Use and Disclosure of Protected Health Information

From University of Nebraska Medical Center

Policy No.: 6057
Effective Date: 03/17/03
Revised Date: 10/30/2013
Reviewed Date: 10/29/2013

Use and Disclosure of Protected Health Information Policy

Basis for Policy

To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. (45 CFR 164.502)


The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and University of Nebraska Executive Memorandum No. 27.


Treatment means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.

Payment means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities.

Healthcare operations means the following activities related to UNMC’s function as an affiliated healthcare provider:

  1. Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included
  2. Population-based activities relating to improving health or reducing health care costs
  3. Protocol development
  4. Contacting of health care providers and patients with information about treatment alternatives
  5. Case management and care coordination
  6. Risk assessment
  7. Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans
  8. Training future healthcare professionals (students and residents)
  9. Conducting or arranging for legal services
  10. Business planning and development
  11. Business management activities
  12. General administrative and business functions
  13. Conducting or arranging for medical review and auditing services
  14. Insurance activities relating to the renewal of a contract of insurance
  15. Evaluating healthcare provider and plan performance
  16. Resolution of internal grievances
  17. Fundraising

Protected Health Information (PHI) is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:

  1. Is created or received by ACE; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.

Protected Health Information includes genetic information containing individual identifiers which is defined as:

  1. Information about an individual's genetic tests; or
  2. The genetic tests of family members of the individual; or
  3. The manifestation of a disease or disorder in family members of such individual (i.e., family medical history)

Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.

Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.

Health Information Exchange (HIE) is the electronic movement of health-related information among organizations according to nationally recognized standards. The goal of health information exchange is to facilitate access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health information exchange organizations (HIOs) provide the capability to electronically move clinical information between disparate health care information systems.

Affiliated Covered Entity (ACE) means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.

Individual means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.

Marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing.

Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE. See Use and Disclosure of PHI for Research.

Sale of Protected Health Information means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information.


Use/Disclosure of PHI Related to Healthcare

Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.

  1. Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.
  2. The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.

The ACE may disclose PHI for the treatment activities of a healthcare provider.

The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.

Use of electronic health information exchanges (HIEs). The ACE may access and disclose PHI through ACE-approved HIEs. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The ACE is a member of two HIEs:

  1. Nebraska Health Information Initiative (NeHII). NeHII participants may access NeHII PHI for treatment, payment and limited health care operations purposes. Refer to the NeHII Privacy and Information Security Policies and Procedures or contact the Privacy Office if you are unsure whether a particular use of NeHII PHI is permissible.
  2. EPIC Care Everywhere and Care Elsewhere. Use of EPIC Care Everywhere and Care Elsewhere is restricted to treatment purposes only. It cannot be used for payment, healthcare operations or other purposes otherwise permitted under HIPAA.

UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.

Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See UNMC Policy No. 6058, Notice of Privacy Practices.

Individuals will be given the opportunity to agree or object to the following uses/disclosures of their PHI:

  1. Use of their name, location and general condition in the facility directory.
  2. Disclosure of religious affiliation to clergy members.
  3. Disclosure to a family member, other relative, or close personal friend of the individual, or any other person identified by the individual, of the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.

Request for restrictions

Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family members or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.

  1. All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.
  2. Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.

Use/Disclosure of PHI Related to Training Healthcare Professionals

Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliated institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.

Use/Disclosure of PHI Permitted/Required by Law

Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:

  1. Disclosure required by law
  2. Disclosures for public health activities when the public health authority is authorized by law to receive reports (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)
    1. Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.
  3. Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.
  4. Disclosures for law enforcement purposes. See Use and Disclosure of PHI for Law Enforcement Purposes.
  5. Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.
  6. Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.
  7. Disclosure about decedents to medical examiners and coroners consistent with law.
  8. Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.
  9. Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.
  10. Disclosures to prevent serious threat to health or safety consistent with applicable law.
  11. Disclosures about military personnel to military command authority in limited circumstances.

Use/Disclosure of PHI for Law Enforcement Purposes

PHI may be disclosed to law enforcement under the following circumstances:

  1. Laws require reporting violent wounds to law enforcement
  2. A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.
  3. Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only: name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date of death, and distinguishing characteristics.
    1. May not provide DNA information, blood samples, dental records, tissue or other fluid samples
  4. If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.
  5. Patient is deceased and the death is (or is suspected to be) the result of criminal conduct.
  6. Crime (or suspected crime) occurred on UNMC campus.
  7. UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)

Use/Disclosure of PHI for Marketing

The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA. Additionally, the following activities are not marketing under HIPAA:

  1. Communication for treatment of the individual.
  2. Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual.
  3. Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and
    1. Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits

Uses and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.

Use/Disclosure of PHI for Fundraising

Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.

Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising.

  1. Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth
  2. Dates of healthcare provided to an individual
  3. Department of service information
  4. Treating physician
  5. Outcome information; and
  6. Health insurance status

Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization.

All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt out without incurring costs. If an individual opts out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.

Use/Disclosure of PHI for Research

All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA.

Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a Request for Electronic Health Data form to the Electronic Health Record Core to obtain access to PHI.

Sale of Protected Health Information

Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:

  1. For public health purposes
  2. For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
  3. For treatment and payment purposes
  4. To an individual where the individual is requesting access to their own PHI
  5. Required by law; and
  6. For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.

De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.

Authorization Required for all other Uses/Disclosures

All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in UNMC Policy No. 6066, Psychotherapy Notes.

Minimum Necessary

When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. (45 CFR 164.502(b))

  1. Role-based Access: access to PHI shall be based on role performed as specified in the following:
    1. Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI
  2. Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.
  3. Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.
    1. Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).
    2. Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.
  4. The following uses/disclosures of PHI are not subject to the minimum necessary requirement:
    1. Disclosure to healthcare providers for treatment purposes
    2. Disclosures required by law
    3. Disclosures made to the individual or pursuant to an authorization initiated by the individual
    4. Disclosure made to the Secretary of HHS for enforcement purposes
    5. Electronic data elements transmitted in electronic claims

Limited Data Set

A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations. A limited data set excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:

  1. Names
  2. Postal address information, other than town or city, state or zip code
  3. Telephone numbers
  4. Fax numbers
  5. Electronic mail addresses
  6. Social security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers, including license numbers
  12. Device identifiers and serial numbers
  13. Web Universal Resource Locators (URLs)
  14. Internet Protocol (IP) address numbers
  15. Biometric identifiers, including finger and voice prints; and
  16. Full face photographic images and any comparable images

The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.

De-Identification/Re-Identification of PHI (164.514)

De-Identification of PHI. PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:

  1. Names
  2. All geographic subdivisions smaller than a state
  3. All elements of dates except year, for dates related to the individual
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and other comparable images; and
  18. Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below

Re-Identification of PHI. A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) to be re-identified by UNMC, provided that:

  1. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
  2. The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.

Staff Accountability

Privacy Officer

Additional Information

This page is maintained by dkp.