Use and Disclosure of Protected Health Information: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 53: Line 53:
#All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures.   
#All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures.   
==Procedures==
==Procedures==
Protected Health Information (PHI) may be used and disclosed within the [ Affiliated Covered Entity (ACE)] for each member’s own treatment, payment and [ Health Care Operations] if it has or is about to have a treatment relationship with the patient supporting its need for such use or disclosure of such information, without having to obtain the patient’s authorization. ACE entities also may share PHI with one another without patient authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />
Protected Health Information (PHI) may be used and disclosed within the [ Affiliated Covered Entity (ACE)] for each member’s own treatment, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] and [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Care_Operations_2 Health Care Operations] if it has or is about to have a treatment relationship with the patient supporting its need for such use or disclosure of such information, without having to obtain the patient’s authorization. ACE entities also may share PHI with one another without patient authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />


Members of the Workforce may access patient information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose.  Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
Members of the Workforce may access patient information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose.  Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
Line 70: Line 70:
#Nebraska Medicine/UNMC should confirm and document that the requesting covered entity: (i) is a covered entity; (ii) has a relationship with the Individual whose Protected Health Information is requested; and (iii) is requesting and will use Protected Health Information for a qualifying health care operations use.
#Nebraska Medicine/UNMC should confirm and document that the requesting covered entity: (i) is a covered entity; (ii) has a relationship with the Individual whose Protected Health Information is requested; and (iii) is requesting and will use Protected Health Information for a qualifying health care operations use.
#Only the following health care operations of the requesting covered entity support a disclosure to the covered entity for its use of PHI in health care operations:
#Only the following health care operations of the requesting covered entity support a disclosure to the covered entity for its use of PHI in health care operations:
##Quality assessment activities, utilization management activities, and activities designed to measure or improve care or reduce costs.
##Quality assessment activities, utilization management activities and activities designed to measure or improve care or reduce costs.
##Peer review activities.
##Peer review activities.
##Health care fraud and abuse detection or compliance efforts.
##Health care fraud and abuse detection or compliance efforts.
#The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it.
#The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it.
IV. Incidental Disclosures
===Incidental Disclosures===
Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties.  In such cases, the following standards should be met:
Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties.  In such cases, the following standards should be met:
 
#The unintended disclosure of PHI must be a consequence of a permitted use or disclosure.
1. The unintended disclosure of PHI must be a consequence of a permitted use or disclosure.
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
2. The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
#Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
3. Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
##Use common sense and judgment -– look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside patient rooms should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; patients in public areas or being transported should be draped in a manner that respects the patient’s modesty or dignity).
a. Use common sense and judgment – look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside patient rooms should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; patients in public areas or being transported should be draped in a manner that respects the patient’s modesty or dignity).
##Speak in a lower voice;
b. Speak in a lower voice;
##Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of patients receiving treatment through the use of curtains or other visual barriers whenever possible);
c. Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of patients receiving treatment through the use of curtains or other visual barriers whenever possible);
##Pull the dividers or partitions between the patient and other patients or visitors; and
d. Pull the dividers or partitions between the patient and other patients or visitors; and
##Ask if the patient would prefer to talk in a more private location.
e. Ask if the patient would prefer to talk in a more private location.
======Disclosures to the Patient
V.  Disclosures to the Patient
Nebraska Medicine/UNMC may disclose PHI to the patient or his/her Personal Representative.   
Nebraska Medicine/UNMC may disclose Protected Health Information to the patient or his/her Personal Representative.   
The patient has a right to see and obtain copies of PHI maintained in the patient’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set].
The patient has a right to see and obtain copies of Protected Health Information maintained in the patient’s designated record set.   Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. Please refer to Access & Amendment of Designated Record Set policy.
#For other disclosures to the patient
1. For other disclosures to the patient
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
a. For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
###Notation in the medical, billing or other record from which the material was obtained
i.     Notation in the medical, billing or other record from which the material was obtained
###Electronic notation such as Quick Disclosure (Epic) in the database from which the information was obtained
ii. Electronic notation such as Quick Disclosure (Epic) in the database from which the information was obtained
##It is not necessary to document oral disclosures to Individuals, unless required by nursing, medical staff or other policies. This policy recognizes that there is constant exchange of information between health care providers and Individuals during episodes of care.
b. It is not necessary to document oral disclosures to Individuals, unless required by nursing, medical staff or other policies. This policy recognizes that there is constant exchange of information between health care providers and Individuals during episodes of care.
##When disclosing to the patient, appropriate safeguards should be taken to reduce the risk that people other than the patient or people permitted by the patient will hear the disclosure. Examples of such safeguards would include:
c. When disclosing to the patient, appropriate safeguards should be taken to reduce the risk that people other than the patient or people permitted by the patient will hear the disclosure. Examples of such safeguards would include:
###Asking the patient if the patient would prefer to talk in a more private location.
i. Asking the patient if the patient would prefer to talk in a more private location.
###Confirming with the patient that it is okay to proceed with the conversation while friends, relatives or others are present.
ii. Confirming with the patient that it is okay to proceed with the conversation while friends, relatives or others are present.
###Speaking in a lower voice.
iii. Speaking in a lower voice.
###Pulling the dividers or partitions between the patient and other patients or visitors.
iv. Pulling the dividers or partitions between the patient and other patients or visitors.
###Providing more privacy through partitions and room arrangements.
v. Providing more privacy through partitions and room arrangements.
#The minimum necessary standard does not apply to disclosures to the patient.
2. The minimum necessary standard does not apply to disclosures to the patient.
===Disclosures to Family, Friends and Others===
VI. Disclosures to Family, Friends and Others
====Facility Directory=====
1. Facility DirectoryNebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the patient by name, or to members of the clergy, in accordance with applicable policies. Reference Private Designation policy, for additional details.
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the patient by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #s'''
2.  Disclosures with the Patient’s Permission
====Disclosures with the Patient’s Permission====
a. You may disclose Protected Health Information to the patient in the presence of others if the patient is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient.
#You may disclose PHI to the patient in the presence of others if the patient is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient.
b. When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the patient's care or payment for care.
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the patient's care or payment for care.
c. Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers.  They may have no role in the patient’s care.  They may simply be visiting the patient.  Therefore, try to give the patient every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers.  They may have no role in the patient’s care.  They may simply be visiting the patient.  Therefore, try to give the patient every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
d. Do not rely on this authority if the patient is incapacitated or otherwise unable to agree or object to such disclosure.
#Do not rely on this authority if the patient is incapacitated or otherwise unable to agree or object to such disclosure.
 
====Disclosures Based on Role or Involvement in Patient Care====
3. Disclosures Based on Role or Involvement in Patient Care
#Follow this policy when disclosing Phi to a person, other than a Personal Representative, whom you believe plays a role in the patient’s health care (or payment for health care).  For example, follow this policy when you:
 
a. Follow this policy when disclosing Protected Health Information to a person, other than a Personal Representative, whom you believe plays a role in the patient’s health care (or payment for health care).  For example, follow this policy when you:


i. Talk to the patient’s child, other relative, or friend who customarily drives the patient to appointments to confirm the date and time of the next appointment.
i. Talk to the patient’s child, other relative, or friend who customarily drives the patient to appointments to confirm the date and time of the next appointment.