https://wiki.unmc.edu/api.php?action=feedcontributions&user=Spammer&feedformat=atomUniversity of Nebraska Medical Center - User contributions [en]2024-03-29T10:12:39ZUser contributionsMediaWiki 1.39.4https://wiki.unmc.edu/index.php?title=Conflict_of_Interest&diff=2100Conflict of Interest2013-06-26T18:47:01Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Copyright]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts Policy]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]]<br />
<br /><br /><br />
Policy No.: '''8010'''<br /><br />
Effective Date: '''09/04/07'''<br /><br />
Revised Date: '''05/20/2013'''<br /><br />
Reviewed Date: '''05/20/2013'''<br />
<br /><br /><br />
<big>'''Conflict of Interest Policy'''</big> <br />
== Basis for Policy ==<br />
Statutes, regulations, University policies and accreditation standards related to conflict of interest identification and management are: <br />
#"Responsibility of Applicants for Promoting Objectivity in Research for which Public Health Service Funding is Sought and Responsible Prospective Contractors" regulations at 42 CFR Part 50 and 45 CFR Part 94 <br />
#"Financial Disclosure by Clinical Investigators" Food & Drug Administration regulations at 21 CFR Part 54 <br />
#Nebraska Conflict of Interest Statute at Neb. Rev. Stat. §49-1493 et. seq. <br />
#Bylaws of the Board of Regents of the University of Nebraska Sections 3.10, 3.45 and 3.8 <br />
#Board of Regents Conflict of Interest Policy, RP-3.2.8 <br />
#Board of Regents Patent & Technology Policy, RP-4.4.2 <br />
#UNMC Human Research Protections Policy #3.12, "Identification and Management of Potential Financial Conflicts of Interest of Research Personnel" <br />
#UNMC Policy No. 1049, [[Outside Employment]] <br />
#UNMC "Interactions between College of Medicine Faculty, Staff & Trainees and Health Care Vendors" policy <br />
== Policy ==<br />
Potential conflicts of interest arise in a variety of circumstances in the academic health sciences center environment when an individual's private financial interests either conflict with or create the appearance of conflicting with UNMC's public interests. This policy applies to potential conflict of interest arising in any UNMC activity, including but not limited to research, teaching, patient care, outreach to underserved populations and the associated business activities in support of them. Covered Persons shall disclose all financial interests related to their University of Nebraska responsibilities so that an analysis of potential conflict of interest may be conducted. When a conflict of interest is identified, the conflict will either be managed or eliminated to reduce the appearance of bias and maintain responsible stewardship of public resources. This policy shall be publicly posted in the UNMC [[Policies and Procedures]] manual on the UNMC internet site. <br />
== Definitions ==<br />
'''Covered Person''' under Regents Policy 3.2.8 shall mean: <br />
#University administrative officers and employees, specifically including any University employees with delegated signature, purchasing or contracting authority on behalf of the university; <br />
#University employees and faculty engaged in outside employment or other activities specified in this policy (tech transfer/use of University facilities or equipment) that may create a Conflict of Interest; and <br />
#Sponsored research investigators who participate in sponsored research; and non-sponsored research investigators participating in human subjects or animal subjects research. <br />
'''Investigator''' under PHS regulations shall mean the project director or principal investigator and any other person, regardless of title or position, who is responsible for the design, conduct or reporting of research which may include graduate students, post-docs, residents, collaborators or consultants. <br />
'''Conflict of Interest (COI)''' under Regents Policy 3.2.8 shall mean situations when a Covered Person's direct or indirect personal financial interest, (whether or not the value is readily ascertainable) may compromise, or have the appearance of compromising, the Covered Person's professional judgment or behavior in carrying out his or her obligations to the University of Nebraska. This includes indirect personal financial interests of a Covered Person that may be obtained through third parties such as a Covered Person's immediate family, business relationships, fiduciary relationships, or investments.<br /><br />
<br />
'''Equity''' includes any stock, stock option, or other ownership interest, as determined through reference to public prices or other reasonable measures of fair market value. <br /><br />
<br />
'''Financial Conflict of Interest (FCOI)''' under PHS regulations means a Significant Financial Interest that the COI Officer or COI committee reasonably determines could directly and significantly affect the design, conduct or reporting of research. <br /><br />
<br />
'''Immediate Family''' under Regents Policy 3.2.8 shall mean an individual who is a spouse, child, brother, sister, grandchild, or grandparent, by blood, marriage, or adoption of the Covered Person. <br /><br />
<br />
'''Institutional Conflict of Interest (ICOI)''' may occur when the University or a Covered Person in a senior administrative position has a financial interest in a commercial entity that itself has an interest in a University research project, including potential conflicts with equity/ownership interests or royalty arrangements. <br /><br />
<br />
'''Institutional Responsibilities''' means professional responsibilities on behalf of the University of Nebraska which may include activities such as professional service including patient care, teaching, research & research consultation, outreach, administrative, institutional committee membership including service on panels such as the Institutional Review Board or Data and Safety Monitoring Boards, and other duties as specified in the Covered Person's job description and/or employment agreement. <br /><br />
<br />
'''Remuneration''' includes salary and any payment for services not otherwise identified as salary including but not limited to consulting fees, honoraria, and paid authorship. <br /><br />
<br />
'''Senior/Key Personnel''' means the Project Director (PD)/Principal Investigator (PI) and any other person identified as senior/key personnel in the UNMC grant application, progress report, or any other report submitted to the PHS by UNMC. <br /><br />
<br />
'''Significant Financial Interest''' means a financial interest of the Investigator or his/her Immediate Family Member that reasonably appears to be related to the Investigator's Institutional Responsibilities, and: <br />
#If with a publicly traded entity, the value of any remuneration received from the entity in the twelve months preceding the disclosure and the value of any equity interest in the entity as of the date of the disclosure, when aggregated, exceeds $5,000; <br />
#If with a non-publicly traded entity, the value of any remuneration received exceeds $5,000 or when a research Investigator or Immediate Family holds any equity interest; <br />
#Intellectual property rights and interests upon receipt of income related to such rights and interests, excluding income paid by the University of Nebraska.; <br />
#For PHS-funded research investigators, includes reimbursed or sponsored travel, excluding travel that is reimbursed or sponsored by a Federal, state, or local government agency, an Institution of higher education, an academic teaching hospital, a medical center, or a research institute affiliated with an Institution of higher education. <br />
==Conflict of Interest Management Roles and Responsibilities ==<br />
===COI Officer===<br />
The UNMC Conflict of Interest Officer shall be responsible for implementing the UNMC COI management program. The COI management program shall also include review and approval of the "Application for Authorization to Engage in Outside Professional Activity" forms as delegated by the Chancellor with associated management of conflict of commitment under Regents Policy 3.8. and UNMC Policy 1049, [[Outside Employment]]. The COI Officer shall: <br />
#Ensure UNMC policy meets Board of Regents policy and state and federal regulatory requirements; <br />
#Implement annual disclosure requirements for Covered Persons and monitor to ensure compliance. The UNMC electronic Annual Disclosure of Financial Interest form is incorporated into this policy by reference. The Annual Disclosure of Interest and Application for Authorization to Engage in Outside Professional Activity forms are located at: http://net.unmc.edu/rss/ . <br />
#Coordinate identified conflict of interest matters with Sponsored Programs Administration, UNeMED, the Institutional Review Board (IRB), the Institutional Animal Care and Use (IACUC) committee, the Associate Vice Chancellor, Business and Finance (for business COI), and the Continuing Medical and Nursing Education offices as relevant. Whenever a potential COI involving activities with another University of Nebraska campus or university affiliated entity is disclosed or identified, notify the other campus or university affiliated entity COI contact and collaboratively review and manage the potential COI.<br />
#'''COI Education.''' Provide COI education to covered persons at time of hire, and every four years thereafter, and immediate re-education when there are policy changes or when investigators fail to comply with the COI policy. For investigators conducting Public Health Service (PHS) sponsored research, education shall be completed prior to the expenditure of any PHS funds. <br />
#When Covered Persons have significant financial interests related to their institutional responsibilities, present information to the COI committee for potential COI management plan creation. <br />
#'''Report FCOI to PHS'''. When the COI committee has implemented a COI management plan for PHS-funded research, update the PHS e-Commons with the FCOI report provided by the COI committee. Provide initial, annual and revised FCOI reports, if applicable for both UNMC and its subrecipients. Revised FCOI reports shall be submitted within 60 days of identification for new Investigators added to a grant, or newly identified FCOIs for existing investigators. The FCOI report shall contain the following elements: <br />
##The role and principal duties of the conflicted Investigator in the research project; <br />
##Conditions of the management plan; <br />
##How the management plan is designed to safeguard objectivity in the research project; <br />
##Confirmation of the Investigator's agreement to the management plan; <br />
##How the management plan will be monitored to ensure Investigator compliance; and <br />
##Other information as needed. <br />
#'''Conduct retrospective review.''' If UNMC identifies a significant financial interest that was not disclosed by a research Investigator in a timely manner, or was not reviewed by UNMC, the COI officer shall, within sixty (60) days: review the significant financial interest and determine whether it is related to PHS-funded research. The COI committee shall determine whether a financial conflict of interest exists, and, if so, implement an interim COI management plan. Within 120 days, the COI committee shall complete a documented retrospective review of the research Investigator's activities and the PHS-funded research project to determine whether any PHS-funded research conducted during the period of non-compliance was biased in the design, conduct or reporting of such research. The documented review shall contain all of the elements required by the PHS regulations. <br />
#'''Reporting Bias & Mitigation Report.''' If bias is found with the design, conduct or reporting of PHS-funded research, the COI Officer shall notify the PHS awarding component promptly and submit a Mitigation Report containing the retrospective review information and a description of the impact of the bias on the research project and UNMC's plan of actions taken to eliminate or mitigate the effect of the bias. <br />
#If the research is clinical research whose purpose is to evaluate the safety or effectiveness of a drug, medical device, or treatment, the COI committee shall require the Investigator to disclose the FCOI in each public presentation of the results of the research, and request an addendum to previously published presentations, in addition to any applicable disclosure listed below in Disclosure of Financial Interest. <br />
#'''Public Disclosure.''' Disclose Financial Conflicts of Interest (FCOI) of senior/key personnel involved in Public Health Service funded research only as determined by the COI Committee in response to public requests within five (5) business days of the request as required by PHS regulations. These requests shall be coordinated with the University of Nebraska Records Management Officer. <br />
#'''Board of Regents Annual Report.''' Submit the annual Conflict of Interest and Outside Activities report to the University of Nebraska Director of Internal Audit and Advisory Services for review by the Board of Regents Audit Committee. <br />
===Covered Persons===<br />
#'''Annual Disclosure of Financial Interest.''' Individuals covered under this COI policy shall complete a UNMC Annual Disclosure of Financial Interest Questionnaire through the UNMC electronic e-Disclosure system annually. Covered Persons shall receive an e-mail notification from the Compliance Department to complete the form. The UNMC Disclosure of Financial Interest form contains all elements required under Board of Regents policy and federal regulations (including PHS regulations) and is incorporated into this policy by reference. The e-Disclosure system may be accessed through the Research Support System (RSS) website at: http://net.unmc.edu/rss/ . Individuals shall disclose all financial interests related to their University of Nebraska (institutional) responsibilities. <br />
#'''Research Investigators''' shall review and update their Annual Disclosure of Financial Interest when sponsored grants and contracts are submitted, including PHS-funded research. Investigators shall update their Annual Disclosure of Financial Interest form within thirty (30) days of discovering or acquiring a Significant Financial Interest and on an annual basis thereafter during the period of the award. <br />
#'''Education.''' Covered Persons shall complete education on Board of Regents COI policy, UNMC COI policy, and PHS COI regulations, and their disclosure responsibilities prior to initially completing the Annual UNMC Disclosure of Financial Interest, and every four (4) years thereafter. Covered Persons shall not spend any PHS research funds until education has been completed. <br />
#'''Disclosure of Financial Interest.''' Covered Persons who are research Investigators shall disclose the nature of all financial interests related to their research (e.g. consulting advisory board, intellectual property) in all publications and presentations and to all UNMC personnel involved in the research project, including students. In human subjects research, Investigators shall disclose their financial interests related to the research in the informed consent, as required by UNMC HRPP Policy 3.01. <br />
#'''Appeal Rights.''' Covered Persons may appeal adverse decisions made under this policy to the Vice Chancellor for Academic Affairs. The appeal shall be in writing and contain a description of the adverse decision, justification for why the decision should be changed, and the change desired. The appeal request shall be submitted to the COI Officer. The VCAA shall respond in writing to the Covered Person with his/her decision within thirty (30) days of receipt. The VCAA's decision is final. <br />
===COI Committee.===<br />
The UNMC COI Committee composition and operating procedures are contained in Appendix A. The COI Officer shall be a member of the COI committee and shall provide administrative support for the committee. The COI committee shall: <br />
#Provide oversight over the UNMC COI program, advise the COI officer, and provide guidance on UNMC COI policy matters. <br />
#Review Significant Financial Interests. Review Disclosures of Financial Interest in the amount of $5,000 and above for research Investigators and determine if these Significant Financial Interests are related to the research, and, if so related, whether the Significant Financial Interest constitutes a Financial Conflict of Interest. A Significant Financial Interest is a Financial Conflict of Interest if it could directly and significantly affect the design, conduct , or reporting of research, including PHS-funded research. <br />
#Create COI Management Plans for Financial Conflicts of Interest. <br />
#Conduct retrospective reviews of newly identified Significant Financial Interests as described in Conduct Retrps[ectove Review above. <br />
#Review COI Policy violations and recommend sanctions, if appropriate, to the Vice Chancellor Academic Affairs and to the appropriate UNMC administrator responsible for supervision of the individual(s) violating the policy. <br />
===Sponsored Programs Administration===<br />
Sponsored Programs Administration shall: <br />
#Notify all research Investigators submitting sponsored grant/contract proposals to review their Annual Disclosure of Financial Interest form and update the information as needed. Sponsored Programs Administration shall verify review has been completed for all applications. <br />
#Coordinate with the COI Officer when Investigators disclose significant financial interests related to the sponsored project to determine if a COI management plan is required. <br />
'''Subrecipients.''' Include provisions in PHS-funded subrecipient agreements that: <br />
#the subrecipient certifies that its FCOI policy complies with PHS regulations or in the alternative that the subrecipient will follow the UNMC COI policy; and <br />
#the subrecipient shall report identified FCOIs for its Investigators in a timely manner so UNMC can report identified FCOIs to the PHS in the time frames in '''Repprt FCOI to PHS''' and '''Conduct retrospective review''' above. <br />
===Associate Vice Chancellor, Business and Finance===<br />
The Associate Vice Chancellor of Business and Finance shall manage business conflict of interest by reviewing all Annual Disclosure of Financial Interest questionnaires completed by Covered Persons with contract signature authority under Executive Memorandum 13 and 14; Covered Persons with purchasing authority; Covered Persons who identify family member(s) with a financial interest with the University of Nebraska; and any other potential business-related financial interest identified by the COI Officer through the annual COI disclosure process or by any other person at UNMC. Business COI management plans shall be created to minimize the appearance of bias in decision-making and ensure state and federal regulations and University of Nebraska business-related policies are followed. Business COI management plans shall be reported through the UNMC COI committee and reported on the Annual COI report to the Board of Regents Audit committee. <br />
===Institutional Review Board (IRB)===<br />
The IRB shall require all Covered Persons listed on the IRB application who have a financial interest to update their Annual Disclosure of Financial Interest form pursuant to UNMC HRPP Policy #3.12. The IRB shall review and approve proposed COI management plans as described in HRPP Policy #3.12. <br />
===UNeMED===<br />
The President of UNeMED or designee shall coordinate with the COI officer on UNeMED activities where it appears that a Covered Person's or UNMC's financial interest may be a potential individual or institutional conflict of interest, including intellectual property interests and equity interests involving technology transfer companies. <br />
===Continuing Education Offices===<br />
UNMC is accredited by the Accreditation Council for Continuing Medical Education (ACCME). The Continuing Medical Education (CME) office shall review disclosures of financial interest for UNMC employees who are serving as course directors, faculty or peer reviewers for UNMC CME courses, as required by the ACCME Standards for Commercial Support. <br />
==Institutional Conflict of Interest Management ==<br />
In order to avoid real or perceived favoritism in relationships with research sponsors, each/every potential Institutional COI shall be reported. Any Covered Person who has knowledge of potential Institutional COI shall report the information to the COI Officer. Potential Institutional COI may be identified through the Annual Disclosure of Financial Interest questionnaire for senior administrative personnel. The COI Officer shall convene a group of senior UNMC officials appointed by the Chancellor to review the disclosure and propose a management plan for Chancellor approval if appropriate. It is important to note that PHS COI regulations do not cover institutional conflict of interest. <br />
==Records Retention==<br />
All Disclosure of Financial Interest information, COI management plans and all Public Health Service-funded Financial Conflict of Interest-related records shall be retained for the fiscal year in which the grant or contract is closed plus seven (7) years as required by Board of Regents Records Retention Schedule 170-8, "Sponsored Projects (Grants)". No destruction of records shall take place if there is a Preservation Hold in effect, or if any litigation, claim, negotiation, audit or other actions involving the records have been started before the expiration of the retention period. The records must be retained until completion of the action and resolution of all issues which arise from it, or the seven year retention period, whichever is later, as required under 45 CFR 74.53 and 92.42. <br />
==Public Accessibility of PHS-funded Senior/Key Personnel FCOI ==<br />
Upon request, the COI Officer shall make available to the public information concerning identified FCOIs held by Senior/Key personnel receiving PHS research funding as required by PHS regulations. Information shall be provided in writing within five (5) business days of the request. The COI officer shall coordinate these public requests with the University of Nebraska Records Management Officer. All other financial interest disclosure information and conflict of interest determinations shall remain confidential and may be withheld from the public as permitted under Neb. Rev. Stat. 84-712.05, "Records which may be withheld from the public; enumerated." <br />
==Sanctions ==<br />
Covered Persons who violate this policy may receive corrective action under UNMC Policy No. 1098, [[Corrective/Disciplinary Action|Corrective and Disciplinary Action Policy]]. The COI Committee may also recommend other corrective action such as additional training, or for serious violations, recommend that research funding be withheld or recommend other appropriate sanctions to maintain the integrity of the research. The Vice Chancellor of Academic Affairs shall review and approve all proposed sanctions. The sanctions shall be coordinated with the respective Dean, Director or Vice Chancellor for enforcement. <br />
<br />
==Additional Information==<br />
<P>For additional information, contact the [mailto:swrobel@unmc.edu Chief Compliance Officer].<br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].<br />
<br />
== Policy 8010 Appendix A ==<br />
<big>Conflict of Interest Committee (COIC) Governance</big><br /><br />
'''COI Committee Composition.''' The COI Committee shall have at least 16 members representing the following areas: </P><br />
<P><br />
{| class="wikitable" border="1"<br />
|-<br />
| College of Medicine<br />
| Vice Chancellor for Business & Finance<br />
|-<br />
| College of Dentistry<br />
| Vice Chancellor for Research<br />
|-<br />
| College of Pharmacy<br />
| Compliance/Conflict of Interest Officer<br />
|-<br />
| College of Nursing<br />
| Sponsored Programs Administration<br />
|-<br />
| College of Public Health<br />
| Institutional Review Board<br />
|-<br />
| Eppley Cancer Institute<br />
| Associate General Counsel for Healthcare<br />
|-<br />
| Munroe Meyer Institute<br />
| Center for Continuing Medical Education<br />
|-<br />
| Vice Chancellor for Academic Affairs<br />
| Community Member<br />
|}<br />
<br />
'''Membership Term.''' COI Committee members shall serve for a term of three years, which may be automatically renewed upon mutual agreement of the member and the Chancellor or his/her designee. New members shall be nominated by the department/unit and approved by the Vice Chancellor of Academic Affairs or his/her designee. The Chancellor or his/her designee shall appoint a faculty chair of the COI Committee. The Vice Chancellor of Academic Affairs or his/her designee shall select the community member. The Chancellor or his designee can appoint additional voting and non-voting members. <br /><br />
<br /><br />
<br />
'''Quorum.''' A quorum is required for meetings to be conducted. More than half of the membership present will constitute a quorum.<br /><br />
<br /><br />
'''Voting.''' All committee members are eligible to vote. No regular motion shall pass unless a majority of the COI Committee members present vote in favor of the motion.<br /><br />
<br /><br />
'''COIC Member Conflicts.''' If a COIC member has a conflict of interest with a specific matter being discussed, the member shall declare that he/she has a potential conflict and shall not vote on the matter. Such conflicts may arise when:<br />
#the member is participating in the research under review;<br />
#the member has a financial relationship with a research sponsor under review; or <br />
#the member has a personal relationship or conflict with the individual under review that could potentially cause the member to be perceived as less than objective in his/her review.<br />
'''Committee Review by Telephone/Electronically'''. While face-to-face meetings will normally be held, committee review of potential conflicts may be conducted by telephone or electronically at the discretion of the COI Committee chair.<br /><br />
<br /><br />
'''Meeting Minutes.''' The COI Coordinator chair shall prepare meeting minutes and present them for approval at the next scheduled COI Committee meeting.<br />
== Additional Information ==<br />
Contact the [mailto:swrobel@unmc.edu Chief Compliance Officer]<br /><br />
Contact the [mailto:dthomas@unmc.edu Associate Vice Chancellor for Business and Finance] <br /><br />
[[Conflict_of_Interest_Procedures|Conflict of Interest Procedures]]<br /><br />
[http://webmedia.unmc.edu/policy/8010-1.doc Appendix 1 - Disclosure of Potential Business Conflict of Interest]<br /><br />
[[Research Conflict of Interest Procedures]]<br /><br />
[[Outside Employment]] Policy<br /><br />
[http://www.unmc.edu/hr/Forms/outactapp.pdf Application for Permission to Engage in Professional Activity Outside the University]<br /><br />
[http://webmedia.unmc.edu/policy/COIForm.doc Disclosure of Potential Conflict of Interest Form] <br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2099Use and Disclosure of Protected Health Information2013-06-26T18:46:10Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATE: '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which is defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below.<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below.<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.<br />
<br />
===Request for restrictions=== <br />
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Training Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes below.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Laws require reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
<br />
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. <br />
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure to healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Device Identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2098Use and Disclosure of Protected Health Information2013-06-26T18:45:54Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which is defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below.<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below.<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.<br />
<br />
===Request for restrictions=== <br />
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Training Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes below.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Laws require reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
<br />
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. <br />
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure to healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Device Identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2097Use and Disclosure of Protected Health Information2013-06-25T17:41:58Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which is defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below.<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below.<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.<br />
<br />
===Request for restrictions=== <br />
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Training Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes below.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Laws require reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
<br />
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. <br />
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure to healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Device Identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2096Use and Disclosure of Protected Health Information2013-06-25T17:39:30Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which is defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below.<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below.<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.<br />
<br />
===Request for restrictions=== <br />
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Training Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes below<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Laws require reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
<br />
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. <br />
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure to healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Device Identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2095Use and Disclosure of Protected Health Information2013-06-25T17:38:44Z<p>Spammer: /* Definitions */</p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which is defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below.<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below.<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.<br />
<br />
===Request for restrictions=== <br />
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Training Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes below<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Laws require reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
<br />
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. <br />
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure to healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Device Identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2094Use and Disclosure of Protected Health Information2013-06-25T17:35:45Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which is defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.<br />
<br />
===Request for restrictions=== <br />
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Training Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes below<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Laws require reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
<br />
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. <br />
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure to healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Device Identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2064Use and Disclosure of Protected Health Information2013-06-24T16:07:14Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Training Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
<br />
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. <br />
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Device Identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2063Use and Disclosure of Protected Health Information2013-06-24T15:57:33Z<p>Spammer: /* Use/Disclosure of PHI Related for Trainign Healthcare Professionals */</p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See [[Contracts|Contracts Policy]].<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Training Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2061Use and Disclosure of Protected Health Information2013-06-24T15:21:23Z<p>Spammer: /* Definitions */</p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See [[Contracts|Contracts Policy]].<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2060Use and Disclosure of Protected Health Information2013-06-24T15:20:29Z<p>Spammer: /* Policy */</p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /><br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See [[Contracts|Contracts Policy]].<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2059Use and Disclosure of Protected Health Information2013-06-24T15:20:08Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See [[Contracts|Contracts Policy]].<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI Related for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for Law Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Information===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2058Use and Disclosure of Protected Health Information2013-06-24T15:10:44Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> <br />
== Basis for Policy == <br />
To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See [[Contracts|Contracts Policy]].<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI RElated for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for LAw Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Informatin===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2057Use and Disclosure of Protected Health Information2013-06-24T14:53:02Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
== Basis for Policy == <br />
To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See [[Contracts|Contracts Policy]].<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI RElated for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for LAw Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Informatin===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2056Use and Disclosure of Protected Health Information2013-06-24T14:52:13Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
== Basis for Policy == <br />
To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See [[Contracts|Contracts Policy]].<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI RElated for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for LAw Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Informatin===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [45 CFR 164.502(b)]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2055Use and Disclosure of Protected Health Information2013-06-24T14:43:11Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
== Basis for Policy == <br />
To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See [[Contracts|Contracts Policy]].<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See Notice of Privacy Practices Policy.<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI RElated for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for LAw Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Informatin===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Note policy.<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [45 CFR 164.502(b)]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Conflict_of_Interest&diff=2054Conflict of Interest2013-06-24T14:40:25Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Copyright]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts Policy]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]]<br />
<br /><br /><br />
Policy No.: '''8010'''<br /><br />
Effective Date: '''09/04/07'''<br /><br />
Revised Date: '''08/30/2012'''; '''09/18/12'''; '''2/13/2013''', '''05/20/2013'''<br /><br />
Reviewed Date: '''05/20/2013'''<br />
<br /><br /><br />
<big>'''Conflict of Interest Policy'''</big> <br />
== Basis for Policy ==<br />
Statutes, regulations, University policies and accreditation standards related to conflict of interest identification and management are: <br />
#"Responsibility of Applicants for Promoting Objectivity in Research for which Public Health Service Funding is Sought and Responsible Prospective Contractors" regulations at 42 CFR Part 50 and 45 CFR Part 94 <br />
#"Financial Disclosure by Clinical Investigators" Food & Drug Administration regulations at 21 CFR Part 54 <br />
#Nebraska Conflict of Interest Statute at Neb. Rev. Stat. §49-1493 et. seq. <br />
#Bylaws of the Board of Regents of the University of Nebraska Sections 3.10, 3.45 and 3.8 <br />
#Board of Regents Conflict of Interest Policy, RP-3.2.8 <br />
#Board of Regents Patent & Technology Policy, RP-4.4.2 <br />
#UNMC Human Research Protections Policy #3.12, "Identification and Management of Potential Financial Conflicts of Interest of Research Personnel" <br />
#UNMC Policy No. 1049, [[Outside Employment]] <br />
#UNMC "Interactions between College of Medicine Faculty, Staff & Trainees and Health Care Vendors" policy <br />
== Policy ==<br />
Potential conflicts of interest arise in a variety of circumstances in the academic health sciences center environment when an individual's private financial interests either conflict with or create the appearance of conflicting with UNMC's public interests. This policy applies to potential conflict of interest arising in any UNMC activity, including but not limited to research, teaching, patient care, outreach to underserved populations and the associated business activities in support of them. Covered Persons shall disclose all financial interests related to their University of Nebraska responsibilities so that an analysis of potential conflict of interest may be conducted. When a conflict of interest is identified, the conflict will either be managed or eliminated to reduce the appearance of bias and maintain responsible stewardship of public resources. This policy shall be publicly posted in the UNMC [[Policies and Procedures]] manual on the UNMC internet site. <br />
== Definitions ==<br />
'''Covered Person''' under Regents Policy 3.2.8 shall mean: <br />
#University administrative officers and employees, specifically including any University employees with delegated signature, purchasing or contracting authority on behalf of the university; <br />
#University employees and faculty engaged in outside employment or other activities specified in this policy (tech transfer/use of University facilities or equipment) that may create a Conflict of Interest; and <br />
#Sponsored research investigators who participate in sponsored research; and non-sponsored research investigators participating in human subjects or animal subjects research. <br />
'''Investigator''' under PHS regulations shall mean the project director or principal investigator and any other person, regardless of title or position, who is responsible for the design, conduct or reporting of research which may include graduate students, post-docs, residents, collaborators or consultants. <br />
'''Conflict of Interest (COI)''' under Regents Policy 3.2.8 shall mean situations when a Covered Person's direct or indirect personal financial interest, (whether or not the value is readily ascertainable) may compromise, or have the appearance of compromising, the Covered Person's professional judgment or behavior in carrying out his or her obligations to the University of Nebraska. This includes indirect personal financial interests of a Covered Person that may be obtained through third parties such as a Covered Person's immediate family, business relationships, fiduciary relationships, or investments.<br /><br />
<br />
'''Equity''' includes any stock, stock option, or other ownership interest, as determined through reference to public prices or other reasonable measures of fair market value. <br /><br />
<br />
'''Financial Conflict of Interest (FCOI)''' under PHS regulations means a Significant Financial Interest that the COI Officer or COI committee reasonably determines could directly and significantly affect the design, conduct or reporting of research. <br /><br />
<br />
'''Immediate Family''' under Regents Policy 3.2.8 shall mean an individual who is a spouse, child, brother, sister, grandchild, or grandparent, by blood, marriage, or adoption of the Covered Person. <br /><br />
<br />
'''Institutional Conflict of Interest (ICOI)''' may occur when the University or a Covered Person in a senior administrative position has a financial interest in a commercial entity that itself has an interest in a University research project, including potential conflicts with equity/ownership interests or royalty arrangements. <br /><br />
<br />
'''Institutional Responsibilities''' means professional responsibilities on behalf of the University of Nebraska which may include activities such as professional service including patient care, teaching, research & research consultation, outreach, administrative, institutional committee membership including service on panels such as the Institutional Review Board or Data and Safety Monitoring Boards, and other duties as specified in the Covered Person's job description and/or employment agreement. <br /><br />
<br />
'''Remuneration''' includes salary and any payment for services not otherwise identified as salary including but not limited to consulting fees, honoraria, and paid authorship. <br /><br />
<br />
'''Senior/Key Personnel''' means the Project Director (PD)/Principal Investigator (PI) and any other person identified as senior/key personnel in the UNMC grant application, progress report, or any other report submitted to the PHS by UNMC. <br /><br />
<br />
'''Significant Financial Interest''' means a financial interest of the Investigator or his/her Immediate Family Member that reasonably appears to be related to the Investigator's Institutional Responsibilities, and: <br />
#If with a publicly traded entity, the value of any remuneration received from the entity in the twelve months preceding the disclosure and the value of any equity interest in the entity as of the date of the disclosure, when aggregated, exceeds $5,000; <br />
#If with a non-publicly traded entity, the value of any remuneration received exceeds $5,000 or when a research Investigator or Immediate Family holds any equity interest; <br />
#Intellectual property rights and interests upon receipt of income related to such rights and interests, excluding income paid by the University of Nebraska.; <br />
#For PHS-funded research investigators, includes reimbursed or sponsored travel, excluding travel that is reimbursed or sponsored by a Federal, state, or local government agency, an Institution of higher education, an academic teaching hospital, a medical center, or a research institute affiliated with an Institution of higher education. <br />
==Conflict of Interest Management Roles and Responsibilities ==<br />
===COI Officer===<br />
The UNMC Conflict of Interest Officer shall be responsible for implementing the UNMC COI management program. The COI management program shall also include review and approval of the "Application for Authorization to Engage in Outside Professional Activity" forms as delegated by the Chancellor with associated management of conflict of commitment under Regents Policy 3.8. and UNMC Policy 1049, [[Outside Employment]]. The COI Officer shall: <br />
#Ensure UNMC policy meets Board of Regents policy and state and federal regulatory requirements; <br />
#Implement annual disclosure requirements for Covered Persons and monitor to ensure compliance. The UNMC electronic Annual Disclosure of Financial Interest form is incorporated into this policy by reference. The Annual Disclosure of Interest and Application for Authorization to Engage in Outside Professional Activity forms are located at: http://net.unmc.edu/rss/ . <br />
#Coordinate identified conflict of interest matters with Sponsored Programs Administration, UNeMED, the Institutional Review Board (IRB), the Institutional Animal Care and Use (IACUC) committee, the Associate Vice Chancellor, Business and Finance (for business COI), and the Continuing Medical and Nursing Education offices as relevant. Whenever a potential COI involving activities with another University of Nebraska campus or university affiliated entity is disclosed or identified, notify the other campus or university affiliated entity COI contact and collaboratively review and manage the potential COI.<br />
#'''COI Education.''' Provide COI education to covered persons at time of hire, and every four years thereafter, and immediate re-education when there are policy changes or when investigators fail to comply with the COI policy. For investigators conducting Public Health Service (PHS) sponsored research, education shall be completed prior to the expenditure of any PHS funds. <br />
#When Covered Persons have significant financial interests related to their institutional responsibilities, present information to the COI committee for potential COI management plan creation. <br />
#'''Report FCOI to PHS'''. When the COI committee has implemented a COI management plan for PHS-funded research, update the PHS e-Commons with the FCOI report provided by the COI committee. Provide initial, annual and revised FCOI reports, if applicable for both UNMC and its subrecipients. Revised FCOI reports shall be submitted within 60 days of identification for new Investigators added to a grant, or newly identified FCOIs for existing investigators. The FCOI report shall contain the following elements: <br />
##The role and principal duties of the conflicted Investigator in the research project; <br />
##Conditions of the management plan; <br />
##How the management plan is designed to safeguard objectivity in the research project; <br />
##Confirmation of the Investigator's agreement to the management plan; <br />
##How the management plan will be monitored to ensure Investigator compliance; and <br />
##Other information as needed. <br />
#'''Conduct retrospective review.''' If UNMC identifies a significant financial interest that was not disclosed by a research Investigator in a timely manner, or was not reviewed by UNMC, the COI officer shall, within sixty (60) days: review the significant financial interest and determine whether it is related to PHS-funded research. The COI committee shall determine whether a financial conflict of interest exists, and, if so, implement an interim COI management plan. Within 120 days, the COI committee shall complete a documented retrospective review of the research Investigator's activities and the PHS-funded research project to determine whether any PHS-funded research conducted during the period of non-compliance was biased in the design, conduct or reporting of such research. The documented review shall contain all of the elements required by the PHS regulations. <br />
#'''Reporting Bias & Mitigation Report.''' If bias is found with the design, conduct or reporting of PHS-funded research, the COI Officer shall notify the PHS awarding component promptly and submit a Mitigation Report containing the retrospective review information and a description of the impact of the bias on the research project and UNMC's plan of actions taken to eliminate or mitigate the effect of the bias. <br />
#If the research is clinical research whose purpose is to evaluate the safety or effectiveness of a drug, medical device, or treatment, the COI committee shall require the Investigator to disclose the FCOI in each public presentation of the results of the research, and request an addendum to previously published presentations, in addition to any applicable disclosure listed below in Disclosure of Financial Interest. <br />
#'''Public Disclosure.''' Disclose Financial Conflicts of Interest (FCOI) of senior/key personnel involved in Public Health Service funded research only as determined by the COI Committee in response to public requests within five (5) business days of the request as required by PHS regulations. These requests shall be coordinated with the University of Nebraska Records Management Officer. <br />
#'''Board of Regents Annual Report.''' Submit the annual Conflict of Interest and Outside Activities report to the University of Nebraska Director of Internal Audit and Advisory Services for review by the Board of Regents Audit Committee. <br />
===Covered Persons===<br />
#'''Annual Disclosure of Financial Interest.''' Individuals covered under this COI policy shall complete a UNMC Annual Disclosure of Financial Interest Questionnaire through the UNMC electronic e-Disclosure system annually. Covered Persons shall receive an e-mail notification from the Compliance Department to complete the form. The UNMC Disclosure of Financial Interest form contains all elements required under Board of Regents policy and federal regulations (including PHS regulations) and is incorporated into this policy by reference. The e-Disclosure system may be accessed through the Research Support System (RSS) website at: http://net.unmc.edu/rss/ . Individuals shall disclose all financial interests related to their University of Nebraska (institutional) responsibilities. <br />
#'''Research Investigators''' shall review and update their Annual Disclosure of Financial Interest when sponsored grants and contracts are submitted, including PHS-funded research. Investigators shall update their Annual Disclosure of Financial Interest form within thirty (30) days of discovering or acquiring a Significant Financial Interest and on an annual basis thereafter during the period of the award. <br />
#'''Education.''' Covered Persons shall complete education on Board of Regents COI policy, UNMC COI policy, and PHS COI regulations, and their disclosure responsibilities prior to initially completing the Annual UNMC Disclosure of Financial Interest, and every four (4) years thereafter. Covered Persons shall not spend any PHS research funds until education has been completed. <br />
#'''Disclosure of Financial Interest.''' Covered Persons who are research Investigators shall disclose the nature of all financial interests related to their research (e.g. consulting advisory board, intellectual property) in all publications and presentations and to all UNMC personnel involved in the research project, including students. In human subjects research, Investigators shall disclose their financial interests related to the research in the informed consent, as required by UNMC HRPP Policy 3.01. <br />
#'''Appeal Rights.''' Covered Persons may appeal adverse decisions made under this policy to the Vice Chancellor for Academic Affairs. The appeal shall be in writing and contain a description of the adverse decision, justification for why the decision should be changed, and the change desired. The appeal request shall be submitted to the COI Officer. The VCAA shall respond in writing to the Covered Person with his/her decision within thirty (30) days of receipt. The VCAA's decision is final. <br />
===COI Committee.===<br />
The UNMC COI Committee composition and operating procedures are contained in Appendix A. The COI Officer shall be a member of the COI committee and shall provide administrative support for the committee. The COI committee shall: <br />
#Provide oversight over the UNMC COI program, advise the COI officer, and provide guidance on UNMC COI policy matters. <br />
#Review Significant Financial Interests. Review Disclosures of Financial Interest in the amount of $5,000 and above for research Investigators and determine if these Significant Financial Interests are related to the research, and, if so related, whether the Significant Financial Interest constitutes a Financial Conflict of Interest. A Significant Financial Interest is a Financial Conflict of Interest if it could directly and significantly affect the design, conduct , or reporting of research, including PHS-funded research. <br />
#Create COI Management Plans for Financial Conflicts of Interest. <br />
#Conduct retrospective reviews of newly identified Significant Financial Interests as described in Conduct Retrps[ectove Review above. <br />
#Review COI Policy violations and recommend sanctions, if appropriate, to the Vice Chancellor Academic Affairs and to the appropriate UNMC administrator responsible for supervision of the individual(s) violating the policy. <br />
===Sponsored Programs Administration===<br />
Sponsored Programs Administration shall: <br />
#Notify all research Investigators submitting sponsored grant/contract proposals to review their Annual Disclosure of Financial Interest form and update the information as needed. Sponsored Programs Administration shall verify review has been completed for all applications. <br />
#Coordinate with the COI Officer when Investigators disclose significant financial interests related to the sponsored project to determine if a COI management plan is required. <br />
'''Subrecipients.''' Include provisions in PHS-funded subrecipient agreements that: <br />
#the subrecipient certifies that its FCOI policy complies with PHS regulations or in the alternative that the subrecipient will follow the UNMC COI policy; and <br />
#the subrecipient shall report identified FCOIs for its Investigators in a timely manner so UNMC can report identified FCOIs to the PHS in the time frames in '''Repprt FCOI to PHS''' and '''Conduct retrospective review''' above. <br />
===Associate Vice Chancellor, Business and Finance===<br />
The Associate Vice Chancellor of Business and Finance shall manage business conflict of interest by reviewing all Annual Disclosure of Financial Interest questionnaires completed by Covered Persons with contract signature authority under Executive Memorandum 13 and 14; Covered Persons with purchasing authority; Covered Persons who identify family member(s) with a financial interest with the University of Nebraska; and any other potential business-related financial interest identified by the COI Officer through the annual COI disclosure process or by any other person at UNMC. Business COI management plans shall be created to minimize the appearance of bias in decision-making and ensure state and federal regulations and University of Nebraska business-related policies are followed. Business COI management plans shall be reported through the UNMC COI committee and reported on the Annual COI report to the Board of Regents Audit committee. <br />
===Institutional Review Board (IRB)===<br />
The IRB shall require all Covered Persons listed on the IRB application who have a financial interest to update their Annual Disclosure of Financial Interest form pursuant to UNMC HRPP Policy #3.12. The IRB shall review and approve proposed COI management plans as described in HRPP Policy #3.12. <br />
===UNeMED===<br />
The President of UNeMED or designee shall coordinate with the COI officer on UNeMED activities where it appears that a Covered Person's or UNMC's financial interest may be a potential individual or institutional conflict of interest, including intellectual property interests and equity interests involving technology transfer companies. <br />
===Continuing Education Offices===<br />
UNMC is accredited by the Accreditation Council for Continuing Medical Education (ACCME). The Continuing Medical Education (CME) office shall review disclosures of financial interest for UNMC employees who are serving as course directors, faculty or peer reviewers for UNMC CME courses, as required by the ACCME Standards for Commercial Support. <br />
==Institutional Conflict of Interest Management ==<br />
In order to avoid real or perceived favoritism in relationships with research sponsors, each/every potential Institutional COI shall be reported. Any Covered Person who has knowledge of potential Institutional COI shall report the information to the COI Officer. Potential Institutional COI may be identified through the Annual Disclosure of Financial Interest questionnaire for senior administrative personnel. The COI Officer shall convene a group of senior UNMC officials appointed by the Chancellor to review the disclosure and propose a management plan for Chancellor approval if appropriate. It is important to note that PHS COI regulations do not cover institutional conflict of interest. <br />
==Records Retention==<br />
All Disclosure of Financial Interest information, COI management plans and all Public Health Service-funded Financial Conflict of Interest-related records shall be retained for the fiscal year in which the grant or contract is closed plus seven (7) years as required by Board of Regents Records Retention Schedule 170-8, "Sponsored Projects (Grants)". No destruction of records shall take place if there is a Preservation Hold in effect, or if any litigation, claim, negotiation, audit or other actions involving the records have been started before the expiration of the retention period. The records must be retained until completion of the action and resolution of all issues which arise from it, or the seven year retention period, whichever is later, as required under 45 CFR 74.53 and 92.42. <br />
==Public Accessibility of PHS-funded Senior/Key Personnel FCOI ==<br />
Upon request, the COI Officer shall make available to the public information concerning identified FCOIs held by Senior/Key personnel receiving PHS research funding as required by PHS regulations. Information shall be provided in writing within five (5) business days of the request. The COI officer shall coordinate these public requests with the University of Nebraska Records Management Officer. All other financial interest disclosure information and conflict of interest determinations shall remain confidential and may be withheld from the public as permitted under Neb. Rev. Stat. 84-712.05, "Records which may be withheld from the public; enumerated." <br />
==Sanctions ==<br />
Covered Persons who violate this policy may receive corrective action under UNMC Policy No. 1098, [[Corrective/Disciplinary Action|Corrective and Disciplinary Action Policy]]. The COI Committee may also recommend other corrective action such as additional training, or for serious violations, recommend that research funding be withheld or recommend other appropriate sanctions to maintain the integrity of the research. The Vice Chancellor of Academic Affairs shall review and approve all proposed sanctions. The sanctions shall be coordinated with the respective Dean, Director or Vice Chancellor for enforcement. <br />
<br />
==Additional Information==<br />
<P>For additional information, contact the [mailto:swrobel@unmc.edu Chief Compliance Officer].<br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].<br />
<br />
== Policy 8010 Appendix A ==<br />
<big>Conflict of Interest Committee (COIC) Governance</big><br /><br />
'''COI Committee Composition.''' The COI Committee shall have at least 16 members representing the following areas: </P><br />
<P><br />
{| class="wikitable" border="1"<br />
|-<br />
| College of Medicine<br />
| Vice Chancellor for Business & Finance<br />
|-<br />
| College of Dentistry<br />
| Vice Chancellor for Research<br />
|-<br />
| College of Pharmacy<br />
| Compliance/Conflict of Interest Officer<br />
|-<br />
| College of Nursing<br />
| Sponsored Programs Administration<br />
|-<br />
| College of Public Health<br />
| Institutional Review Board<br />
|-<br />
| Eppley Cancer Institute<br />
| Associate General Counsel for Healthcare<br />
|-<br />
| Munroe Meyer Institute<br />
| Center for Continuing Medical Education<br />
|-<br />
| Vice Chancellor for Academic Affairs<br />
| Community Member<br />
|}<br />
<br />
'''Membership Term.''' COI Committee members shall serve for a term of three years, which may be automatically renewed upon mutual agreement of the member and the Chancellor or his/her designee. New members shall be nominated by the department/unit and approved by the Vice Chancellor of Academic Affairs or his/her designee. The Chancellor or his/her designee shall appoint a faculty chair of the COI Committee. The Vice Chancellor of Academic Affairs or his/her designee shall select the community member. The Chancellor or his designee can appoint additional voting and non-voting members. <br /><br />
<br /><br />
<br />
'''Quorum.''' A quorum is required for meetings to be conducted. More than half of the membership present will constitute a quorum.<br /><br />
<br /><br />
'''Voting.''' All committee members are eligible to vote. No regular motion shall pass unless a majority of the COI Committee members present vote in favor of the motion.<br /><br />
<br /><br />
'''COIC Member Conflicts.''' If a COIC member has a conflict of interest with a specific matter being discussed, the member shall declare that he/she has a potential conflict and shall not vote on the matter. Such conflicts may arise when:<br />
#the member is participating in the research under review;<br />
#the member has a financial relationship with a research sponsor under review; or <br />
#the member has a personal relationship or conflict with the individual under review that could potentially cause the member to be perceived as less than objective in his/her review.<br />
'''Committee Review by Telephone/Electronically'''. While face-to-face meetings will normally be held, committee review of potential conflicts may be conducted by telephone or electronically at the discretion of the COI Committee chair.<br /><br />
<br /><br />
'''Meeting Minutes.''' The COI Coordinator chair shall prepare meeting minutes and present them for approval at the next scheduled COI Committee meeting.<br />
== Additional Information ==<br />
Contact the [mailto:swrobel@unmc.edu Chief Compliance Officer]<br /><br />
Contact the [mailto:dthomas@unmc.edu Associate Vice Chancellor for Business and Finance] <br /><br />
[[Conflict_of_Interest_Procedures|Conflict of Interest Procedures]]<br /><br />
[http://webmedia.unmc.edu/policy/8010-1.doc Appendix 1 - Disclosure of Potential Business Conflict of Interest]<br /><br />
[[Research Conflict of Interest Procedures]]<br /><br />
[[Outside Employment]] Policy<br /><br />
[http://www.unmc.edu/hr/Forms/outactapp.pdf Application for Permission to Engage in Professional Activity Outside the University]<br /><br />
[http://webmedia.unmc.edu/policy/COIForm.doc Disclosure of Potential Conflict of Interest Form] <br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2053Use and Disclosure of Protected Health Information2013-06-24T14:34:49Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
== Basis for Policy == <br />
To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. (45 CFR 164.502)<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See Contracts Policy.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See Notice of Privacy Practices Policy.<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI RElated for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for LAw Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Informatin===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Note policy.<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [45 CFR 164.502(b)]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
===De-Identification /Re-Identification of PHI (164.514)===<br />
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PPHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:<br />
:#Names<br />
:#All geographic subdivisions smaller than a state<br />
:#All elements of dates except year, for dates related to individual<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Accounts numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers<br />
:#Web Universal Resource Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints<br />
:#Full face photographic images and other comparable images and<br />
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below<br />
<br />
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under VIIA about to be re-identified by UNMC, provided that:<br />
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and<br />
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. <br />
<br />
==Staff Accountability==<br />
[mailto:swrobel@unmc.edu Privacy Officer] <br />
<br />
<br />
This page is maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2052Use and Disclosure of Protected Health Information2013-06-24T14:25:18Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
== Basis for Policy == <br />
To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. (45 CFR 164.502)<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See Contracts Policy.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See Notice of Privacy Practices Policy.<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI RElated for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
===Use/Disclosure of PHI for LAw Enforcement Purposes===<br />
PHI may be disclosed to law enforcement under the following circumstances:<br />
:#Law requires reporting violent wounds to law enforcement<br />
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)<br />
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. <br />
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples<br />
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.<br />
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.<br />
:#Crime (or suspected crime) occurred on UNMC campus.<br />
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)<br />
<br />
===Use/Disclosure of PHI for Marketing===<br />
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.<br />
Additionally the following activities are not marketing under HIPAA:<br />
:#Communication for treatment of the individual.<br />
:#Communications for case management or care coordinator for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. <br />
:#Providing refill reminders or otherwise communication about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
<br />
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.<br />
<br />
===Use/Disclosure of PHI for Fundraising===<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
:#Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. Fundraising involving PHI should be coordinated with the NU Foundation. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth<br />
:#Dates of healthcare provided to an individual<br />
:#Department of service information<br />
:#Treating physician<br />
:#Outcome information; and <br />
:#Health insurance status<br />
<br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br />
<br />
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.<br />
<br />
===Use/Disclosure of PHI for Research===<br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br />
<br />
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm<br />
<br />
===Sale of Protected Health Informatin===<br />
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:<br />
:#For public health purposes<br />
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes<br />
:#For treatment and payment purposes<br />
:#To an individual where the individual is requesting access to their own PHI<br />
:#Required by law; and<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
<br />
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.<br />
<br />
===Authorization Required for all other Uses/Disclosures===<br />
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Note policy.<br />
<br />
===Minimum Necessary===<br />
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [45 CFR 164.502(b)]<br />
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:<br />
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI<br />
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.<br />
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.<br />
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).<br />
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.<br />
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:<br />
:##Disclosure of healthcare providers for treatment purposes<br />
:##Disclosures required by law<br />
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual<br />
:##Disclosure made to the Secretary of HHS for enforcement purposes<br />
:##Electronic data elements transmitted in electronic claims<br />
<br />
===Limited Data Set===<br />
A limited data set of PHI may be used and disclosed for the purposes of research, public healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:<br />
:#Names<br />
:#Postal address information, other than town or city, state or zip code<br />
:#Telephone numbers<br />
:#Fax numbers<br />
:#Electronic mail addresses<br />
:#Social security numbers<br />
:#Medical record numbers<br />
:#Health plan beneficiary numbers<br />
:#Account numbers<br />
:#Certificate/license numbers<br />
:#Vehicle identifiers and serial numbers, including license numbers<br />
:#Device identifiers and serial numbers<br />
:#Web Universal Resources Locators (URLs)<br />
:#Internet Protocol (IP) address numbers<br />
:#Biometric identifiers, including finger and voice prints; and<br />
:#Full face photographic images and any comparable images<br />
<br />
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. <br />
<br />
<br />
This page updated on Monday, February 16, 2004, by dkp.</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2051Use and Disclosure of Protected Health Information2013-06-24T14:04:32Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
== Basis for Policy == <br />
To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. (45 CFR 164.502)<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
===Use/Disclosure of PHI Related to Healthcare===<br />
<br />
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.<br />
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.<br />
:#The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.<br />
<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See Contracts Policy.<br />
<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See Notice of Privacy Practices Policy.<br />
<br />
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:<br />
:#Use of their name, location and general condition in the facility directory.<br />
:#Disclosure of religious affiliation to clergy members.<br />
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.<br />
<br />
Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.<br />
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.<br />
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.<br />
<br />
===Use/Disclosure of PHI RElated for Trainign Healthcare Professionals===<br />
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.<br />
<br />
===Use/Disclosure of PHI Permitted/Required by Law===<br />
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:<br />
:#Disclosure required by law<br />
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)<br />
:##Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.<br />
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.<br />
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.<br />
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.<br />
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.<br />
:#Disclosure about decedents to medical examiners and coroners consistent with law.<br />
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.<br />
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.<br />
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.<br />
:#Disclosures about military personnel to military command authority in limited circumstances.<br />
<br />
<br />
<br />
<br />
This page updated on Monday, February 16, 2004, by dkp.</div>Spammerhttps://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&diff=2050Use and Disclosure of Protected Health Information2013-06-24T13:49:29Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" <br />
width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]<br />
<br /><br /><br />
POLICY NO: '''6057'''<br /><br />
EFFECTIVE DATE: '''03/17/03'''<br /><br />
REVISED DATES: '''02/04/2010''', '''05/29/2013'''<br /><br />
LAST REVIEWED DATE: '''05/29/2013'''<br /><br />
<br />
== Basis for Policy == <br />
To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. (45 CFR 164.502)<br /><br />
<br /> <br />
<br />
== Policy == <br />
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br /><br />
<br /> <br />
<br />
== Definitions ==<br />
<br /> <br />
'''Treatment''' means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
<br />
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities<br />
<br />
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:<br />
<br />
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included<br />
:#Population-based activities relating to improving health or reducing health care costs<br />
:#Protocol development<br />
:#Contacting of health care providers and patients with information about treatment alternatives<br />
:#Case management and care coordination<br />
:#Risk assessment<br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans<br />
:#Training future healthcare professionals (students and residents)<br />
:#Conducting or arranging for legal services<br />
:#Business planning and development<br />
:#Business management activities<br />
:#General administrative and business functions<br />
:#Conducting or arranging for medical review and auditing services<br />
:#Insurance activities relating to the renewal of a contract of insurance<br />
:#Evaluating healthcare provider and plan performance<br />
:#Resolution of internal grievances<br />
:#Fundraising<br />
<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that<br />
<br />
:#Is created or received by ACE; and<br />
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.<br />
<br />
Protected Health Information includes genetic information containing individual identifiers which are defined as:<br />
:#Information about an individual's gentic tests; or<br />
:#The genetic tests of family members of the individual; or<br />
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) <br />
<br />
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing<br />
<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research<br />
<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information<br />
<br />
<br />
== Procedures ==<br />
<br /><br />
<br />
<br />
<br />
<br />
This page updated on Monday, February 16, 2004, by dkp.</div>Spammerhttps://wiki.unmc.edu/index.php?title=Conflict_of_Interest&diff=1916Conflict of Interest2013-06-19T14:49:54Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Copyright]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts Policy]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]]<br />
<br /><br /><br />
Policy No.: '''8010'''<br /><br />
Effective Date: '''09/04/07'''<br /><br />
Revised Date: '''08/30/2012'''; '''09/18/12'''; '''2/13/2013''', '''05/20/2013'''<br /><br />
Reviewed Date: '''05/20/2013'''<br />
<br /><br /><br />
<big>'''Conflict of Interest Policy'''</big> <br />
== Basis for Policy ==<br />
Statutes, regulations, University policies and accreditation standards related to conflict of interest identification and management are: <br />
#"Responsibility of Applicants for Promoting Objectivity in Research for which Public Health Service Funding is Sought and Responsible Prospective Contractors" regulations at 42 CFR Part 50 and 45 CFR Part 94 <br />
#"Financial Disclosure by Clinical Investigators" Food & Drug Administration regulations at 21 CFR Part 54 <br />
#Nebraska Conflict of Interest Statute at Neb. Rev. Stat. §49-1493 et. seq. <br />
#Bylaws of the Board of Regents of the University of Nebraska Sections 3.10, 3.45 and 3.8 <br />
#Board of Regents Conflict of Interest Policy, RP-3.2.8 <br />
#Board of Regents Patent & Technology Policy, RP-4.4.2 <br />
#UNMC Human Research Protections Policy #3.12, "Identification and Management of Potential Financial Conflicts of Interest of Research Personnel" <br />
#UNMC Policy No. 1049, [[Outside Employment]] <br />
#UNMC "Interactions between College of Medicine Faculty, Staff & Trainees and Health Care Vendors" policy <br />
== Policy ==<br />
Potential conflicts of interest arise in a variety of circumstances in the academic health sciences center environment when an individual's private financial interests either conflict with or create the appearance of conflicting with UNMC's public interests. This policy applies to potential conflict of interest arising in any UNMC activity, including but not limited to research, teaching, patient care, outreach to underserved populations and the associated business activities in support of them. Covered Persons shall disclose all financial interests related to their University of Nebraska responsibilities so that an analysis of potential conflict of interest may be conducted. When a conflict of interest is identified, the conflict will either be managed or eliminated to reduce the appearance of bias and maintain responsible stewardship of public resources. This policy shall be publicly posted in the UNMC [[Policies and Procedures]] manual on the UNMC internet site. <br />
== Definitions ==<br />
'''Covered Person''' under Regents Policy 3.2.8 shall mean: <br />
#University administrative officers and employees, specifically including any University employees with delegated signature, purchasing or contracting authority on behalf of the university; <br />
#University employees and faculty engaged in outside employment or other activities specified in this policy (tech transfer/use of University facilities or equipment) that may create a Conflict of Interest; and <br />
#Sponsored research investigators who participate in sponsored research; and non-sponsored research investigators participating in human subjects or animal subjects research. <br />
'''Investigator''' under PHS regulations shall mean the project director or principal investigator and any other person, regardless of title or position, who is responsible for the design, conduct or reporting of research which may include graduate students, post-docs, residents, collaborators or consultants. <br />
'''Conflict of Interest (COI)''' under Regents Policy 3.2.8 shall mean situations when a Covered Person's direct or indirect personal financial interest, (whether or not the value is readily ascertainable) may compromise, or have the appearance of compromising, the Covered Person's professional judgment or behavior in carrying out his or her obligations to the University of Nebraska. This includes indirect personal financial interests of a Covered Person that may be obtained through third parties such as a Covered Person's immediate family, business relationships, fiduciary relationships, or investments.<br /><br />
<br />
'''Equity''' includes any stock, stock option, or other ownership interest, as determined through reference to public prices or other reasonable measures of fair market value. <br /><br />
<br />
'''Financial Conflict of Interest (FCOI)''' under PHS regulations means a Significant Financial Interest that the COI Officer or COI committee reasonably determines could directly and significantly affect the design, conduct or reporting of research. <br /><br />
<br />
'''Immediate Family''' under Regents Policy 3.2.8 shall mean an individual who is a spouse, child, brother, sister, grandchild, or grandparent, by blood, marriage, or adoption of the Covered Person. <br /><br />
<br />
'''Institutional Conflict of Interest (ICOI)''' may occur when the University or a Covered Person in a senior administrative position has a financial interest in a commercial entity that itself has an interest in a University research project, including potential conflicts with equity/ownership interests or royalty arrangements. <br /><br />
<br />
'''Institutional Responsibilities''' means professional responsibilities on behalf of the University of Nebraska which may include activities such as professional service including patient care, teaching, research & research consultation, outreach, administrative, institutional committee membership including service on panels such as the Institutional Review Board or Data and Safety Monitoring Boards, and other duties as specified in the Covered Person's job description and/or employment agreement. <br /><br />
<br />
'''Remuneration''' includes salary and any payment for services not otherwise identified as salary including but not limited to consulting fees, honoraria, and paid authorship. <br /><br />
<br />
'''Senior/Key Personnel''' means the Project Director (PD)/Principal Investigator (PI) and any other person identified as senior/key personnel in the UNMC grant application, progress report, or any other report submitted to the PHS by UNMC. <br /><br />
<br />
'''Significant Financial Interest''' means a financial interest of the Investigator or his/her Immediate Family Member that reasonably appears to be related to the Investigator's Institutional Responsibilities, and: <br />
#If with a publicly traded entity, the value of any remuneration received from the entity in the twelve months preceding the disclosure and the value of any equity interest in the entity as of the date of the disclosure, when aggregated, exceeds $5,000; <br />
#If with a non-publicly traded entity, the value of any remuneration received exceeds $5,000 or when a research Investigator or Immediate Family holds any equity interest; <br />
#Intellectual property rights and interests upon receipt of income related to such rights and interests, excluding income paid by the University of Nebraska.; <br />
#For PHS-funded research investigators, includes reimbursed or sponsored travel, excluding travel that is reimbursed or sponsored by a Federal, state, or local government agency, an Institution of higher education, an academic teaching hospital, a medical center, or a research institute affiliated with an Institution of higher education. <br />
==Conflict of Interest Management Roles and Responsibilities ==<br />
===COI Officer===<br />
The UNMC Conflict of Interest Officer shall be responsible for implementing the UNMC COI management program. The COI management program shall also include review and approval of the "Application for Authorization to Engage in Outside Professional Activity" forms as delegated by the Chancellor with associated management of conflict of commitment under Regents Policy 3.8. and UNMC Policy 1049, [[Outside Employment]]. The COI Officer shall: <br />
#Ensure UNMC policy meets Board of Regents policy and state and federal regulatory requirements; <br />
#Implement annual disclosure requirements for Covered Persons and monitor to ensure compliance. The UNMC electronic Annual Disclosure of Financial Interest form is incorporated into this policy by reference. The Annual Disclosure of Interest and Application for Authorization to Engage in Outside Professional Activity forms are located at: http://net.unmc.edu/rss/ . <br />
#Coordinate identified conflict of interest matters with Sponsored Programs Administration, UNeMED, the Institutional Review Board (IRB), the Institutional Animal Care and Use (IACUC) committee, the Associate Vice Chancellor, Business and Finance (for business COI), and the Continuing Medical and Nursing Education offices as relevant. Whenever a potential COI involving activities with another University of Nebraska campus or university affiliated entity is disclosed or identified, notify the other campus or university affiliated entity COI contact and collaboratively review and manage the potential COI.<br />
#'''COI Education.''' Provide COI education to covered persons at time of hire, and every four years thereafter, and immediate re-education when there are policy changes or when investigators fail to comply with the COI policy. For investigators conducting Public Health Service (PHS) sponsored research, education shall be completed prior to the expenditure of any PHS funds. <br />
#When Covered Persons have significant financial interests related to their institutional responsibilities, present information to the COI committee for potential COI management plan creation. <br />
#'''Report FCOI to PHS'''. When the COI committee has implemented a COI management plan for PHS-funded research, update the PHS e-Commons with the FCOI report provided by the COI committee. Provide initial, annual and revised FCOI reports, if applicable for both UNMC and its subrecipients. Revised FCOI reports shall be submitted within 60 days of identification for new Investigators added to a grant, or newly identified FCOIs for existing investigators. The FCOI report shall contain the following elements: <br />
##The role and principal duties of the conflicted Investigator in the research project; <br />
##Conditions of the management plan; <br />
##How the management plan is designed to safeguard objectivity in the research project; <br />
##Confirmation of the Investigator's agreement to the management plan; <br />
##How the management plan will be monitored to ensure Investigator compliance; and <br />
##Other information as needed. <br />
#'''Conduct retrospective review.''' If UNMC identifies a significant financial interest that was not disclosed by a research Investigator in a timely manner, or was not reviewed by UNMC, the COI officer shall, within sixty (60) days: review the significant financial interest and determine whether it is related to PHS-funded research. The COI committee shall determine whether a financial conflict of interest exists, and, if so, implement an interim COI management plan. Within 120 days, the COI committee shall complete a documented retrospective review of the research Investigator's activities and the PHS-funded research project to determine whether any PHS-funded research conducted during the period of non-compliance was biased in the design, conduct or reporting of such research. The documented review shall contain all of the elements required by the PHS regulations. <br />
#'''Reporting Bias & Mitigation Report.''' If bias is found with the design, conduct or reporting of PHS-funded research, the COI Officer shall notify the PHS awarding component promptly and submit a Mitigation Report containing the retrospective review information and a description of the impact of the bias on the research project and UNMC's plan of actions taken to eliminate or mitigate the effect of the bias. <br />
#If the research is clinical research whose purpose is to evaluate the safety or effectiveness of a drug, medical device, or treatment, the COI committee shall require the Investigator to disclose the FCOI in each public presentation of the results of the research, and request an addendum to previously published presentations, in addition to any applicable disclosure listed below in Disclosure of Financial Interest. <br />
#'''Public Disclosure.''' Disclose Financial Conflicts of Interest (FCOI) of senior/key personnel involved in Public Health Service funded research only as determined by the COI Committee in response to public requests within five (5) business days of the request as required by PHS regulations. These requests shall be coordinated with the University of Nebraska Records Management Officer. <br />
#'''Board of Regents Annual Report.''' Submit the annual Conflict of Interest and Outside Activities report to the University of Nebraska Director of Internal Audit and Advisory Services for review by the Board of Regents Audit Committee. <br />
===Covered Persons===<br />
#'''Annual Disclosure of Financial Interest.''' Individuals covered under this COI policy shall complete a UNMC Annual Disclosure of Financial Interest Questionnaire through the UNMC electronic e-Disclosure system annually. Covered Persons shall receive an e-mail notification from the Compliance Department to complete the form. The UNMC Disclosure of Financial Interest form contains all elements required under Board of Regents policy and federal regulations (including PHS regulations) and is incorporated into this policy by reference. The e-Disclosure system may be accessed through the Research Support System (RSS) website at: http://net.unmc.edu/rss/ . Individuals shall disclose all financial interests related to their University of Nebraska (institutional) responsibilities. <br />
#'''Research Investigators''' shall review and update their Annual Disclosure of Financial Interest when sponsored grants and contracts are submitted, including PHS-funded research. Investigators shall update their Annual Disclosure of Financial Interest form within thirty (30) days of discovering or acquiring a Significant Financial Interest and on an annual basis thereafter during the period of the award. <br />
#'''Education.''' Covered Persons shall complete education on Board of Regents COI policy, UNMC COI policy, and PHS COI regulations, and their disclosure responsibilities prior to initially completing the Annual UNMC Disclosure of Financial Interest, and every four (4) years thereafter. Covered Persons shall not spend any PHS research funds until education has been completed. <br />
#'''Disclosure of Financial Interest.''' Covered Persons who are research Investigators shall disclose the nature of all financial interests related to their research (e.g. consulting advisory board, intellectual property) in all publications and presentations and to all UNMC personnel involved in the research project, including students. In human subjects research, Investigators shall disclose their financial interests related to the research in the informed consent, as required by UNMC HRPP Policy 3.01. <br />
#'''Appeal Rights.''' Covered Persons may appeal adverse decisions made under this policy to the Vice Chancellor for Academic Affairs. The appeal shall be in writing and contain a description of the adverse decision, justification for why the decision should be changed, and the change desired. The appeal request shall be submitted to the COI Officer. The VCAA shall respond in writing to the Covered Person with his/her decision within thirty (30) days of receipt. The VCAA's decision is final. <br />
===COI Committee.===<br />
The UNMC COI Committee composition and operating procedures are contained in Appendix A. The COI Officer shall be a member of the COI committee and shall provide administrative support for the committee. The COI committee shall: <br />
#Provide oversight over the UNMC COI program, advise the COI officer, and provide guidance on UNMC COI policy matters. <br />
#Review Significant Financial Interests. Review Disclosures of Financial Interest in the amount of $5,000 and above for research Investigators and determine if these Significant Financial Interests are related to the research, and, if so related, whether the Significant Financial Interest constitutes a Financial Conflict of Interest. A Significant Financial Interest is a Financial Conflict of Interest if it could directly and significantly affect the design, conduct , or reporting of research, including PHS-funded research. <br />
#Create COI Management Plans for Financial Conflicts of Interest. <br />
#Conduct retrospective reviews of newly identified Significant Financial Interests as described in Conduct Retrps[ectove Review above. <br />
#Review COI Policy violations and recommend sanctions, if appropriate, to the Vice Chancellor Academic Affairs and to the appropriate UNMC administrator responsible for supervision of the individual(s) violating the policy. <br />
===Sponsored Programs Administration===<br />
Sponsored Programs Administration shall: <br />
#Notify all research Investigators submitting sponsored grant/contract proposals to review their Annual Disclosure of Financial Interest form and update the information as needed. Sponsored Programs Administration shall verify review has been completed for all applications. <br />
#Coordinate with the COI Officer when Investigators disclose significant financial interests related to the sponsored project to determine if a COI management plan is required. <br />
'''Subrecipients.''' Include provisions in PHS-funded subrecipient agreements that: <br />
#the subrecipient certifies that its FCOI policy complies with PHS regulations or in the alternative that the subrecipient will follow the UNMC COI policy; and <br />
#the subrecipient shall report identified FCOIs for its Investigators in a timely manner so UNMC can report identified FCOIs to the PHS in the time frames in '''Repprt FCOI to PHS''' and '''Conduct retrospective review''' above. <br />
===Associate Vice Chancellor, Business and Finance===<br />
The Associate Vice Chancellor of Business and Finance shall manage business conflict of interest by reviewing all Annual Disclosure of Financial Interest questionnaires completed by Covered Persons with contract signature authority under Executive Memorandum 13 and 14; Covered Persons with purchasing authority; Covered Persons who identify family member(s) with a financial interest with the University of Nebraska; and any other potential business-related financial interest identified by the COI Officer through the annual COI disclosure process or by any other person at UNMC. Business COI management plans shall be created to minimize the appearance of bias in decision-making and ensure state and federal regulations and University of Nebraska business-related policies are followed. Business COI management plans shall be reported through the UNMC COI committee and reported on the Annual COI report to the Board of Regents Audit committee. <br />
===Institutional Review Board (IRB)===<br />
The IRB shall require all Covered Persons listed on the IRB application who have a financial interest to update their Annual Disclosure of Financial Interest form pursuant to UNMC HRPP Policy #3.12. The IRB shall review and approve proposed COI management plans as described in HRPP Policy #3.12. <br />
===UNeMED===<br />
The President of UNeMED or designee shall coordinate with the COI officer on UNeMED activities where it appears that a Covered Person's or UNMC's financial interest may be a potential individual or institutional conflict of interest, including intellectual property interests and equity interests involving technology transfer companies. <br />
===Continuing Education Offices===<br />
UNMC is accredited by the Accreditation Council for Continuing Medical Education (ACCME). The Continuing Medical Education (CME) office shall review disclosures of financial interest for UNMC employees who are serving as course directors, faculty or peer reviewers for UNMC CME courses, as required by the ACCME Standards for Commercial Support. <br />
==Institutional Conflict of Interest Management ==<br />
In order to avoid real or perceived favoritism in relationships with research sponsors, each/every potential Institutional COI shall be reported. Any Covered Person who has knowledge of potential Institutional COI shall report the information to the COI Officer. Potential Institutional COI may be identified through the Annual Disclosure of Financial Interest questionnaire for senior administrative personnel. The COI Officer shall convene a group of senior UNMC officials appointed by the Chancellor to review the disclosure and propose a management plan for Chancellor approval if appropriate. It is important to note that PHS COI regulations do not cover institutional conflict of interest. <br />
==Records Retention==<br />
All Disclosure of Financial Interest information, COI management plans and all Public Health Service-funded Financial Conflict of Interest-related records shall be retained for the fiscal year in which the grant or contract is closed plus seven (7) years as required by Board of Regents Records Retention Schedule 170-8, "Sponsored Projects (Grants)". No destruction of records shall take place if there is a Preservation Hold in effect, or if any litigation, claim, negotiation, audit or other actions involving the records have been started before the expiration of the retention period. The records must be retained until completion of the action and resolution of all issues which arise from it, or the seven year retention period, whichever is later, as required under 45 CFR 74.53 and 92.42. <br />
==Public Accessibility of PHS-funded Senior/Key Personnel FCOI ==<br />
Upon request, the COI Officer shall make available to the public information concerning identified FCOIs held by Senior/Key personnel receiving PHS research funding as required by PHS regulations. Information shall be provided in writing within five (5) business days of the request. The COI officer shall coordinate these public requests with the University of Nebraska Records Management Officer. All other financial interest disclosure information and conflict of interest determinations shall remain confidential and may be withheld from the public as permitted under Neb. Rev. Stat. 84-712.05, "Records which may be withheld from the public; enumerated." <br />
==Sanctions ==<br />
Covered Persons who violate this policy may receive corrective action under UNMC Policy No. 1098, [[Corrective/Disciplinary Action|Corrective and Disciplinary Action Policy]]. The COI Committee may also recommend other corrective action such as additional training, or for serious violations, recommend that research funding be withheld or recommend other appropriate sanctions to maintain the integrity of the research. The Vice Chancellor of Academic Affairs shall review and approve all proposed sanctions. The sanctions shall be coordinated with the respective Dean, Director or Vice Chancellor for enforcement. <br />
<br />
==Additional Information==<br />
<P>For additional information, contact the [mailto:swrobel@unmc.edu Chief Compliance Officer].<br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].<br />
<br />
== Policy 8010 Appendix A ==<br />
<big>Conflict of Interest Committee (COIC) Governance</big><br /><br />
'''COI Committee Composition.''' The COI Committee shall have at least 16 members representing the following areas: </P><br />
<P><br />
{| class="wikitable" border="1"<br />
|-<br />
| College of Medicine<br />
| Vice Chancellor for Business & Finance<br />
|-<br />
| College of Dentistry<br />
| Vice Chancellor for Research<br />
|-<br />
| College of Pharmacy<br />
| Compliance/Conflict of Interest Officer<br />
|-<br />
| College of Nursing<br />
| Sponsored Programs Administration<br />
|-<br />
| College of Public Health<br />
| Institutional Review Board<br />
|-<br />
| Eppley Cancer Institute<br />
| Associate General Counsel for Healthcare<br />
|-<br />
| Munroe Meyer Institute<br />
| Center for Continuing Medical Education<br />
|-<br />
| Vice Chancellor for Academic Affairs<br />
| Community Member<br />
|}<br />
<br />
'''Membership Term.''' COI Committee members shall serve for a term of three years, which may be automatically renewed upon mutual agreement of the member and the Chancellor or his/her designee. New members shall be nominated by the department/unit and approved by the Vice Chancellor of Academic Affairs or his/her designee. The Chancellor or his/her designee shall appoint a faculty chair of the COI Committee. The Vice Chancellor of Academic Affairs or his/her designee shall select the community member. The Chancellor or his designee can appoint additional voting and non-voting members. <br /><br />
<br /><br />
<br />
'''Quorum.''' A quorum is required for meetings to be conducted. More than half of the membership present will constitute a quorum.<br /><br />
<br /><br />
Voting. All committee members are eligible to vote. No regular motion shall pass unless a majority of the COI Committee members present vote in favor of the motion.<br /><br />
<br /><br />
'''COIC Member Conflicts.''' If a COIC member has a conflict of interest with a specific matter being discussed, the member shall declare that he/she has a potential conflict and shall not vote on the matter. Such conflicts may arise when:<br />
#the member is participating in the research under review;<br />
#the member has a financial relationship with a research sponsor under review; or <br />
#the member has a personal relationship or conflict with the individual under review that could potentially cause the member to be perceived as less than objective in his/her review.<br />
'''Committee Review by Telephone/Electronically'''. While face-to-face meetings will normally be held, committee review of potential conflicts may be conducted by telephone or electronically at the discretion of the COI Committee chair.<br /><br />
<br /><br />
'''Meeting Minutes.''' The COI Coordinator chair shall prepare meeting minutes and present them for approval at the next scheduled COI Committee meeting.<br />
== Additional Information ==<br />
Contact the [mailto:swrobel@unmc.edu Chief Compliance Officer]<br /><br />
Contact the [mailto:dthomas@unmc.edu Associate Vice Chancellor for Business and Finance] <br /><br />
[[Conflict_of_Interest_Procedures|Conflict of Interest Procedures]]<br /><br />
[http://webmedia.unmc.edu/policy/8010-1.doc Appendix 1 - Disclosure of Potential Business Conflict of Interest]<br /><br />
[[Research Conflict of Interest Procedures]]<br /><br />
[[Outside Employment]] Policy<br /><br />
[http://www.unmc.edu/hr/Forms/outactapp.pdf Application for Permission to Engage in Professional Activity Outside the University]<br /><br />
[http://webmedia.unmc.edu/policy/COIForm.doc Disclosure of Potential Conflict of Interest Form] <br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Conflict_of_Interest&diff=1914Conflict of Interest2013-06-12T14:34:08Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Copyright]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts Policy]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]]<br />
<br /><br /><br />
Policy No.: '''8010'''<br /><br />
Effective Date: '''09/04/07'''<br /><br />
Revised Date: '''09/18/12'''<br /><br />
Reviewed Date: '''09/18/12'''<br />
<br /><br /><br />
<big>'''Conflict of Interest Policy'''</big> <br />
== Basis for Policy ==<br />
Statutes, regulations, University policies and accreditation standards related to conflict of interest identification and management are: <br />
#"Responsibility of Applicants for Promoting Objectivity in Research for which Public Health Service Funding is Sought and Responsible Prospective Contractors" regulations at 42 CFR Part 50 and 45 CFR Part 94 <br />
#"Financial Disclosure by Clinical Investigators" Food & Drug Administration regulations at 21 CFR Part 54 <br />
#Nebraska Conflict of Interest Statute at Neb. Rev. Stat. §49-1493 et. seq. <br />
#Bylaws of the Board of Regents of the University of Nebraska Sections 3.10, 3.45 and 3.8 <br />
#Board of Regents Conflict of Interest Policy, RP-3.2.8 <br />
#Board of Regents Patent & Technology Policy, RP-4.4.2 <br />
#UNMC Human Research Protections Policy #3.12, "Identification and Management of Potential Financial Conflicts of Interest of Research Personnel" <br />
#UNMC Policy No. 1049, [[Outside Employment]] <br />
#UNMC "Interactions between College of Medicine Faculty, Staff & Trainees and Health Care Vendors" policy <br />
== Policy ==<br />
Potential conflicts of interest arise in a variety of circumstances in the academic health sciences center environment when an individual's private financial interests either conflict with or create the appearance of conflicting with UNMC's public interests. This policy applies to potential conflict of interest arising in any UNMC activity, including but not limited to research, teaching, patient care, outreach to underserved populations and the associated business activities in support of them. Covered Persons shall disclose all financial interests related to their University of Nebraska responsibilities so that an analysis of potential conflict of interest may be conducted. When a conflict of interest is identified, the conflict will either be managed or eliminated to reduce the appearance of bias and maintain responsible stewardship of public resources. This policy shall be publicly posted in the UNMC [[Policies and Procedures]] manual on the UNMC internet site. <br />
== Definitions ==<br />
'''Covered Person''' under Regents Policy 3.2.8 shall mean: <br />
#University administrative officers and employees, specifically including any University employees with delegated signature, purchasing or contracting authority on behalf of the university; <br />
#University employees and faculty engaged in outside employment or other activities specified in this policy (tech transfer/use of University facilities or equipment) that may create a Conflict of Interest; and <br />
#Sponsored research investigators who participate in sponsored research; and non-sponsored research investigators participating in human subjects or animal subjects research. <br />
'''Investigator''' under PHS regulations shall mean the project director or principal investigator and any other person, regardless of title or position, who is responsible for the design, conduct or reporting of research which may include graduate students, post-docs, residents, collaborators or consultants. <br />
'''Conflict of Interest (COI)''' under Regents Policy 3.2.8 shall mean situations when a Covered Person's direct or indirect personal financial interest, (whether or not the value is readily ascertainable) may compromise, or have the appearance of compromising, the Covered Person's professional judgment or behavior in carrying out his or her obligations to the University of Nebraska. This includes indirect personal financial interests of a Covered Person that may be obtained through third parties such as a Covered Person's immediate family, business relationships, fiduciary relationships, or investments.<br /><br />
<br />
'''Equity''' includes any stock, stock option, or other ownership interest, as determined through reference to public prices or other reasonable measures of fair market value. <br /><br />
<br />
'''Financial Conflict of Interest (FCOI)''' under PHS regulations means a Significant Financial Interest that the COI Officer or COI committee reasonably determines could directly and significantly affect the design, conduct or reporting of research. <br /><br />
<br />
'''Immediate Family''' under Regents Policy 3.2.8 shall mean an individual who is a spouse, child, brother, sister, grandchild, or grandparent, by blood, marriage, or adoption of the Covered Person. <br /><br />
<br />
'''Institutional Conflict of Interest (ICOI)''' may occur when the University or a Covered Person in a senior administrative position has a financial interest in a commercial entity that itself has an interest in a University research project, including potential conflicts with equity/ownership interests or royalty arrangements. <br /><br />
<br />
'''Institutional Responsibilities''' means professional responsibilities on behalf of the University of Nebraska which may include activities such as professional service including patient care, teaching, research & research consultation, outreach, administrative, institutional committee membership including service on panels such as the Institutional Review Board or Data and Safety Monitoring Boards, and other duties as specified in the Covered Person's job description and/or employment agreement. <br /><br />
<br />
'''Remuneration''' includes salary and any payment for services not otherwise identified as salary including but not limited to consulting fees, honoraria, and paid authorship. <br /><br />
<br />
'''Senior/Key Personnel''' means the Project Director (PD)/Principal Investigator (PI) and any other person identified as senior/key personnel in the UNMC grant application, progress report, or any other report submitted to the PHS by UNMC. <br /><br />
<br />
'''Significant Financial Interest''' means a financial interest of the Investigator or his/her Immediate Family Member that reasonably appears to be related to the Investigator's Institutional Responsibilities, and: <br />
#If with a publicly traded entity, the value of any remuneration received from the entity in the twelve months preceding the disclosure and the value of any equity interest in the entity as of the date of the disclosure, when aggregated, exceeds $5,000; <br />
#If with a non-publicly traded entity, the value of any remuneration received exceeds $5,000 or when a research Investigator or Immediate Family holds any equity interest; <br />
#Intellectual property rights and interests upon receipt of income related to such rights and interests, excluding income paid by the University of Nebraska.; <br />
#For PHS-funded research investigators, includes reimbursed or sponsored travel, excluding travel that is reimbursed or sponsored by a Federal, state, or local government agency, an Institution of higher education, an academic teaching hospital, a medical center, or a research institute affiliated with an Institution of higher education. <br />
==Conflict of Interest Management Roles and Responsibilities ==<br />
===COI Officer===<br />
The UNMC Conflict of Interest Officer shall be responsible for implementing the UNMC COI management program. The COI management program shall also include review and approval of the "Application for Authorization to Engage in Outside Professional Activity" forms as delegated by the Chancellor with associated management of conflict of commitment under Regents Policy 3.8. and UNMC Policy 1049, [[Outside Employment]]. The COI Officer shall: <br />
#Ensure UNMC policy meets Board of Regents policy and state and federal regulatory requirements; <br />
#Implement annual disclosure requirements for Covered Persons and monitor to ensure compliance. The UNMC electronic Annual Disclosure of Financial Interest form is incorporated into this policy by reference. The Annual Disclosure of Interest and Application for Authorization to Engage in Outside Professional Activity forms are located at: http://net.unmc.edu/rss/ . <br />
#Coordinate identified conflict of interest matters with Sponsored Programs Administration, UNeMED, the Institutional Review Board (IRB), the Institutional Animal Care and Use (IACUC) committee, the Associate Vice Chancellor, Business and Finance (for business COI), and the Continuing Medical and Nursing Education offices as relevant. Whenever a potential COI involving activities with another University of Nebraska campus or university affiliated entity is disclosed or identified, notify the other campus or university affiliated entity COI contact and collaboratively review and manage the potential COI.<br />
#'''COI Education.''' Provide COI education to covered persons at time of hire, and every four years thereafter, and immediate re-education when there are policy changes or when investigators fail to comply with the COI policy. For investigators conducting Public Health Service (PHS) sponsored research, education shall be completed prior to the expenditure of any PHS funds. <br />
#When Covered Persons have significant financial interests related to their institutional responsibilities, present information to the COI committee for potential COI management plan creation. <br />
#'''Report FCOI to PHS'''. When the COI committee has implemented a COI management plan for PHS-funded research, update the PHS e-Commons with the FCOI report provided by the COI committee. Provide initial, annual and revised FCOI reports, if applicable for both UNMC and its subrecipients. Revised FCOI reports shall be submitted within 60 days of identification for new Investigators added to a grant, or newly identified FCOIs for existing investigators. The FCOI report shall contain the following elements: <br />
##The role and principal duties of the conflicted Investigator in the research project; <br />
##Conditions of the management plan; <br />
##How the management plan is designed to safeguard objectivity in the research project; <br />
##Confirmation of the Investigator's agreement to the management plan; <br />
##How the management plan will be monitored to ensure Investigator compliance; and <br />
##Other information as needed. <br />
#'''Conduct retrospective review.''' If UNMC identifies a significant financial interest that was not disclosed by a research Investigator in a timely manner, or was not reviewed by UNMC, the COI officer shall, within sixty (60) days: review the significant financial interest and determine whether it is related to PHS-funded research. The COI committee shall determine whether a financial conflict of interest exists, and, if so, implement an interim COI management plan. Within 120 days, the COI committee shall complete a documented retrospective review of the research Investigator's activities and the PHS-funded research project to determine whether any PHS-funded research conducted during the period of non-compliance was biased in the design, conduct or reporting of such research. The documented review shall contain all of the elements required by the PHS regulations. <br />
#'''Reporting Bias & Mitigation Report.''' If bias is found with the design, conduct or reporting of PHS-funded research, the COI Officer shall notify the PHS awarding component promptly and submit a Mitigation Report containing the retrospective review information and a description of the impact of the bias on the research project and UNMC's plan of actions taken to eliminate or mitigate the effect of the bias. <br />
#If the research is clinical research whose purpose is to evaluate the safety or effectiveness of a drug, medical device, or treatment, the COI committee shall require the Investigator to disclose the FCOI in each public presentation of the results of the research, and request an addendum to previously published presentations, in addition to any applicable disclosure listed below in Disclosure of Financial Interest. <br />
#'''Public Disclosure.''' Disclose Financial Conflicts of Interest (FCOI) of senior/key personnel involved in Public Health Service funded research only as determined by the COI Committee in response to public requests within five (5) business days of the request as required by PHS regulations. These requests shall be coordinated with the University of Nebraska Records Management Officer. <br />
#'''Board of Regents Annual Report.''' Submit the annual Conflict of Interest and Outside Activities report to the University of Nebraska Director of Internal Audit and Advisory Services for review by the Board of Regents Audit Committee. <br />
===Covered Persons===<br />
#'''Annual Disclosure of Financial Interest.''' Individuals covered under this COI policy shall complete a UNMC Annual Disclosure of Financial Interest Questionnaire through the UNMC electronic e-Disclosure system annually. Covered Persons shall receive an e-mail notification from the Compliance Department to complete the form. The UNMC Disclosure of Financial Interest form contains all elements required under Board of Regents policy and federal regulations (including PHS regulations) and is incorporated into this policy by reference. The e-Disclosure system may be accessed through the Research Support System (RSS) website at: http://net.unmc.edu/rss/ . Individuals shall disclose all financial interests related to their University of Nebraska (institutional) responsibilities. <br />
#'''Research Investigators''' shall review and update their Annual Disclosure of Financial Interest when sponsored grants and contracts are submitted, including PHS-funded research. Investigators shall update their Annual Disclosure of Financial Interest form within thirty (30) days of discovering or acquiring a Significant Financial Interest and on an annual basis thereafter during the period of the award. <br />
#'''Education.''' Covered Persons shall complete education on Board of Regents COI policy, UNMC COI policy, and PHS COI regulations, and their disclosure responsibilities prior to initially completing the Annual UNMC Disclosure of Financial Interest, and every four (4) years thereafter. Covered Persons shall not spend any PHS research funds until education has been completed. <br />
#'''Disclosure of Financial Interest.''' Covered Persons who are research Investigators shall disclose the nature of all financial interests related to their research (e.g. consulting advisory board, intellectual property) in all publications and presentations and to all UNMC personnel involved in the research project, including students. In human subjects research, Investigators shall disclose their financial interests related to the research in the informed consent, as required by UNMC HRPP Policy 3.01. <br />
#'''Appeal Rights.''' Covered Persons may appeal adverse decisions made under this policy to the Vice Chancellor for Academic Affairs. The appeal shall be in writing and contain a description of the adverse decision, justification for why the decision should be changed, and the change desired. The appeal request shall be submitted to the COI Officer. The VCAA shall respond in writing to the Covered Person with his/her decision within thirty (30) days of receipt. The VCAA's decision is final. <br />
===COI Committee.===<br />
The UNMC COI Committee composition and operating procedures are contained in Appendix A. The COI Officer shall be a member of the COI committee and shall provide administrative support for the committee. The COI committee shall: <br />
#Provide oversight over the UNMC COI program, advise the COI officer, and provide guidance on UNMC COI policy matters. <br />
#Review Significant Financial Interests. Review Disclosures of Financial Interest in the amount of $5,000 and above for research Investigators and determine if these Significant Financial Interests are related to the research, and, if so related, whether the Significant Financial Interest constitutes a Financial Conflict of Interest. A Significant Financial Interest is a Financial Conflict of Interest if it could directly and significantly affect the design, conduct , or reporting of research, including PHS-funded research. <br />
#Create COI Management Plans for Financial Conflicts of Interest. <br />
#Conduct retrospective reviews of newly identified Significant Financial Interests as described in Conduct Retrps[ectove Review above. <br />
#Review COI Policy violations and recommend sanctions, if appropriate, to the Vice Chancellor Academic Affairs and to the appropriate UNMC administrator responsible for supervision of the individual(s) violating the policy. <br />
===Sponsored Programs Administration===<br />
Sponsored Programs Administration shall: <br />
#Notify all research Investigators submitting sponsored grant/contract proposals to review their Annual Disclosure of Financial Interest form and update the information as needed. Sponsored Programs Administration shall verify review has been completed for all applications. <br />
#Coordinate with the COI Officer when Investigators disclose significant financial interests related to the sponsored project to determine if a COI management plan is required. <br />
'''Subrecipients.''' Include provisions in PHS-funded subrecipient agreements that: <br />
#the subrecipient certifies that its FCOI policy complies with PHS regulations or in the alternative that the subrecipient will follow the UNMC COI policy; and <br />
#the subrecipient shall report identified FCOIs for its Investigators in a timely manner so UNMC can report identified FCOIs to the PHS in the time frames in '''Repprt FCOI to PHS''' and '''Conduct retrospective review''' above. <br />
===Associate Vice Chancellor, Business and Finance===<br />
The Associate Vice Chancellor of Business and Finance shall manage business conflict of interest by reviewing all Annual Disclosure of Financial Interest questionnaires completed by Covered Persons with contract signature authority under Executive Memorandum 13 and 14; Covered Persons with purchasing authority; Covered Persons who identify family member(s) with a financial interest with the University of Nebraska; and any other potential business-related financial interest identified by the COI Officer through the annual COI disclosure process or by any other person at UNMC. Business COI management plans shall be created to minimize the appearance of bias in decision-making and ensure state and federal regulations and University of Nebraska business-related policies are followed. Business COI management plans shall be reported through the UNMC COI committee and reported on the Annual COI report to the Board of Regents Audit committee. <br />
===Institutional Review Board (IRB)===<br />
The IRB shall require all Covered Persons listed on the IRB application who have a financial interest to update their Annual Disclosure of Financial Interest form pursuant to UNMC HRPP Policy #3.12. The IRB shall review and approve proposed COI management plans as described in HRPP Policy #3.12. <br />
===UNeMED===<br />
The President of UNeMED or designee shall coordinate with the COI officer on UNeMED activities where it appears that a Covered Person's or UNMC's financial interest may be a potential individual or institutional conflict of interest, including intellectual property interests and equity interests involving technology transfer companies. <br />
===Continuing Education Offices===<br />
UNMC is accredited by the Accreditation Council for Continuing Medical Education (ACCME). The Continuing Medical Education (CME) office shall review disclosures of financial interest for UNMC employees who are serving as course directors, faculty or peer reviewers for UNMC CME courses, as required by the ACCME Standards for Commercial Support. <br />
==Institutional Conflict of Interest Management ==<br />
In order to avoid real or perceived favoritism in relationships with research sponsors, each/every potential Institutional COI shall be reported. Any Covered Person who has knowledge of potential Institutional COI shall report the information to the COI Officer. Potential Institutional COI may be identified through the Annual Disclosure of Financial Interest questionnaire for senior administrative personnel. The COI Officer shall convene a group of senior UNMC officials appointed by the Chancellor to review the disclosure and propose a management plan for Chancellor approval if appropriate. It is important to note that PHS COI regulations do not cover institutional conflict of interest. <br />
==Records Retention==<br />
All Disclosure of Financial Interest information, COI management plans and all Public Health Service-funded Financial Conflict of Interest-related records shall be retained for the fiscal year in which the grant or contract is closed plus seven (7) years as required by Board of Regents Records Retention Schedule 170-8, "Sponsored Projects (Grants)". No destruction of records shall take place if there is a Preservation Hold in effect, or if any litigation, claim, negotiation, audit or other actions involving the records have been started before the expiration of the retention period. The records must be retained until completion of the action and resolution of all issues which arise from it, or the seven year retention period, whichever is later, as required under 45 CFR 74.53 and 92.42. <br />
==Public Accessibility of PHS-funded Senior/Key Personnel FCOI ==<br />
Upon request, the COI Officer shall make available to the public information concerning identified FCOIs held by Senior/Key personnel receiving PHS research funding as required by PHS regulations. Information shall be provided in writing within five (5) business days of the request. The COI officer shall coordinate these public requests with the University of Nebraska Records Management Officer. All other financial interest disclosure information and conflict of interest determinations shall remain confidential and may be withheld from the public as permitted under Neb. Rev. Stat. 84-712.05, "Records which may be withheld from the public; enumerated." <br />
==Sanctions ==<br />
Covered Persons who violate this policy may receive corrective action under UNMC Policy No. 1098, [[Corrective/Disciplinary Action|Corrective and Disciplinary Action Policy]]. The COI Committee may also recommend other corrective action such as additional training, or for serious violations, recommend that research funding be withheld or recommend other appropriate sanctions to maintain the integrity of the research. The Vice Chancellor of Academic Affairs shall review and approve all proposed sanctions. The sanctions shall be coordinated with the respective Dean, Director or Vice Chancellor for enforcement. <br />
<br />
==Additional Information==<br />
<P>For additional information, contact the [mailto:swrobel@unmc.edu Chief Compliance Officer].<br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].<br />
<br />
== Policy 8010 Appendix A ==<br />
<big>Conflict of Interest Committee (COIC) Governance</big><br /><br />
'''COI Committee Composition.''' The COI Committee shall have at least 16 members representing the following areas: </P><br />
<P><br />
{| class="wikitable" border="1"<br />
|-<br />
| College of Medicine<br />
| Vice Chancellor for Business & Finance<br />
|-<br />
| College of Dentistry<br />
| Vice Chancellor for Research<br />
|-<br />
| College of Pharmacy<br />
| Compliance/Conflict of Interest Officer<br />
|-<br />
| College of Nursing<br />
| Sponsored Programs Administration<br />
|-<br />
| College of Public Health<br />
| Institutional Review Board<br />
|-<br />
| Eppley Cancer Institute<br />
| Associate General Counsel for Healthcare<br />
|-<br />
| Munroe Meyer Institute<br />
| Center for Continuing Medical Education<br />
|-<br />
| Vice Chancellor for Academic Affairs<br />
| Community Member<br />
|}<br />
<br />
'''Membership Term.''' COI Committee members shall serve for a term of three years, which may be automatically renewed upon mutual agreement of the member and the Chancellor or his/her designee. New members shall be nominated by the department/unit and approved by the Vice Chancellor of Academic Affairs or his/her designee. The Chancellor or his/her designee shall appoint a faculty chair of the COI Committee. The Vice Chancellor of Academic Affairs or his/her designee shall select the community member. The Chancellor or his designee can appoint additional voting and non-voting members. <br /><br />
<br /><br />
<br />
'''Quorum.''' A quorum is required for meetings to be conducted. More than half of the membership present will constitute a quorum.<br /><br />
<br /><br />
Voting. All committee members are eligible to vote. No regular motion shall pass unless a majority of the COI Committee members present vote in favor of the motion.<br /><br />
<br /><br />
'''COIC Member Conflicts.''' If a COIC member has a conflict of interest with a specific matter being discussed, the member shall declare that he/she has a potential conflict and shall not vote on the matter. Such conflicts may arise when:<br />
#the member is participating in the research under review;<br />
#the member has a financial relationship with a research sponsor under review; or <br />
#the member has a personal relationship or conflict with the individual under review that could potentially cause the member to be perceived as less than objective in his/her review.<br />
'''Committee Review by Telephone/Electronically'''. While face-to-face meetings will normally be held, committee review of potential conflicts may be conducted by telephone or electronically at the discretion of the COI Committee chair.<br /><br />
<br /><br />
'''Meeting Minutes.''' The COI Coordinator chair shall prepare meeting minutes and present them for approval at the next scheduled COI Committee meeting.<br />
== Additional Information ==<br />
Contact the [mailto:swrobel@unmc.edu Chief Compliance Officer]<br /><br />
Contact the [mailto:dthomas@unmc.edu Associate Vice Chancellor for Business and Finance] <br /><br />
[[Conflict_of_Interest_Procedures|Conflict of Interest Procedures]]<br /><br />
[http://webmedia.unmc.edu/policy/8010-1.doc Appendix 1 - Disclosure of Potential Business Conflict of Interest]<br /><br />
[[Research Conflict of Interest Procedures]]<br /><br />
[[Outside Employment]] Policy<br /><br />
[http://www.unmc.edu/hr/Forms/outactapp.pdf Application for Permission to Engage in Professional Activity Outside the University]<br /><br />
[http://webmedia.unmc.edu/policy/COIForm.doc Disclosure of Potential Conflict of Interest Form] <br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Conflict_of_Interest&diff=1913Conflict of Interest2013-06-12T14:27:54Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Copyright]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts Policy]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]]<br />
<br /><br /><br />
Policy No.: '''8010'''<br /><br />
Effective Date: '''09/04/07'''<br /><br />
Revised Date: '''09/18/12'''<br /><br />
Reviewed Date: '''09/18/12'''<br />
<br /><br /><br />
<big>'''Conflict of Interest Policy'''</big> <br />
== Basis for Policy ==<br />
Statutes, regulations, University policies and accreditation standards related to conflict of interest identification and management are: <br />
#"Responsibility of Applicants for Promoting Objectivity in Research for which Public Health Service Funding is Sought and Responsible Prospective Contractors" regulations at 42 CFR Part 50 and 45 CFR Part 94 <br />
#"Financial Disclosure by Clinical Investigators" Food & Drug Administration regulations at 21 CFR Part 54 <br />
#Nebraska Conflict of Interest Statute at Neb. Rev. Stat. §49-1493 et. seq. <br />
#Bylaws of the Board of Regents of the University of Nebraska Sections 3.10, 3.45 and 3.8 <br />
#Board of Regents Conflict of Interest Policy, RP-3.2.8 <br />
#Board of Regents Patent & Technology Policy, RP-4.4.2 <br />
#UNMC Human Research Protections Policy #3.12, "Identification and Management of Potential Financial Conflicts of Interest of Research Personnel" <br />
#UNMC Policy No. 1049, [[Outside Employment]] <br />
#UNMC "Interactions between College of Medicine Faculty, Staff & Trainees and Health Care Vendors" policy <br />
== Policy ==<br />
Potential conflicts of interest arise in a variety of circumstances in the academic health sciences center environment when an individual's private financial interests either conflict with or create the appearance of conflicting with UNMC's public interests. This policy applies to potential conflict of interest arising in any UNMC activity, including but not limited to research, teaching, patient care, outreach to underserved populations and the associated business activities in support of them. Covered Persons shall disclose all financial interests related to their University of Nebraska responsibilities so that an analysis of potential conflict of interest may be conducted. When a conflict of interest is identified, the conflict will either be managed or eliminated to reduce the appearance of bias and maintain responsible stewardship of public resources. This policy shall be publicly posted in the UNMC [[Policies and Procedures]] manual on the UNMC internet site. <br />
== Definitions ==<br />
'''Covered Person''' under Regents Policy 3.2.8 shall mean: <br />
#University administrative officers and employees, specifically including any University employees with delegated signature, purchasing or contracting authority on behalf of the university; <br />
#University employees and faculty engaged in outside employment or other activities specified in this policy (tech transfer/use of University facilities or equipment) that may create a Conflict of Interest; and <br />
#Sponsored research investigators who participate in sponsored research; and non-sponsored research investigators participating in human subjects or animal subjects research. <br />
'''Investigator''' under PHS regulations shall mean the project director or principal investigator and any other person, regardless of title or position, who is responsible for the design, conduct or reporting of research which may include graduate students, post-docs, residents, collaborators or consultants. <br />
'''Conflict of Interest (COI)''' under Regents Policy 3.2.8 shall mean situations when a Covered Person's direct or indirect personal financial interest, (whether or not the value is readily ascertainable) may compromise, or have the appearance of compromising, the Covered Person's professional judgment or behavior in carrying out his or her obligations to the University of Nebraska. This includes indirect personal financial interests of a Covered Person that may be obtained through third parties such as a Covered Person's immediate family, business relationships, fiduciary relationships, or investments.<br /><br />
<br />
'''Equity''' includes any stock, stock option, or other ownership interest, as determined through reference to public prices or other reasonable measures of fair market value. <br /><br />
<br />
'''Financial Conflict of Interest (FCOI)''' under PHS regulations means a Significant Financial Interest that the COI Officer or COI committee reasonably determines could directly and significantly affect the design, conduct or reporting of research. <br /><br />
<br />
'''Immediate Family''' under Regents Policy 3.2.8 shall mean an individual who is a spouse, child, brother, sister, grandchild, or grandparent, by blood, marriage, or adoption of the Covered Person. <br /><br />
<br />
'''Institutional Conflict of Interest (ICOI)''' may occur when the University or a Covered Person in a senior administrative position has a financial interest in a commercial entity that itself has an interest in a University research project, including potential conflicts with equity/ownership interests or royalty arrangements. <br /><br />
<br />
'''Institutional Responsibilities''' means professional responsibilities on behalf of the University of Nebraska which may include activities such as professional service including patient care, teaching, research & research consultation, outreach, administrative, institutional committee membership including service on panels such as the Institutional Review Board or Data and Safety Monitoring Boards, and other duties as specified in the Covered Person's job description and/or employment agreement. <br /><br />
<br />
'''Remuneration''' includes salary and any payment for services not otherwise identified as salary including but not limited to consulting fees, honoraria, and paid authorship. <br /><br />
<br />
'''Senior/Key Personnel''' means the Project Director (PD)/Principal Investigator (PI) and any other person identified as senior/key personnel in the UNMC grant application, progress report, or any other report submitted to the PHS by UNMC. <br /><br />
<br />
'''Significant Financial Interest''' means a financial interest of the Investigator or his/her Immediate Family Member that reasonably appears to be related to the Investigator's Institutional Responsibilities, and: <br />
#If with a publicly traded entity, the value of any remuneration received from the entity in the twelve months preceding the disclosure and the value of any equity interest in the entity as of the date of the disclosure, when aggregated, exceeds $5,000; <br />
#If with a non-publicly traded entity, the value of any remuneration received exceeds $5,000 or when a research Investigator or Immediate Family holds any equity interest; <br />
#Intellectual property rights and interests upon receipt of income related to such rights and interests, excluding income paid by the University of Nebraska.; <br />
#For PHS-funded research investigators, includes reimbursed or sponsored travel, excluding travel that is reimbursed or sponsored by a Federal, state, or local government agency, an Institution of higher education, an academic teaching hospital, a medical center, or a research institute affiliated with an Institution of higher education. <br />
==Conflict of Interest Management Roles and Responsibilities ==<br />
===COI Officer===<br />
The UNMC Conflict of Interest Officer shall be responsible for implementing the UNMC COI management program. The COI management program shall also include review and approval of the "Application for Authorization to Engage in Outside Professional Activity" forms as delegated by the Chancellor with associated management of conflict of commitment under Regents Policy 3.8. and UNMC Policy 1049, [[Outside Employment]]. The COI Officer shall: <br />
#Ensure UNMC policy meets Board of Regents policy and state and federal regulatory requirements; <br />
#Implement annual disclosure requirements for Covered Persons and monitor to ensure compliance. The UNMC electronic Annual Disclosure of Financial Interest form is incorporated into this policy by reference. The Annual Disclosure of Interest and Application for Authorization to Engage in Outside Professional Activity forms are located at: http://net.unmc.edu/rss/ . <br />
#Coordinate identified conflict of interest matters with Sponsored Programs Administration, UNeMED, the Institutional Review Board (IRB), the Institutional Animal Care and Use (IACUC) committee, the Associate Vice Chancellor, Business and Finance (for business COI), and the Continuing Medical and Nursing Education offices as relevant; <br />
#'''COI Education.''' Provide COI education to covered persons at time of hire, and every four years thereafter. For investigators conducting Public Health Service (PHS) sponsored research, education shall be completed prior to the expenditure of any PHS funds. <br />
#When Covered Persons have significant financial interests related to their institutional responsibilities, present information to the COI committee for potential COI management plan creation. <br />
#'''Report FCOI to PHS'''. When the COI committee has implemented a COI management plan for PHS-funded research, update the PHS e-Commons with the FCOI report provided by the COI committee. Provide initial, annual and revised FCOI reports, if applicable for both UNMC and its subrecipients. Revised FCOI reports shall be submitted within 60 days of identification for new Investigators added to a grant, or newly identified FCOIs for existing investigators. The FCOI report shall contain the following elements: <br />
##The role and principal duties of the conflicted Investigator in the research project; <br />
##Conditions of the management plan; <br />
##How the management plan is designed to safeguard objectivity in the research project; <br />
##Confirmation of the Investigator's agreement to the management plan; <br />
##How the management plan will be monitored to ensure Investigator compliance; and <br />
##Other information as needed. <br />
#'''Conduct retrospective review.''' If UNMC identifies a significant financial interest that was not disclosed by a research Investigator in a timely manner, or was not reviewed by UNMC, the COI officer shall, within sixty (60) days: review the significant financial interest and determine whether it is related to PHS-funded research. The COI committee shall determine whether a financial conflict of interest exists, and, if so, implement an interim COI management plan. Within 120 days, the COI committee shall complete a documented retrospective review of the research Investigator's activities and the PHS-funded research project to determine whether any PHS-funded research conducted during the period of non-compliance was biased in the design, conduct or reporting of such research. The documented review shall contain all of the elements required by the PHS regulations. <br />
#'''Reporting Bias & Mitigation Report.''' If bias is found with the design, conduct or reporting of PHS-funded research, the COI Officer shall notify the PHS awarding component promptly and submit a Mitigation Report containing the retrospective review information and a description of the impact of the bias on the research project and UNMC's plan of actions taken to eliminate or mitigate the effect of the bias. <br />
#If the research is clinical research whose purpose is to evaluate the safety or effectiveness of a drug, medical device, or treatment, the COI committee shall require the Investigator to disclose the FCOI in each public presentation of the results of the research, and request an addendum to previously published presentations, in addition to any applicable disclosure listed below in Disclosure of Financial Interest. <br />
#'''Public Disclosure.''' Disclose Financial Conflicts of Interest (FCOI) of senior/key personnel involved in Public Health Service funded research only as determined by the COI Committee in response to public requests within five (5) business days of the request as required by PHS regulations. These requests shall be coordinated with the University of Nebraska Records Management Officer. <br />
#'''Board of Regents Annual Report.''' Submit the annual Conflict of Interest and Outside Activities report to the University of Nebraska Director of Internal Audit and Advisory Services for review by the Board of Regents Audit Committee. <br />
===Covered Persons===<br />
#'''Annual Disclosure of Financial Interest.''' Individuals covered under this COI policy shall complete a UNMC Annual Disclosure of Financial Interest Questionnaire through the UNMC electronic e-Disclosure system annually. Covered Persons shall receive an e-mail notification from the Compliance Department to complete the form. The UNMC Disclosure of Financial Interest form contains all elements required under Board of Regents policy and federal regulations (including PHS regulations) and is incorporated into this policy by reference. The e-Disclosure system may be accessed through the Research Support System (RSS) website at: http://net.unmc.edu/rss/ . Individuals shall disclose all financial interests related to their University of Nebraska (institutional) responsibilities. <br />
#'''Research Investigators''' shall review and update their Annual Disclosure of Financial Interest when sponsored grants and contracts are submitted, including PHS-funded research. Investigators shall update their Annual Disclosure of Financial Interest form within thirty (30) days of discovering or acquiring a Significant Financial Interest and on an annual basis thereafter during the period of the award. <br />
#'''Education.''' Covered Persons shall complete education on Board of Regents COI policy, UNMC COI policy, and PHS COI regulations, and their disclosure responsibilities prior to initially completing the Annual UNMC Disclosure of Financial Interest, and every four (4) years thereafter. Covered Persons shall not spend any PHS research funds until education has been completed. <br />
#'''Disclosure of Financial Interest.''' Covered Persons who are research Investigators shall disclose the nature of all financial interests related to their research (e.g. consulting advisory board, intellectual property) in all publications and presentations and to all UNMC personnel involved in the research project, including students. In human subjects research, Investigators shall disclose their financial interests related to the research in the informed consent, as required by UNMC HRPP Policy 3.01. <br />
#'''Appeal Rights.''' Covered Persons may appeal adverse decisions made under this policy to the Vice Chancellor for Academic Affairs. The appeal shall be in writing and contain a description of the adverse decision, justification for why the decision should be changed, and the change desired. The appeal request shall be submitted to the COI Officer. The VCAA shall respond in writing to the Covered Person with his/her decision within thirty (30) days of receipt. The VCAA's decision is final. <br />
===COI Committee.===<br />
The UNMC COI Committee composition and operating procedures are contained in Appendix A. The COI Officer shall be a member of the COI committee and shall provide administrative support for the committee. The COI committee shall: <br />
#Provide oversight over the UNMC COI program, advise the COI officer, and provide guidance on UNMC COI policy matters. <br />
#Review Significant Financial Interests. Review Disclosures of Financial Interest in the amount of $5,000 and above for research Investigators and determine if these Significant Financial Interests are related to the research, and, if so related, whether the Significant Financial Interest constitutes a Financial Conflict of Interest. A Significant Financial Interest is a Financial Conflict of Interest if it could directly and significantly affect the design, conduct , or reporting of research, including PHS-funded research. <br />
#Create COI Management Plans for Financial Conflicts of Interest. <br />
#Conduct retrospective reviews of newly identified Significant Financial Interests as described in Conduct Retrps[ectove Review above. <br />
#Review COI Policy violations and recommend sanctions, if appropriate, to the Vice Chancellor Academic Affairs and to the appropriate UNMC administrator responsible for supervision of the individual(s) violating the policy. <br />
===Sponsored Programs Administration===<br />
Sponsored Programs Administration shall: <br />
#Notify all research Investigators submitting sponsored grant/contract proposals to review their Annual Disclosure of Financial Interest form and update the information as needed. Sponsored Programs Administration shall verify review has been completed for all applications. <br />
#Coordinate with the COI Officer when Investigators disclose significant financial interests related to the sponsored project to determine if a COI management plan is required. <br />
'''Subrecipients.''' Include provisions in PHS-funded subrecipient agreements that: <br />
#the subrecipient certifies that its FCOI policy complies with PHS regulations or in the alternative that the subrecipient will follow the UNMC COI policy; and <br />
#the subrecipient shall report identified FCOIs for its Investigators in a timely manner so UNMC can report identified FCOIs to the PHS in the time frames in '''Repprt FCOI to PHS''' and '''Conduct retrospective review''' above. <br />
===Associate Vice Chancellor, Business and Finance===<br />
The Associate Vice Chancellor of Business and Finance shall manage business conflict of interest by reviewing all Annual Disclosure of Financial Interest questionnaires completed by Covered Persons with contract signature authority under Executive Memorandum 13 and 14; Covered Persons with purchasing authority; Covered Persons who identify family member(s) with a financial interest with the University of Nebraska; and any other potential business-related financial interest identified by the COI Officer through the annual COI disclosure process or by any other person at UNMC. Business COI management plans shall be created to minimize the appearance of bias in decision-making and ensure state and federal regulations and University of Nebraska business-related policies are followed. Business COI management plans shall be reported through the UNMC COI committee and reported on the Annual COI report to the Board of Regents Audit committee. <br />
===Institutional Review Board (IRB)===<br />
The IRB shall require all Covered Persons listed on the IRB application who have a financial interest to update their Annual Disclosure of Financial Interest form pursuant to UNMC HRPP Policy #3.12. The IRB shall review and approve proposed COI management plans as described in HRPP Policy #3.12. <br />
===UNeMED===<br />
The President of UNeMED or designee shall coordinate with the COI officer on UNeMED activities where it appears that a Covered Person's or UNMC's financial interest may be a potential individual or institutional conflict of interest, including intellectual property interests and equity interests involving technology transfer companies. <br />
===Continuing Education Offices===<br />
UNMC is accredited by the Accreditation Council for Continuing Medical Education (ACCME). The Continuing Medical Education (CME) office shall review disclosures of financial interest for UNMC employees who are serving as course directors, faculty or peer reviewers for UNMC CME courses, as required by the ACCME Standards for Commercial Support. <br />
==Institutional Conflict of Interest Management ==<br />
In order to avoid real or perceived favoritism in relationships with research sponsors, each/every potential Institutional COI shall be reported. Any Covered Person who has knowledge of potential Institutional COI shall report the information to the COI Officer. Potential Institutional COI may be identified through the Annual Disclosure of Financial Interest questionnaire for senior administrative personnel. The COI Officer shall convene a group of senior UNMC officials appointed by the Chancellor to review the disclosure and propose a management plan for Chancellor approval if appropriate. It is important to note that PHS COI regulations do not cover institutional conflict of interest. <br />
==Records Retention==<br />
All Disclosure of Financial Interest information, COI management plans and all Public Health Service-funded Financial Conflict of Interest-related records shall be retained for the fiscal year in which the grant or contract is closed plus seven (7) years as required by Board of Regents Records Retention Schedule 170-8, "Sponsored Projects (Grants)". No destruction of records shall take place if there is a Preservation Hold in effect, or if any litigation, claim, negotiation, audit or other actions involving the records have been started before the expiration of the retention period. The records must be retained until completion of the action and resolution of all issues which arise from it, or the seven year retention period, whichever is later, as required under 45 CFR 74.53 and 92.42. <br />
==Public Accessibility of PHS-funded Senior/Key Personnel FCOI ==<br />
Upon request, the COI Officer shall make available to the public information concerning identified FCOIs held by Senior/Key personnel receiving PHS research funding as required by PHS regulations. Information shall be provided in writing within five (5) business days of the request. The COI officer shall coordinate these public requests with the University of Nebraska Records Management Officer. All other financial interest disclosure information and conflict of interest determinations shall remain confidential and may be withheld from the public as permitted under Neb. Rev. Stat. 84-712.05, "Records which may be withheld from the public; enumerated." <br />
==Sanctions ==<br />
Covered Persons who violate this policy may receive corrective action under UNMC Policy No. 1098, [[Corrective/Disciplinary Action|Corrective and Disciplinary Action Policy]]. The COI Committee may also recommend other corrective action such as additional training, or for serious violations, recommend that research funding be withheld or recommend other appropriate sanctions to maintain the integrity of the research. The Vice Chancellor of Academic Affairs shall review and approve all proposed sanctions. The sanctions shall be coordinated with the respective Dean, Director or Vice Chancellor for enforcement. <br />
<br />
==Additional Information==<br />
<P>For additional information, contact the [mailto:swrobel@unmc.edu Chief Compliance Officer].<br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].<br />
<br />
== Policy 8010 Appendix A ==<br />
<big>Conflict of Interest Committee (COIC) Governance</big><br /><br />
'''COI Committee Composition.''' The COI Committee shall have at least 16 members representing the following areas: </P><br />
<P><br />
{| class="wikitable" border="1"<br />
|-<br />
| College of Medicine<br />
| Vice Chancellor for Business & Finance<br />
|-<br />
| College of Dentistry<br />
| Vice Chancellor for Research<br />
|-<br />
| College of Pharmacy<br />
| Compliance/Conflict of Interest Officer<br />
|-<br />
| College of Nursing<br />
| Sponsored Programs Administration<br />
|-<br />
| College of Public Health<br />
| Institutional Review Board<br />
|-<br />
| Eppley Cancer Institute<br />
| Associate General Counsel for Healthcare<br />
|-<br />
| Munroe Meyer Institute<br />
| Center for Continuing Medical Education<br />
|-<br />
| Vice Chancellor for Academic Affairs<br />
| Community Member<br />
|}<br />
<br />
'''Membership Term.''' COI Committee members shall serve for a term of three years, which may be automatically renewed upon mutual agreement of the member and the Chancellor or his/her designee. New members shall be nominated by the department/unit and approved by the Vice Chancellor of Academic Affairs or his/her designee. The Chancellor or his/her designee shall appoint a faculty chair of the COI Committee. The Vice Chancellor of Academic Affairs or his/her designee shall select the community member. The Chancellor or his designee can appoint additional voting and non-voting members. <br /><br />
<br /><br />
<br />
'''Quorum.''' A quorum is required for meetings to be conducted. More than half of the membership present will constitute a quorum.<br /><br />
<br /><br />
Voting. All committee members are eligible to vote. No regular motion shall pass unless a majority of the COI Committee members present vote in favor of the motion.<br /><br />
<br /><br />
'''COIC Member Conflicts.''' If a COIC member has a conflict of interest with a specific matter being discussed, the member shall declare that he/she has a potential conflict and shall not vote on the matter. Such conflicts may arise when:<br />
#the member is participating in the research under review;<br />
#the member has a financial relationship with a research sponsor under review; or <br />
#the member has a personal relationship or conflict with the individual under review that could potentially cause the member to be perceived as less than objective in his/her review.<br />
'''Committee Review by Telephone/Electronically'''. While face-to-face meetings will normally be held, committee review of potential conflicts may be conducted by telephone or electronically at the discretion of the COI Committee chair.<br /><br />
<br /><br />
'''Meeting Minutes.''' The COI Coordinator chair shall prepare meeting minutes and present them for approval at the next scheduled COI Committee meeting.<br />
== Additional Information ==<br />
Contact the [mailto:swrobel@unmc.edu Chief Compliance Officer]<br /><br />
Contact the [mailto:dthomas@unmc.edu Associate Vice Chancellor for Business and Finance] <br /><br />
[[Conflict_of_Interest_Procedures|Conflict of Interest Procedures]]<br /><br />
[http://webmedia.unmc.edu/policy/8010-1.doc Appendix 1 - Disclosure of Potential Business Conflict of Interest]<br /><br />
[[Research Conflict of Interest Procedures]]<br /><br />
[[Outside Employment]] Policy<br /><br />
[http://www.unmc.edu/hr/Forms/outactapp.pdf Application for Permission to Engage in Professional Activity Outside the University]<br /><br />
[http://webmedia.unmc.edu/policy/COIForm.doc Disclosure of Potential Conflict of Interest Form] <br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammerhttps://wiki.unmc.edu/index.php?title=Conflict_of_Interest&diff=1912Conflict of Interest2013-06-11T15:07:22Z<p>Spammer: </p>
<hr />
<div><table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"><br />
<tr><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Human Resources]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Safety/Security]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Compliance]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Privacy/Information Security]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td><br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td><br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td><br />
</tr><br />
</table><br />
<br /><br />
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Copyright]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts Policy]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]]<br />
<br /><br /><br />
Policy No.: '''8010'''<br /><br />
Effective Date: '''09/04/07'''<br /><br />
Revised Date: '''09/18/12'''<br /><br />
Reviewed Date: '''09/18/12'''<br />
<br /><br /><br />
<big>'''Conflict of Interest Policy'''</big> <br />
== Basis for Policy ==<br />
Statutes, regulations, University policies and accreditation standards related to conflict of interest identification and management are: <br />
#"Responsibility of Applicants for Promoting Objectivity in Research for which Public Health Service Funding is Sought and Responsible Prospective Contractors" regulations at 42 CFR Part 50 and 45 CFR Part 94 <br />
#"Financial Disclosure by Clinical Investigators" Food & Drug Administration regulations at 21 CFR Part 54 <br />
#Nebraska Conflict of Interest Statute at Neb. Rev. Stat. §49-1493 et. seq. <br />
#Bylaws of the Board of Regents of the University of Nebraska Sections 3.10, 3.45 and 3.8 <br />
#Board of Regents Conflict of Interest Policy, RP-3.2.8 <br />
#Board of Regents Patent & Technology Policy, RP-4.4.2 <br />
#UNMC Human Research Protections Policy #3.12, "Identification and Management of Potential Financial Conflicts of Interest of Research Personnel" <br />
#UNMC Policy No. 1049, [[Outside Employment]] <br />
#UNMC "Interactions between College of Medicine Faculty, Staff & Trainees and Health Care Vendors" policy <br />
== Policy ==<br />
Potential conflicts of interest arise in a variety of circumstances in the academic health sciences center environment when an individual's private financial interests either conflict with or create the appearance of conflicting with UNMC's public interests. This policy applies to potential conflict of interest arising in any UNMC activity, including but not limited to research, teaching, patient care, outreach to underserved populations and the associated business activities in support of them. Covered Persons shall disclose all financial interests related to their University of Nebraska responsibilities so that an analysis of potential conflict of interest may be conducted. When a conflict of interest is identified, the conflict will either be managed or eliminated to reduce the appearance of bias and maintain responsible stewardship of public resources. This policy shall be publicly posted in the UNMC [[Policies and Procedures]] manual on the UNMC internet site. <br />
== Definitions ==<br />
'''Covered Person''' under Regents Policy 3.2.8 shall mean: <br />
#University administrative officers and employees, specifically including any University employees with delegated signature, purchasing or contracting authority on behalf of the university; <br />
#University employees and faculty engaged in outside employment or other activities specified in this policy (tech transfer/use of University facilities or equipment) that may create a Conflict of Interest; and <br />
#Sponsored research investigators who participate in sponsored research; and non-sponsored research investigators participating in human subjects or animal subjects research. <br />
'''Investigator''' under PHS regulations shall mean the project director or principal investigator and any other person, regardless of title or position, who is responsible for the design, conduct or reporting of research which may include graduate students, post-docs, residents, collaborators or consultants. <br />
'''Conflict of Interest (COI)''' under Regents Policy 3.2.8 shall mean situations when a Covered Person's direct or indirect personal financial interest, (whether or not the value is readily ascertainable) may compromise, or have the appearance of compromising, the Covered Person's professional judgment or behavior in carrying out his or her obligations to the University of Nebraska. This includes indirect personal financial interests of a Covered Person that may be obtained through third parties such as a Covered Person's immediate family, business relationships, fiduciary relationships, or investments.<br /><br />
<br />
'''Equity''' includes any stock, stock option, or other ownership interest, as determined through reference to public prices or other reasonable measures of fair market value. <br /><br />
<br />
'''Financial Conflict of Interest (FCOI)''' under PHS regulations means a Significant Financial Interest that the COI Officer or COI committee reasonably determines could directly and significantly affect the design, conduct or reporting of research. <br /><br />
<br />
'''Immediate Family''' under Regents Policy 3.2.8 shall mean an individual who is a spouse, child, brother, sister, grandchild, or grandparent, by blood, marriage, or adoption of the Covered Person. <br /><br />
<br />
'''Institutional Conflict of Interest (ICOI)''' may occur when the University or a Covered Person in a senior administrative position has a financial interest in a commercial entity that itself has an interest in a University research project, including potential conflicts with equity/ownership interests or royalty arrangements. <br /><br />
<br />
'''Institutional Responsibilities''' means professional responsibilities on behalf of the University of Nebraska which may include activities such as professional service including patient care, teaching, research & research consultation, outreach, administrative, institutional committee membership including service on panels such as the Institutional Review Board or Data and Safety Monitoring Boards, and other duties as specified in the Covered Person's job description and/or employment agreement. <br /><br />
<br />
'''Remuneration''' includes salary and any payment for services not otherwise identified as salary including but not limited to consulting fees, honoraria, and paid authorship. <br /><br />
<br />
'''Senior/Key Personnel''' means the Project Director (PD)/Principal Investigator (PI) and any other person identified as senior/key personnel in the UNMC grant application, progress report, or any other report submitted to the PHS by UNMC. <br /><br />
<br />
'''Significant Financial Interest''' means a financial interest of the Investigator or his/her Immediate Family Member that reasonably appears to be related to the Investigator's Institutional Responsibilities, and: <br />
#If with a publicly traded entity, the value of any remuneration received from the entity in the twelve months preceding the disclosure and the value of any equity interest in the entity as of the date of the disclosure, when aggregated, exceeds $5,000; <br />
#If with a non-publicly traded entity, the value of any remuneration received exceeds $5,000 or when a research Investigator or Immediate Family holds any equity interest; <br />
#Intellectual property rights and interests upon receipt of income related to such rights and interests, excluding income paid by the University of Nebraska.; <br />
#For PHS-funded research investigators, includes reimbursed or sponsored travel, excluding travel that is reimbursed or sponsored by a Federal, state, or local government agency, an Institution of higher education, an academic teaching hospital, a medical center, or a research institute affiliated with an Institution of higher education. <br />
==Conflict of Interest Management Roles and Responsibilities ==<br />
===COI Officer===<br />
The UNMC Conflict of Interest Officer shall be responsible for implementing the UNMC COI management program. The COI management program shall also include review and approval of the "Application for Authorization to Engage in Outside Professional Activity" forms as delegated by the Chancellor with associated management of conflict of commitment under Regents Policy 3.8. and UNMC Policy 1049, [[Outside Employment]]. The COI Officer shall: <br />
#Ensure UNMC policy meets Board of Regents policy and state and federal regulatory requirements; <br />
#Implement annual disclosure requirements for Covered Persons and monitor to ensure compliance. The UNMC electronic Annual Disclosure of Financial Interest form is incorporated into this policy by reference. The Annual Disclosure of Interest and Application for Authorization to Engage in Outside Professional Activity forms are located at: http://net.unmc.edu/rss/ . <br />
#Coordinate identified conflict of interest matters with Sponsored Programs Administration, UNeMED, the Institutional Review Board (IRB), the Institutional Animal Care and Use (IACUC) committee, the Associate Vice Chancellor, Business and Finance (for business COI), and the Continuing Medical and Nursing Education offices as relevant; <br />
#'''COI Education.''' Provide COI education to covered persons at time of hire, and every four years thereafter. For investigators conducting Public Health Service (PHS) sponsored research, education shall be completed prior to the expenditure of any PHS funds. <br />
#When Covered Persons have significant financial interests related to their institutional responsibilities, present information to the COI committee for potential COI management plan creation. <br />
#'''Report FCOI to PHS'''. When the COI committee has implemented a COI management plan for PHS-funded research, update the PHS e-Commons with the FCOI report provided by the COI committee. Provide initial, annual and revised FCOI reports, if applicable for both UNMC and its subrecipients. Revised FCOI reports shall be submitted within 60 days of identification for new Investigators added to a grant, or newly identified FCOIs for existing investigators. The FCOI report shall contain the following elements: <br />
:#The role and principal duties of the conflicted Investigator in the research project; <br />
:#Conditions of the management plan; <br />
:#How the management plan is designed to safeguard objectivity in the research project; <br />
:#Confirmation of the Investigator's agreement to the management plan; <br />
:#How the management plan will be monitored to ensure Investigator compliance; and <br />
:#Other information as needed. <br />
#'''Conduct retrospective review.''' If UNMC identifies a significant financial interest that was not disclosed by a research Investigator in a timely manner, or was not reviewed by UNMC, the COI officer shall, within sixty (60) days: review the significant financial interest and determine whether it is related to PHS-funded research. The COI committee shall determine whether a financial conflict of interest exists, and, if so, implement an interim COI management plan. Within 120 days, the COI committee shall complete a documented retrospective review of the research Investigator's activities and the PHS-funded research project to determine whether any PHS-funded research conducted during the period of non-compliance was biased in the design, conduct or reporting of such research. The documented review shall contain all of the elements required by the PHS regulations. <br />
#'''Reporting Bias & Mitigation Report.''' If bias is found with the design, conduct or reporting of PHS-funded research, the COI Officer shall notify the PHS awarding component promptly and submit a Mitigation Report containing the retrospective review information and a description of the impact of the bias on the research project and UNMC's plan of actions taken to eliminate or mitigate the effect of the bias. <br />
#If the research is clinical research whose purpose is to evaluate the safety or effectiveness of a drug, medical device, or treatment, the COI committee shall require the Investigator to disclose the FCOI in each public presentation of the results of the research, and request an addendum to previously published presentations, in addition to any applicable disclosure listed below in Disclosure of Financial Interest. <br />
#'''Public Disclosure.''' Disclose Financial Conflicts of Interest (FCOI) of senior/key personnel involved in Public Health Service funded research only as determined by the COI Committee in response to public requests within five (5) business days of the request as required by PHS regulations. These requests shall be coordinated with the University of Nebraska Records Management Officer. <br />
#'''Board of Regents Annual Report.''' Submit the annual Conflict of Interest and Outside Activities report to the University of Nebraska Director of Internal Audit and Advisory Services for review by the Board of Regents Audit Committee. <br />
===Covered Persons===<br />
#'''Annual Disclosure of Financial Interest.''' Individuals covered under this COI policy shall complete a UNMC Annual Disclosure of Financial Interest Questionnaire through the UNMC electronic e-Disclosure system annually. Covered Persons shall receive an e-mail notification from the Compliance Department to complete the form. The UNMC Disclosure of Financial Interest form contains all elements required under Board of Regents policy and federal regulations (including PHS regulations) and is incorporated into this policy by reference. The e-Disclosure system may be accessed through the Research Support System (RSS) website at: http://net.unmc.edu/rss/ . Individuals shall disclose all financial interests related to their University of Nebraska (institutional) responsibilities. <br />
#'''Research Investigators''' shall review and update their Annual Disclosure of Financial Interest when sponsored grants and contracts are submitted, including PHS-funded research. Investigators shall update their Annual Disclosure of Financial Interest form within thirty (30) days of discovering or acquiring a Significant Financial Interest and on an annual basis thereafter during the period of the award. <br />
#'''Education.''' Covered Persons shall complete education on Board of Regents COI policy, UNMC COI policy, and PHS COI regulations, and their disclosure responsibilities prior to initially completing the Annual UNMC Disclosure of Financial Interest, and every four (4) years thereafter. Covered Persons shall not spend any PHS research funds until education has been completed. <br />
#'''Disclosure of Financial Interest.''' Covered Persons who are research Investigators shall disclose the nature of all financial interests related to their research (e.g. consulting advisory board, intellectual property) in all publications and presentations and to all UNMC personnel involved in the research project, including students. In human subjects research, Investigators shall disclose their financial interests related to the research in the informed consent, as required by UNMC HRPP Policy 3.01. <br />
#'''Appeal Rights.''' Covered Persons may appeal adverse decisions made under this policy to the Vice Chancellor for Academic Affairs. The appeal shall be in writing and contain a description of the adverse decision, justification for why the decision should be changed, and the change desired. The appeal request shall be submitted to the COI Officer. The VCAA shall respond in writing to the Covered Person with his/her decision within thirty (30) days of receipt. The VCAA's decision is final. <br />
===COI Committee.===<br />
The UNMC COI Committee composition and operating procedures are contained in Appendix A. The COI Officer shall be a member of the COI committee and shall provide administrative support for the committee. The COI committee shall: <br />
#Provide oversight over the UNMC COI program, advise the COI officer, and provide guidance on UNMC COI policy matters. <br />
#Review Significant Financial Interests. Review Disclosures of Financial Interest in the amount of $5,000 and above for research Investigators and determine if these Significant Financial Interests are related to the research, and, if so related, whether the Significant Financial Interest constitutes a Financial Conflict of Interest. A Significant Financial Interest is a Financial Conflict of Interest if it could directly and significantly affect the design, conduct , or reporting of research, including PHS-funded research. <br />
#Create COI Management Plans for Financial Conflicts of Interest. <br />
#Conduct retrospective reviews of newly identified Significant Financial Interests as described in Conduct Retrps[ectove Review above. <br />
#Review COI Policy violations and recommend sanctions, if appropriate, to the Vice Chancellor Academic Affairs and to the appropriate UNMC administrator responsible for supervision of the individual(s) violating the policy. <br />
===Sponsored Programs Administration===<br />
Sponsored Programs Administration shall: <br />
#Notify all research Investigators submitting sponsored grant/contract proposals to review their Annual Disclosure of Financial Interest form and update the information as needed. Sponsored Programs Administration shall verify review has been completed for all applications. <br />
#Coordinate with the COI Officer when Investigators disclose significant financial interests related to the sponsored project to determine if a COI management plan is required. <br />
'''Subrecipients.''' Include provisions in PHS-funded subrecipient agreements that: <br />
#the subrecipient certifies that its FCOI policy complies with PHS regulations or in the alternative that the subrecipient will follow the UNMC COI policy; and <br />
#the subrecipient shall report identified FCOIs for its Investigators in a timely manner so UNMC can report identified FCOIs to the PHS in the time frames in '''Repprt FCOI to PHS''' and '''Conduct retrospective review''' above. <br />
===Associate Vice Chancellor, Business and Finance===<br />
The Associate Vice Chancellor of Business and Finance shall manage business conflict of interest by reviewing all Annual Disclosure of Financial Interest questionnaires completed by Covered Persons with contract signature authority under Executive Memorandum 13 and 14; Covered Persons with purchasing authority; Covered Persons who identify family member(s) with a financial interest with the University of Nebraska; and any other potential business-related financial interest identified by the COI Officer through the annual COI disclosure process or by any other person at UNMC. Business COI management plans shall be created to minimize the appearance of bias in decision-making and ensure state and federal regulations and University of Nebraska business-related policies are followed. Business COI management plans shall be reported through the UNMC COI committee and reported on the Annual COI report to the Board of Regents Audit committee. <br />
===Institutional Review Board (IRB)===<br />
The IRB shall require all Covered Persons listed on the IRB application who have a financial interest to update their Annual Disclosure of Financial Interest form pursuant to UNMC HRPP Policy #3.12. The IRB shall review and approve proposed COI management plans as described in HRPP Policy #3.12. <br />
===UNeMED===<br />
The President of UNeMED or designee shall coordinate with the COI officer on UNeMED activities where it appears that a Covered Person's or UNMC's financial interest may be a potential individual or institutional conflict of interest, including intellectual property interests and equity interests involving technology transfer companies. <br />
===Continuing Education Offices===<br />
UNMC is accredited by the Accreditation Council for Continuing Medical Education (ACCME). The Continuing Medical Education (CME) office shall review disclosures of financial interest for UNMC employees who are serving as course directors, faculty or peer reviewers for UNMC CME courses, as required by the ACCME Standards for Commercial Support. <br />
==Institutional Conflict of Interest Management ==<br />
In order to avoid real or perceived favoritism in relationships with research sponsors, each/every potential Institutional COI shall be reported. Any Covered Person who has knowledge of potential Institutional COI shall report the information to the COI Officer. Potential Institutional COI may be identified through the Annual Disclosure of Financial Interest questionnaire for senior administrative personnel. The COI Officer shall convene a group of senior UNMC officials appointed by the Chancellor to review the disclosure and propose a management plan for Chancellor approval if appropriate. It is important to note that PHS COI regulations do not cover institutional conflict of interest. <br />
==Records Retention==<br />
All Disclosure of Financial Interest information, COI management plans and all Public Health Service-funded Financial Conflict of Interest-related records shall be retained for the fiscal year in which the grant or contract is closed plus seven (7) years as required by Board of Regents Records Retention Schedule 170-8, "Sponsored Projects (Grants)". No destruction of records shall take place if there is a Preservation Hold in effect, or if any litigation, claim, negotiation, audit or other actions involving the records have been started before the expiration of the retention period. The records must be retained until completion of the action and resolution of all issues which arise from it, or the seven year retention period, whichever is later, as required under 45 CFR 74.53 and 92.42. <br />
==Public Accessibility of PHS-funded Senior/Key Personnel FCOI ==<br />
Upon request, the COI Officer shall make available to the public information concerning identified FCOIs held by Senior/Key personnel receiving PHS research funding as required by PHS regulations. Information shall be provided in writing within five (5) business days of the request. The COI officer shall coordinate these public requests with the University of Nebraska Records Management Officer. All other financial interest disclosure information and conflict of interest determinations shall remain confidential and may be withheld from the public as permitted under Neb. Rev. Stat. 84-712.05, "Records which may be withheld from the public; enumerated." <br />
==Sanctions ==<br />
Covered Persons who violate this policy may receive corrective action under UNMC Policy No. 1098, [[Corrective/Disciplinary Action|Corrective and Disciplinary Action Policy]]. The COI Committee may also recommend other corrective action such as additional training, or for serious violations, recommend that research funding be withheld or recommend other appropriate sanctions to maintain the integrity of the research. The Vice Chancellor of Academic Affairs shall review and approve all proposed sanctions. The sanctions shall be coordinated with the respective Dean, Director or Vice Chancellor for enforcement. <br />
<br />
==Additional Information==<br />
<P>For additional information, contact the [mailto:swrobel@unmc.edu Chief Compliance Officer].<br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].<br />
<br />
== Policy 8010 Appendix A ==<br />
<big>Conflict of Interest Committee (COIC) Governance</big><br /><br />
'''COI Committee Composition.''' The COI Committee shall have at least 16 members representing the following areas: </P><br />
<P><br />
{| class="wikitable" border="1"<br />
|-<br />
| College of Medicine<br />
| Vice Chancellor for Business & Finance<br />
|-<br />
| College of Dentistry<br />
| Vice Chancellor for Research<br />
|-<br />
| College of Pharmacy<br />
| Compliance/Conflict of Interest Officer<br />
|-<br />
| College of Nursing<br />
| Sponsored Programs Administration<br />
|-<br />
| College of Public Health<br />
| Institutional Review Board<br />
|-<br />
| Eppley Cancer Institute<br />
| Associate General Counsel for Healthcare<br />
|-<br />
| Munroe Meyer Institute<br />
| Center for Continuing Medical Education<br />
|-<br />
| Vice Chancellor for Academic Affairs<br />
| Community Member<br />
|}<br />
<br />
'''Membership Term.''' COI Committee members shall serve for a term of three years, which may be automatically renewed upon mutual agreement of the member and the Chancellor or his/her designee. New members shall be nominated by the department/unit and approved by the Vice Chancellor of Academic Affairs or his/her designee. The Chancellor or his/her designee shall appoint a faculty chair of the COI Committee. The Vice Chancellor of Academic Affairs or his/her designee shall select the community member. The Chancellor or his designee can appoint additional voting and non-voting members. <br /><br />
<br /><br />
<br />
'''Quorum.''' A quorum is required for meetings to be conducted. More than half of the membership present will constitute a quorum.<br /><br />
<br /><br />
Voting. All committee members are eligible to vote. No regular motion shall pass unless a majority of the COI Committee members present vote in favor of the motion.<br /><br />
<br /><br />
'''COIC Member Conflicts.''' If a COIC member has a conflict of interest with a specific matter being discussed, the member shall declare that he/she has a potential conflict and shall not vote on the matter. Such conflicts may arise when:<br />
#the member is participating in the research under review;<br />
#the member has a financial relationship with a research sponsor under review; or <br />
#the member has a personal relationship or conflict with the individual under review that could potentially cause the member to be perceived as less than objective in his/her review.<br />
'''Committee Review by Telephone/Electronically'''. While face-to-face meetings will normally be held, committee review of potential conflicts may be conducted by telephone or electronically at the discretion of the COI Committee chair.<br /><br />
<br /><br />
'''Meeting Minutes.''' The COI Coordinator chair shall prepare meeting minutes and present them for approval at the next scheduled COI Committee meeting.<br />
== Additional Information ==<br />
Contact the [mailto:swrobel@unmc.edu Chief Compliance Officer]<br /><br />
Contact the [mailto:dthomas@unmc.edu Associate Vice Chancellor for Business and Finance] <br /><br />
[[Conflict_of_Interest_Procedures|Conflict of Interest Procedures]]<br /><br />
[http://webmedia.unmc.edu/policy/8010-1.doc Appendix 1 - Disclosure of Potential Business Conflict of Interest]<br /><br />
[[Research Conflict of Interest Procedures]]<br /><br />
[[Outside Employment]] Policy<br /><br />
[http://www.unmc.edu/hr/Forms/outactapp.pdf Application for Permission to Engage in Professional Activity Outside the University]<br /><br />
[http://webmedia.unmc.edu/policy/COIForm.doc Disclosure of Potential Conflict of Interest Form] <br /><br />
<br /><br />
This page maintained by [mailto:dpanowic@unmc.edu dkp].</div>Spammer