Use and Disclosure of Protected Health Information: Difference between revisions

no edit summary
Line 63: Line 63:
#The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the patient who is the subject of such PHI.
#The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the patient who is the subject of such PHI.
===Payment===
===Payment===
Nebraska Medicine/UNMC may disclose Protected Health Information to another provider or covered entity for its payment purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.
Nebraska Medicine/UNMC may disclose PHI to another provider or covered entity for its [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes.   
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes.   
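Review bot: The new Payment link in the revised opening sentence of this section hard-codes the full URL https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 to reach a section of this same page. A same-page section link, [[#Payment_2|Payment]], would survive a page rename or host change. The Payment_2 anchor also only exists while the page has two headings titled Payment, so it will break if either heading is renamed.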
Line 75: Line 75:
#The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it.
#The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it.
===Incidental Disclosures===
===Incidental Disclosures===
Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties. In such cases, the following standards should be met:
Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties. In such cases, the following standards should be met:
#The unintended disclosure of PHI must be a consequence of a permitted use or disclosure.
#The unintended disclosure of PHI must be a consequence of a permitted use or disclosure.
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
Line 84: Line 84:
##Pull the dividers or partitions between the patient and other patients or visitors; and
##Pull the dividers or partitions between the patient and other patients or visitors; and
##Ask if the patient would prefer to talk in a more private location.
##Ask if the patient would prefer to talk in a more private location.
======Disclosures to the Patient
===Disclosures to the Patient===
Nebraska Medicine/UNMC may disclose PHI to the patient or his/her Personal Representative.   
Nebraska Medicine/UNMC may disclose PHI to the patient or his/her Personal Representative.   
The patient has a right to see and obtain copies of PHI maintained in the patient’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set].
The patient has a right to see and obtain copies of PHI maintained in the patient’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set].
#For other disclosures to the patient
#For Other Disclosures to Patient
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
###Notation in the medical, billing or other record from which the material was obtained
###Notation in the medical, billing or other record from which the material was obtained
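Review bot: In the revised paragraph under "Disclosures to the Patient", the parenthetical opened at "(See UNMC Policy No. 6059," is still never closed; the line ends with "Access and Amendment of Designated Record Set]." Add the closing parenthesis after the link while this paragraph is being edited. The renamed list item "#For Other Disclosures to Patient" also switches to title case, unlike the sentence-case list items that follow it.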
Line 100: Line 100:
#The minimum necessary standard does not apply to disclosures to the patient.
#The minimum necessary standard does not apply to disclosures to the patient.
===Disclosures to Family, Friends and Others===
===Disclosures to Family, Friends and Others===
====Facility Directory=====
====Facility Directory====
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the patient by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #s'''
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the patient by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #'''
====Disclosures with the Patient’s Permission====
====Disclosures with Patient’s Permission====
#You may disclose PHI to the patient in the presence of others if the patient is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient.
#You may disclose PHI to the patient in the presence of others if the patient is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient.
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the patient's care or payment for care.
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the patient's care or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for care.
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the patient’s care. They may simply be visiting the patient. Therefore, try to give the patient every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the patient’s care. They may simply be visiting the patient. Therefore, try to give the patient every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
#Do not rely on this authority if the patient is incapacitated or otherwise unable to agree or object to such disclosure.
#Do not rely on this authority if the patient is incapacitated or otherwise unable to agree or object to such disclosure.
====Disclosures Based on Role or Involvement in Patient Care====
====Disclosures Based on Role or Involvement in Patient Care====
#Follow this policy when disclosing Phi to a person, other than a Personal Representative, whom you believe plays a role in the patient’s health care (or payment for health care). For example, follow this policy when you:
##Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the patient’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you:
##Talk to the patient’s child, other relative, or friend who customarily drives the patient to appointments to confirm the date and time of the next appointment.
##Give an involved family member the patient’s prescription, so the family member can fill it for the patient.
##Talk to a family member at discharge, if they play a role in post-discharge care.
##Talk to the patient’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
##Talk to a family member or friend when the patient indicates you can or should do so, e.g., if the person accompanies the patient for an appointment or procedure, or is invited and present at admission or discharge.
#If the patient is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:
##Obtain the patient’s consent to such disclosure;
##Provide the patient with an opportunity to object, and disclose only if the patient does not object; or
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object.
#If the patient is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the patient. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />


i. Talk to the patient’s child, other relative, or friend who customarily drives the patient to appointments to confirm the date and time of the next appointment.
Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.
 
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient.
ii. Give an involved family member the patient’s prescription, so the family member can fill it for the patient.
====Disclosure for Notification Purposes====
 
Nebraska Medicine/UNMC may disclose PHI about a patient in order to notify family, friends or others of the patient’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
iii. Talk to a family member at discharge, if they play a role in post-discharge care.
#Ask the patient, if possible, whether he or she consents to such disclosure and rely on what the patient says.#
 
#If the patient is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the patient’s care, and make an effort to limit contact to them.
iv. Talk to the patient’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
 
#When the patient has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the patient’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the patient’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the patient’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
v. Talk to a family member or friend when the patient indicates you can or should do so – such as if the person accompanies the patient for an appointment or procedure, or is invited and present at admission or discharge.
===Uses/Disclosure of PHI for Electronic Health Information Exchanges===
 
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
b. If the patient is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following –
====CyncHealth (Previously NeHII)====
 
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].     
i. Obtain the patient’s consent to such disclosure;
====Epic-integrated HIE Software====
 
Epic-integrated HIE Software, includes but is not limited to Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, health care operations or any other purposes, regardless if otherwise permitted under HIPAA.  
ii. Provide the patient with an opportunity to object, and disclose only if the patient does not object; or
====eHealth Exchange====
 
#Includes federal and non-federal organizations. Veterans Administration (VA) is a participant of this HIE. Members of the ACE access this HIE via Care Everywhere; as such, PHI obtained via the eHealth Exchange generally may only be used or disclosed for treatment purposes.
iii. Reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object.
#All users of the eHealth Exchange are required to cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone.
 
===Business Associate Agreements/Addendums===
c. If the patient is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the patient.  If so, disclose only the Protected Health Information directly relevant to the recipient’s involvement in the Individual’s health care.  A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient care to disclose information relevant to the Individual’s involvement.
Nebraska Medicine/UNMC shall enter into a Business Associate Agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see UNMC Policy No. 8009, [[Contracts]] or Contract Management policy, FN18).  
    Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.
===Use/Disclosure of PHI for Training Healthcare Professionals ===
 
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
d. These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient.
 
4. Disclosure for Notification Purposes
 
Nebraska Medicine/UNMC may disclose Protected Health Information about a patient in order to notify family, friends or others of
the patient’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the  
involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
 
a. Ask the patient, if possible, whether he or she consents to such disclosure and rely on what the patient says.
 
b. If the patient is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the patient’s care, and make an effort to limit contact to them.
 
c. If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (Reference Consents and Permits policy). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
 
d. When the patient has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the patient’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the patient’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the patient’s name and date of birth unless permission has been obtained from the Privacy Office to disclosure additional information.
5. Uses/Disclosure of PHI for electronic Health Information Exchanges (HIEs). 
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved HIEs.   Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director authorizes individual access to the HIE. The ACE is a member of the following HIEs:
a. CyncHealth (previously NeHII)CyncHealth participants may access CyncHealth PHI pursuant to CyncHealth’s Privacy and Information Security Policies and Procedures, found at https://cynchealth.org/privacy-security/. If unsure as to whether a particular use or disclosure is permissible, contact the Privacy Office.     
b. Epic-integrated HIE software including but not limited to Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, healthcare operations, or any other purposes, regardless if otherwise permitted under HIPAA.  
i. eHealth Exchange includes federal and non-federal organizations. Veterans Administration (VA) is a participant of this HIE. Members of the ACE access this HIE via Care Everywhere; as such, PHI obtained via the eHealth Exchange generally may only be used or disclosed for treatment purposes.
ii. All users of the eHealth Exchange are required to: cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws; and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone.
VII.  Business Associate Agreements/Addendums
Nebraska Medicine/UNMC shall enter into a business associate agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see Contract Management policy, FN18).  
VIII. Use/Disclosure of PHI for Training Healthcare Professionals  
Please reference Use/Disclosure of PHI for Training Healthcare Professionals policy.
IX. Use/Disclosure of PHI Permitted/Required by Law
IX. Use/Disclosure of PHI Permitted/Required by Law
Please reference Disclosures of PHI As Permitted or Required by Law policy.
Please reference Disclosures of PHI As Permitted or Required by Law policy.
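Review bot: The revised text still carries editorial placeholders in the policy wording: '''need Nebr Med policy #''' in the Facility Directory paragraph and in the third step of Disclosure for Notification Purposes, and '''need email or dept contact info''' after "The Enterprise Applications Executive Director". Resolve these, or move them to the talk page, before the revision is treated as final. In the same hunk, the lead-in under "Disclosures Based on Role or Involvement in Patient Care" is now marked "##Follow this policy when disclosing PHI..." so the list opens at the second level with no first-level item above it (it should be "#"); the first notification step ends with a stray "#"; and the last notification step reads "to disclosure additional information" where "disclose" is meant.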
Line 335: Line 320:
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See [[Protected_Health_Information_(PHI)#Use.2FDisclosure_of_PHI_for_Research|Use and Disclosure of PHI for Research]].<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See [[Protected_Health_Information_(PHI)#Use.2FDisclosure_of_PHI_for_Research|Use and Disclosure of PHI for Research]].<br />


'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See [[index.php?title=Protected_Health_Information_(PHI)&action=edit|Sale of Protected Health Information]].
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the  
== Procedures ==
===Use/Disclosure of PHI Related to Healthcare===
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
 
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
 
Use of electronic health information exchanges (HIEs). The ACE may access and disclose PHI through ACE-approved HIEs. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The ACE is a member of two HIEs:
:#Nebraska Health Information Initiative (NeHII). NeHII participants may access NeHII PHI for treatment, payment and limited health care operations purposes. Refer to the [http://nehii.org/index.php?option=com_docman&Itemid=59 NeHII Privacy and Information Security Policies and Procedures] or contact the Privacy Office if you are unsure whether a particular use of NeHII PHI is permissible.
:#EPIC Care Everywhere and Care Elsewhere. Use of EPIC Care Everywhere and Care Elsewhere is restricted to treatment purposes only. It cannot be used for payment, healthcare operations or other purposes otherwise permitted under HIPAA.<br />
 
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
 
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See UNMC Policy No. 6058, [[Notice_of_Privacy_Practices|Notice of Privacy Practices]].<br />
 
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:
:#Use of their name, location and general condition in the facility directory.
:#Disclosure of religious affiliation to clergy members.
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.
===Request for restrictions=== 
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.
===Use/Disclosure of PHI Related for Training Healthcare Professionals===
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.
===Use/Disclosure of PHI Permitted/Required by Law===
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:
:#Disclosure required by law
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.
:#Disclosures for law enforcements purposes. See [[Protected_Health_Information_(PHI)#Use.2FDisclosure_of_PHI_for_Law_Enforcement_Purposes|Use and Disclosure of PHI for Law Enforcement Purposes]].
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.
:#Disclosure about decedents to medical examiners and coroners consistent with law.
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.
:#Disclosures about military personnel to military command authority in limited circumstances.
===Use/Disclosure of PHI for Law Enforcement Purposes===
PHI may be disclosed to law enforcement under the following circumstances:
:#Laws require reporting violent wounds to law enforcement
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only:  name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. 
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.
:#Crime (or suspected crime) occurred on UNMC campus.
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)
===Use/Disclosure of PHI for Marketing===
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.
Additionally, the following activities are not marketing under HIPAA:
:#Communication for treatment of the individual.
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. 
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and
:#Communications to describe the health-related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health-related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits.<br />
 
Uses and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.
===Use/Disclosure of PHI for Fundraising===
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
 
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising.
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth
:#Dates of healthcare provided to an individual
:#Department of service information
:#Treating physician
:#Outcome information; and
:#Health insurance status
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization.  <br />
 
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt out without incurring costs. If an individual opts out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.
===Use/Disclosure of PHI for Research===
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA.<br />


Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a [https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] form to the Electronic Health Record Core to obtain access to PHI.
===Sale of Protected Health Information===
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale.  This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:
:#For public health purposes
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
:#For treatment and payment purposes
:#To an individual where the individual is requesting access to their own PHI
:#Required by law; and
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />


De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.
   
===Authorization Required for all other Uses/Disclosures===
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in UNMC Policy No. 6066, [[Psychotherapy Notes]].
===Minimum Necessary===
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html 45 CFR 164.502(b)]
:#Role-based access: access to PHI shall be based on the role performed, as specified in the following:
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.
:#Use/Disclosure of PHI: Departments that provide PHI in response to requests shall ensure the minimum necessary requirements are met.
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (e.g., Health Information Management, Decision Support Departments).
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:
:##Disclosure to healthcare providers for treatment purposes
:##Disclosures required by law
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual
:##Disclosure made to the Secretary of HHS for enforcement purposes
:##Electronic data elements transmitted in electronic claims
===Limited Data Set===
A limited data set of PHI that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual may be used and disclosed for the purposes of research, public health or healthcare operations:
:#Names
:#Postal address information, other than town or city, state or zip code
:#Telephone numbers
:#Fax numbers
:#Electronic mail addresses
:#Social security numbers
:#Medical record numbers
:#Health plan beneficiary numbers
:#Account numbers
:#Certificate/license numbers
:#Vehicle identifiers and serial numbers, including license numbers
:#Device identifiers and serial numbers
:#Web Universal Resource Locators (URLs)
:#Internet Protocol (IP) address numbers
:#Biometric identifiers, including finger and voice prints; and
:#Full face photographic images and any comparable images
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
===De-Identification/Re-Identification of PHI (164.514)===
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:
:#Names
:#All geographic subdivisions smaller than a state
:#All elements of dates except year, for dates related to the individual
:#Telephone numbers
:#Fax numbers
:#Electronic mail addresses
:#Social security numbers
:#Medical record numbers
:#Health plan beneficiary numbers
:#Account numbers
:#Certificate/license numbers
:#Vehicle identifiers and serial numbers
:#Device identifiers and serial numbers
:#Web Universal Resource Locators (URLs)
:#Internet Protocol (IP) address numbers
:#Biometric identifiers, including finger and voice prints
:#Full face photographic images and other comparable images; and
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) to be re-identified by UNMC, provided that:
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
==Additional Information==
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''