Notice of Privacy Practices: Difference between revisions

From University of Nebraska Medical Center
Jump to navigation Jump to search
VisualWikitext
No edit summary
(pROTEC)
Line 26: Line 26:
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
<br /><br />
<br /><br />
Policy No.: '''6058'''<br />
Policy No.: '''6058'''<br />
Effective Date: '''03/17/03''' <br />
Effective Date: '''03/17/03''' <br />
Revised Date: '''11/13/19'''<br />
Revised Date: '''draft 09/22/22'''<br />
Reviewed Date:'''11/13/19'''<br />
Reviewed Date:''' '''<br />
<br />
<br />


<big>'''Notice of Privacy Practices Policy'''</big>  
<big>'''Notice of Privacy Practices Policy'''</big>  
NOTE: These guidelines are provided to assist the UNMC workforce in complying with HIPAA regulations.<br />
== Basis for Policy ==   
== Basis for Policy ==   
It is the policy of the University of Nebraska Medical Center (UNMC) to use and disclose protected health information in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.
It is the policy of the University of Nebraska Medical Center (UNMC) to use and disclose protected health information in accordance with [https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)] requirements and [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27].
== Policy ==  
== Policy ==  
Patients receiving treatment at UNMC shall receive the joint Notice of Privacy Practices that describes how Protected Health Information (PHI) about them may be used and disclosed and their rights regarding PHI.
UNMC shall maintain, distribute and post a Notice of Privacy Practices (Notice) in accordance with this policy. <br />
UNMC shall make a good faith effort to obtain a written acknowledgement of receipt of its Notice or document its good faith efforts to do so (and, if applicable, the reason why the acknowledgement was not obtained).<br />
 
UNMC will provide a joint Notice and obtain the written acknowledgement on behalf of the Organized Health Care Arrangement (OHCA).
==Procedure==
===Notice of Privacy Practices (Notice)===
UNMC will adopt and follow a written Notice that meets the requirements of HIPAA’s Privacy Rule. The description of information practices, UNMC’s responsibilities and Individual rights contained in the Notice will govern UNMC’s conduct unless and until the Notice is revised and the revised Notice is posted and the updates are effective. Any revised Notice shall be made available to Individuals upon request. The Notice will be available in the following languages: [https://www.unmc.edu/_documents/hipaa/npp1.pdf English] and [https://www.unmc.edu/_documents/hipaa/npp4.pdf Spanish]. Other translations may be made available upon request.
===Revisions to Notice===
If there is a material change to UNMC’s uses or disclosures of Protected Health Information (PHI), an Individual’s rights with respect to PHI, UNMC’s legal duties with respect to PHI, or other privacy practices stated in the Notice, UNMC will revise the Notice to reflect the change. The [mailto:debrbishop@nebraskamed.com Privacy Officer] shall be responsible for implementing any changes to the Notice. UNMC will make any revised Notice available upon request on or after the effective date of the revision(s). The Privacy Officer shall retain copies of all versions of the Notice, and will substitute any revised Notice in all of UNMC’s postings and in all supplies made available at service delivery sites.
===Posting and Distribution===
UNMC will post and distribute its Notice as follows:
*Except in emergency treatment situations (as described below), patient registration personnel shall provide the Notice to the Individual during the registration process. The Notice shall be provided no later than the date of first service encounter. If an Individual’s first service encounter is delivered electronically, such as via telehealth visit, an electronic version of the Notice will be delivered electronically via e-check in and thereafter in writing if the Individual requests a written copy.
*The Notice is not required to be provided for subsequent encounters (other than upon an Individual’s request) if the current Notice was provided at an earlier encounter and such provision can be determined from documentation in the electronic medical record.
*In emergency treatment situations (as determined by registration personnel), the Individual will be given the Notice as soon as reasonably practical after the emergency treatment situation.  Registration personnel shall attempt to provide the Notice during the next visit when the electronic health record field shows the Notice was not provided during the previous visit.
*UNMC will prominently post its Notice on its website and make the Notice available electronically through the website.
*UNMC also will post the Notice in a clear and prominent location at service sites where it is reasonable to expect Individuals seeking services from UNMC to be able to read the Notice. The Privacy Officer will approve all posting locations.
*UNMC will maintain a supply of its current Notice at each service delivery site and provide copies of the Notice to Individuals upon request.
===Acknowledgement===
UNMC will make a good faith effort to obtain the Individual’s written acknowledgment of receipt of the Notice (whether in paper or electronic form), as follows:
*Except in an emergency treatment situation, UNMC shall obtain an Individual’s written acknowledgement of receipt of the Notice in the Conditions of Treatment form when the Notice is provided. 
*If UNMC is unable to obtain an Individual’s written acknowledgement, registration personnel shall document the good faith effort to obtain such acknowledgement and the reason why the acknowledgement was not obtained on the Conditions of Treatment form. 
*If the Notice is delivered electronically, the Individual's acknowledgement of receipt of the Notice will be documented  in the electronic medical record.
*If UNMC distributes a revised Notice, it will follow the preceding steps to obtain written acknowledgment of receipt of the revised Notice. 
===Documentation===
UNMC will maintain the following documentation of the Notice and acknowledgment process:
*A copy of each Notice posted and distributed by UNMC and the effective date of each Notice.
*The delivery date of the Notice, whether in paper or electronic format, to each Individual.
*Each written acknowledgment of receipt of the Notice(s) obtained, whether in paper or electronic format, from an Individual (or documentation of good faith efforts to obtain such written acknowledgement whenever such acknowledgment is not received).
===Indirect Treatment Relationships===
The [mailto:debrbishop@nebraskamed.com Privacy Officer], working with the department director, area manager or supervisor, may identify certain service sites, certain lines of business or certain encounters as being subject to the rules applicable to covered health care providers with indirect treatment relationships. In such cases, the Privacy Officer may approve protocols under which the distribution and acknowledgment requirements of this policy are waived as to encounters that are indirect treatment relationships.
*Specimen account laboratory services shall be considered indirect treatment services.
===Organized Health Care Arrangement (OHCA) ===
UNMC participates in an organized health care arrangement with the medical staffs of Nebraska Pediatric Practice, Inc. and University Dental Associates.  Its Notice will be written as a joint Notice covering UNMC and the other participants in relation to their information practices at UNMC.
== Definitions ==
== Definitions ==
'''Direct Treatment''' – a treatment relationship in which the health care provider delivers care based on his/her own orders and typically provides services or products, or reports the diagnosis or results associated with the health care directly to the patient rather than through another health care provider (an indirect treatment relationship).<br />
===Individual===
 
The person who is the subject of the Protected Health Information (PHI). Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual.
'''Notice of Privacy Practices (NPP)''' is a document notifying individuals receiving direct treatment at UNMC about the uses and disclosures of their PHI and their rights regarding PHI. The NPP shall be written in plain language and contain the following elements:<br />
===Notice of Privacy Practices (Notice)===
   
A plain language notice of the uses and disclosures that UNMC may make of the Individual’s PHI, and the Individual’s rights and UNMC’s legal duties with respect to such PHI.
* A header that must read: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
===Organized Health Care Arrangement (OHCA) ===
* A list of the covered entities and classes of service delivery sites the joint notice covers
An arrangement among UNMC and members of the medical staff to follow certain common information practices with respect to clinical encounters at UNMC. The OHCA does not encompass the private office practice of participating practitioners or their information practices from other care settings.
* A description of uses and disclosures of PHI expected to be made without individual authorization
===Personal Representative ===
* A statement that all other uses and disclosures would be made with the individual’s authorization and that the individual can revoke such authorization
A person who, under HIPAA or State law, is empowered to act or exercise rights on behalf of an Individual. (see Nebraska Medicine’s Consents and Permits policy, MS14, for additional information.)
* Descriptions of the individual’s rights to request restrictions, inspect and copy PHI, amend or correct PHI, and receive an accounting of disclosures of PHI
===Protected Health Information (PHI)===
* Statements about the entities’ legal requirements to protect privacy, provide notice and adhere to the notice
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
* A statement about how the individual would be informed of changes to the joint NPP
*is created or received by UNMC/ACE; and
* Instructions on how to make complaints with UNMC or the Secretary of the Department of Health and Human Services
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
* Name and telephone number of a contact person to answer questions regarding the NPP
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
* The date the NPP is effective<br />
*an Individual’s genetic tests;
'''Protected Health Information (PHI)''' is individually identifiable health information.  Health information means any information, whether oral or recorded in any medium, that:
*the genetic tests of an Individual’s family members; or
* is created or received by UNMC; and
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
Records containing PHI, in any form, are the property of UNMC/Nebraska Medicine. The PHI contained in the record is the property of the individual who is the subject of the record.
PHI excludes:
==Procedure== 
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*Patient registration personnel shall provide the NPP to the patient during the registration process. The NPP shall be provided no later than the date of first direct treatment service delivery, including service delivered electronically (attach NPP to E-mail). If the health care provider's first direct treatment encounter is over the telephone, the NPP shall be mailed to the patient no later than the day of that service delivery. The NPP does not need to be provided during each episode of care. In emergency situations (as determined by Patient Registration personnel), the patient will be given the NPP as soon as reasonably practical after the emergency.
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and  
:*Laboratory services shall be considered indirect treatment services.
*employment records held by UNMC in its role as employer.
:*All other services shall be considered direct treatment services.
*The point of service shall be responsible for providing the patient with the NPP and obtaining acknowledgement of receipt when the patient has been pre-registered.
*The patient shall sign the acknowledgement of NPP receipt statement contained in the Conditions of Treatment form. A good faith effort shall be made to provide the patient with the NPP. If the NPP is unable to be delivered to the patient, patient registration personnel shall document the good faith effort to deliver the NPP on the Conditions of Treatment form. In emergency situations, patient registration personnel are not required to make and document the good faith effort to deliver the NPP. If the NPP is delivered electronically, documentation of the patient's receipt of the electronic transmission must be filed in the medical record.
*Patient registration/Point of service personnel shall update the "NPP field" in the electronic health record with a “Received” (NPP provided), “Good Faith” (NPP not provided, i.e. preregistration), or “Good Faith” when the patient registers. Patient Registration/Point of service personnel shall attempt to provide the NPP during the next visit when the electronic health record field shows good faith attempt made, on the previous visit.  
*The NPP shall be placed on the entities' web sites and publicly posted in all patient registration areas in both English and Spanish. Other translations will be made available upon request.
*If the entities' privacy practices materially change, the NPP will be revised to reflect the changes, as appropriate. The Privacy Officer shall be responsible for implementing the changes. Patients may receive the changed NPP upon request. The Privacy Officer shall retain copies of all versions of the NPP.  
==Additional Information==
==Additional Information==
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer]
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer]
*[https://www.unmc.edu/hipaa/about/notice-privacy-practices.html Notice of Privacy Practices]  
*[https://www.unmc.edu/_documents/hipaa/npp1.pdf Notice of Privacy Practices]  
*[https://www.unmc.edu/hipaa/_documents/mis-0270-S-9-13.pdf Notificación de Prácticas Para Asegurar su Privacidad]  
*[https://www.unmc.edu/_documents/hipaa/npp4.pdf Notificación de Prácticas Para Asegurar su Privacidad]  
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
*Nebraska Medicine’s Consents and Permits policy, MS14
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
 


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].

Revision as of 14:47, September 22, 2022

Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property   Faculty


Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation | Use and Disclosure of PHI for Training Health Care Professionals | Disclosures of PHI as Permitted or Required by Law | Disclosure of PHI for Law Enforcement Purposes

Policy No.: 6058
Effective Date: 03/17/03
Revised Date: draft 09/22/22
Reviewed Date:

Notice of Privacy Practices Policy

Basis for Policy

It is the policy of the University of Nebraska Medical Center (UNMC) to use and disclose protected health information in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and University of Nebraska Executive Memorandum No. 27.

Policy

UNMC shall maintain, distribute and post a Notice of Privacy Practices (Notice) in accordance with this policy.

UNMC shall make a good faith effort to obtain a written acknowledgement of receipt of its Notice or document its good faith efforts to do so (and, if applicable, the reason why the acknowledgement was not obtained).

UNMC will provide a joint Notice and obtain the written acknowledgement on behalf of the Organized Health Care Arrangement (OHCA).

Procedure

Notice of Privacy Practices (Notice)

UNMC will adopt and follow a written Notice that meets the requirements of HIPAA’s Privacy Rule. The description of information practices, UNMC’s responsibilities and Individual rights contained in the Notice will govern UNMC’s conduct unless and until the Notice is revised and the revised Notice is posted and the updates are effective. Any revised Notice shall be made available to Individuals upon request. The Notice will be available in the following languages: English and Spanish. Other translations may be made available upon request.

Revisions to Notice

If there is a material change to UNMC’s uses or disclosures of Protected Health Information (PHI), an Individual’s rights with respect to PHI, UNMC’s legal duties with respect to PHI, or other privacy practices stated in the Notice, UNMC will revise the Notice to reflect the change. The Privacy Officer shall be responsible for implementing any changes to the Notice. UNMC will make any revised Notice available upon request on or after the effective date of the revision(s). The Privacy Officer shall retain copies of all versions of the Notice, and will substitute any revised Notice in all of UNMC’s postings and in all supplies made available at service delivery sites.

Posting and Distribution

UNMC will post and distribute its Notice as follows:

  • Except in emergency treatment situations (as described below), patient registration personnel shall provide the Notice to the Individual during the registration process. The Notice shall be provided no later than the date of first service encounter. If an Individual’s first service encounter is delivered electronically, such as via telehealth visit, an electronic version of the Notice will be delivered electronically via e-check in and thereafter in writing if the Individual requests a written copy.
  • The Notice is not required to be provided for subsequent encounters (other than upon an Individual’s request) if the current Notice was provided at an earlier encounter and such provision can be determined from documentation in the electronic medical record.
  • In emergency treatment situations (as determined by registration personnel), the Individual will be given the Notice as soon as reasonably practical after the emergency treatment situation. Registration personnel shall attempt to provide the Notice during the next visit when the electronic health record field shows the Notice was not provided during the previous visit.
  • UNMC will prominently post its Notice on its website and make the Notice available electronically through the website.
  • UNMC also will post the Notice in a clear and prominent location at service sites where it is reasonable to expect Individuals seeking services from UNMC to be able to read the Notice. The Privacy Officer will approve all posting locations.
  • UNMC will maintain a supply of its current Notice at each service delivery site and provide copies of the Notice to Individuals upon request.

Acknowledgement

UNMC will make a good faith effort to obtain the Individual’s written acknowledgment of receipt of the Notice (whether in paper or electronic form), as follows:

  • Except in an emergency treatment situation, UNMC shall obtain an Individual’s written acknowledgement of receipt of the Notice in the Conditions of Treatment form when the Notice is provided.
  • If UNMC is unable to obtain an Individual’s written acknowledgement, registration personnel shall document the good faith effort to obtain such acknowledgement and the reason why the acknowledgement was not obtained on the Conditions of Treatment form.
  • If the Notice is delivered electronically, the Individual's acknowledgement of receipt of the Notice will be documented in the electronic medical record.
  • If UNMC distributes a revised Notice, it will follow the preceding steps to obtain written acknowledgment of receipt of the revised Notice.

Documentation

UNMC will maintain the following documentation of the Notice and acknowledgment process:

  • A copy of each Notice posted and distributed by UNMC and the effective date of each Notice.
  • The delivery date of the Notice, whether in paper or electronic format, to each Individual.
  • Each written acknowledgment of receipt of the Notice(s) obtained, whether in paper or electronic format, from an Individual (or documentation of good faith efforts to obtain such written acknowledgement whenever such acknowledgment is not received).

Indirect Treatment Relationships

The Privacy Officer, working with the department director, area manager or supervisor, may identify certain service sites, certain lines of business or certain encounters as being subject to the rules applicable to covered health care providers with indirect treatment relationships. In such cases, the Privacy Officer may approve protocols under which the distribution and acknowledgment requirements of this policy are waived as to encounters that are indirect treatment relationships.

  • Specimen account laboratory services shall be considered indirect treatment services.

Organized Health Care Arrangement (OHCA)

UNMC participates in an organized health care arrangement with the medical staffs of Nebraska Pediatric Practice, Inc. and University Dental Associates. Its Notice will be written as a joint Notice covering UNMC and the other participants in relation to their information practices at UNMC.

Definitions

Individual

The person who is the subject of the Protected Health Information (PHI). Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual.

Notice of Privacy Practices (Notice)

A plain language notice of the uses and disclosures that UNMC may make of the Individual’s PHI, and the Individual’s rights and UNMC’s legal duties with respect to such PHI.

Organized Health Care Arrangement (OHCA)

An arrangement among UNMC and members of the medical staff to follow certain common information practices with respect to clinical encounters at UNMC. The OHCA does not encompass the private office practice of participating practitioners or their information practices from other care settings.

Personal Representative

A person who, under HIPAA or State law, is empowered to act or exercise rights on behalf of an Individual. (see Nebraska Medicine’s Consents and Permits policy, MS14, for additional information.)

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
  • any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years.
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Additional Information


This page maintained by dkp.

Retrieved from "https://wiki.unmc.edu/index.php?title=Notice_of_Privacy_Practices&oldid=13274"