Use and Disclosure of Protected Health Information: Difference between revisions

Jump to navigation Jump to search
no edit summary
mNo edit summary
No edit summary
(One intermediate revision by the same user not shown)
Line 84: Line 84:
##Pull the dividers or partitions between the patient and other patients or visitors; and
##Pull the dividers or partitions between the patient and other patients or visitors; and
##Ask if the patient would prefer to talk in a more private location.
##Ask if the patient would prefer to talk in a more private location.
===Disclosures to the Patient===
===Disclosures to the Individual===
Nebraska Medicine/UNMC may disclose PHI to the patient or his/her Personal Representative.   
Nebraska Medicine/UNMC may disclose PHI to the Individual or his/her Personal Representative.   
The patient has a right to see and obtain copies of PHI maintained in the patient’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set].
The Individual has a right to see and obtain copies of PHI maintained in the Individual’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set].
#For Other Disclosures to Patient
#For Other Disclosures to Individual
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
###Notation in the medical, billing or other record from which the material was obtained
###Notation in the medical, billing or other record from which the material was obtained
###Electronic notation such as Quick Disclosure (Epic) in the database from which the information was obtained
###Electronic notation such as Quick Disclosure (Epic) in the database from which the information was obtained
##It is not necessary to document oral disclosures to Individuals, unless required by nursing, medical staff or other policies. This policy recognizes that there is constant exchange of information between health care providers and Individuals during episodes of care.
##It is not necessary to document oral disclosures to Individuals, unless required by nursing, medical staff or other policies. This policy recognizes that there is constant exchange of information between health care providers and Individuals during episodes of care.
##When disclosing to the patient, appropriate safeguards should be taken to reduce the risk that people other than the patient or people permitted by the patient will hear the disclosure. Examples of such safeguards would include:
##When disclosing to the Individual, appropriate safeguards should be taken to reduce the risk that people other than the Individual or people permitted by the Individual will hear the disclosure. Examples of such safeguards would include:
###Asking the patient if the patient would prefer to talk in a more private location.
###Asking the Individual if the Individual would prefer to talk in a more private location.
###Confirming with the patient that it is okay to proceed with the conversation while friends, relatives or others are present.
###Confirming with the Individual that it is okay to proceed with the conversation while friends, relatives or others are present.
###Speaking in a lower voice.
###Speaking in a lower voice.
###Pulling the dividers or partitions between the patient and other patients or visitors.
###Pulling the dividers or partitions between the Individual and other patients or visitors.
###Providing more privacy through partitions and room arrangements.
###Providing more privacy through partitions and room arrangements.
#The minimum necessary standard does not apply to disclosures to the patient.
#The minimum necessary standard does not apply to disclosures to the Individual.
===Disclosures to Family, Friends and Others===
===Disclosures to Family, Friends and Others===
====Facility Directory====
====Facility Directory====
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the patient by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #'''
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the Individual by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #'''
====Disclosures with Patient’s Permission====
====Disclosures with Individual’s Permission====
#You may disclose PHI to the patient in the presence of others if the patient is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient.
#You may disclose PHI to the Individual in the presence of others if the Individual is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient.
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the patient's care or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for care.
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the Individual's care or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for care.
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the patient’s care. They may simply be visiting the patient. Therefore, try to give the patient every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the Individual’s care. They may simply be visiting the Individual. Therefore, try to give the Individual every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
#Do not rely on this authority if the patient is incapacitated or otherwise unable to agree or object to such disclosure.
#Do not rely on this authority if the Individual is incapacitated or otherwise unable to agree or object to such disclosure.
====Disclosures Based on Role or Involvement in Patient Care====
====Disclosures Based on Role or Involvement in Patient Care====
##Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the patient’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you:
##Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the Individuals’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you:
##Talk to the patient’s child, other relative, or friend who customarily drives the patient to appointments to confirm the date and time of the next appointment.
##Talk to the Individual’s child, other relative or friend who customarily drives the Iatient to appointments to confirm the date and time of the next appointment.
##Give an involved family member the patient’s prescription, so the family member can fill it for the patient.
##Give an involved family member the Individual’s prescription, so the family member can fill it for the patient.
##Talk to a family member at discharge, if they play a role in post-discharge care.
##Talk to a family member at discharge, if they play a role in post-discharge care.
##Talk to the patient’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
##Talk to the Individual’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
##Talk to a family member or friend when the patient indicates you can or should do so, e.g., if the person accompanies the patient for an appointment or procedure, or is invited and present at admission or discharge.
##Talk to a family member or friend when the Individual indicates you can or should do so, e.g., if the person accompanies the Individual for an appointment or procedure, or is invited and present at admission or discharge.
#If the patient is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:
#If the Individual is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:
##Obtain the patient’s consent to such disclosure;
##Obtain the Individual’s consent to such disclosure;
##Provide the patient with an opportunity to object, and disclose only if the patient does not object; or
##Provide the Individual with an opportunity to object, and disclose only if the patient does not object; or
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object.
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the Individual does not object.
#If the patient is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the patient. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />
#If the Individual is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the Individual. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />
''Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.''
''Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.''
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient.
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient.
====Disclosure for Notification Purposes====
====Disclosure for Notification Purposes====
Nebraska Medicine/UNMC may disclose PHI about a patient in order to notify family, friends or others of the patient’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the patient’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
#Ask the patient, if possible, whether they consent to such disclosure and rely on what the patient says.#
#Ask the Individual, if possible, whether they consent to such disclosure and rely on what the patient says.
#If the patient is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the patient’s care, and make an effort to limit contact to them.
#If the Individual is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the Individual’s care, and make an effort to limit contact to them.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#When the patient has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the patient’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the patient’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the patient’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
#When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
Line 249: Line 249:
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand-alone policy and being incorporated into unmc policy # 6059, access to designated record set'''?
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes. '''Is psychotherapy notes policy deleted as a separate stand-alone policy and being incorporated into unmc policy # 6059, access to designated record set'''?
== Definitions ==
== Definitions ==
 
===Affiliated Covered Entity (ACE)===
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.
===Designated Record Set (DRS)===
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS. 
===Health Care Operations
The following activities related to the Organization's functions as a health care provider and sponsor of a self-insured health plan:
#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities, otherwise these activities may be classified as research if PHI is included;
#Population-based activities relating to improving health or reducing health care costs;
#Protocol development;
#Contacting health care providers and patients with information about treatment alternatives;
#Case management and care coordination;
#Patient safety activities;
#Risk assessment;
#Reviewing the competence or qualifications and accrediting/licensing of health care providers;
#Training health care professionals;
#Conducting or arranging for medical review, legal services, and auditing functions (including fraud and abuse detection and compliance programs);
#Business planning and development;
#Business management activities
#General administrative and business functions;
#Insurance activities relating to the renewal of a contract of health insurance;
#Evaluating healthcare provider and plan performance;
#Resolution of internal grievances; and
#Fundraising (see restrictions below).
===Health Information Exchange (HIE)===
The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of a HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health Information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems. 
===Individual===
The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14).
===Payment===
Activities undertaken by a health care provider or health plan to obtain premiums, to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or to obtain or provide reimbursement for the provision of health care. Some of these types of activities include determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), billing, collection activities, claims management, medical necessity determinations, utilization review activities including pre-certification and pre-authorization of services, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above-listed activities.
===Personal Representative ===
A person who, under HIPAA or State law, is empowered to act or exercise rights on behalf of an Individual. (See Nebraska Medicine Consents and Permits policy, MS14)
===Protected Health Information (PHI)===
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*is created or received by UNMC/ACE; and
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. 
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*an Individual’s genetic tests; 
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and
*employment records held by UNMC in its role as employer.
===Research ===
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE. 
===Sale of Protected Health Information ===
Disclosure of Protected Health Information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. 
===Treatment===
The provision, coordination or management of health care and related services by one or more health care providers including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.
===Workforce===
Employees, medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.
==Additional Information==
==Additional Information==
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6066, [[Psychotherapy Notes]]
'''*UNMC Policy No. 6066, [[Psychotherapy Notes]] is this being deleted or kept? If being kept, it should be reviewed, even if not changed.'''
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment, and Health Care Operations]
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment, and Health Care Operations]

Navigation menu