Use and Disclosure of Protected Health Information: Difference between revisions

m
no edit summary
No edit summary
mNo edit summary
Line 30: Line 30:
Policy No.: '''6057'''<br />
Policy No.: '''6057'''<br />
Effective Date: '''03/17/03'''<br />
Effective Date: '''03/17/03'''<br />
Revised Date: '''draft 08/31/22'''<br />
Revised Date: '''draft 09/01/22'''<br />
Reviewed Date: ''' '''<br />
Reviewed Date: ''' '''<br />


Line 44: Line 44:
#The use or disclosure of PHI must be in accordance with the [https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices].
#The use or disclosure of PHI must be in accordance with the [https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices].
#The Workforce member using or disclosing the PHI must do so only as necessary to perform assigned duties.
#The Workforce member using or disclosing the PHI must do so only as necessary to perform assigned duties.
#The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy, and the Authorized Consenting Persons section of the Consents and Permits policy.) '''need Nebr Med policy #s'''
#The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy, and the Authorized Consenting Persons section of the Consents and Permits policy.) '''need Nebr Med policy #s'''
#Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
#Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
#Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.) '''need Nebr Med policy #'''
#Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.) '''need Nebr Med policy #'''
#If a disclosure of PHI is subject to a patient’s right to an accounting, it must be documented per UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]. Also note the documentation requirements listed throughout this policy and associated policies.  
#If a disclosure of PHI is subject to a patient’s right to an accounting, it must be documented per UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]. Also note the documentation requirements listed throughout this policy and associated policies.  
#Requests for uses and disclosures of PHI that are not clearly addressed in Nebraska Medicine/UNMC policies must be considered and resolved by a designated decision-maker. The [mailto:debrbishop@nebraskamed.com Privacy Officer] is the designated decision-maker unless someone else is designated by the [mailto:privacy@nebraskamed.com Privacy Office] (at 402-559-5136) for a particular policy or situation. (See Consents and Permits policy.) '''need Nebr Med policy #'''
#Requests for uses and disclosures of PHI that are not clearly addressed in Nebraska Medicine/UNMC policies must be considered and resolved by a designated decision-maker. The [mailto:debrbishop@nebraskamed.com Privacy Officer] is the designated decision-maker unless someone else is designated by the [mailto:privacy@nebraskamed.com Privacy Office] (at 402-559-5136) for a particular policy or situation. (See Consents and Permits policy.) '''need Nebr Med policy #'''
#All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
#All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
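Review bot: The revised text still carries bolded drafting placeholders in three list items of this hunk: '''need Nebr Med policy #s''' on the verification item, and '''need Nebr Med policy #''' on the confidential communications and designated decision-maker items. Until these are replaced with the actual policy numbers, the cross-references to the Verification and Authority, Confidential Address, and Consents and Permits policies cannot be followed by a Workforce member reading the policy. Resolve them, or move the open questions to the talk page, before the draft date is replaced with a revised date.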
Line 55: Line 55:
Protected Health Information (PHI) may be used and disclosed within the [ Affiliated Covered Entity (ACE)] for each member’s own treatment, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] and [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Care_Operations_2 Health Care Operations] if it has or is about to have a treatment relationship with the patient supporting its need for such use or disclosure of such information, without having to obtain the patient’s authorization. ACE entities also may share PHI with one another without patient authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />
Protected Health Information (PHI) may be used and disclosed within the [ Affiliated Covered Entity (ACE)] for each member’s own treatment, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] and [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Care_Operations_2 Health Care Operations] if it has or is about to have a treatment relationship with the patient supporting its need for such use or disclosure of such information, without having to obtain the patient’s authorization. ACE entities also may share PHI with one another without patient authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />


Members of the Workforce may access patient information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose. Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
Members of the Workforce may access patient information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose. Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
===Treatment===
===Treatment===
Nebraska Medicine/UNMC may disclose Protected Health Information to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information.   
Nebraska Medicine/UNMC may disclose PHI to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information.   
#If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes.   
#If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes.   
#If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the patient was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
#If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the patient was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
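Review bot: The link in the first paragraph of this hunk, "[ Affiliated Covered Entity (ACE)]", has no target in either revision, so there is nothing for the reader to follow to the ACE definition. Supply the URL or an internal link to the definition, or drop the brackets. The Treatment paragraph's switch from "Protected Health Information" to "PHI" is consistent with the abbreviation being introduced in that first paragraph.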
Line 67: Line 67:
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes.   
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes.   
===Health Care Operations===
===Health Care Operations===
Nebraska Medicine/UNMC may disclose Protected Health Information to another covered entity (including members of its medical staff) for certain health care operations of the requesting covered entity if the following steps are followed. Requests of this type are expected to be infrequent.  
Nebraska Medicine/UNMC may disclose PHI to another covered entity (including members of its medical staff) for certain health care operations of the requesting covered entity if the following steps are followed. Requests of this type are expected to be infrequent.  
#Nebraska Medicine/UNMC should confirm and document that the requesting covered entity: (i) is a covered entity; (ii) has a relationship with the Individual whose Protected Health Information is requested; and (iii) is requesting and will use Protected Health Information for a qualifying health care operations use.
#Nebraska Medicine/UNMC should confirm and document that the requesting covered entity: (i) is a covered entity; (ii) has a relationship with the Individual whose PHI is requested; and (iii) is requesting and will use PHI for a qualifying health care operations use.
#Only the following health care operations of the requesting covered entity support a disclosure to the covered entity for its use of PHI in health care operations:
#Only the following health care operations of the requesting covered entity support a disclosure to the covered entity for its use of PHI in health care operations:
##Quality assessment activities, utilization management activities and activities designed to measure or improve care or reduce costs.
##Quality assessment activities, utilization management activities and activities designed to measure or improve care or reduce costs.
Line 79: Line 79:
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
#Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
#Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
##Use common sense and judgment -look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside patient rooms should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; patients in public areas or being transported should be draped in a manner that respects the patient’s modesty or dignity).
##Use common sense and judgment--look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside patient rooms should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; patients in public areas or being transported should be draped in a manner that respects the patient’s modesty or dignity).
##Speak in a lower voice;
##Speak in a lower voice;
##Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of patients receiving treatment through the use of curtains or other visual barriers whenever possible);
##Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of patients receiving treatment through the use of curtains or other visual barriers whenever possible);
Line 119: Line 119:
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object.
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object.
#If the patient is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the patient. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />
#If the patient is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the patient. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />
 
''Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.''
Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient.
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient.
====Disclosure for Notification Purposes====
====Disclosure for Notification Purposes====
Nebraska Medicine/UNMC may disclose PHI about a patient in order to notify family, friends or others of the patient’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
Nebraska Medicine/UNMC may disclose PHI about a patient in order to notify family, friends or others of the patient’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
#Ask the patient, if possible, whether he or she consents to such disclosure and rely on what the patient says.#
#Ask the patient, if possible, whether they consent to such disclosure and rely on what the patient says.#
#If the patient is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the patient’s care, and make an effort to limit contact to them.
#If the patient is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the patient’s care, and make an effort to limit contact to them.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
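Review bot: The first step under Disclosure for Notification Purposes still ends with a stray "#" in the new revision ("rely on what the patient says.#"); the pronoun was updated on that line but the trailing character was left in. Remove it. In the same hunk, the item about a patient who is not available spells the word both "judgment" and "judgement"; pick one spelling.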
Line 131: Line 130:
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
=====CyncHealth (Previously NeHII)=====
=====CyncHealth (Previously NeHII)=====
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].  
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].  
=====Epic-integrated HIE Software=====
=====Epic-integrated HIE Software=====
Epic-integrated HIE Software, includes but is not limited to Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, health care operations or any other purposes, regardless if otherwise permitted under HIPAA.  
Epic-integrated HIE Software, includes but is not limited to Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, health care operations or any other purposes, regardless if otherwise permitted under HIPAA.  
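Review bot: The HIE paragraph names the Enterprise Applications Executive Director as the person who authorizes individual access, but the contact is still the placeholder '''need email or dept contact info''' in the middle of the sentence. Since this sentence is the only statement of who grants HIE access, fill in the contact before publication. In the Epic paragraph, "Epic-integrated HIE Software, includes but is not limited to Care Everywhere" should lose the comma, and "regardless if otherwise permitted" reads better as "regardless of whether it is otherwise permitted".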
Line 139: Line 138:
===Business Associate Agreements/Addendums===
===Business Associate Agreements/Addendums===
Nebraska Medicine/UNMC shall enter into a Business Associate Agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see UNMC Policy No. 8009, [[Contracts]] or Contract Management policy, FN18).  
Nebraska Medicine/UNMC shall enter into a Business Associate Agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see UNMC Policy No. 8009, [[Contracts]] or Contract Management policy, FN18).  
===Use/Disclosure of PHI for Training Healthcare Professionals ===
===Use/Disclosure of PHI for Training Health Care Professionals ===
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
===Use/Disclosure of PHI Permitted/Required by Law===
===Use/Disclosure of PHI Permitted/Required by Law===
Line 161: Line 160:
#Review of PHI Preparatory to Research. Nebraska Medicine/UNMC staff and students who wish to review PHI to prepare a research proposal must submit a [https://unmcredcap.unmc.edu/redcap/surveys/?s=NMPNWMEA7W Electronic Health Data Request] Form to the [https://www.unmc.edu/cctr/resources/ehr/index.html Electronic Health Record Data Access Core] to obtain access to such PHI.  
#Review of PHI Preparatory to Research. Nebraska Medicine/UNMC staff and students who wish to review PHI to prepare a research proposal must submit a [https://unmcredcap.unmc.edu/redcap/surveys/?s=NMPNWMEA7W Electronic Health Data Request] Form to the [https://www.unmc.edu/cctr/resources/ehr/index.html Electronic Health Record Data Access Core] to obtain access to such PHI.  
#Access to PHI for reviews preparatory to research requires that the researcher provide the following representations in advance of such disclosure and use:
#Access to PHI for reviews preparatory to research requires that the researcher provide the following representations in advance of such disclosure and use:
##that the use or disclosure is sought solely to review Protected Health Information as necessary to prepare a research protocol or for similar purposes preparatory to research;  
##that the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;  
##that no PHI is to be removed from the covered entity by the researcher in the course of the review; and  
##that no PHI is to be removed from the covered entity by the researcher in the course of the review; and  
##that the PHI for which disclosure and use is sought is necessary for the research purposes.
##that the PHI for which disclosure and use is sought is necessary for the research purposes.
Line 170: Line 169:
#For treatment and payment purposes;
#For treatment and payment purposes;
#To a business associate for activities that the business associate undertakes on Nebraska Medicine/UNMC’s behalf (if such business associate executes a Business Associate Agreement with Nebraska Medicine/UNMC);  
#To a business associate for activities that the business associate undertakes on Nebraska Medicine/UNMC’s behalf (if such business associate executes a Business Associate Agreement with Nebraska Medicine/UNMC);  
#To an Individual who is requesting access to his or her own PHI;
#To an Individual who is requesting access to their own PHI;
#As required by law; and
#As required by law; and
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.   
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.   
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision (see the section on [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Limited_Data_Set Limited Data Set]).   
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision (see the section on [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Limited_Data_Set Limited Data Set]).   
===Minimum Necessary===
===Minimum Necessary===
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing PHI or when requesting PHI, members of the Workforce must make reasonable efforts to limit Protected Health Information used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.   
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing PHI or when requesting PHI, members of the Workforce must make reasonable efforts to limit PHI used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.   
#The “minimum necessary” standard does not apply to the following requests, uses and disclosures of PHI:
#The “minimum necessary” standard does not apply to the following requests, uses and disclosures of PHI:
##Uses, disclosures or requests among healthcare providers for treatment purposes.
##Uses, disclosures or requests among health care providers for treatment purposes.
##Uses or disclosures required by law, so long as the use or disclosure complies with and is limited to the relevant requirements of the law.
##Uses or disclosures required by law, so long as the use or disclosure complies with and is limited to the relevant requirements of the law.
##Disclosures made to the Individual or pursuant to an authorization signed by the Individual.
##Disclosures made to the Individual or pursuant to an authorization signed by the Individual.
##Disclosures made to the Secretary of Health and Human Services or his or her designee.
##Disclosures made to the Secretary of Health and Human Services or their designee.
##Uses or disclosures required for compliance with the '''''Privacy Rule'''''.
##Uses or disclosures required for compliance with the '''''Privacy Rule'''''.
#Workforce. The minimum necessary standard applies to access and use of Protected Health Information by members of the Workforce. Each member of the Workforce must avoid intentionally accessing, using or disclosing Protected Health Information except as authorized by Nebraska Medicine/UNMC’s policies.
#Workforce. The minimum necessary standard applies to access and use of PHI by members of the Workforce. Each member of the Workforce must avoid intentionally accessing, using or disclosing PHI except as authorized by Nebraska Medicine/UNMC’s policies.  
##When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
##When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
##Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles, and associated levels of access to PHI. Reference Electronic Health Record Access Control policy.
##Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles, and associated levels of access to PHI. Reference Electronic Health Record Access Control policy.
##Individuals who are performing treatment, payment and healthcare operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.    
##Individuals who are performing treatment, payment and health care operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.  
#Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.  
#Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.  
##Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g., HIM, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
##Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g., HIM, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
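Review bot: The cost-based fee item in the remuneration list refers to "the only remuneration received by Organization", a term that is not defined anywhere in the visible text; every other item in this hunk names Nebraska Medicine/UNMC. Replace "Organization" with "Nebraska Medicine/UNMC" so the exception clearly applies to the same entity as the rest of the list. The pronoun and "health care" spelling changes elsewhere in the hunk are consistent with each other.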
Line 212: Line 211:
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
##Names;                  
##Names;
##All geographic subdivisions smaller than a state (including street address, city, county, precinct, and zip code);              
##All geographic subdivisions smaller than a state (including street address, city, county, precinct, and zip code);
##All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);      
##All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);  
##Telephone numbers;  
##Telephone numbers;  
##Fax numbers;              
##Fax numbers;  
##Electronic mail addresses;          
##Electronic mail addresses;  
##Social Security Numbers;              
##Social Security Numbers;  
##Medical record numbers;
##Medical record numbers;
##Health plan beneficiary numbers;
##Health plan beneficiary numbers;
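Review bot: The identifiers that follow "The identifiers are:" are marked up at the same "##" level as the item that introduces them, so "Names;", "Telephone numbers;" and the rest are numbered as siblings of the de-identification method rather than as its sub-items. Nest them one level deeper ("###") so the list under the first method is visually distinct from the methods themselves. The whitespace cleanup on these lines does not change the nesting.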
Line 235: Line 234:
##The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
##The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
===Disaster Relief Disclosures===
===Disaster Relief Disclosures===
Nebraska Medicine/UNMC may disclose Protected Health Information to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.
Nebraska Medicine/UNMC may disclose PHI to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.
''Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts. Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.''
''Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts. Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.''
#Limit releases of information to the information needed by the agencies to perform their disaster relief efforts. Often, this includes such uses as:
#Limit releases of information to the information needed by the agencies to perform their disaster relief efforts. Often, this includes such uses as:
##Coordinating availability of care,
##Coordinating availability of care,
##Notification of family and friends, or
##Notification of family and friends, or
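Review bot: In the Disaster Relief Disclosures paragraph, the operative sentence speaks of "relief organizations authorized by law or the HIPAA Privacy Rule", while the italic definition that follows defines a "disaster relief agency" as one "authorized by law or its charter". Use one term in both places and reconcile the basis of authority, otherwise it is unclear whether an organization authorized only by its charter may receive PHI. The switch from "Protected Health Information" to "PHI" is consistent with the surrounding items.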
Line 246: Line 245:
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into unmc policy # 6059, access to designated record set.
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into unmc policy # 6059, access to designated record set.
===Compound Authorizations===
===Compound Authorizations===
An authorization for use or disclosure of Protected Health Information generally may not be combined with any other document to create a compound authorization, except in the following cases:  
An authorization for use or disclosure of PHI generally may not be combined with any other document to create a compound authorization, except in the following cases:  
#An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.  
#An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.  
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand alone policy and being incorporated into unmc policy # 6059, access to designated record set'''?
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand-alone policy and being incorporated into unmc policy # 6059, access to designated record set'''?
== Definitions ==
== Definitions ==


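Review bot: In the authorization paragraph, the sentence on psychotherapy notes runs straight into an unmarked drafting question ("... the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into unmc policy # 6059 ..."), and neither revision changes it. End the sentence after "Psychotherapy Notes policy" and set the question off in bold like the other open items ("need URL for forms"), or resolve it before the draft is published. The same paragraph has a stray comma in "(see Consents and Permits policy,)".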
Line 255: Line 254:
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6066, [[Psychotherapy Notes]]
*UNMC Policy No. 6066, [[Psychotherapy Notes]]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment, and Health Care Operations]
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment, and Health Care Operations]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
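Review bot: In the reference list, the added word "Form" sits outside the link brackets, so the link text still reads "Request for Electronic Health Data"; move it inside the brackets if the form name is meant to be the link label. The HHS entry below it still uses an http:// URL while the other external links use https://, which is worth aligning in the same pass.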
