Line 25: | Line 25: | ||
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | ||
<br /><br /> | <br /><br /> | ||
Policy No.: '''6057'''<br /> | |||
Effective Date: '''03/17/03'''<br /> | |||
Revised Date: '''10/30/2013'''<br /> | |||
Review Date: '''10/29/2013'''<br /> | |||
<big>'''Use and Disclosure of Protected Health Information Policy'''</big> | <big>'''Use and Disclosure of Protected Health Information Policy'''</big> | ||
== Basis for Policy == | == Basis for Policy == | ||
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502]) | To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502]) | ||
== Policy == | == Policy == | ||
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27. | The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27. | ||
== Definitions == | == Definitions == | ||
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br /> | |||
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another. | |||
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities | '''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities.<br /> | ||
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider: | '''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider: | ||
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included | :#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included | ||
:#Population-based activities relating to improving health or reducing health care costs | :#Population-based activities relating to improving health or reducing health care costs | ||
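Review bot: in the added header block the Review Date (10/29/2013) is one day earlier than the Revised Date (10/30/2013), so the recorded review predates the revision it is meant to cover; confirm which date is intended. The Effective Date is also written with a two-digit year (03/17/03) while the other two use four digits, so write all three as MM/DD/YYYY.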
Line 64: | Line 58: | ||
:#Resolution of internal grievances | :#Resolution of internal grievances | ||
:#Fundraising | :#Fundraising | ||
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that: | '''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that: | ||
:#Is created or received by ACE; and | :#Is created or received by ACE; and | ||
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. | :#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. | ||
Protected Health Information includes genetic information containing individual identifiers which is defined as: | Protected Health Information includes genetic information containing individual identifiers which is defined as: | ||
:#Information about an individual's genetic tests; or | :#Information about an individual's genetic tests; or | ||
:#The genetic tests of family members of the individual; or | :#The genetic tests of family members of the individual; or | ||
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) | :#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history) | ||
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.<br /> | |||
Protected health information excludes | Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br /> | ||
'''Health information Exchange (HIE)''' is the electronic movement of health-related information among organizations according to nationally recognized standards. The goal of health information exchange is to facilitate access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. '''Health information exchange organizations (HIOs)''' provide the capability to electronically move clinical information between disparate health care information systems. <br /> | |||
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA. | '''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br /> | ||
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual. | '''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br /> | ||
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below. | '''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.<br /> | ||
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below. | '''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below.<br /> | ||
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below. | '''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below. | ||
== Procedures == | == Procedures == | ||
===Use/Disclosure of PHI Related to Healthcare=== | ===Use/Disclosure of PHI Related to Healthcare=== | ||
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations. | Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations. | ||
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared. | :#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared. | ||
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual. | :#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual. | ||
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br /> | |||
The ACE may disclose PHI for the | The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br /> | ||
The ACE may disclose PHI to | Use of electronic health information exchanges (HIEs). The ACE may access and disclose PHI through ACE-approved HIEs. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The ACE is a member of two HIEs: | ||
:#Nebraska Health Information Initiative (NeHII). NeHII participants may access NeHII PHI for treatment, payment and limited health care operations purposes. Refer to the NeHII Privacy and Information Security Policies and Procedures or contact the Privacy Office if you are unsure whether a particular use of NeHII PHI is permissible. | |||
EPIC Care Everywhere and Care Elsewhere. Use of EPIC Care Everywhere and Care Elsewhere is restricted to treatment purposes only. It cannot be used for payment, healthcare operations or other purposes otherwise permitted under HIPAA.<br /> | |||
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services. | UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br /> | ||
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See [[Notice_of_Privacy_Practices|Notice of Privacy Practices | Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See UNMC Policy No. 6058, [[Notice_of_Privacy_Practices|Notice of Privacy Practices]].<br /> | ||
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI: | Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI: | ||
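Review bot: the added line for the second HIE, "EPIC Care Everywhere and Care Elsewhere. Use of EPIC Care Everywhere and Care Elsewhere is restricted to treatment purposes only.", has no ":#" list marker, while the NeHII entry directly above it does, so the list introduced by "The ACE is a member of two HIEs:" will render with a single numbered item followed by a loose paragraph. Prefix the EPIC line with ":#" so both HIEs appear as list entries. The lead-in "Use of electronic health information exchanges (HIEs)." is also a sentence fragment run into the paragraph; make it a bold run-in label or fold it into the following sentence.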
Line 109: | Line 101: | ||
:#Disclosure of religious affiliation to clergy members. | :#Disclosure of religious affiliation to clergy members. | ||
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject. | :#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject. | ||
===Request for restrictions=== | ===Request for restrictions=== | ||
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance. | Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance. | ||
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information. | :#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information. | ||
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes. | :#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes. | ||
===Use/Disclosure of PHI Related for Training Healthcare Professionals=== | ===Use/Disclosure of PHI Related for Training Healthcare Professionals=== | ||
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA. | Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA. | ||
===Use/Disclosure of PHI Permitted/Required by Law=== | ===Use/Disclosure of PHI Permitted/Required by Law=== | ||
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes: | Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes: | ||
Line 132: | Line 121: | ||
:#Disclosures to prevent serious threat to health or safety consistent with applicable law. | :#Disclosures to prevent serious threat to health or safety consistent with applicable law. | ||
:#Disclosures about military personnel to military command authority in limited circumstances. | :#Disclosures about military personnel to military command authority in limited circumstances. | ||
===Use/Disclosure of PHI for Law Enforcement Purposes=== | ===Use/Disclosure of PHI for Law Enforcement Purposes=== | ||
PHI may be disclosed to law enforcement under the following circumstances: | PHI may be disclosed to law enforcement under the following circumstances: | ||
Line 143: | Line 131: | ||
:#Crime (or suspected crime) occurred on UNMC campus. | :#Crime (or suspected crime) occurred on UNMC campus. | ||
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.) | :#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.) | ||
===Use/Disclosure of PHI for Marketing=== | ===Use/Disclosure of PHI for Marketing=== | ||
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA. | The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA. | ||
Line 150: | Line 137: | ||
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. | :#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. | ||
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and | :#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and | ||
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits | :##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br /> | ||
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity. | Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity. | ||
===Use/Disclosure of PHI for Fundraising=== | ===Use/Disclosure of PHI for Fundraising=== | ||
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved. | Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br /> | ||
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. | Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising. | ||
Line 164: | Line 150: | ||
:#Outcome information; and | :#Outcome information; and | ||
:#Health insurance status | :#Health insurance status | ||
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. <br /> | |||
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. | |||
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications. | All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications. | ||
===Use/Disclosure of PHI for Research=== | ===Use/Disclosure of PHI for Research=== | ||
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. | All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. <br /> | ||
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm. | |||
===Sale of Protected Health Information=== | ===Sale of Protected Health Information=== | ||
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI: | Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI: | ||
Line 181: | Line 164: | ||
:#To an individual where the individual is requesting access to their own PHI | :#To an individual where the individual is requesting access to their own PHI | ||
:#Required by law; and | :#Required by law; and | ||
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies. | :#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br /> | ||
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision. | De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision. | ||
===Authorization Required for all other Uses/Disclosures=== | ===Authorization Required for all other Uses/Disclosures=== | ||
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in | All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in UNMC Policy No. 6066, [[Psychotherapy Notes]]. | ||
===Minimum Necessary=== | ===Minimum Necessary=== | ||
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. | When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request.[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)] | ||
:#Role-based Access; access to PHI shall be based on role performed as specified in the following: | :#Role-based Access; access to PHI shall be based on role performed as specified in the following: | ||
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI | :##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI | ||
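Review bot: In the Minimum Necessary paragraph, the added citation is attached directly to the sentence's closing period with no space or parentheses, so it will render fused to "request." The Basis for Policy citation uses the form "([url 45 CFR 164.502])", and the same form should be used here. The link label also reads "45 CFR 164.502(b)", but the URL path points to an HHS "minimumnecessary.pdf" document rather than the CFR text. Either relabel the link to match its target or link the regulation itself, as the Basis for Policy citation does.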
Line 202: | Line 183: | ||
:##Disclosure made to the Secretary of HHS for enforcement purposes | :##Disclosure made to the Secretary of HHS for enforcement purposes | ||
:##Electronic data elements transmitted in electronic claims | :##Electronic data elements transmitted in electronic claims | ||
===Limited Data Set=== | ===Limited Data Set=== | ||
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual: | A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual: | ||
Line 221: | Line 201: | ||
:#Biometric identifiers, including finger and voice prints; and | :#Biometric identifiers, including finger and voice prints; and | ||
:#Full face photographic images and any comparable images | :#Full face photographic images and any comparable images | ||
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. | The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient. | ||
===De-Identification /Re-Identification of PHI (164.514)=== | ===De-Identification /Re-Identification of PHI (164.514)=== | ||
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are: | '''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are: | ||
Line 244: | Line 222: | ||
:#Full face photographic images and other comparable images and | :#Full face photographic images and other comparable images and | ||
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below | :#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below | ||
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that: | '''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that: | ||
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and | :#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and | ||
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. | :#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed. | ||
==Staff Accountability== | ==Staff Accountability== | ||
[mailto:swrobel@unmc.edu Privacy Officer] | [mailto:swrobel@unmc.edu Privacy Officer] | ||
==Additional Information== | |||
*UNMC Policy No. 6058, [[Notice of Privacy Practices]] | |||
*UNMC Policy No. 6066, [[Psychotherapy Notes]] | |||
*NeHII Privacy and Information Security Policies and Procedures | |||
*Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements | |||
*University of Nebraska Executive Memorandum No. 27 | |||
This page is maintained by [mailto:dpanowic@unmc.edu dkp]. | This page is maintained by [mailto:dpanowic@unmc.edu dkp]. |
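Review bot: In the new Additional Information list, only the two UNMC policies are wikilinked. The NeHII policies, the HIPAA requirements and Executive Memorandum No. 27 are plain text with no link or citation, and "NeHII" is not expanded anywhere in this part of the page. Add links or full citations for those three entries and spell out the acronym on first use. While this region is open, the unchanged Re-Identification sentence reads "de-identified under De-Identification of PHI (above) about to be re-identified"; the word "about" looks stray and could be dropped in the same revision.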