Line 173: | Line 173: | ||
#As required by law; and | #As required by law; and | ||
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies. | #For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies. | ||
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. | De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision (see the section on [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Limited_Data_Set Limited Data Set]). | ||
===Minimum Necessary=== | ===Minimum Necessary=== | ||
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing | Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing PHI or when requesting PHI, members of the Workforce must make reasonable efforts to limit Protected Health Information used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request. | ||
#The “minimum necessary” standard does not apply to the following requests, uses and disclosures of PHI: | |||
##Uses, disclosures or requests among healthcare providers for treatment purposes. | |||
##Uses or disclosures required by law, so long as the use or disclosure complies with and is limited to the relevant requirements of the law. | |||
##Disclosures made to the Individual or pursuant to an authorization signed by the Individual. | |||
##Disclosures made to the Secretary of Health and Human Services or his or her designee. | |||
##Uses or disclosures required for compliance with the '''''Privacy Rule'''''. | |||
#Workforce. The minimum necessary standard applies to access and use of Protected Health Information by members of the Workforce. Each member of the Workforce must avoid intentionally accessing, using or disclosing Protected Health Information except as authorized by Nebraska Medicine/UNMC’s policies. | |||
##When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law. | |||
##Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles, and associated levels of access to PHI. Reference Electronic Health Record Access Control policy. | |||
##Individuals who are performing treatment, payment and healthcare operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties. | |||
#Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met. | |||
##Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g., HIM, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally. | |||
##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met. | |||
#Departments that are not responsible for release of information should release records only under the limited conditions identified in UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]. All other requests should be sent to HIM. | |||
===Limited Data Set=== | ===Limited Data Set=== | ||
#A limited data set of PHI that excludes certain direct identifiers of the Individual or of relatives, employers, or household members of the Individual may be used and disclosed for the purposes of research, public health or health care operations: | |||
##Names; | |||
##Postal address information, other than town or city, state, or zip code; | |||
##Telephone numbers; | |||
##Fax numbers; | |||
##Electronic mail addresses; | |||
##Social security numbers; | |||
##Medical record numbers; | |||
##Health plan beneficiary numbers; | |||
##Account numbers; | |||
##Certificate/license numbers; | |||
##Vehicle identifiers and serial numbers, including license numbers; | |||
##Device identifiers and serial numbers; | |||
##Web Universal Resource Locators (URLs); | |||
##Internet Protocol (IP) address numbers; | |||
##Biometric identifiers, including finger and voice prints; and | |||
## Full-face photographic images and any comparable images. | |||
#The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. | |||
===De-identification/Re-identification of PHI=== | ===De-identification/Re-identification of PHI=== | ||
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used: | |||
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are: | |||
##Names; | |||
##All geographic subdivisions smaller than a state (including street address, city, county, precinct, and zip code); | |||
##All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death); | |||
##Telephone numbers; | |||
##Fax numbers; | |||
##Electronic mail addresses; | |||
##Social Security Numbers; | |||
##Medical record numbers; | |||
##Health plan beneficiary numbers; | |||
##Account numbers; | |||
##Certificate/license numbers; | |||
##Vehicle identifiers and serial numbers, including license plate numbers; | |||
##Device identifiers and serial numbers; | |||
##Web Universal Resource Locators (URLs); | |||
##Internet Protocol (IP) address numbers; | |||
##Biometric identifiers, including finger and voice prints; | |||
##Full face photographic images and any comparable images; and | |||
##Any other unique identifying number, characteristic, or code. | |||
#A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information; and documents the methods and results of the analysis that justify such determination. The Legal Services department '''UNMC or Nebr med? best contact info ??''' and/or [mailto:privacy@nebraskamed.com Privacy Office] must approve of the use of this de-identification method and the person who performs it. | |||
#Re-identification of PHI. A code or other means of record identification may be assigned to allow information de-identified above to be re-identified by Organization, provided that: | |||
##The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and | |||
##The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. | |||
===Disaster Relief Disclosures=== | ===Disaster Relief Disclosures=== | ||
Nebraska Medicine/UNMC may disclose Protected Health Information to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts. | Nebraska Medicine/UNMC may disclose Protected Health Information to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts. | ||
''Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts. Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.'' | |||
Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts. Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army. | #Limit releases of information to the information needed by the agencies to perform their disaster relief efforts. Often, this includes such uses as: | ||
##Coordinating availability of care, | |||
##Notification of family and friends, or | |||
##Determining the identity of victims and survivors. | |||
#The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances. Professional judgment under this policy may be exercised and documented by the [mailto:debrbishop@nebraskamed.com Privacy Officer] or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan. '''need link(s) to plan(s}''' | #The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances. Professional judgment under this policy may be exercised and documented by the [mailto:debrbishop@nebraskamed.com Privacy Officer] or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan. '''need link(s) to plan(s}''' | ||
#The minimum necessary standard does not apply to disclosures to disaster relief agencies. | #The minimum necessary standard does not apply to disclosures to disaster relief agencies. | ||
===Authorization Generally Required for All Other Uses/Disclosures=== | ===Authorization Generally Required for All Other Uses/Disclosures=== | ||
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into . | Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into unmc policy # 6059, access to designated record set. | ||
===Compound Authorizations=== | ===Compound Authorizations=== | ||
An authorization for use or disclosure of Protected Health Information generally may not be combined with any other document to create a compound authorization, except in the following cases: | An authorization for use or disclosure of Protected Health Information generally may not be combined with any other document to create a compound authorization, except in the following cases: | ||
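Review bot: In the De-identification/Re-identification list the nesting does not match the lead sentence "PHI is de-identified when one of the following methods is used". The 18 identifiers ("Names;" through "Any other unique identifying number, characteristic, or code.") sit at the same "##" level as the item that introduces them, and the expert-determination item ("A person with appropriate knowledge of and experience with ...") is at "#", so it renders as a top-level item beside "Re-identification of PHI" rather than as the second method. Suggest "###" for the identifiers and "##" for the expert-determination item. That item also still carries the drafting query "UNMC or Nebr med? best contact info ??" in the added text, which leaves the approving department undefined; resolve it before this revision is treated as current. In the added Limited Data Set item, the colon that introduces the excluded identifiers follows "research, public health or health care operations", so the list reads as a list of purposes; end the sentence there and introduce the identifier list separately.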
Line 258: | Line 250: | ||
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand alone policy and being incorporated into unmc policy # 6059, access to designated record set'''? | #An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand alone policy and being incorporated into unmc policy # 6059, access to designated record set'''? | ||
== Definitions == | == Definitions == | ||
==Additional Information== | ==Additional Information== | ||
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?''' | *Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?''' |
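Review bot: The "== Definitions ==" heading in this hunk is immediately followed by "==Additional Information==", so the section is empty while the policy text relies on defined terms such as Workforce, Individual and Organization, and the only definition on the page ("Disaster relief agency means ...") sits inline under Disaster Relief Disclosures. Suggest populating Definitions or removing the heading, and moving the disaster relief agency definition there. The bold drafting queries in the context lines ("Is psychotherapy notes policy deleted as a separate stand alone policy ...", "is this phone # still correct?") are still in the published text on both sides of the diff and should be resolved or moved to the talk page.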