Chapter 3364-15 HIPAA Organizational Structure; Fraud, Waste and Abuse; Compliance and Confidentiality of Patient Information

3364-15-01 HIPAA organizational structure and administrative responsibilities.

(A) Policy statement

The university of Toledo ("UT") and the university of Toledo physicians, "LLC" ("UTP") have a long-standing commitment to protect the confidentiality, integrity and availability of identifiable patient health information by taking reasonable and appropriate steps to address the requirements of "HIPAA." "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, enacted August 21, 1996, codified at 42 U.S.C. 1320d et seq., and the administrative simplification regulations found at parts 160 through 164 of Title 45 of the Code of Federal Regulations, as may be amended.

(B) The purpose of this policy is to:

(1) Designate "UT" as a hybrid entity;

(2) Designate "UT" and "UTP" as an affiliated covered entity ("ACE");

(3) Define the organizational structure and administrative responsibilities as required by "HIPAA"; and

(4) Designate a privacy officer and information security officer and identify their administrative responsibilities.

(C) Scope

This policy applies to "UTP" and all "UT" covered components and their respective workforce members. Covered components are designated from time to time by the privacy and security committee. Covered components are identified in the addendum to this policy and include the health science campus, the university of Toledo medical center, the student health center, and designated departments of the main campus that perform "HIPAA" covered functions. A reference in this policy to the covered entity refers to "UTP" and the designated components of "UT."

(D) Designation as a hybrid entity:

(1) "UT" designates itself as a hybrid entity; a single entity that is a covered entity whose business activities include both "HIPAA" covered and non-covered functions, and that designates health care components.

(2) The privacy and security committee determines and maintains the list of covered components. The health care components for purposes of "HIPAA" compliance include "UTP," the entire health science campus and designated departments or units on the main campus.

(3) The "HIPAA" requirements apply only to the health care components of "UT" and "UTP" referred to as "covered entity" going forward in this policy.

Although "UT" is a single legal entity, the covered entity must treat units not designated as part of the covered entity as an external entity with respect to uses and disclosures of protected health information.

If a person performs duties for both the covered entity and for another unit of the university, such workforce member must not, in performing duties for the other unit, use or disclose protected health information created or received in the course of or incident to the member's work for the covered entity.

(E) Designation as a single affiliated covered entity ("ACE")

(1) "UT" and "UTP" are affiliated, legally separate entities under common ownership that have joined together as an affiliated covered entity ("ACE") for purposes of complying with "HIPAA," to be known as "UT ACE."

(2) The "UT ACE" will name a single "HIPAA" privacy officer and information security officer, adopt common "HIPAA" policies and procedures, and issue a single notice of privacy practices. The "UT ACE" may use a single consent form to obtain consent for uses and disclosures for treatment, payment, or health care operations.

(3) The "UT ACE" will comply with all "UT" policies that address "HIPAA" privacy and security regulations.

(4) "PHI" may be used and disclosed among the "UT ACE" for all functions of the covered entities, consistent with all "UT HIPAA" privacy and security policies located on "UT" website: www.utoledo.edu/policies.

(F) Administrative responsibility:

(1) A privacy and security committee will consist of the following representatives and operate under a plan developed by the committee:

(a) Privacy officer

(b) Information security officer

(c) Legal counsel

(d) "UTP" designee

(e) Compliance officer, "UTP"

(f) Chief medical information officer

(g) Chief operating and clinical officer

(h) Director of information management

(i) "UTMC" clinic representative

(j) Director of internal audit and chief compliance officer

(k) Director of nursing

(l) Clinical trial division chief

(2) The privacy officer

(a) Co-chairs the privacy and security committee

(b) Develops and implements "HIPAA" compliance program

(c) Collaborates with the information security officer to ensure compliance with "HIPAA" privacy and security regulations. Develops and revises "HIPAA" privacy policies and procedures.

(d) Provides a process for individuals to make complaints concerning violations of "HIPAA" privacy and security policies and regulations. Provides a method for documenting complaints and the investigation in such a manner that protects the confidentiality of the reporting individual.

(e) Investigates all reports of a breach and works with legal counsel to perform breach analysis, document the investigation response, notification, and remediation follow through.

(f) Understands the "HIPAA" privacy rule and how it applies within each covered component.

(g) Oversees the enforcement of patient privacy rights within each covered component.

(h) Monitors the covered components for compliance with privacy policies and procedures.

(i) Develops and implements "HIPAA" privacy training for employees within each covered component.

(j) Develops and implements any other procedures with respect to protected health information that are necessary for "UT ACE" compliance with the standards, implementation specifications or other requirements of "HIPAA."

(3) Information security officer

(a) Co-chair of the privacy and security committee

(b) Ensures that all health care components apply reasonable protections, appropriate to their needs and to the technology in place, to all health information subject to the security regulations that is stored or transmitted electronically. These reasonable protections include administrative procedures covering certification, incident response and reporting, contingency planning, documented policies and procedures, and training;

(c) Provide physical safeguards, including physical access controls, workstation usage and placement, device and media disposal, reuse, and accountability;

(d) Provide technical security services, including access, audit and authorization controls; and

(e) Provide technical security mechanisms, including communications/network transmission controls.

(f) Understands the "HIPAA" security rule and how it applies within each covered component.

(g) Develops appropriate policies and procedures to comply with the "HIPAA" security rule.

(h) Analyzes and manages reasonably anticipated threats to the security or integrity of "ePHI" within each covered component.

(i) Ensures availability of "ePHI" through proper storage, backup, disaster recovery plans, contingency operations, testing, and other safeguards.

(j) Monitors workforce members in each covered component for compliance with security policies and procedures, including auditing information system activity of workforce members and access reports.

(k) Implements "ePHI" access controls and termination of access.

(l) Identifies and evaluates threats to the confidentiality and integrity of "ePHI."

(m) Protects against uses or disclosures of "ePHI" that are not permitted under the privacy standards.

(n) Responds to security incidents and actual or suspected breaches in the confidentiality or integrity of "ePHI" and maintains security incident tracking reports.

(G) Standards for electronic transactions: "UT ACE" must electronically bill using the standardized formats, codes, and data elements and comply with the rules governing such transactions.

(H) Workforce members

Workforce members of "UT ACE," including employees of the designated health care components who have access or may be exposed to "PHI," will complete "HIPAA" training conducted by the privacy officer and information security officer or their designee(s). Business associates who need to access electronic protected health information will follow all business associate agreement terms and conditions.

All "UT ACE" workforce members must complete "HIPAA" privacy and security training upon hiring or prior to exposure to "PHI."

(I) Violation of policy or procedures:

The failure of a workforce member to comply with this policy or any "UT" policy or procedure that relates to "HIPAA" or "IT" security will be grounds for discipline under the applicable disciplinary policies or collective bargaining agreement. These disciplinary proceedings shall not apply to workforce member "whistleblower" activities, crime victims or complaints, investigations or opposition as set forth in the applicable regulations. The "UT ACE" must document any sanctions applied under the disciplinary policies or collective bargaining agreements.

(J) Monitoring/auditing

Monitoring/auditing of compliance with "UT" policies relating to "HIPAA" privacy and security will be performed to assure compliance with "HIPAA" privacy and security regulations.

(K) Definition

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the "UT ACE" or its healthcare components is under the direct control of the "UT ACE" or its healthcare components regardless of whether or not they are paid by the "UT ACE" or its healthcare components.

Effective: 4/25/2016
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364

3364-15-02 Detecting and preventing fraud, waste and abuse.

(A) Policy statement

The university of Toledo is committed to following all applicable laws and regulations, including those that address fraud, waste, and abuse. The university has established policies and procedures for ensuring compliance with such laws and for detecting and preventing fraud, waste, and abuse. These policies and procedures apply equally to the academic enterprise, as well as to federal health care programs and the proper billing of medicare, medicaid, and other payors.

(B) Purpose of policy

This policy provides information to all university employees, including vendors and contractors, about pertinent federal and state laws, relevant whistleblower protections, and the university's policies and procedures for detecting and preventing fraud, waste, and abuse in compliance with the Deficit Reduction Act of 2005 ("DRA"), the Federal False Claims Act, 31 U.S.C. 3729-3733 ("FCA"), and relevant portions of Ohio law, including section 5162.15 of the Revised Code.

(C) Deficit Reduction Act of 2005 and the Federal False Claims Act

(1) Generally

The "DRA" was enacted on February 8, 2006, and contained anti-fraud legislation modeled after the "FCA." The "FCA" is a federal statute that covers fraud involving any federally funded contract or program. These contracts and programs may be academic in nature, but the "FCA" also includes the medicare and medicaid programs in its scope. The "FCA" establishes liability for any person who knowingly presents or causes to be presented a false or fraudulent claim to the United States government for payment.

(2) Violations

Examples of violations against the Federal False Claims Act are:

(a) Financial false claims, including but not limited to waste, fraud, embezzlement, theft of university assets, and submitting false or incomplete invoices to federal agencies. Such conduct, whether intentional or unintentional, may subject the university and/or individuals to substantial fines, penalties, and interest.

(b) Medical false claims, including but not limited to falsifying medical records submitted, billing for services not rendered or goods not provided, duplicate billing to obtain double compensation, billing for, certifying, or prescribing medically unnecessary services, and under- or over-coding.

(3) Penalties and fines

Violations of the "FCA" will result in any or all of the following:

(a) Civil monetary penalties: payment of interest at the maximum rate on the amount of the payments, a fine between five thousand five hundred dollars and eleven thousand dollars for each false filing, and any other reasonable expenses determined by the court.

(b) Fines: In addition to five thousand five hundred dollars to eleven thousand dollars for each act, an assessment of damages three times the amount of the overpayment may be prescribed.

(c) Criminal penalties: if convicted, the individual could face jail time and be ordered to pay fines and restitution. Additionally, a licensure could come under review and be suspended or permanently revoked.

(d) Medicare/medicaid exclusion: a conviction under the "FCA" could lead to exclusion from medicare, medicaid and all other federal health care programs. If excluded, then no payment will be made by any federal health care program for any items or services furnished, ordered or prescribed by an excluded individual or entity.

Health care providers and suppliers (person and organizations) who violate the "FCA" are subject to an investigation by the office of inspector general ("OIG"), who may seek to exclude the provider or supplier from participation in federal health care programs.

A financial incentive was created for the states by section 1909 of the Social Security Act, added by section 6031 of the "DRA." This statute permits the state government to recover fifty per cent of the funds collected for violation of the "FCA."

(4) "Qui Tam" and whistleblower protection provisions

To encourage employees to come forward and report misconduct involving false claims, the "FCA" includes a "qui tam" or "whistleblower" provision. This provision allows any person with actual knowledge of false claims activity to file a lawsuit on behalf of the federal government. To prevail in such a lawsuit:

(a) The whistleblower must file suit in a federal district court under seal.

(b) The whistleblower must be the "original source" of the information reported to the federal government.

(c) The whistleblower must have direct and independent knowledge of the false claims activities and voluntarily provide this information to the government.

(d) If the matter disclosed is already the subject of a federal investigation, or if the health care provider or supplier has previously disclosed the problem to the federal agency, the whistleblower may be barred from obtaining a recovery under the "FCA."

(e) The whistleblower is entitled to a recovery of between fifteen and twenty-five percent of the damages and penalties recovered by the government when the government intervenes (a larger share, up to thirty percent, when it does not), depending upon the extent to which the whistleblower contributed to the case.

The rights of the parties to a qui tam action depend on whether the federal government decides that the lawsuit has merit and joins the prosecution. If it intervenes, the United States department of justice directs the prosecution. If the government decides not to intervene, the whistleblower can continue with the lawsuit on his or her own.

(5) Non retaliation

In accordance with the "FCA," any employee who reports in good faith suspected misconduct is protected from retaliation. See rule 3364-15-04 of the Administrative Code, "Non-Retaliation."

In addition to a financial award, the "FCA" entitles whistleblowers to additional relief: including employment reinstatement, back pay, and any other compensation arising from retaliatory conduct against a whistleblower.

(D) Ohio law information

Ohio law regarding false claims encourages employees to report in good faith any suspected violation relating to financial or medical irregularities in accordance with the university's policy and procedures.

Once notified of a violation, the university shall make a reasonable and good faith effort to correct the violation and communicate that effort to the employee. If the employee does not receive a communication regarding the plan to resolve the violation within a reasonable time frame, the employee may file a written report of the violation with any of the following:

(1) The prosecuting attorney,

(2) Law enforcement,

(3) Governmental entity that has regulatory authority or

(4) Inspector general.

Section 124.341 of the Revised Code permits a state employee to file an appeal with the state personnel board of review if retaliatory or disciplinary action is taken as a result of the employee filing a report. Section 4113.52 of the Revised Code provides protection for non-state employees.

(E) Detecting and preventing fraud, waste and abuse at the university of Toledo

Policies and procedures have been established to detect and prevent fraud, waste, and abuse at the university. University employees, including staff, faculty, students, residents, volunteers, vendors, and contractors, are encouraged to report in good faith any suspected violations of university policies and violations of federal or state regulations.

The university engages in specific compliance efforts to detect and prevent fraud, waste, and abuse, including but not limited to:

(a) The university compliance plan, which provides guidance to ensure compliance with all applicable laws and standards, available at http://www.utoledo.edu/offices/internalaudit/.

(b) Rule 3364-15-04 of the Administrative Code, which protects individuals from interference with making a protected disclosure and from retaliation for having made a protected disclosure.

(c) Rule 3364-15-05 of the Administrative Code, which describes the process to anonymously report in good faith any suspected misconduct or violation of any policy, law, rule, or regulation that governs the university.

(d) The internal audit and compliance department, which investigates any reports of fraud, waste, or abuse of federal and state funds as well as university property. It also has primary responsibility for implementing and managing the compliance plan, and works with university administration and departments to develop and monitor compliance programs.

(e) Specific training programs, offered to employees across various departments, such as "A Roadmap for New Physicians," educational material provided by the office of inspector general of the United States department of health and human services.

(f) All of the aforementioned policies, including additional information about the anonymous reporting line, are available at utoledo.edu.

Individuals who know of or suspect a violation of the "FCA" should report to the university immediately.

The university will investigate any suspected violation and resolve the issues up to and including termination of employees who are found to have violated federal and state laws, as well as university policy.

(F) Definitions

(1) Deficit Reduction Act of 2005 is the federal law that was enacted to save money over time from mandatory spending programs through changing student loan formulas, slowing the growth in spending for medicare and medicaid, and other measures. The Deficit Reduction Act of 2005 in part requires that state medicaid plans be amended to require certain health care organizations to establish written policies that address the "FCA"; applicable state laws pertaining to the "FCA"; the whistleblower protections provided to employees; and the university's policies and procedures for detecting and preventing fraud, waste, and abuse.

(2) Employee means staff, faculty, students, employees, residents, vendors, and contractors.

(3) Federal False Claims Act means the federal law which prohibits knowingly presenting or causing to be presented to the United States government a false or fraudulent claim for payment or approval; knowingly making, using, or causing to be made or used a false record or statement to get a false or fraudulent claim paid or approved; and conspiring to defraud the government by getting a false or fraudulent claim paid or allowed.

(4) Knowingly is defined to mean that a person, with respect to information has actual knowledge of falsity of information in the claim, acts in deliberate ignorance of the truth or falsity of the information in a claim, or acts in reckless disregard of the truth or falsity of the information in a claim.

(5) Entity includes a governmental agency, organization, unit, corporation, partnership, or other business arrangement that receives or makes payments, under a state plan approved under Title XIX or under any waiver of such plan, totaling at least five million dollars annually.

(6) Retaliation means disciplinary or adverse action taken against an individual because she or he has made a protected disclosure or has participated in an investigation, proceeding, or hearing involving a protected disclosure.

(7) Whistleblower or "Qui Tam" provisions permit a private person (the relator) to file a lawsuit in federal court against entities that defraud the federal government. Should the relator file an original claim, the relator may be awarded a share of the recoveries.

(8) Under seal means the lawsuit is kept confidential while the government reviews and investigates the allegations contained in the lawsuit and decides how to proceed.

Effective: 6/1/2016
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364

3364-15-03 Compliance incident reporting.

(A) Policy statement

The university strives to comply with all federal, state, and local statutes. This policy sets forth the procedures that the university of Toledo will use to respond to reports by institutional members or others regarding possible violations of university policies and procedures or a possible violation of applicable state and federal laws.

The following list includes, but is not limited to, critical areas of compliance:

(1) Fraud and abuse/false claims

(2) Research

(3) Construction

(4) Family educational rights and privacy act ("FERPA")

(5) Health insurance portability and accountability act ("HIPAA")

(6) National collegiate athletic association ("NCAA")

(7) Recording industry association of America ("RIAA")

(8) Public records laws

(9) Ohio ethics laws

(10) Discrimination laws

(11) Federal financial aid

(12) Medicare and medicaid anti-kickback statutes/stark laws

(13) Improper claims for clinical trials/provider based clinics/organ acquisition

(14) Direct graduate medical education/indirect medical education ("DGME/IME") reimbursement

(15) Emergency medical treatment and active labor act ("EMTALA")

(16) Medicare part "D"

(17) Joint commission

(18) University and medical center policies

(B) Purpose of policy

(1) This policy establishes the university's response in situations where:

(a) The policies, rules and standards of the university may not have been followed;

(b) Individuals may have knowingly or inadvertently violated university policies, rules and standards or applicable state or federal regulations;

(c) Corrective action or procedures are necessary to be compliant with university policies, rules or standards or applicable state or federal regulations;

(d) It is necessary to protect the university in the event of civil or criminal enforcement actions;

(e) It is necessary to preserve and protect the university's assets.

(C) Definitions

(1) Availability. Assurance that information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is requested.

(2) Confidentiality. Assurance that information is accessible only to those authorized to have access.

(3) Incident. Any time that sensitive information is viewed, accessed, attempted to be accessed, discussed, or communicated outside of the normal treatment, payment, or other normal operations of the university. An incident is also considered an action that compromises information, the access to information, or the integrity of our information infrastructure.

Below is a listing of incident examples. This list is not inclusive, and serves as a guideline.

(a) Disclosing or transmitting sensitive information when authorization has not been granted;

(b) Accessing information for which you have not been approved, or using resources for anything outside of your required job functions;

(c) Using sensitive information on another's behalf without consent;

(d) Speaking or displaying sensitive information in close proximity of others without consideration of privacy or confidentiality;

(e) Stealing information or physical assets;

(f) Recognizing any behavior or characteristic that doesn't "seem right";

(g) Using equipment that is not authorized for campus usage or is illegally obtained;

(h) Using sensitive information to maliciously cause harm.

(4) Institutional members. Anyone who participates in university activities, or has an affiliation with the university of Toledo; includes, but is not limited to general staff, managers, medical staff, contractors, vendors, students, alumni and others involved in treatment, payment, or other normal operations of the university, whether or not they are paid by the university.

(5) Integrity. Assurance that information has not been modified or destroyed in an unauthorized manner.

(6) Whistleblower. A whistleblower is an institutional member who reports misconduct to people or entities that have the power to take corrective action.

(D) Procedures related to incident reporting

(1) Institutional member duty.

Institutional members have a duty to ask questions regarding potential issues and to report potential concerns. If any institutional member knows of or suspects a violation, they are to report it immediately without fear of retaliation. At no time will any retaliatory action be taken against any individual who files a complaint. Refer to rule 3364-15-04 of the Administrative Code "Non-retaliation policy."

(2) Reporting methods.

To respond to these concerns, the university has established the following channels for institutional members to report incidents or other suspicious activities. Information collected during the reporting process will only be used to complete the investigation into the reported incident, while maintaining confidentiality and privacy to the extent the law permits.

(a) Local resolution.

The recommended method to raise a concern begins with your own college, department or unit through supervisory channels.

(b) Central offices.

Due to the subject matter, work or personal relationship, it may be best to raise questions through a specialized central office. Examples include:

(i) Human resource office or the office of institutional diversity for concerns regarding discrimination or sexual harassment;

(ii) Athletic compliance officer for possible "NCAA" violations;

(iii) Research compliance officer for research concerns.

(c) Internal audit and compliance department.

If the institutional member is uncomfortable with addressing concerns at the local level or through a central office, needs advice on how to handle an issue, or issues have not been resolved satisfactorily, the institutional member can call and report directly to the internal audit and compliance department. Institutional members may also submit a written report to the internal audit and compliance department. Alternately, institutional members may also contact the director of internal audit and chief compliance officer directly at 419-530-8718.

(d) Anonymous reporting line.

The university has an anonymous reporting line to report any situation without using any personally identifiable information (888-416-1308). Refer to rule 3364-15-05 of the Administrative Code "Protected disclosures and anonymous reporting line."

(e) Direct reporting.

Should institutional members feel that the issues or concerns are not being addressed by administration, the institutional member may file a complaint directly with the government or supporting agency. Whistleblower methods may grant the institutional member compensation should the complaint meet the requirements set by the government or agency in question.

Below is a listing of direct reporting examples. This list is not inclusive, and serves as a guideline.

(i) Department of justice ("DOJ");

(ii) Prosecuting attorneys;

(iii) Accreditation organizations, such as the joint commission.

(3) Investigation procedure to be conducted:

(a) Direct an expedient investigation of alleged problem or incident;

(b) If applicable, solicit the support of the office of internal audit, general counsel, and departments specific to the issue and external resources with knowledge of the applicable laws and regulations and required policies, procedures or standards that relate to the specific problem in question;

(c) Interview the complainant and other persons who may have knowledge of the alleged problem or process, and review the applicable policies, laws and regulations which might be relevant to or provide guidance with respect to the appropriateness or inappropriateness of the activity in question, to determine whether or not a problem actually exists;

(d) Conduct interviews with person or persons in the departments and institutions who appeared to play a role in the process in which the problem exists. The purpose of the interview will be to determine the facts related to the alleged incident;

(e) Identify and review documents, files and information submitted to the university or other materials to determine the nature of the problem, the scope of the problem, the frequency of the problem, the duration of the problem and the potential financial magnitude of the problem;

(f) Determine if the review results in conclusions or findings that the issue is permitted under applicable laws, regulations or policy or that the incident did not occur as alleged or that it does not otherwise appear to be a problem, if so, the investigation will then be closed;

(g) Determine if the initial investigation concludes that there is improper activity occurring, that practices are occurring which are contrary to applicable law, that potentially fraudulent behavior is taking place, or that additional evidence is necessary, if so, the investigation will then proceed;

(h) Build summary documentation that accurately reflects all investigation findings.

(4) Investigation documentation to be conducted by the internal audit and compliance department:

(a) Completion of a report for each reported incident;

(b) Entry of incident information into electronic recordkeeping system;

(c) Assignment of an incident number to each reported incident for tracking reasons;

(d) Preparation of a summary report for each reported incident which:

(i) Defines the nature of the problem

(ii) Summarizes the investigation process

(iii) Identifies any person whom the investigator believes to have either acted deliberately or with reckless disregard or intentional indifference toward the university policies, rules and standards

(iv) If possible, estimates the nature and extent of the resulting problems

(e) Retention of incident information, evidence, and history in a retrievable format for future analysis or to the extent the law requires;

(f) Implementation or usage of controls to prevent unauthorized modification, viewing, sharing or destruction of information collected.

(5) Training.

All institutional members, where appropriate, will be trained on appropriate reporting of security incidents.

(E) Enforcement

The failure of any institutional member to perform any obligation required by this policy or by applicable local, state and federal laws or regulations will be subject to established university disciplinary actions and/or prosecution by state or federal authorities.

Effective: 6/1/2016
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364

3364-15-04 Non-retaliation policy.

(A) Policy statement

The university of Toledo encourages all employees, students, volunteers, agents, or contractors acting in good faith, to report suspected or actual wrongful conduct. The university, in compliance with section 4113.52 of the Revised Code, is committed to protecting individuals from interference with making a protected disclosure and from retaliation for having made a protected disclosure or for having refused an illegal order as defined by this policy.

(B) Purpose of policy

This policy is intended to:

(1) Encourage individuals to engage in good faith disclosures of suspected wrongful conduct to the appropriate university official so that prompt, corrective action can be taken by the university

(2) Protect individuals from disciplinary action or other retaliation as a result of disclosing wrongful conduct (individuals who self-report their own misconduct are not afforded protection by this policy)

(3) Protect individuals against false allegations of retaliation

(4) Protect the university when taking action against individuals who make bad faith disclosures

This policy will not provide protection for any communication that proves to have been both unsubstantiated and made with malice or with knowledge of its falsity and will not interfere with legitimate employment decisions.

(C) Procedure

To make a report of wrongful conduct, including violations of this policy, see rule 3364-15-05 of the Administrative Code, "Protected disclosures and anonymous reporting line."

(1) All reports of wrongful conduct will be investigated in accordance with rule 3364-15-05 of the Administrative Code, "Protected disclosures and anonymous reporting line."

(2) Actions determined to be retaliation or bad faith reporting can result in disciplinary actions up to and including termination.

(3) The university's anonymous reporting line can be used to report any situation without using any personally identifiable information (888-416-1308).

(D) Definitions

(1) Wrongful conduct. A serious violation of university policy; a violation of applicable state and federal laws; or the use of university property, resources or authority for personal gain or other non-university-related purpose except as provided under university policy.

(2) Protected disclosure. Communications about actual or suspected wrongful conduct engaged in by a university employee, student, volunteer, agent or contractor (who is not the disclosing individual) based on a good faith and a reasonable belief that the conduct has both occurred and is wrongful under applicable law and/or university policy.

(3) Retaliation. Disciplinary or adverse action taken against an individual because she or he has made a protected disclosure or has participated in an investigation, proceeding, or hearing involving a protected disclosure.

(4) Acting in good faith. Anyone filing a complaint concerning a violation or suspected violation of this policy must have reasonable grounds for believing the information disclosed indicates a violation of the policy.

Effective: 6/1/2016
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364

3364-15-05 Protected disclosures and anonymous reporting line.

(A) Policy statement

According to federal sentencing guidelines, the university of Toledo must provide procedures for employees to report, in good faith, suspected violations of university policies and federal, state, or local laws and regulations.

(B) Purpose of policy

The purpose of this policy is to provide communication channels for employees to report any activity or conduct that they suspect violates the university's policies and procedures, and/or federal, state, or local laws and regulations. All concerns reported will be investigated and the university will determine appropriate follow-up action.

(C) Procedures

Individuals who have compliance related questions or concerns are encouraged to share them as soon as possible so that appropriate action can be taken. Multiple communication channels are available for employees to ask questions and report concerns. In many cases the individual's supervisor is in the best position to address the question or concern, but other channels exist as outlined:

(1) To make a protected disclosure or report any violation of university policies or any applicable law, contact:

(a) The disclosing individual's supervisor, either verbally or in writing, or

(b) An appropriate central office, such as the human resources department for employment related issues, or

(c) The anonymous reporting line at 1-888-416-1308, or

(d) The appropriate governmental unit, law enforcement office, or ethics commission after first providing a written communication about the alleged wrongful conduct to the appropriate university administrator.

(2) The procedure for utilizing the external anonymous reporting line is:

(a) Call 1-888-416-1308,

(b) After the operator answers and provides a greeting, discuss in detail the issue or concern, ask questions, and answer questions the operator may have. The operator will reinforce that the caller does not need to identify him or herself,

(c) Record your password for future reference, and

(d) Access the site with your password within ten days to receive an update, answer questions from the investigator, or obtain a report on actions taken to date. At this time the investigator can let you know if they need additional time to fully investigate.

The director of internal audit and the compliance officer will review the issue to determine the appropriate department for investigation.

(3) Upon receiving a report, the university will notify the individual, acknowledge receipt of the report, and conduct an investigation that can take more than ten days but will be completed within forty-five days of the receipt of the question or concern unless more time is necessary to thoroughly investigate.

(4) Upon completion of an investigation, the university can take appropriate disciplinary action based on the report, up to and including termination.

(5) The outcome of the investigation is communicated to the complainant. The means of communicating the outcome depends on the means by which the complaint was communicated (i.e., in writing, phone, etc.). The outcomes of the investigations received via the anonymous reporting line are documented in the anonymous reporting line database.

All members of the university community (including students) seeking to raise concerns should speak directly with the responsible university office. Student employees who have concerns regarding their university job can use the reporting options listed in this paragraph.

(D) Confidentiality and good faith disclosures/reports

The university will attempt to maintain confidentiality of an individual who makes a protected disclosure or report of suspected compliance violations or concerns. Protected disclosures and reports will be kept confidential to the extent possible, consistent with the need to conduct an adequate investigation, and in accordance with the Ohio Public Records Act.

Any individual making a protected disclosure concerning a suspected violation of university policies must be acting in good faith and have reasonable grounds for believing the information disclosed indicates a violation of the policies. There is no retribution or discipline for anyone who reports a concern in good faith even if the report is unsubstantiated.

Individuals who knowingly or with reckless disregard for the truth give false information, knowingly make a false report of wrongful conduct, or knowingly make a subsequent false report of retaliation will be subject to disciplinary action, up to and including termination.

(E) Compliance

All university employees, students, volunteers, agents or contractors are expected to understand and follow university policies and/or federal, state, and local laws and regulations. Individuals are encouraged to report compliance concerns to maintain the mission of the university.

The university, in compliance with section 4113.52 of the Revised Code, is committed to protecting individuals from interference with making a protected disclosure and from retaliation for having made a protected disclosure. See rule 3364-15-04 of the Administrative Code, "Non-retaliation policy."

Individuals who wish to be protected by the Ohio Whistleblower Protection Act must provide a written report, as referenced in paragraph (C)(1)(e) of this rule, that provides sufficient detail to identify and describe the alleged violation.

(F) Definitions

(1) Protected disclosure. Reports about actual or suspected wrongful conduct engaged in by a university employee, student, volunteer, agent or contractor (who is not the disclosing individual) based on a good faith and a reasonable belief that the conduct has both occurred and is wrongful under applicable law and/or university policy.

(2) Wrongful conduct. A serious violation of university policy; a violation of applicable state and federal laws; or the use of university property, resources or authority for personal gain or other non-university-related purposes except as provided under university policy.

(3) Retaliation. Disciplinary or adverse action taken against an individual because she or he has made a protected disclosure or has participated in an investigation, proceeding, or hearing involving a protected disclosure.

(4) Anonymous reporting line. The anonymous reporting line is an external service provider that collects and documents information provided on the call. It operates seven days a week, twenty four hours a day, and three hundred sixty-five days a year.

Effective: 6/1/2016
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364

3364-15-10 Confidentiality of patient information.

(A) Policy statement

The university of Toledo "UT" requires that all workforce members that have access to patient information be committed to ensuring that patient information is protected and kept confidential. Patient information shall be used and disclosed in accordance with applicable laws and university policies.

(B) Purpose of policy

The purpose of this policy is to outline the appropriate use of confidential patient information consistent with the Health Insurance Portability and Accountability Act "HIPAA" privacy rule and all updates allowing for the use and disclosure of patient information for treatment, payment, or health care operations. Patient information includes all health and financial information pertaining to a patient and the relatives or household members of the patient (See the university of Toledo medical center policy 3364-70-05, protections of human subjects in research for confidentiality of research information.)

(C) Procedure

Organizational structure and administrative responsibilities rule 3364-15-01 designated "UT" and "UTP" as an affiliated covered entity "ACE" and designated "UT" as a hybrid entity. The entire health science campus, in addition to certain departments or units on the main campus of "UT", are designated as health care components, and "UTP" as an "ACE"; these are covered entities for purposes of "HIPAA" compliance.

All patient information that identifies or can be used to identify an individual is confidential and must be safeguarded.

(1) Patient information may be accessed by the university workforce members who are directly or indirectly involved in the patient's care or finances and those who have a need to know the information to perform specific tasks or provide specific services. Examples of those who can have access to confidential patient information include, but are not limited to:

(a) Employees

(b) Faculty

(c) Volunteers and trainers

(d) Medical staff members

(e) Residents

(f) Students

(2) Affiliates who are provided access for the purpose of continuity of care must maintain the confidentiality of patient information in compliance with the privacy and security regulations and university policies. Those persons who are considered affiliates include, but are not limited to:

(a) Residents from other affiliated hospitals

(b) Hospice

(c) Physicians and their staff from other affiliated hospitals and/or clinics that refer patients to the university of Toledo medical center

(d) Cancer registry

(3) Persons not involved with a patient's care or finances and/or who do not have a specific need to know patient information for the performance of specific tasks or to provide specific services shall neither have nor seek access to patient information.

(4) Access to, use of and disclosure of patient information shall be limited to the minimum necessary to perform a specific task or provide a specific service, except when a healthcare provider accesses the information for treatment purposes.

Minimum necessary requirements for patient health information must follow the university of Toledo medical center policy 3364-100-90-2.

(5) Release of health information must be safeguarded by following the "HIPAA" regulations and university rules, and by taking reasonable efforts to maintain confidentiality using appropriate physical, technical and administrative safeguards, including but not limited to:

Selecting private settings to conduct interviews, refraining from discussing patient information in public areas, keeping records and files in non-public areas, and placing computers and electronic devices in appropriate locations and positions.

(a) Electronic devices that contain "PHI" must incorporate the use of password protection. The physical security of the device must always be maintained by the user.

(b) When accessing patient information, computers should not be left unattended; if one must leave a computer unattended, it should be locked or logged off.

(c) Use of electronic mail system for patient information must follow electronic mail services rule 3364-100-50-32.

(d) Voice messages containing confidential patient information generally should not be left on recorders. Messages to patient recorders should be limited to pre-registration information, confirmation of appointments, or to solicit a return call, unless otherwise agreed or requested by a patient. Protected patient information in regards to additional copy printouts is limited by function through "UT's" information system. Additional copies generated must follow the disposal of protected health information rule 3364-15-09 of the Administrative Code.

(6) A confidentiality statement acknowledging that an individual is aware of and understands the university's confidentiality policy shall be signed prior to any person obtaining access or exposure to patient information.

(7) Individuals with access to patient health information are educated about confidentiality during orientation and during training on the hospital information system.

Access to the hospital information system requires identification and password as defined by the university of Toledo medical center policy 3364-65-02, access control.

(8) Breaches and other incidents involving patient confidentiality must be reported to and investigated by the privacy officer in accordance with institutional corrective action/disciplinary policies.

(D) Definitions

(1) Covered entity - a health plan, a healthcare clearinghouse or a healthcare provider who transmits any health information in an electronic form in connection with a transaction. See 45 CFR 160.103 for the few statutory exemptions. The health science campus is considered a covered entity and specific departments on the main campus and "UTP" as an "ACE" will be designated as a covered entity. See rule 3364-15-01 of the Administrative Code.

(2) Health plan means any individual or group that provides or pays the cost of medical care, including public and private health insurance issuers, "HMOs," or other managed care organizations, employee benefit plans, the medicare and medicaid programs, military/veterans plans, and other "policy, plan or programs" for which a principal purpose is to provide or pay for health care services.

(3) Health care provider (as defined in section 1861(u) of the Social Security Act, 42 USC 1395x(u)) means a provider of medical or health services, or any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

(4) Health information is any information, including genetic information, whether oral or recorded in any form or medium, that (45 CFR 160.103):

(a) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.

(b) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

(5) Health information technology means hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information [HITECH Act, section 3000(5)].

(6) Financial information for the purpose of this policy includes but is not limited to:

(a) Health care claims information (including diagnostic and procedure codes, services rendered and charges associated with those services);

(b) Insurance or other payment information;

(c) Payment activity;

(d) Coordination of benefits;

(e) Claim status;

(f) Referral certifications and authorizations;

(g) Health claim attachments; and

(h) Collection activity documentation.

(7) De-identification, in accordance with the "HIPAA" privacy rule, requires that the expert determination method be used or that the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:

(a) Name;

(b) Street address;

(c) City;

(d) County;

(e) Precinct;

(f) Zip code;

(g) Geocode;

(h) Birth date;

(i) Admission date;

(j) Discharge date;

(k) Date of death;

(l) Age;

(m) Telephone number;

(n) Fax number;

(o) E-mail;

(p) Social security number;

(q) Medical record number;

(r) Health plan number;

(s) Account number;

(t) Certificate/license number;

(u) Vehicle "ID" number and license plate;

(v) Device identifier;

(w) Web location, internet address;

(x) Biometric identifier;

(y) Photographs; or

(z) Any unique "ID".

Note: Ages over eighty-nine and all elements of date (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety or older.
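As an added illustration, not part of this rule and not the university's own code, the following Python sketch applies the paragraph (D)(7) identifier list and the age note above to a constructed patient record. The field names, the sample record, the reference date and the free-text patterns are assumptions of the example. It goes slightly beyond the list in one respect: it also scans free-text fields, because identifiers embedded in clinician notes are the usual way a "de-identified" extract still leaks.

```python
"""Safe Harbor style de-identification of a patient record.

Added example (not part of the rule text or the university's systems).
Removes the identifier categories listed in paragraph (D)(7), drops the
dates tied to the individual, and applies the age-over-89 aggregation
from the note. Field names and sample data are assumptions.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Assumed column names; each maps to one of the (D)(7) categories (a)-(z).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "zip_code",
    "geocode", "telephone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric_id", "photo", "unique_id",
}

# Dates tied to the individual, items (h)-(k): removed entirely.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

AGE_CAP = 89  # ages over 89 collapse to the single category "90+"

# Assumed patterns for identifiers hiding in free text; order matters so
# that the SSN pattern is tried before the looser phone pattern.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def aggregate_age(age: int) -> str:
    """Apply the note: ages over eighty-nine become the single bucket 90+."""
    return "90+" if age > AGE_CAP else str(age)


def redact_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with a marker."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label} removed]", text)
    return text


def deidentify(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a copy of record with (D)(7) identifiers removed.

    Direct identifiers and individual dates are dropped; every remaining
    string field is scanned for embedded identifiers; age is recomputed from
    the birth date (or taken from an existing age field) and aggregated.
    """
    out: dict[str, Any] = {}
    birth = record.get("birth_date")
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in DATE_FIELDS or key == "age":
            continue
        if isinstance(value, str):
            value = redact_text(value)
        out[key] = value
    if isinstance(birth, date):
        out["age"] = aggregate_age(age_on(birth, as_of))
    elif "age" in record:
        out["age"] = aggregate_age(int(record["age"]))
    return out


# Constructed sample record (fictitious values) and reference date.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "birth_date": date(1925, 3, 2),
    "admission_date": date(2016, 6, 1),
    "zip_code": "43614",
    "diagnosis_code": "I10",
    "notes": "Pt called from 419-555-0100; spouse email j.ex@example.org",
}
AS_OF = date(2016, 7, 11)


def deidentify_sample() -> dict[str, Any]:
    """De-identify the constructed sample as of the reference date."""
    return deidentify(SAMPLE, AS_OF)


if __name__ == "__main__":
    print(deidentify_sample())
```

Two points worth noting: the record's 91-year-old patient comes out as the bucket "90+" with the birth year gone, exactly what the note requires, and the retained clinical fields are still swept for identifier-shaped text rather than trusted because their column name looks harmless.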

(8) Workforce member means an employee, volunteer, trainee, or other person whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

Effective: 7/11/2016
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364

3364-15-16 Electronic signatures.

(A) Policy statement

Electronic transactions conducted in accordance with this rule shall have the same legal effect as paper-based transactions. The university of Toledo ("UT") through its office of information security shall establish procedures to provide authentication, non-repudiation and integrity to the extent reasonable for each electronic transaction.

(B) Purpose of policy

Prior to using or accepting electronic signatures, Ohio law requires that the university establish security procedures that govern the use of electronic signatures and ensure the authenticity, integrity, and non-repudiation of such signatures. The use of electronic signatures, as directed by this rule, can potentially facilitate the timely execution of activities across the university, including personnel actions, contract approvals, and other activities requiring confirmation of acceptance.

(C) Scope

This policy applies to all electronic transactions entered into on behalf of the university.

(D) Definitions

(1) Authenticity - the assurance that the electronic signature is that of the person purporting to sign a record or otherwise conducting an electronic transaction.

(2) Domain - a category of persons based on the nature of the identity of the person. For purposes of this policy, electronic transactions may belong to one of the following domains:

(a) Citizen domain

(i) The citizen domain consists of individuals acting on their own behalf or on the behalf of any other individual under a power of attorney.

(ii) The citizen domain includes only those individuals who choose to interact electronically with the state of Ohio.

(iii) The citizen domain also includes state web and application servers that interact with citizens.

(b) Business domain

(i) The business domain consists of corporations, business trusts, partnerships, limited liability companies, associations, joint ventures or any other commercial, charitable or legal entity that interacts electronically with state agencies.

(ii) This domain also includes web and application servers that interact with businesses.

(c) State internal domain

(i) The state internal domain consists of state employees acting on behalf of the state, and any other agent of the state; network components; and web and application servers that use electronic transaction-enabled applications to conduct internal state business.

(ii) The state internal domain also applies to local government representatives for electronic transactions with state government agencies.

(3) Electronic record - as defined by Chapter 1306. of the Revised Code, is a record created, generated, sent, communicated, received, or stored by electronic means.

(4) Electronic signature - An electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

(5) Electronic transactions - An action or set of actions, like an exchange of an electronic record and electronic signature between the university and an individual relating to the conduct of such business as:

(a) Consent to release information;

(b) Purchase, sell or lease goods, services or construction;

(c) Transfer funds;

(d) Facilitate the submission of an electronic record with an electronic signature required or accepted by the UT; or

(e) Create records formally issued under a signature and upon which the university or any other person will reasonably rely including but not limited to formal communication, letters, notices, directives, policies, guidelines and any other record.

(6) Integrity - the assurance that the electronic record is not modified from what the signatory adopted.

(7) Non-repudiation - proof that the signatory adopted or assented to the electronic record or electronic transaction.

(8) Scanned signature - a photocopy, fax, pdf or other copy of a document signed electronically or by hand.

(9) Security procedure - a procedure employed for the purpose of verifying that an electronic signature, record, or performance is that of a specific person, or for detecting changes and errors, including a procedure requiring the use of codes or algorithms and:

(a) Identifying words or numbers;

(b) Encryption;

(c) Call back; or

(d) Other acknowledgement procedures.

(E) Discipline

(1) Failure to comply with this policy may lead to disciplinary action up to and including termination.

(2) The university may repudiate any document signed in violation of its rules, policies, and procedures, and the person signing the instrument may be held personally liable for any obligations incurred.

(F) Compliance

A record, signature or contract may not be denied legal effect or enforceability when it is in electronic form. Electronic form satisfies the law.

(G) Phone contacts

(1) Office of legal affairs (419) 530-8411

(2) Office of information security (419) 530-3995

(G) Procedure

(1) Electronic signatures

(a) No individual may electronically sign any document for or accept an electronic or scanned signature from another party on behalf of the university except in accordance with this policy.

(b) Electronic transaction report

(i) Upon request from a unit of the university, the office of information security, in collaboration with the office of legal affairs, shall file an electronic transaction report with the Ohio office of information technology for each set of transactions to be consummated using electronic signatures.

(ii) The office of legal affairs shall determine the appropriate domain of each set of transactions.

(iii) The office of information security shall conduct a security risk assessment for each set of transactions, identify a security level required for said transactions, and establish security policies and procedures for the transaction set.

(iv) The university shall maintain electronic transaction reports for as long as the electronic records of the electronic transaction are retained in accordance with the appropriate record retention schedule.

(c) Facilitating the use of electronic signatures

(i) The university shall, through its normal procurement processes, acquire software to facilitate the use of electronic signatures.

(ii) Each person authorized to sign contracts under rule 3364-40-15 of the Administrative Code shall be issued a license for the electronic signature software.

(iii) The software shall require the individual to log in using his/her "UTAD" credentials in order to electronically sign a document.

(d) The system used to sign electronic contracts shall capture the document at the time of signature and shall securely store it so that the signed version may be retrieved in the event of a dispute.

(e) Electronic signature software

The electronic signature software shall require a separate and distinct action for each signature.

(f) This policy does not grant contracting authority to any individual or expand the authority already granted in the university document "delegation authority for documents that bind the university."

(2) Scanned signatures

(a) If the office of legal affairs determines that immediate evidence of execution of an instrument is necessary, the university may use and accept scanned signatures.

(b) The office of legal affairs shall seek to acquire a hard copy or electronic signature as soon as practicable.

Effective: 3/16/2015
Promulgated Under: 111.15
Statutory Authority: 1306, 3364
Rule Amplifies: 3364