Use and Disclosure of Protected Health Information: Difference between revisions

no edit summary
Line 128: Line 128:
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#When the patient has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the patient’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the patient’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the patient’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
#When the patient has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the patient’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the patient’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the patient’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
===Uses/Disclosure of PHI for Electronic Health Information Exchanges===  
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
====CyncHealth (Previously NeHII)====
=====CyncHealth (Previously NeHII)=====
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].     
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].     
====Epic-integrated HIE Software====
=====Epic-integrated HIE Software=====
Epic-integrated HIE Software, includes but is not limited to Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, health care operations or any other purposes, regardless if otherwise permitted under HIPAA.  
Epic-integrated HIE Software, includes but is not limited to Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, health care operations or any other purposes, regardless if otherwise permitted under HIPAA.  
====eHealth Exchange====
=====eHealth Exchange=====
#Includes federal and non-federal organizations. Veterans Administration (VA) is a participant of this HIE. Members of the ACE access this HIE via Care Everywhere; as such, PHI obtained via the eHealth Exchange generally may only be used or disclosed for treatment purposes.
#Includes federal and non-federal organizations. Veterans Administration (VA) is a participant of this HIE. Members of the ACE access this HIE via Care Everywhere; as such, PHI obtained via the eHealth Exchange generally may only be used or disclosed for treatment purposes.
#All users of the eHealth Exchange are required to cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone.
#All users of the eHealth Exchange are required to cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone.
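Review bot: Two bolded drafting placeholders remain in the policy text in this hunk: '''need Nebr Med policy #''' in the notification step and '''need email or dept contact info''' in the HIE paragraph. The second leaves Workforce members with no way to reach the Enterprise Applications Executive Director who authorizes HIE access. Fill both in, or move the open questions to the talk page. In the incompetent-patient step, "to disclosure additional information" should also read "to disclose additional information".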
Line 141: Line 141:
===Use/Disclosure of PHI for Training Healthcare Professionals ===
===Use/Disclosure of PHI for Training Healthcare Professionals ===
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
IX. Use/Disclosure of PHI Permitted/Required by Law
===Use/Disclosure of PHI Permitted/Required by Law===
Please reference Disclosures of PHI As Permitted or Required by Law policy.
See UNMC Policy No. 6304, [[Disclosures of PHI as Permitted or Required by Law]].  
X. Use/Disclosure of PHI for Law Enforcement Purposes.  
===Use/Disclosure of PHI for Law Enforcement Purposes===
Please reference Disclosures of PHI for Law Enforcement Purposes policy.
See UNMC Policy No. 6305, [[Disclosure of PHI for Law Enforcement Purposes]].
XI.    Use/Disclosure of PHI for Whistleblowing Purposes.
===Use/Disclosure of PHI for Whistleblowing Purposes===
A Workforce member may disclose PHI for whistleblowing purposes when:
A Workforce member may disclose PHI for whistleblowing purposes when:
1. The Workforce member believes in good faith that Nebraska Medicine/UNMC engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by Nebraska Medicine/UNMC potentially endangers one or more patients, other Workforce members, or the public; and  
#The Workforce member believes in good faith that Nebraska Medicine/UNMC engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by Nebraska Medicine/UNMC potentially endangers one or more patients, other Workforce members, or the public; and  
2. The disclosure is to:  
#The disclosure is to:  
a. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of Nebraska Medicine/UNMC or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by Nebraska Medicine/UNMC; or  
##A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of Nebraska Medicine/UNMC or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by Nebraska Medicine/UNMC; or  
b. An attorney retained by or on behalf of the Workforce member or business associate for the purpose of determining the legal options of the Workforce member or business associate with regard to the conduct described in this section.  
##An attorney retained by or on behalf of the Workforce member or business associate for the purpose of determining the legal options of the Workforce member or business associate with regard to the conduct described in this section.  
XII.  Use/Disclosure of PHI for Marketing  
===Use/Disclosure of PHI for Marketing ===
Refer requests for disclosures of PHI for marketing or fundraising purposes to the Office of Privacy.
Refer requests for disclosures of PHI for marketing or fundraising purposes to the [mailto:privacy@nebraskamed.com Privacy Office].
XIII. Use/Disclosure of PHI for Research
===Use/Disclosure of PHI for Research===
1. All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA.   The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA. To learn more about such waivers, please reference UNMC HRPP policy.   
#All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval. See UNMC [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program Policies and Procedures]. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA. The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA. To learn more about such waivers, please see UNMC Human Research Protection Program Policies and Procedures.   
2. For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):  
#For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):  
a. A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
##A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
b. Documentation of the death of such Individuals; and  
##Documentation of the death of such Individuals; and  
c. A representation that the requested PHI is necessary for the research purposes.
##A representation that the requested PHI is necessary for the research purposes.
3. Review of PHI Preparatory to Research. Nebraska Medicine/UNMC staff and students who wish to review PHI to prepare a research proposal must submit a "Request for Electronic Health Data" form to the Electronic Health Record Data Access Core to obtain access to such PHI.  This request form is located at: https://www.unmc.edu/cctr/resources/ehr/index.html.
#Review of PHI Preparatory to Research. Nebraska Medicine/UNMC staff and students who wish to review PHI to prepare a research proposal must submit a [https://unmcredcap.unmc.edu/redcap/surveys/?s=NMPNWMEA7W Electronic Health Data Request] Form to the [https://www.unmc.edu/cctr/resources/ehr/index.html Electronic Health Record Data Access Core] to obtain access to such PHI.  
 
#Access to PHI for reviews preparatory to research requires that the researcher provide the following representations in advance of such disclosure and use:
4. Access to PHI for reviews preparatory to research requires that the researcher provide the following representations in advance of such disclosure and use:
##that the use or disclosure is sought solely to review Protected Health Information as necessary to prepare a research protocol or for similar purposes preparatory to research;  
a. that the use or disclosure is sought solely to review Protected Health Information as necessary to prepare a research protocol or for similar purposes preparatory to research;  
##that no PHI is to be removed from the covered entity by the researcher in the course of the review; and  
b. that no Protected Health Information is to be removed from the covered entity by the researcher in the course of the review; and  
##that the PHI for which disclosure and use is sought is necessary for the research purposes.
c. that the Protected Health Information for which disclosure and use is sought is necessary for the research purposes.
===Sale of Protected Health Information===
 
Selling PHI is generally prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where Nebraska Medicine/UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. Sale of PHI does not include certain disclosures of PHI:
XIV. Sale of Protected Health Information.
#For public health purposes;
Selling Protected Health Information is generally prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where Nebraska Medicine/UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the Protected Health Information. Sale of Protected Health Information does not include certain disclosures of PHI:
#For research purposes where the only remuneration received by '''Organization''' is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes;
a. For public health purposes;
#For treatment and payment purposes;
b. For research purposes where the only remuneration received by Organization is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes;
#To a business associate for activities that the business associate undertakes on Nebraska Medicine/UNMC’s behalf (if such business associate executes a Business Associate Agreement with Nebraska Medicine/UNMC);  
c. For treatment and payment purposes;
#To an Individual who is requesting access to his or her own PHI;
d. To a business associate for activities that the business associate undertakes on Nebraska Medicine/UNMC’s behalf (if such business associate executes a business associate agreement with Nebraska Medicine/UNMC);  
#As required by law; and
e. To an Individual who is requesting access to his or her own PHI;
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.   
f. As required by law; and
De-identified data is not PHI and therefore is not subject to the remuneration prohibition.  However, limited data sets are PHI and are subject to this provision (see the [https://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&action=edit#Limited_Data_Set).   
g. For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.   
===Minimum Necessary===
 
De-identified data is not PHI and therefore is not subject to the remuneration prohibition.  However, limited data sets are PHI and are subject to this provision (see the Limited Data Set section below).   
 
XV. Minimum Necessary.
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing Protected Health Information or when requesting Protected Health Information, members of the Workforce must make reasonable efforts to limit Protected Health Information used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.   
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing Protected Health Information or when requesting Protected Health Information, members of the Workforce must make reasonable efforts to limit Protected Health Information used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.   
1. The “minimum necessary” standard does not apply to the following requests, uses, and disclosures of PHI:
1. The “minimum necessary” standard does not apply to the following requests, uses, and disclosures of PHI:
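Review bot: The new cross-reference in the Sale of PHI section's closing paragraph is broken. It opens an external link to the page's own action=edit URL, has no link label, and never closes the bracket, so readers who follow it land on the edit form rather than the Limited Data Set section. An in-page link such as [[#Limited Data Set|Limited Data Set]] would replace it cleanly. In the same list, '''Organization''' is bolded as a placeholder in the research item but left as plain "Organization" in the last item; both should name Nebraska Medicine/UNMC as the rest of the list does. The Minimum Necessary items that follow still use hand-typed "1." numbering where the sections above were converted to # markup.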
Line 195: Line 191:
b. Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.  
b. Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.  
4. Departments that are not responsible for release of information should release records only under the limited conditions identified in Accounting of Disclosures policy.  All other requests should be sent to HIM.
4. Departments that are not responsible for release of information should release records only under the limited conditions identified in Accounting of Disclosures policy.  All other requests should be sent to HIM.
XVI. Limited Data Set.
===Limited Data Set===
1. A limited data set of PHI that excludes certain direct identifiers of the Individual or of relatives, employers, or household members of the Individual may be used and disclosed for the purposes of research, public health, or health care operations:  
1. A limited data set of PHI that excludes certain direct identifiers of the Individual or of relatives, employers, or household members of the Individual may be used and disclosed for the purposes of research, public health or health care operations:  
a. Names;
a. Names;
b. Postal address information, other than town or city, state, or zip code;
b. Postal address information, other than town or city, state, or zip code;
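Review bot: The Limited Data Set section gets a wiki heading here, but its items keep hand-typed numbering ("1.", "a.", "b."), as do the Minimum Necessary items at the top of this hunk ("b.", "4."). Sections converted elsewhere in this revision use # and ## list markup. Converting these items as well would keep numbering generated and consistent when items are later added or removed.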
Line 215: Line 211:


2. The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
2. The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
 
===De-identification/Re-identification of PHI===
XVII.    De-identification/Re-identification of PHI  
1. PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
1. PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
a. The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed, and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
a. The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed, and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
Line 241: Line 236:
a. The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and  
a. The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and  
b. The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
b. The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
 
===Disaster Relief Disclosures===
XVIII. Disaster Relief Disclosures
Nebraska Medicine/UNMC may disclose Protected Health Information to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.
Nebraska Medicine/UNMC may disclose Protected Health Information to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.


Line 255: Line 249:
c. Determining the identity of victims and survivors.
c. Determining the identity of victims and survivors.


2. The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances. Professional judgment under this policy may be exercised and documented by the Privacy Officer or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan.
#The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances. Professional judgment under this policy may be exercised and documented by the [mailto:debrbishop@nebraskamed.com Privacy Officer] or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan. '''need link(s) to plan(s}'''
 
#The minimum necessary standard does not apply to disclosures to disaster relief agencies.
3. The minimum necessary standard does not apply to disclosures to disaster relief agencies.
===Authorization Generally Required for All Other Uses/Disclosures===
 
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into .
XIX. Authorization Generally Required for all other Uses/Disclosures.
===Compound Authorizations===
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900). Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy.
 
XX. Compound authorizations.
 
An authorization for use or disclosure of Protected Health Information generally may not be combined with any other document to create a compound authorization, except in the following cases:  
An authorization for use or disclosure of Protected Health Information generally may not be combined with any other document to create a compound authorization, except in the following cases:  
1. An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.  
#An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.  
2. An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.  
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand alone policy and being incorporated into unmc policy # 6059, access to designated record set'''?
 
 
 
 
== Definitions ==
== Definitions ==
===Health Care Operations===
===Health Care Operations===
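Review bot: Drafting questions have been saved into the policy text in this hunk. The authorization paragraph now ends "explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into ." with the question run into the sentence and cut off. The psychotherapy-notes item carries a bolded question about UNMC policy # 6059, and the disaster relief item ends with '''need link(s) to plan(s}''' (mismatched brace) next to '''need URL for forms'''. Resolve these or move them to the talk page so the published policy states one rule. The Privacy Officer link in the disaster relief item points to an individual's mailbox, while the rest of the page uses the shared privacy@nebraskamed.com address. A role address will not go stale when the officeholder changes. Also, the two disaster relief items were "2." and "3." and are now # items following a hand-lettered "c." sub-item; check that they do not render renumbered from 1.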