Use and Disclosure of Protected Health Information: Difference between revisions

Jump to navigation Jump to search
no edit summary
No edit summary
No edit summary
Line 30: Line 30:
Policy No.: '''6057'''<br />
Policy No.: '''6057'''<br />
Effective Date: '''03/17/03'''<br />
Effective Date: '''03/17/03'''<br />
Revised Date: '''draft 09/01/22'''<br />
Revised Date: '''draft 09/20/22'''<br />
Reviewed Date: ''' '''<br />
Reviewed Date: ''' '''<br />


Line 108: Line 108:
#Do not rely on this authority if the Individual is incapacitated or otherwise unable to agree or object to such disclosure.
#Do not rely on this authority if the Individual is incapacitated or otherwise unable to agree or object to such disclosure.
====Disclosures Based on Role or Involvement in Patient Care====
====Disclosures Based on Role or Involvement in Patient Care====
##Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the Individuals’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you:
Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the Individuals’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you:
##Talk to the Individual’s child, other relative or friend who customarily drives the Iatient to appointments to confirm the date and time of the next appointment.
#Talk to the Individual’s child, other relative or friend who customarily drives the Iatient to appointments to confirm the date and time of the next appointment.
##Give an involved family member the Individual’s prescription, so the family member can fill it for the Individual.
#Give an involved family member the Individual’s prescription, so the family member can fill it for the Individual.
##Talk to a family member at discharge, if they play a role in post-discharge care.
#Talk to a family member at discharge, if they play a role in post-discharge care.
##Talk to the Individual’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
#Talk to the Individual’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
##Talk to a family member or friend when the Individual indicates you can or should do so, e.g., if the person accompanies the Individual for an appointment or procedure, or is invited and present at admission or discharge.
#Talk to a family member or friend when the Individual indicates you can or should do so, e.g., if the person accompanies the Individual for an appointment or procedure, or is invited and present at admission or discharge.
#If the Individual is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:
If the Individual is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:
##Obtain the Individual’s consent to such disclosure;
#Obtain the Individual’s consent to such disclosure;
##Provide the Individual with an opportunity to object, and disclose only if the Individual does not object; or
#Provide the Individual with an opportunity to object, and disclose only if the Individual does not object; or
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the Individual does not object.
#Reasonably infer from the circumstances, based on the exercise of professional judgment, that the Individual does not object.
#If the Individual is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the Individual. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />
If the Individual is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the Individual. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />
''Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.''
 
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the Individual.
'''Note:''' Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.<br />
 
These procedures are not applicable to Personal Representatives because they generally have the same access to information as the Individual.
====Disclosure for Notification Purposes====
====Disclosure for Notification Purposes====
Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the Individual’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the Individual’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
Line 128: Line 130:
#When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
#When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Information_Exchange_.28HIE.29 Health Information Exchanges (HIEs)]. Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Information_Exchange_.28HIE.29 Health Information Exchanges (HIEs)]. Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director authorizes individual access to the HIE. The ACE is a member of the following HIEs:
=====CyncHealth (Previously NeHII)=====
=====CyncHealth (Previously NeHII)=====
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].  
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].  
Line 153: Line 155:
Refer requests for disclosures of PHI for marketing or fundraising purposes to the [mailto:privacy@nebraskamed.com Privacy Office].
Refer requests for disclosures of PHI for marketing or fundraising purposes to the [mailto:privacy@nebraskamed.com Privacy Office].
===Use/Disclosure of PHI for Research===
===Use/Disclosure of PHI for Research===
#All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval. See UNMC [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program Policies and Procedures]. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA. The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA. To learn more about such waivers, please see UNMC Human Research Protection Program Policies and Procedures.  
#All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval. See UNMC's [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures]]. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA. The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA. To learn more about such waivers, please see UNMC Human Research Protection Program Policies and Procedures.  
#For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):  
#For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):  
##A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
##A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
Line 211: Line 213:
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
##Names;
###Names;
##All geographic subdivisions smaller than a state (including street address, city, county, precinct and zip code);
###All geographic subdivisions smaller than a state (including street address, city, county, precinct and zip code);
##All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);  
###All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);  
##Telephone numbers;  
###Telephone numbers;  
##Fax numbers;  
###Fax numbers;  
##Electronic mail addresses;  
###Electronic mail addresses;  
##Social Security Numbers;  
###Social Security Numbers;  
##Medical record numbers;
###Medical record numbers;
##Health plan beneficiary numbers;
###Health plan beneficiary numbers;
##Account numbers;
###Account numbers;
##Certificate/license numbers;
###Certificate/license numbers;
##Vehicle identifiers and serial numbers, including license plate numbers;
###Vehicle identifiers and serial numbers, including license plate numbers;
##Device identifiers and serial numbers;
###Device identifiers and serial numbers;
##Web Universal Resource Locators (URLs);
###Web Universal Resource Locators (URLs);
##Internet Protocol (IP) address numbers;
###Internet Protocol (IP) address numbers;
##Biometric identifiers, including finger and voice prints;
###Biometric identifiers, including finger and voice prints;
##Full face photographic images and any comparable images; and
###Full face photographic images and any comparable images; and
##Any other unique identifying number, characteristic, or code.
###Any other unique identifying number, characteristic, or code.
#A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information; and documents the methods and results of the analysis that justify such determination. The Legal Services department '''UNMC or Nebr med? best contact info ??''' and/or [mailto:privacy@nebraskamed.com Privacy Office] must approve of the use of this de-identification method and the person who performs it.
##A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information; and documents the methods and results of the analysis that justify such determination. The Legal Services department '''UNMC or Nebr med? best contact info ??''' and/or [mailto:privacy@nebraskamed.com Privacy Office] must approve of the use of this de-identification method and the person who performs it.
#Re-identification of PHI. A code or other means of record identification may be assigned to allow information de-identified above to be re-identified by Organization, provided that:  
#Re-identification of PHI. A code or other means of record identification may be assigned to allow information de-identified above to be re-identified by Organization, provided that:  
##The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and  
##The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and  
##The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
##The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
===Disaster Relief Disclosures===
===Disaster Relief Disclosures===
Nebraska Medicine/UNMC may disclose PHI to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.
Nebraska Medicine/UNMC may disclose PHI to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.<br />
''Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts. Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.''
 
'''''Disaster relief agency''''' means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts. Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.
#Limit releases of information to the information needed by the agencies to perform their disaster relief efforts. Often, this includes such uses as:
#Limit releases of information to the information needed by the agencies to perform their disaster relief efforts. Often, this includes such uses as:
##Coordinating availability of care,
##Coordinating availability of care,
Line 243: Line 246:
#The minimum necessary standard does not apply to disclosures to disaster relief agencies.
#The minimum necessary standard does not apply to disclosures to disaster relief agencies.
===Authorization Generally Required for All Other Uses/Disclosures===
===Authorization Generally Required for All Other Uses/Disclosures===
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Nebraska Medicine Consents and Permits policy, MS14) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into unmc policy # 6059, access to designated record set.
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Nebraska Medicine Consents and Permits policy, MS14) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in UNMC Policy Nos. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set] and 6066, [[Psychotherapy Notes]].
===Compound Authorizations===
===Compound Authorizations===
An authorization for use or disclosure of PHI generally may not be combined with any other document to create a compound authorization, except in the following cases:  
An authorization for use or disclosure of PHI generally may not be combined with any other document to create a compound authorization, except in the following cases:  
#An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.  
#An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.  
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand-alone policy and being incorporated into unmc policy # 6059, access to designated record set'''?
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes.  
== Definitions ==
== Definitions ==
===Affiliated Covered Entity (ACE)===
===Affiliated Covered Entity (ACE)===
Line 271: Line 274:
#Evaluating healthcare provider and plan performance;
#Evaluating healthcare provider and plan performance;
#Resolution of internal grievances; and
#Resolution of internal grievances; and
'''#Fundraising (see restrictions below).'''
#Fundraising (see [https://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&action=edit#Use.2FDisclosure_of_PHI_for_Marketing Use/Disclosure of PHI for Marketing]).
===Health Information Exchange (HIE)===
===Health Information Exchange (HIE)===
The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of a HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health Information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems.  
The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of a HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health Information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems.  
Line 295: Line 298:
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and  
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and  
*employment records held by UNMC in its role as employer.
*employment records held by UNMC in its role as employer.
===Psychotherapy Notes===
Notes recorded (in any medium) by a licensed mental health practitioner (LMHP) documenting or analyzing the contents of a conversation during a private counseling session or group, joint or family counseling session. Psychotherapy notes are kept separate from the Individual's medical record. Psychotherapy notes are sometimes referred to as "process notes." Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress. Psychotherapy notes are not progress notes.
===Research ===
===Research ===
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE.  
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE.  
Line 310: Line 315:
*UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]
*UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]
*UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]
*UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]
*'''UNMC Policy No. 6066, [[Psychotherapy Notes]] is this being deleted or kept? If being kept, it should be reviewed and review date note on policy 6066, even if not changed.'''
*UNMC Policy No. 6066, [[Psychotherapy Notes]] If being kept, this should be reviewed and review date noted on policy 6066, even if not changed.'''
*UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
*UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
*UNMC Policy No. 6304, [[Disclosures of PHI as Permitted or Required by Law]]
*UNMC Policy No. 6304, [[Disclosures of PHI as Permitted or Required by Law]]
*UNMC Policy No. 6305, [[Disclosure of PHI for Law Enforcement Purposes]]
*UNMC Policy No. 6305, [[Disclosure of PHI for Law Enforcement Purposes]]
*UNMC Policy No. 8009, [[Contracts]]  
*UNMC Policy No. 8009, [[Contracts]]  
*UNMC [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices]
*[https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices]
Line 322: Line 328:
*Nebraska Medicine Private Designation policy, for additional details.) '''need Nebr Med policy #'''
*Nebraska Medicine Private Designation policy, for additional details.) '''need Nebr Med policy #'''
*Nebraska Medicine Contract Management policy, FN18
*Nebraska Medicine Contract Management policy, FN18
*Nebraska Medicine Form CON-MR-0074, '''need form name and URL '''
*Nebraska Medicine Form CON-MR-1900, '''need form name and URL '''
*[https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]
*[https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment and Health Care Operations]
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment and Health Care Operations]

Navigation menu