Effective Date: July 1, 2025
Issuing Authority: Senior Vice President for Finance and Administration
Policy Contact: University HIPAA Officer, 478-301-2300
Purpose
The purpose of this policy is to assure that identifiable health information is used and disclosed only for purposes for which an individual has been notified, or where a reasonable attempt of such notification has been made, or has provided prior written permission or, with regard to health information used in research, where a waiver of that permission has been granted by Mercer University’s Institutional Review Board (IRB), or without prior patient permission where disclosure is required by law.
Scope
This policy applies to all patients of Mercer University.
Exclusions
None
Policy Statement
It is the policy of Mercer University (Mercer) that an individual’s identifiable health information may typically only be used or disclosed pursuant to notification to and/or permissions granted by the individual, unless otherwise permitted or required by statute.
Mercer will provide individuals with the Mercer Notice of Privacy Practices prior to initial service delivery, unless an emergency or a communications barrier makes providing or obtaining this advanced notice and/or acknowledgment impossible or impracticable and will make a good faith effort to obtain acknowledgment of its receipt.
Except in emergency situations where patient care might be compromised, Mercer will not use or disclose identifiable health information in a manner inconsistent with its Notice of Privacy Practices.
Only the approved Mercer Notice of Privacy Practices may be used for providing notification and no additions, deletions, or modifications may be made to the form without the approval of the University HIPAA Privacy Officer or other authorized University official.
Mercer allows individuals to request restrictions on the use and disclosure of their health information for treatment, payment, and healthcare operations. Following review by authorized Mercer personnel, Mercer may choose not to agree to the requested restrictions. Mercer will adhere, however, to any restrictions to which it agrees.
Acknowledgments of the Notice of Privacy Practices will be retained by the University for a minimum of six years. Any agreed upon restrictions arising out of the notification will remain in effect until revoked by the individual or until the individual is notified by Mercer that Mercer University will no longer honor the agreed upon restrictions.
In the event Mercer receives more than one authorization or permission from a patient that appear to conflict with each other, Mercer University will abide by the more restrictive patient permission, until the conflict is resolved. Mercer will attempt to determine the true intentions of the patient and thus resolve the conflicting permissions as soon as is practicable.
An individual’s protected health information may be used or disclosed by Mercer University for purposes other than treatment, payment, and health care operations, such as for research. Use and disclosure for such purposes requires a valid, signed authorization specifically detailing what information will be used or disclosed, how and by whom the information will be used or disclosed, and during what time period the information will be needed or a statement indicating there is no defined duration.
Only an approved Mercer Authorization Form may be used, and no additions, deletions, or modifications may be made without the approval of the University HIPAA Privacy Officer or other authorized University official.
Authorizations are valid only for the conditions outlined in the document and may not be used for any purpose or purposes not specifically stated and agreed to by the signing individual. Mercer will allow an individual to revoke their authorization at any time by submitting a written request. However, any such revocation shall not be retroactive to the extent that Mercer has already relied and acted on the authorization by the patient.
Treatment of an individual at Mercer University may not be conditioned on obtaining a signed authorization, except treatment associated with a research protocol or with treatment performed for a third party.
Except where otherwise permitted or required by statute, the requirement to obtain authorization for purposes other than treatment, payment, or healthcare operations may only be waived by Mercer’s Institutional Review Board (IRB) and in accordance with that Board’s stated policies and procedures.
Additional Resources
The above represents a general statement of Mercer University operating policy. For further details on this statement, see Statutory Requirements 45 CFR Sections 164.508, 164.520, and 164.522.
Employees of the Mercer Health System should reference the Mercer Health System Policies and Procedures for HIPAA compliance guidelines.
Notice of Privacy Practices Policy: policies. mercer.edu/notice-of-privacy-practices-policy-hipaa-general-operating-policy/
History
Revised June 2003
Revised July 1, 2025