General Compliance Policies

Providing Non-UW Health Care Professionals Access to Patient Information

Effective Date: 5/21/2012

Last Updated: 8/18/2020

Background and Purpose

UWSOD may provide individuals who are not part of its workforce with role-based access to UWSOD information systems containing PHI when a business relationship or continuity of patient care creates the need for access. These circumstances are categorized as follows:

  • Entities in an Organized Healthcare Arrangement (OHCA) with the UWSOD.
  • Business associates.
  • External healthcare facilities or professionals.
  • Other non-UWSOD workforce (for example, auditors, risk managers, regulators, insurers, external researchers).
  • Limited account access.

The following requirements for specific categories must be met and the processes followed in order to obtain access.

  1. OHCA members: UWSOD provides individuals from organizations that have entered into an OHCA with UWSOD with access to UWSOD information systems containing PHI for the purposes of joint treatment, payment and healthcare operations activities, or IRB-reviewed/approved research. Each individual shall follow his or her own entity-specific process in regards to access authorization and confidentiality agreements.
  2. Business Associates: The UWSOD leader (for purposes of this policy, defined as manager or higher) that oversees the work of the business associate must assure that a Business Associate Agreement has been executed and must authorize the access to information systems containing PHI. Each individual must sign the 102.F3 Non-UWSOD Workforce Member PCISA  before access is granted. (The completed form is retained by the non-UWSOD access coordinator.)
  3. External healthcare facilities or professionals: All of the following criteria must be met and approval granted before individuals from external healthcare facilities or external healthcare professionals are granted electronic access to information systems containing PHI:

a. A UWSOD leader (manager or higher) must sponsor the access.
b. The information need cannot be met through standard entity Release of Information processes.
c. The request for electronic access to information systems containing PHI is made through SODIT.
d. There is an ongoing relationship with the external facility or professional, which includes sharing PHI for ongoing patient care or mandated reporting at a high frequency and/or volume, where:

    • Efficiency, utilization and quality of patient care is improved by allowing electronic access; and
    • Waiting for an individual disclosure would negatively impact patient care delivery.

e. Providing access to the external healthcare facility or professional will improve patient or public safety. There is a contract, affiliation, legal obligation or agreement in place that reflects the need to provide access to the external facility or professional, and a copy of this document is maintained by the applicable HIM Director or designated official. (See F1 Agreement for Electronic Access to PHI .)

If the above criteria are met, the applicable HIM Director or designated official may approve the access request. Each individual must sign the 102.F3 Non-UWSOD Workforce Member PCISA  before access is granted. (The completed form is retained by the non-UWSOD access coordinator.

  1. Other non-UWSOD workforce:Other non-UWSOD workforce members’ (for example, auditors, insurers or external researchers)  access to information systems containing PHI must be authorized by a UWSOD leader (manager or higher). Each of these individuals must sign the 102.F3 Non-UWSOD Workforce Member PCISA  before access is granted. (The completed form is retained by the non-UWSOD access coordinator.)
  2. Limited account access:The applicable HIM director or designee may provide limited electronic access to specific patient account(s) as an alternative to processing Release of Information disclosures through HIM.

Policy

The School of Dentistry notifies its patients via the Notice of Privacy Practices that protected health information may be shared with non-UW health care professionals who participate in and provide services to School of Dentistry patients. The School of Dentistry requires a signed Non-UW School of Dentistry Privacy, Confidentiality and Information Security Agreement for all non-UW health care professionals who have access to School of Dentistry patient information.

Dean of UW SOD:

Gary Farris, Assistant Dean, Finance & Administration

August 18, 2020