Effective Date: July 1, 2003
Issuing Authority: Senior Vice President of Finance and Administration
Policy Contact: University HIPAA Officer, 478-301-2300
Purpose
The purpose of this policy is to assure that individuals have both access to and a mechanism for inspecting
their health information, have a mechanism for requesting that their health information be amended by the
University, and for requesting and receiving an accounting of disclosures of their health information.
Scope
This policy applies to all students and employees at Mercer University.
Exclusions
For purposes of HIPAA compliance, employee records and student records subject to FERPA are specifically excluded from the definition of “health record”.
Policy Statement
Except as noted below, it is the policy of Mercer University (Mercer) to allow individuals to inspect and obtain a
copy of their own health information and to request the amendment of their health information that is stored in
any Mercer file or depository, stored electronically, or that exists in any recording device or in any clinical or
research data base, hereafter collectively referred to as the “health record”. Additionally, Mercer allows
individuals to request information regarding disclosures of their health information made by the University to
external third parties.
Individuals may access, inspect, and obtain a copy of their own health information that was obtained by Mercer
and is maintained in any Mercer health record, except as set forth below or otherwise excepted by statute.
Individuals will typically be denied access to information contained in psychotherapy notes, or to information
that was obtained from a non-Mercer source under an agreement of confidentiality, or temporarily, to
information obtained during an active research study or clinical trial involving treatment and pursuant to prior
agreement with the research participant.
Mercer may otherwise choose to deny access to certain health information contained in the health record if, in
the judgment of a licensed health care professional, such access could cause harm to the individual or to
another person.
Mercer will allow an individual to amend information in their health record where the information in question
was created by Mercer and is inaccurate or incomplete. Otherwise, Mercer will allow an individual to request
an amendment of their health record that will be reviewed by a licensed health care professional. If the request
is denied, Mercer will provide the individual a written explanation and allow the individual to submit a statement
of disagreement to become a part of their health record.
Except for information released pursuant to a signed authorization or otherwise excepted by statute, Mercer
will, upon request, provide an individual with information regarding the release of their identifiable health
information to external third parties that was made for non-routine purposes, i.e., for purposes other than
treatment, payment, and healthcare operations. Reasonable attempts will be made to provide this information
in a format requested by the individual. Otherwise, it may be provided in any format mutually agreed upon.
Requests for access to health information, requests to amend health information, or requests for an accounting
of disclosure of health Information must typically be in writing.
It is the responsibility of the department, division or operating unit that houses the protected health information
in question to respond to the requestor regarding the University’s intention to comply with or deny the request
or otherwise to have a protocol in place for responding to such requests. Such response will typically occur
within thirty days of an access request or sixty days in the case of request for amendment or for an accounting
of disclosure. In the event of denial, the response will include an explanation of the denial and will inform the
individual of their right to and the process for appeal. Any denial decision will only be made by a licensed
healthcare professional.
Mercer departments may, at their discretion, charge a requestor a fee not to exceed the actual cost of
compiling, copying, and mailing requested information.
Additional Resources
The above represents a general statement of University operating policy. For further detail regarding this
statement, see Statutory Requirements 45 CFR Sections 164.524, 164.526, and 164.528.
Employees of the Mercer Health System should reference the Mercer Health System Policies and Procedures
for HIPAA compliance guidelines.