Sale of PHI
Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Sale of PHI
Policy Number: PPS-22
Effective Date: September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Executive Vice President, Treasurer and Chief Operating Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
To address the importance of properly protecting patient information and to only sell protected health information to the extent permitted under HIPAA.
Drexel University (DU) shall not sell a patient's protected health information for direct or indirect remuneration without prior written authorization from the patient unless an exception applies. For purposes of this policy, remuneration is not limited to financial remuneration, but also includes in kind remuneration. The sale of protected health information includes, selling, licensing, leasing and providing access to protected health information for remuneration.
Exceptions to the foregoing includes:
- Public health activities;
- Research (to the extent permitted under the HIPAA privacy rules) and the price reflects the costs of preparation and transmittal of the data for such purpose;
- Treatment of the individual;
- Sale, transfer, merger or consolidation of all or part of DU and the due diligence related to such activity;
- Business Associate activities under a Business Associate agreement (where the Business Associate is being paid to provide a service);
- Providing an individual with a copy of his/her protected health information; and
- Other future exceptions permitted by HIPAA.
Sales of protected health information must be made in accordance with protocols developed by Legal, Compliance and Privacy Offices.
Back to Top