Accounting of PHI Disclosures: Difference between revisions
mNo edit summary |
No edit summary |
||
Line 26: | Line 26: | ||
</table> | </table> | ||
<br /> | <br /> | ||
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | ||
<br /><br /> | <br /><br /> | ||
Policy No.: '''6061'''<br /> | Policy No.: '''6061'''<br /> | ||
Effective Date: '''03/17/03'''<br /> | Effective Date: '''03/17/03'''<br /> | ||
Revised Date: <br /> | Revised Date: '''DRAFT''' <br /> | ||
Revised Date: <br /> <br /> | Revised Date: <br /> <br /> | ||
<big>'''Accounting of Protected Health Information Disclosures Policy'''</big> | <big>'''Accounting of Protected Health Information Disclosures Policy'''</big> | ||
Line 36: | Line 36: | ||
It is the policy of the University of Nebraska Medical Center (UNMC) to use and disclose protected health information in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27. | It is the policy of the University of Nebraska Medical Center (UNMC) to use and disclose protected health information in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27. | ||
=== Policy === | === Policy === | ||
UNMC, upon written request, shall provide patients with a list of individuals/organizations to which their protected health information (PHI) has been disclosed.<br /> | UNMC, upon written request, shall provide patients as required by law with a list of applicable individuals/organizations to which their protected health information (PHI) has been disclosed.<br /> | ||
=== Definitions === | === Definitions === | ||
''' | '''Affiliated Covered Entity (ACE)''' means legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. The Notice of Privacy Practices lists current ACE members.<br /> | ||
'''Health care operations''' means the following activities related to UNMC’s functions as a health care provider: | |||
*Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines; | |||
*Population-based activities relating to improving health or reducing health care costs; | |||
*Protocol development; | |||
*Contacting of health care providers and patients with information about treatment alternatives; | |||
*Case management and care coordination; | |||
*Risk assessment; | |||
*Reviewing the competence or qualifications and accrediting/licensing of health care providers and plans; | |||
*Training future health care professionals (students and residents); | |||
*Conducting or arranging for legal services; | |||
*Business planning and development; | |||
*General administrative and business functions; | |||
*Conducting or arranging for medical review and auditing services; | |||
*Insurance activities relating to the renewal of a contract of insurance; | |||
*Evaluating health care provider and plan performance; | |||
*Resolution of internal grievances; and | |||
*Fundraising. | |||
'''Payment''' means activities undertaken by a health care provider or health plan to obtain reimbursement for the provision of health care. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums and reimbursement, and health care data processing related to the above-listed activities.<br /> | |||
PHI excludes | '''Protected health information (PHI)''' means individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, whether oral or recorded in any medium that: | ||
*is created or received by the ACE; and | |||
*relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. | |||
PHI excludes education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by UNMC in its role as employer. | |||
'''Treatment''' means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. | |||
=== Procedures=== | |||
#An individual has a right to receive an accounting of disclosures of PHI made by the ACE during a time period specified up to six years prior to the date of the request, except for disclosures: | |||
#*To carry out treatment, payment or health care operations (including permissible disclosures to other providers for their treatment, payment or health care operations) | |||
#*To the individual about his or her own information | |||
#*Authorized by the individual (signed authorization) | |||
#*For the facility directory or to persons involved in the individual's care, or other notification purposes permitted under law; | |||
#*For national security or intelligence purposes; | |||
#*To correctional institutions or other law enforcement officials who have custody of an individual as permitted under law. | |||
#*As part of a limited data set (see Use & Disclosure of PHI policy) | |||
#Individuals shall make their requests to the Health Information Management Department, using the [Request for Accounting of Disclosures of Protected Health Information Form]. | |||
#Content Requirements. The accounting for each disclosure must include: | |||
#*Date of disclosure; | |||
#*Name of entity or person who received the PHI, and, if known, the address of such entity or person; | |||
#*Brief description of the PHI disclosed; | |||
#*A brief statement of the purpose of the disclosure or a copy of the written request for disclosure; and | |||
#*If the disclosure is made on a recurring basis for a single purpose, the person or entity shall be listed once and the frequency of the disclosure shall be listed, with the date of the first and last disclosure. | |||
#Examples of disclosures that must be accounted for include but are not limited to the following: | |||
#*Child abuse reporting | |||
#*Infectious disease/STD reporting | |||
#*Parkinson's Disease | |||
#*Infant hearing screening, metabolic diseases | |||
#*Reports to the FDA | |||
#*Immunization reports | |||
#*Organ donation information | |||
#*Reporting wounds of violence | |||
#*Reports to the following registries: | |||
#:*Cancer | |||
#:*Brain and Head Injury | |||
#:*Birth Defects | |||
#:*E-Code | |||
#:*Trauma | |||
#*Death reporting | |||
#*Disclosures to regulatory agencies with oversight authority | |||
#*Judicial and administrative proceedings | |||
#*Worker's compensation | |||
#*Disclosures to law enforcement | |||
#*Funeral directors/medical examiners | |||
#*Research conducted pursuant to: | |||
#:*An IRB waiver; | |||
#:*decedent PHI; or | |||
#:*use of PHI preparatory to research (if over 50 records reviewed, only need to provide description of protocol, purpose of research, description of type of PHI disclosed, time period disclosure occurred, name address, etc. etc.) | |||
#Department Responsibilities. Health Information Management (HIM) is the designated department for release of patient information. In limited circumstances other areas may release minimal information for such purposes as pre-insurance certification, urgent care, provider communication, releasing test results to the patient, or as otherwise expressly permitted by this or another UNMC policy. All other requests shall be forwarded to the Health Information Management Department for processing. All departments making permitted disclosures of patient information shall document the disclosures in a manner approved by HIM. Departments that maintain health information systems shall alert HIM of the system. When such departments disclose PHI subject to the accounting requirement, department staff shall complete Quick Disclosure tracking documentation in One Chart or establish other record keeping systems for other health information systems and inform HIM of those record keeping systems. A record of such disclosures must be maintained for six years from the date of the disclosure. Departments shall respond to the Health Information Management Department requests for information in response to individual accounting requests within 10 days. | |||
#Provision of Accounting. The Health Information Management Department in coordination with the Privacy Officer shall respond to accounting requests no later than sixty (60) days after receipt. The response time may be extended by no more than thirty (30) additional days, provided that within the first sixty (60) days, the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided. | |||
#Accounting Charges. The first accounting in any twelve-month period must be provided to the individual without charge. A reasonable, cost-based fee may be charged for additional accountings within the twelve-month period, as long as the individual is notified of the fee in advance. | |||
#Suspension of the Right to Accounting. Upon request by a health oversight agency or a law enforcement official, a patient/legal guardian's right to an accounting of disclosures to a health oversight agency or law enforcement official may be suspended for the time period specified by the official if the official asserts that the provision of the accounting would be reasonably likely to impede the activities of the official. | |||
===Additional Information=== | ===Additional Information=== | ||
* | *[mailto:debrbishop@nebraskamed.com Privacy Officer], at 402-559-4705 | ||
* | *[mailto:mailto:Privacy@NebraskaMed.com Privacy Office] | ||
*Request for Accounting of Disclosures of Protected Health Information Form | *[Request for Accounting of Disclosures of Protected Health Information Form] - UNDER CONSTRUCTION | ||
This page maintained by [mailto:dpanowic@unmc.edu dkp] | This page maintained by [mailto:dpanowic@unmc.edu dkp] |
Revision as of 12:20, March 28, 2022
Human Resources | Safety/Security | Research Compliance | Compliance | Privacy/Information Security | Business Operations | Intellectual Property | Faculty |
Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation
Policy No.: 6061
Effective Date: 03/17/03
Revised Date: DRAFT
Revised Date:
Accounting of Protected Health Information Disclosures Policy
Basis for Policy
It is the policy of the University of Nebraska Medical Center (UNMC) to use and disclose protected health information in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.
Policy
UNMC, upon written request, shall provide patients as required by law with a list of applicable individuals/organizations to which their protected health information (PHI) has been disclosed.
Definitions
Affiliated Covered Entity (ACE) means legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. The Notice of Privacy Practices lists current ACE members.
Health care operations means the following activities related to UNMC’s functions as a health care provider:
- Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines;
- Population-based activities relating to improving health or reducing health care costs;
- Protocol development;
- Contacting of health care providers and patients with information about treatment alternatives;
- Case management and care coordination;
- Risk assessment;
- Reviewing the competence or qualifications and accrediting/licensing of health care providers and plans;
- Training future health care professionals (students and residents);
- Conducting or arranging for legal services;
- Business planning and development;
- General administrative and business functions;
- Conducting or arranging for medical review and auditing services;
- Insurance activities relating to the renewal of a contract of insurance;
- Evaluating health care provider and plan performance;
- Resolution of internal grievances; and
- Fundraising.
Payment means activities undertaken by a health care provider or health plan to obtain reimbursement for the provision of health care. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums and reimbursement, and health care data processing related to the above-listed activities.
Protected health information (PHI) means individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, whether oral or recorded in any medium that:
- is created or received by the ACE; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
PHI excludes education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by UNMC in its role as employer. Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Procedures
- An individual has a right to receive an accounting of disclosures of PHI made by the ACE during a time period specified up to six years prior to the date of the request, except for disclosures:
- To carry out treatment, payment or health care operations (including permissible disclosures to other providers for their treatment, payment or health care operations)
- To the individual about his or her own information
- Authorized by the individual (signed authorization)
- For the facility directory or to persons involved in the individual's care, or other notification purposes permitted under law;
- For national security or intelligence purposes;
- To correctional institutions or other law enforcement officials who have custody of an individual as permitted under law.
- As part of a limited data set (see Use & Disclosure of PHI policy)
- Individuals shall make their requests to the Health Information Management Department, using the [Request for Accounting of Disclosures of Protected Health Information Form].
- Content Requirements. The accounting for each disclosure must include:
- Date of disclosure;
- Name of entity or person who received the PHI, and, if known, the address of such entity or person;
- Brief description of the PHI disclosed;
- A brief statement of the purpose of the disclosure or a copy of the written request for disclosure; and
- If the disclosure is made on a recurring basis for a single purpose, the person or entity shall be listed once and the frequency of the disclosure shall be listed, with the date of the first and last disclosure.
- Examples of disclosures that must be accounted for include but are not limited to the following:
- Child abuse reporting
- Infectious disease/STD reporting
- Parkinson's Disease
- Infant hearing screening, metabolic diseases
- Reports to the FDA
- Immunization reports
- Organ donation information
- Reporting wounds of violence
- Reports to the following registries:
- Cancer
- Brain and Head Injury
- Birth Defects
- E-Code
- Trauma
- Death reporting
- Disclosures to regulatory agencies with oversight authority
- Judicial and administrative proceedings
- Worker's compensation
- Disclosures to law enforcement
- Funeral directors/medical examiners
- Research conducted pursuant to:
- An IRB waiver;
- decedent PHI; or
- use of PHI preparatory to research (if over 50 records reviewed, only need to provide description of protocol, purpose of research, description of type of PHI disclosed, time period disclosure occurred, name address, etc. etc.)
- Department Responsibilities. Health Information Management (HIM) is the designated department for release of patient information. In limited circumstances other areas may release minimal information for such purposes as pre-insurance certification, urgent care, provider communication, releasing test results to the patient, or as otherwise expressly permitted by this or another UNMC policy. All other requests shall be forwarded to the Health Information Management Department for processing. All departments making permitted disclosures of patient information shall document the disclosures in a manner approved by HIM. Departments that maintain health information systems shall alert HIM of the system. When such departments disclose PHI subject to the accounting requirement, department staff shall complete Quick Disclosure tracking documentation in One Chart or establish other record keeping systems for other health information systems and inform HIM of those record keeping systems. A record of such disclosures must be maintained for six years from the date of the disclosure. Departments shall respond to the Health Information Management Department requests for information in response to individual accounting requests within 10 days.
- Provision of Accounting. The Health Information Management Department in coordination with the Privacy Officer shall respond to accounting requests no later than sixty (60) days after receipt. The response time may be extended by no more than thirty (30) additional days, provided that within the first sixty (60) days, the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided.
- Accounting Charges. The first accounting in any twelve-month period must be provided to the individual without charge. A reasonable, cost-based fee may be charged for additional accountings within the twelve-month period, as long as the individual is notified of the fee in advance.
- Suspension of the Right to Accounting. Upon request by a health oversight agency or a law enforcement official, a patient/legal guardian's right to an accounting of disclosures to a health oversight agency or law enforcement official may be suspended for the time period specified by the official if the official asserts that the provision of the accounting would be reasonably likely to impede the activities of the official.
Additional Information
- Privacy Officer, at 402-559-4705
- Privacy Office
- [Request for Accounting of Disclosures of Protected Health Information Form] - UNDER CONSTRUCTION
This page maintained by dkp