Use and Disclosure of Protected Health Information: Difference between revisions

Jump to navigation Jump to search
no edit summary
mNo edit summary
No edit summary
Line 26: Line 26:
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
<br /><br />
<br /><br />
Policy No.: '''6057'''<br />
Policy No.: '''6057'''<br />
Effective Date: '''03/17/03'''<br />
Effective Date: '''03/17/03'''<br />
Revised Date: '''10/30/2013'''<br />
Revised Date: '''draft 08/31/22'''<br />
Reviewed Date: '''10/29/2013'''<br />
Reviewed Date: ''' '''<br />


<big>'''Use and Disclosure of Protected Health Information Policy'''</big>  
<big>'''Use and Disclosure of Protected Health Information Policy'''</big>  
== Basis for Policy ==  
== Basis for Policy ==  
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.
== Policy ==  
== Policy ==  
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27].
Nebraska Medicine/UNMC shall limit the use and disclosure of Protected Health Information (PHI) to the right people, for the right purposes, with the right authority, and always subject to reasonable safeguards -- all as defined by the [https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)] and Nebraska Medicine/UNMC policies.
== Definitions ==
==Purpose==
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
To establish guidelines for the use and disclosure of PHI.
===General Policies Governing the Use and Disclosure of PHI===
#Each use or disclosure of PHI must be an authorized use or disclosure (either by a written patient authorization or Nebraska Medicine/UNMC policy). Some of the authorized uses and disclosures are described in this policy and associated policies.
#The use or disclosure of PHI must be in accordance with the [https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices].
#The Workforce member using or disclosing the PHI must do so only as necessary to perform assigned duties.
#The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy, and the Authorized Consenting Persons section of the Consents and Permits policy.)  '''need Nebr Med policy #s'''
#Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
#Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.)  '''need Nebr Med policy #'''
#If a disclosure of PHI is subject to a patient’s right to an accounting, it must be documented per UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures].  Also note the documentation requirements listed throughout this policy and associated policies.
#Requests for uses and disclosures of PHI that are not clearly addressed in Nebraska Medicine/UNMC policies must be considered and resolved by a designated decision-maker. The [mailto:debrbishop@nebraskamed.com Privacy Officer] is the designated decision-maker unless someone else is designated by the [mailto:privacy@nebraskamed.com Privacy Office] (at 402-559-5136) for a particular policy or situation. (See Consents and Permits policy.) '''need Nebr Med policy #'''
#All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
#Improper uses and disclosures of PHI should be immediately brought to Privacy Office’s attention so it can consider and facilitate the implementation of any effective mitigation or remedial steps.
#All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures. 
==Procedures==
Protected Health Information (PHI) may be used and disclosed within the [ Affiliated Covered Entity (ACE)] for each member’s own treatment, payment and [ Health Care Operations] if it has or is about to have a treatment relationship with the patient supporting its need for such use or disclosure of such information, without having to obtain the patient’s authorization. ACE entities also may share PHI with one another without patient authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />
 
Members of the Workforce may access patient information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose.  Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
===Treatment===
Nebraska Medicine/UNMC may disclose Protected Health Information to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information. 
#If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes. 
#If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the patient was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of the Health Information Management department (HIM) should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the patient who is the subject of such PHI.
===Payment===
Nebraska Medicine/UNMC may disclose Protected Health Information to another provider or covered entity for its payment purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes. 
===Health Care Operations===
Nebraska Medicine/UNMC may disclose Protected Health Information to another covered entity (including members of its medical staff) for certain health care operations of the requesting covered entity if the following steps are followed. Requests of this type are expected to be infrequent.
#Nebraska Medicine/UNMC should confirm and document that the requesting covered entity: (i) is a covered entity; (ii) has a relationship with the Individual whose Protected Health Information is requested; and (iii) is requesting and will use Protected Health Information for a qualifying health care operations use.
#Only the following health care operations of the requesting covered entity support a disclosure to the covered entity for its use of PHI in health care operations:
##Quality assessment activities, utilization management activities, and activities designed to measure or improve care or reduce costs.
##Peer review activities.
##Health care fraud and abuse detection or compliance efforts.
#The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it.
IV. Incidental Disclosures
Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties.  In such cases, the following standards should be met:
 
1. The unintended disclosure of PHI must be a consequence of a permitted use or disclosure.
2. The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
3. Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
a. Use common sense and judgment – look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside patient rooms should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; patients in public areas or being transported should be draped in a manner that respects the patient’s modesty or dignity).
b. Speak in a lower voice;
c. Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of patients receiving treatment through the use of curtains or other visual barriers whenever possible);
d. Pull the dividers or partitions between the patient and other patients or visitors; and
e. Ask if the patient would prefer to talk in a more private location.
V.  Disclosures to the Patient
Nebraska Medicine/UNMC may disclose Protected Health Information to the patient or his/her Personal Representative. 
The patient has a right to see and obtain copies of Protected Health Information maintained in the patient’s designated record set.  Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented.  Please refer to Access & Amendment of Designated Record Set policy.
1. For other disclosures to the patient –
a. For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
i.     Notation in the medical, billing or other record from which the material was obtained
ii. Electronic notation such as Quick Disclosure (Epic) in the database from which the information was obtained
b. It is not necessary to document oral disclosures to Individuals, unless required by nursing, medical staff or other policies.  This policy recognizes that there is constant exchange of information between health care providers and Individuals during episodes of care.
c. When disclosing to the patient, appropriate safeguards should be taken to reduce the risk that people other than the patient or people permitted by the patient will hear the disclosure.  Examples of such safeguards would include:
i. Asking the patient if the patient would prefer to talk in a more private location.
ii. Confirming with the patient that it is okay to proceed with the conversation while friends, relatives or others are present.
iii. Speaking in a lower voice.
iv. Pulling the dividers or partitions between the patient and other patients or visitors.
v. Providing more privacy through partitions and room arrangements.
2. The minimum necessary standard does not apply to disclosures to the patient.
VI. Disclosures to Family, Friends and Others
1. Facility Directory.  Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the patient by name, or to members of the clergy, in accordance with applicable policies.  Reference Private Designation policy, for additional details.
2.  Disclosures with the Patient’s Permission
a. You may disclose Protected Health Information to the patient in the presence of others if the patient is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object.  Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient.
b. When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the patient's care or payment for care.
c. Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers.  They may have no role in the patient’s care.  They may simply be visiting the patient.  Therefore, try to give the patient every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
d. Do not rely on this authority if the patient is incapacitated or otherwise unable to agree or object to such disclosure.
 
3. Disclosures Based on Role or Involvement in Patient Care
 
a. Follow this policy when disclosing Protected Health Information to a person, other than a Personal Representative, whom you believe plays a role in the patient’s health care (or payment for health care).  For example, follow this policy when you:
 
i. Talk to the patient’s child, other relative, or friend who customarily drives the patient to appointments to confirm the date and time of the next appointment.
 
ii. Give an involved family member the patient’s prescription, so the family member can fill it for the patient.
 
iii. Talk to a family member at discharge, if they play a role in post-discharge care.
 
iv. Talk to the patient’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
 
v. Talk to a family member or friend when the patient indicates you can or should do so – such as if the person accompanies the patient for an appointment or procedure, or is invited and present at admission or discharge.
 
b. If the patient is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following –
 
i. Obtain the patient’s consent to such disclosure;
 
ii. Provide the patient with an opportunity to object, and disclose only if the patient does not object; or
 
iii. Reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object.
 
c. If the patient is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the patient.  If so, disclose only the Protected Health Information directly relevant to the recipient’s involvement in the Individual’s health care.  A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient care to disclose information relevant to the Individual’s involvement.
    Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.
 
d. These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient.
 
4. Disclosure for Notification Purposes
 
Nebraska Medicine/UNMC may disclose Protected Health Information about a patient in order to notify family, friends or others of 
the patient’s whereabouts, general condition or death.  In these cases, Nebraska Medicine/UNMC may not know the details of the
involvement of others in the patient’s care or payment for care.  Therefore, in these cases, try to follow these steps:
 
a. Ask the patient, if possible, whether he or she consents to such disclosure and rely on what the patient says.
 
b. If the patient is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the patient’s care, and make an effort to limit contact to them.
 
c. If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes.  Try asking for the person by order of priority (Reference Consents and Permits policy).  Try to limit disclosures to individuals in the highest priority you can locate.  In the end, use your best professional judgment in deciding how much you can say and to whom.
 
d. When the patient has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the patient’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the patient’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement.  In all such cases, the disclosure of PHI shall be limited solely to the patient’s name and date of birth unless permission has been obtained from the Privacy Office to disclosure additional information.
5. Uses/Disclosure of PHI for electronic Health Information Exchanges (HIEs). 
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved HIEs.  Members of the Workforce may not access their own medical records via the HIE.  Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE.  The Enterprise Applications Executive Director authorizes individual access to the HIE.  The ACE is a member of the following HIEs:
a. CyncHealth (previously NeHII).  CyncHealth participants may access CyncHealth PHI pursuant to CyncHealth’s Privacy and Information Security Policies and Procedures, found at https://cynchealth.org/privacy-security/. If unsure as to whether a particular use or disclosure is permissible, contact the Privacy Office.   
b. Epic-integrated HIE software including but not limited to Care Everywhere.  Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement.  It generally may not be used for payment, healthcare operations, or any other purposes, regardless if otherwise permitted under HIPAA.
i. eHealth Exchange includes federal and non-federal organizations.  Veterans Administration (VA) is a participant of this HIE.  Members of the ACE access this HIE via Care Everywhere; as such,  PHI obtained via the eHealth Exchange generally may only be used or disclosed for treatment purposes.
ii. All users of the eHealth Exchange are required to: cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws; and report any suspected breach of PHI to the Privacy Office immediately.  Users must not disclose passwords or any other security measures to anyone.
VII.  Business Associate Agreements/Addendums
Nebraska Medicine/UNMC shall enter into a business associate agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see Contract Management policy, FN18).
VIII. Use/Disclosure of PHI for Training Healthcare Professionals
Please reference Use/Disclosure of PHI for Training Healthcare Professionals policy.
IX. Use/Disclosure of PHI Permitted/Required by Law
Please reference Disclosures of PHI As Permitted or Required by Law policy.
X. Use/Disclosure of PHI for Law Enforcement Purposes.
Please reference Disclosures of PHI for Law Enforcement Purposes policy.
XI.    Use/Disclosure of PHI for Whistleblowing Purposes.
A Workforce member may disclose PHI for whistleblowing purposes when:
1. The Workforce member believes in good faith that Nebraska Medicine/UNMC engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by Nebraska Medicine/UNMC potentially endangers one or more patients, other Workforce members, or the public; and
2. The disclosure is to:
a. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of Nebraska Medicine/UNMC or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by Nebraska Medicine/UNMC; or
b. An attorney retained by or on behalf of the Workforce member or business associate for the purpose of determining the legal options of the Workforce member or business associate with regard to the conduct described in this section.
XII.  Use/Disclosure of PHI for Marketing
Refer requests for disclosures of PHI for marketing or fundraising purposes to the Office of Privacy.
XIII. Use/Disclosure of PHI for Research
1. All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval.  See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA.  The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA.  To learn more about such waivers, please reference UNMC HRPP policy. 
2. For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):
a. A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
b. Documentation of the death of such Individuals; and
c. A representation that the requested PHI is necessary for the research purposes.
3. Review of PHI Preparatory to Research. Nebraska Medicine/UNMC staff and students who wish to review PHI to prepare a research proposal must submit a "Request for Electronic Health Data" form to the Electronic Health Record Data Access Core to obtain access to such PHI.  This request form is located at: https://www.unmc.edu/cctr/resources/ehr/index.html. 
 
4. Access to PHI for reviews preparatory to research requires that the researcher provide the following representations in advance of such disclosure and use:
a. that the use or disclosure is sought solely to review Protected Health Information as necessary to prepare a research protocol or for similar purposes preparatory to research;
b. that no Protected Health Information is to be removed from the covered entity by the researcher in the course of the review; and
c. that the Protected Health Information for which disclosure and use is sought is necessary for the research purposes.
 
XIV. Sale of Protected Health Information.
Selling Protected Health Information is generally prohibited unless the patient signs an authorization specifically permitting the sale.  This includes any disclosure of PHI where Nebraska Medicine/UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the Protected Health Information. Sale of Protected Health Information does not include certain disclosures of PHI:
a. For public health purposes;
b. For research purposes where the only remuneration received by Organization is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes;
c. For treatment and payment purposes;
d. To a business associate for activities that the business associate undertakes on Nebraska Medicine/UNMC’s behalf (if such business associate executes a business associate agreement with Nebraska Medicine/UNMC);
e. To an Individual who is requesting access to his or her own PHI;
f. As required by law; and
g. For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.  The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies. 
 
De-identified data is not PHI and therefore is not subject to the remuneration prohibition.  However, limited data sets are PHI and are subject to this provision (see the Limited Data Set section below). 
 
XV. Minimum Necessary.
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing Protected Health Information or when requesting Protected Health Information, members of the Workforce must make reasonable efforts to limit Protected Health Information used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request. 
1. The “minimum necessary” standard does not apply to the following requests, uses, and disclosures of PHI:
a. Uses, disclosures or requests among healthcare providers for treatment purposes.
b. Uses or disclosures required by law, so long as the use or disclosure complies with and is limited to the relevant requirements of the law.
c. Disclosures made to the Individual or pursuant to an authorization signed by the Individual.
d. Disclosures made to the Secretary of Health and Human Services or his or her designee.
e. Uses or disclosures required for compliance with the Privacy Rule.
 
2. Workforce.  The minimum necessary standard applies to access and use of Protected Health Information by members of the Workforce.  Each member of the Workforce must avoid intentionally accessing, using or disclosing Protected Health Information except as authorized by Nebraska Medicine/UNMC’s policies. 
a. When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.  Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
b. Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles, and associated levels of access to PHI. Reference Electronic Health Record Access Control policy.
d. Individuals who are performing treatment, payment and healthcare operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.   
3. Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.
a. Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g.,  Health Information Management, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
b. Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.
4. Departments that are not responsible for release of information should release records only under the limited conditions identified in Accounting of Disclosures policy.  All other requests should be sent to HIM.
XVI. Limited Data Set.
1. A limited data set of PHI that excludes certain direct identifiers of the Individual or of relatives, employers, or household members of the Individual may be used and disclosed for the purposes of research, public health, or health care operations:
a. Names;
b. Postal address information, other than town or city, state, or zip code;
c. Telephone numbers;
d. Fax numbers;
e. Electronic mail addresses;
f. Social security numbers;
g. Medical record numbers;
h. Health plan beneficiary numbers;
i. Account numbers;
j. Certificate/license numbers;
k. Vehicle identifiers and serial numbers, including license numbers;
l. Device identifiers and serial numbers;
m. Web Universal Resource Locators (URLs);
n. Internet Protocol (IP) address numbers;
o. Biometric identifiers, including finger and voice prints; and
p. Full face photographic images and any comparable images.
 
2. The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
 
XVII.    De-identification/Re-identification of PHI
1. PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:
a. The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed, and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
1. Names;                   
2. All geographic subdivisions smaller than a state (including street address, city, county, precinct, and zip code);               
3. All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);       
4. Telephone numbers;   
5. Fax numbers;               
6. Electronic mail addresses;           
7. Social Security Numbers;               
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code.
b. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable: d. applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information; and documents the methods and results of the analysis that justify such determination.  The Legal Services department and/or Privacy Office must approve of the use of this de-identification method and the person who performs it.
2. Re-identification of PHI. A code or other means of record identification may be assigned to allow information de-identified above to be re-identified by Organization, provided that:
a. The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and
b. The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
 
XVIII. Disaster Relief Disclosures
Nebraska Medicine/UNMC may disclose Protected Health Information to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.
 
Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts.  Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.
 
1. Limit releases of information to the information needed by the agencies to perform their disaster relief efforts.  Often, this includes such uses as:
 
a. Coordinating availability of care.
 
b. Notification of family and friends.
 
c. Determining the identity of victims and survivors.
 
2. The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances.  Professional judgment under this policy may be exercised and documented by the Privacy Officer or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan.
 
3. The minimum necessary standard does not apply to disclosures to disaster relief agencies.
 
XIX. Authorization Generally Required for all other Uses/Disclosures.
Unless otherwise permitted by this policy, any  use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900). Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy.
 
XX. Compound authorizations.
 
An authorization for use or disclosure of Protected Health Information generally may not be combined with any other document to create a compound authorization, except in the following cases:
1. An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.
2. An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.  
 
 


'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities.<br />


'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:
== Definitions ==
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included
===Health Care Operations===
:#Population-based activities relating to improving health or reducing health care costs
Activities related to UNMC’s function as an affiliated health care provider:
:#Protocol development
#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included
:#Contacting of health care providers and patients with information about treatment alternatives
#Population-based activities relating to improving health or reducing health care costs
:#Case management and care coordination
#Protocol development
:#Risk assessment
#Contacting of health care providers and patients with information about treatment alternatives
#Case management and care coordination
#Risk assessment
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans
:#Training future healthcare professionals (students and residents)
:#Training future healthcare professionals (students and residents)
Line 61: Line 308:
:#Resolution of internal grievances
:#Resolution of internal grievances
:#Fundraising
:#Fundraising
===Payment===
Activities undertaken by a health care provider or health plan to obtain reimbursement for the provision of health care. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above listed activities.<br />
===Treatment===
The provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
:#Is created or received by ACE; and
:#Is created or received by ACE; and
Line 228: Line 483:
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.  
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.  
==Staff Accountability==
[mailto:debrbishop@nebraskamed.com Privacy Officer]
==Additional Information==
==Additional Information==
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6066, [[Psychotherapy Notes]]
*UNMC Policy No. 6066, [[Psychotherapy Notes]]
Line 237: Line 491:
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
*[http://nehii.org/index.php?option=com_docman&Itemid=59 NeHII Privacy and Information Security Policies and Procedures]
*[http://nehii.org/index.php?option=com_docman&Itemid=59 NeHII Privacy and Information Security Policies and Procedures]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]


This page is maintained by [mailto:dpanowic@unmc.edu dkp].
This page is maintained by [mailto:dpanowic@unmc.edu dkp].

Navigation menu