will be reviewed by our Privacy Contact, by the Continuous Quality Improvement Committee, and by the Associate Director, who serves as the Privacy Officer. Patients who have complaints that require immediate attention should ask for the Director and Physician in Chief or the Associate Director. Patients whose complaints have not been resolved to their satisfaction can address complaints to the Director and Physician in Chief and to the Secretary of the United States Department of Health and Human Services. The Student Health Service will not retaliate against any individual for filing a complaint.
A copy of this policy is given to all new patients, and we request that they sign an acknowledgment form. (See section VII-W.1) Patients may obtain additional copies at the Student Health Service reception desk. The policy is posted in the Student Health Service. The Privacy Notice and all related forms (sections VII-W.1 through VII-W.11) are posted on our web page.
Any medical information that could in any way identify an individual patient is considered Protected Health Information (PHI.)
Treatment, Payment, and Health Care Operations (TPO) are activities related to the provision of medical care, and activities related to collecting payment from the patient or a third party, and health care operations.
Health Care Operations encompasses functions such as quality improvement, peer review, accreditation, licensing, contracting with insurers, business planning, auditing and general administration.
The Minimum Necessary information is the least amount of PHI that is required to achieve the desired purpose.
Access and Disclosure:
PHI may be used and disclosed for purposes of TPO. PHI may be disclosed in certain other situations, as described below, relating to public health and safety. The Student Health Service may also use PHI to contact patients who have missed appointments, to follow up on test results or to advise them of available treatment alternatives. With some infrequently occurring exceptions, any other disclosure of PHI requires the written authorization of the patient.
The following people or entities will have access to PHI:
- The patient. (We require that a member of our staff be present when the patient has the original medical record.)
- Any person to whom the patient has provided written authorization for the release of information.
- Parents or legal guardians of a minor, with some exceptions: PHI regarding contraception, pregnancy, sexually transmitted disease, assault, and drug and alcohol use will not be released to parents or guardians without signed authorization by the patient.
- Student Health Service and some BGSU staff will have access for purposes of TPO as indicated below:
- Nurses, nurse practitioners and physicians need access to the entire medical record.
- Medical assistants need to know the current complaint, and may need to know about past or chronic conditions, in order to assist in treatment.
- Laboratory staff and radiology staff need access to the entire medical record to enable them to focus their tests accurately, or to provide consultation on what tests might be most helpful.
- Pharmacists need access to the entire medical record to provide consultation to prescribers.
- Pharmacy techs need access to all prescription records.
- Dietitians need access to the entire medical record to determine the patient’s dietary needs.
- Substance abuse counselors need access to the entire medical record to determine the severity of the problem and whether there are any special considerations that will affect treatment plans. Note: Substance abuse counselors’ notes are maintained separately from the medical record. Any disclosure or use of these notes by anyone other than the substance abuse counselor requires a signed authorization by the patient.
- Transcriptionists need access to all dictated records.
- Filing and reception staff needs access to the entire medical record in order to file all components of the chart.
- Secretaries who assist students with insurance problems may need access to the entire record in order to determine dates of service, whether a condition is pre-existing, and other such questions.
- Bursar’s Office employees need only the date of service and the amount charged to the student's account.
- Custodial staff does not have access to PHI. Custodial staff is informed of this policy, and sign a statement acknowledging their understanding of it. (See section VII-W.10.)
- Student employees do not have access to PHI. Student employees do not open charts. Staff does not discuss PHI in the presence of student employees. When student employees answer a patient phone call, they ask only for the patient’s name, identification number and phone number, so a staff member can return the call. At the time of their employment, student employees are informed of this policy, and sign a statement acknowledging that they understand it. (See section VII-W.11.)
- Student nurses, medical students, and medical residents who are receiving clinical training at the Student Health Service may, with the patient’s consent, participate in patient care. The student or resident will have access only to PHI related to the care the patient receives that day.
- Pharmacy students in their final year of training who are receiving supervised clinical experience at the Student Health Service pharmacy are considered part of our staff. They have the same access to PHI as staff pharmacists.
- Medical or other clinical consultants, for treatment purposes, including reference laboratories, radiologists to interpret radiographs, and cardiologists to interpret electrocardiograms.
- The patient’s health insurer, or other third party payers, for payment purposes.
- The companies that support our medical and pharmacy software. (These companies are contractually obligated to maintain the confidentiality of all PHI.)
- Public health services, regulatory officials, and law enforcement agencies, when required by law. (See sections I-K, VII-Z.) Examples include child abuse or domestic violence reports, reports regarding decedents, disclosure to avert a serious threat to health or safety, and reports for workers’ compensation.
- Courts, when there is a court order.
- Courts and/or attorneys, when there is a subpoena, discovery request or other lawful process, and certain other conditions are satisfied. When we receive a request of this type, we consult University General Counsel to assure that all legal conditions are satisfied. We also attempt to inform the patient prior to responding.
In general, use or disclosure of PHI for purposes other than treatment or a disclosure requested by the patient is limited to the minimum necessary. Use of PHI for continuous quality improvement purposes will be limited to Student Health Service staff, and will include the entire medical record. The Privacy Officer will obtain from each Business Associate, and review and approve, a statement of the minimum necessary information it requires. The Privacy Contact will review all non-routine requests for disclosure of PHI to assure that they meet the minimum necessary requirement. The Privacy Contact may consult the Privacy Officer for assistance in making this determination.
Before we use or disclose PHI for purposes not related to TPO, and not required by law, we must obtain written patient authorization, signed and dated. click here to download form The authorization must contain a description of the information to be used or disclosed, the name of the recipient of the PHI, an expiration date, and a description of the purpose of the use or disclosure. ("Request of individual" is sufficient if the patient initiates the request.) If we request the authorization for our own purposes we must provide the patient with a copy of the signed authorization. The patient can revoke the authorization at any time.
- Patients have a right to see and copy their PHI. We require that a member of our staff be present when the patient inspects the original medical record. We require that patients provide a written request for a copy of their medical record. Click here to download form We charge $0.15 per page for records longer than five pages. We do not charge for copies of immunization records or tuberculosis skin test results. We charge an additional $5.00 if the patient requests that we mail the records. On rare occasions, if it is felt that disclosure of the medical record to the patient would be harmful, we may deny a request. We must provide a reason for the denial in writing within thirty days, and include notification that the patient can appeal this denial to a designated reviewing official. Our designated official is Fleming Fallon, M.D. of the BGSU College of Health and Human Services.
- Patients have a right to request limitations to the routine use of PHI for TPO. The request must be in writing. Click here to download form If we agree to any limitation, we must abide by that agreement except in case of emergency. If disclosure of PHI is made to another provider in an emergency, we will request that no further disclosure or use is made.
- Patients have a right to request changes in their PHI. We require that such requests be in writing. Click here to download form If we deny the request, we must provide an explanation and we must also allow the patient to provide a statement of disagreement that will be added to the medical record.
- Patients have a right to request that they receive information from us by alternative means or at alternative locations. Click here to download form We must accommodate any reasonable request.
- In recognition of the fact that email is the preferred form of communication for many BGSU Student Health Service patients and staff, email between patients and staff is permitted within procedural guidelines intended to provide confidentiality and security to the fullest extent possible. The Authorization to Communicate by Email form must be completed, signed and returned to the Student Health Service prior to email communication between provider and patient.
- Patients have the right to see a list of all people to whom PHI has been disclosed, except for disclosures related to TPO, disclosures to the patient, and disclosures pursuant to an authorization. We must also suspend the right of patients to receive an accounting of disclosures to health oversight agencies and law enforcement officials if the agency or official provides a written statement that an accounting would likely impede the agency’s activities and specifies the time for which the suspension is required.
In order to meet this requirement, the Health Service must keep a disclosure log. The log must record all disclosures, both written and verbal. For example, notification of the Health Department about a reportable disease would be logged whether it was by phone or in writing.
Privacy measures are designed to protect the confidentiality of PHI. All staff will observe the following rules:
- Staff will exert due diligence to avoid being overheard when discussing PHI.
- All records will be kept secured. When the SHS is open, patient records are not left exposed in unlocked offices. When the SHS is closed, it is locked and alarmed. Individual charts are either in offices, or are in a file area, which is additionally protected by motion detectors.
- Access to medical records computers will require a personal code, which will be periodically changed.
- Any Business Associates who must have access to PHI will be required to sign an agreement that they will hold confidential and private all PHI. Business Associates who do not honor their agreement will be subject to termination of their relationship with the SHS.
- The SHS front desk Office Manager serves as the Privacy Contact.
- The SHS Associate Director serves as the Privacy Officer.
- A designee of the University ITS department serves as the Security Officer.