Use and Disclosure of Protected Health Information: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 173: Line 173:
#As required by law; and
#As required by law; and
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.   
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.   
De-identified data is not PHI and therefore is not subject to the remuneration prohibition.   However, limited data sets are PHI and are subject to this provision (see the [https://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&action=edit#Limited_Data_Set).   
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision (see the section on [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Limited_Data_Set Limited Data Set]).   
===Minimum Necessary===
===Minimum Necessary===
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing Protected Health Information or when requesting Protected Health Information, members of the Workforce must make reasonable efforts to limit Protected Health Information used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.   
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing PHI or when requesting PHI, members of the Workforce must make reasonable efforts to limit Protected Health Information used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.   
1. The “minimum necessary” standard does not apply to the following requests, uses, and disclosures of PHI:
#The “minimum necessary” standard does not apply to the following requests, uses and disclosures of PHI:
a. Uses, disclosures or requests among healthcare providers for treatment purposes.
##Uses, disclosures or requests among healthcare providers for treatment purposes.
b. Uses or disclosures required by law, so long as the use or disclosure complies with and is limited to the relevant requirements of the law.
##Uses or disclosures required by law, so long as the use or disclosure complies with and is limited to the relevant requirements of the law.
c. Disclosures made to the Individual or pursuant to an authorization signed by the Individual.
##Disclosures made to the Individual or pursuant to an authorization signed by the Individual.
d. Disclosures made to the Secretary of Health and Human Services or his or her designee.
##Disclosures made to the Secretary of Health and Human Services or his or her designee.
e. Uses or disclosures required for compliance with the Privacy Rule.
##Uses or disclosures required for compliance with the '''''Privacy Rule'''''.
 
#Workforce.  The minimum necessary standard applies to access and use of Protected Health Information by members of the Workforce.  Each member of the Workforce must avoid intentionally accessing, using or disclosing Protected Health Information except as authorized by Nebraska Medicine/UNMC’s policies.   
2. Workforce.  The minimum necessary standard applies to access and use of Protected Health Information by members of the Workforce.  Each member of the Workforce must avoid intentionally accessing, using or disclosing Protected Health Information except as authorized by Nebraska Medicine/UNMC’s policies.   
##When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.  Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
a. When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.  Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
##Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles, and associated levels of access to PHI. Reference Electronic Health Record Access Control policy.
b. Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles, and associated levels of access to PHI. Reference Electronic Health Record Access Control policy.
##Individuals who are performing treatment, payment and healthcare operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.     
d. Individuals who are performing treatment, payment and healthcare operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.     
#Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.  
3. Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.  
##Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g., HIM, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
a. Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g., Health Information Management, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.  
b. Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.  
#Departments that are not responsible for release of information should release records only under the limited conditions identified in UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]. All other requests should be sent to HIM.
4. Departments that are not responsible for release of information should release records only under the limited conditions identified in Accounting of Disclosures policy. All other requests should be sent to HIM.
===Limited Data Set===
===Limited Data Set===
1. A limited data set of PHI that excludes certain direct identifiers of the Individual or of relatives, employers, or household members of the Individual may be used and disclosed for the purposes of research, public health or health care operations:  
#A limited data set of PHI that excludes certain direct identifiers of the Individual or of relatives, employers, or household members of the Individual may be used and disclosed for the purposes of research, public health or health care operations:  
a. Names;
##Names;
b. Postal address information, other than town or city, state, or zip code;
##Postal address information, other than town or city, state, or zip code;
c. Telephone numbers;
##Telephone numbers;
d. Fax numbers;
##Fax numbers;
e. Electronic mail addresses;
##Electronic mail addresses;
f. Social security numbers;
##Social security numbers;
g. Medical record numbers;
##Medical record numbers;
h. Health plan beneficiary numbers;
##Health plan beneficiary numbers;
i. Account numbers;
##Account numbers;
j. Certificate/license numbers;
##Certificate/license numbers;
k. Vehicle identifiers and serial numbers, including license numbers;
##Vehicle identifiers and serial numbers, including license numbers;
l. Device identifiers and serial numbers;
##Device identifiers and serial numbers;
m. Web Universal Resource Locators (URLs);
##Web Universal Resource Locators (URLs);
n. Internet Protocol (IP) address numbers;
##Internet Protocol (IP) address numbers;
o. Biometric identifiers, including finger and voice prints; and  
##Biometric identifiers, including finger and voice prints; and  
p. Full face photographic images and any comparable images.
## Full-face photographic images and any comparable images.
 
#The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
2. The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
===De-identification/Re-identification of PHI===
===De-identification/Re-identification of PHI===
1. PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
a. The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed, and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
1. Names;                     
##Names;                     
2. All geographic subdivisions smaller than a state (including street address, city, county, precinct, and zip code);                 
##All geographic subdivisions smaller than a state (including street address, city, county, precinct, and zip code);                 
3. All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);         
##All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);         
4. Telephone numbers;     
##Telephone numbers;     
5. Fax numbers;                 
##Fax numbers;                 
6. Electronic mail addresses;             
##Electronic mail addresses;             
7. Social Security Numbers;                 
##Social Security Numbers;                 
8. Medical record numbers;
##Medical record numbers;
9. Health plan beneficiary numbers;
##Health plan beneficiary numbers;
10. Account numbers;
##Account numbers;
11. Certificate/license numbers;
##Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
##Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
##Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
##Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
##Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
##Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
##Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code.
##Any other unique identifying number, characteristic, or code.
b. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable: d. applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information; and documents the methods and results of the analysis that justify such determination. The Legal Services department and/or Privacy Office must approve of the use of this de-identification method and the person who performs it.
#A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information; and documents the methods and results of the analysis that justify such determination. The Legal Services department '''UNMC or Nebr med? best contact info ??''' and/or [mailto:privacy@nebraskamed.com Privacy Office] must approve of the use of this de-identification method and the person who performs it.
2. Re-identification of PHI. A code or other means of record identification may be assigned to allow information de-identified above to be re-identified by Organization, provided that:  
#Re-identification of PHI. A code or other means of record identification may be assigned to allow information de-identified above to be re-identified by Organization, provided that:  
a. The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and  
##The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and  
b. The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
##The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
===Disaster Relief Disclosures===
===Disaster Relief Disclosures===
Nebraska Medicine/UNMC may disclose Protected Health Information to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.
Nebraska Medicine/UNMC may disclose Protected Health Information to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.
 
''Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts.  Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.''
Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts.  Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.
#Limit releases of information to the information needed by the agencies to perform their disaster relief efforts.  Often, this includes such uses as:
 
##Coordinating availability of care,
1. Limit releases of information to the information needed by the agencies to perform their disaster relief efforts.  Often, this includes such uses as:
##Notification of family and friends, or
 
##Determining the identity of victims and survivors.
a. Coordinating availability of care.
 
b. Notification of family and friends.
 
c. Determining the identity of victims and survivors.
 
#The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances. Professional judgment under this policy may be exercised and documented by the [mailto:debrbishop@nebraskamed.com Privacy Officer] or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan. '''need link(s) to plan(s}'''
#The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances. Professional judgment under this policy may be exercised and documented by the [mailto:debrbishop@nebraskamed.com Privacy Officer] or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan. '''need link(s) to plan(s}'''
#The minimum necessary standard does not apply to disclosures to disaster relief agencies.
#The minimum necessary standard does not apply to disclosures to disaster relief agencies.
===Authorization Generally Required for All Other Uses/Disclosures===
===Authorization Generally Required for All Other Uses/Disclosures===
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into .
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into unmc policy # 6059, access to designated record set.
===Compound Authorizations===
===Compound Authorizations===
An authorization for use or disclosure of Protected Health Information generally may not be combined with any other document to create a compound authorization, except in the following cases:  
An authorization for use or disclosure of Protected Health Information generally may not be combined with any other document to create a compound authorization, except in the following cases:  
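Review bot: Unresolved editorial questions are sitting inside the policy text in this hunk and should be resolved or moved to the talk page before the revision stands: the statistical-determination item carries '''UNMC or Nebr med? best contact info ??''', the Disaster Relief item carries '''need link(s) to plan(s}''', and the Authorization paragraph runs on into "is that policy being redone, or is it being incorporated into unmc policy # 6059, access to designated record set" with no sentence break. The list markup in the De-identification section also needs a second look: the statistical-determination method is marked with a single # while its sibling "The 18 identifiers ... are removed" is marked ##, so the two methods no longer render as alternatives under "one of the following methods is used", and the 18 identifiers sit at the same ## level as the item that introduces them, where ### would keep them nested.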
Line 258: Line 250:
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand alone policy and being incorporated into unmc policy # 6059, access to designated record set'''?
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand alone policy and being incorporated into unmc policy # 6059, access to designated record set'''?
== Definitions ==
== Definitions ==
===Health Care Operations===
Activities related to UNMC’s function as an affiliated health care provider:
#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included
#Population-based activities relating to improving health or reducing health care costs
#Protocol development
#Contacting of health care providers and patients with information about treatment alternatives
#Case management and care coordination
#Risk assessment
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans
:#Training future healthcare professionals (students and residents)
:#Conducting or arranging for legal services
:#Business planning and development
:#Business management activities
:#General administrative and business functions
:#Conducting or arranging for medical review and auditing services
:#Insurance activities relating to the renewal of a contract of insurance
:#Evaluating healthcare provider and plan performance
:#Resolution of internal grievances
:#Fundraising
===Payment===
Activities undertaken by a health care provider or health plan to obtain reimbursement for the provision of health care. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above listed activities.<br />
===Treatment===
The provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.<br />
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
:#Is created or received by ACE; and
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
Protected Health Information includes genetic information containing individual identifiers which is defined as:
:#Information about an individual's genetic tests; or
:#The genetic tests of family members of the individual; or
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history)
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
'''Health information Exchange (HIE)''' is the electronic movement of health-related information among organizations according to nationally recognized standards. The goal of health information exchange is to facilitate access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. '''Health information exchange organizations (HIOs)''' provide the capability to electronically move clinical information between disparate health care information systems.  <br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See [[Protected_Health_Information_(PHI)#Use.2FDisclosure_of_PHI_for_Marketing|Use and Disclosure of PHI for Marketing]].<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See [[Protected_Health_Information_(PHI)#Use.2FDisclosure_of_PHI_for_Research|Use and Disclosure of PHI for Research]].<br />
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the


==Additional Information==
==Additional Information==
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
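Review bot: The "Sale of Protected Health Information" definition in this hunk stops mid-sentence at "in exchange for the"; the entry should be completed or dropped. In the Health Care Operations list the marker changes from # to :# after "Risk assessment", which splits one list into two and restarts its numbering, so the items from "Reviewing the competence or qualifications" onward should use the same # marker as the first six. The Definitions block also mixes === headings (Health Care Operations, Payment, Treatment) with bold inline terms for the remaining entries; one convention for every defined term would make the section linkable by anchor.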
