Use and Disclosure of Protected Health Information: Difference between revisions

Line 43: Line 43:
#Each use or disclosure of PHI must be an authorized use or disclosure (either by a written patient authorization or Nebraska Medicine/UNMC policy). Some of the authorized uses and disclosures are described in this policy and associated policies.
#Each use or disclosure of PHI must be an authorized use or disclosure (either by a written patient authorization or Nebraska Medicine/UNMC policy). Some of the authorized uses and disclosures are described in this policy and associated policies.
#The use or disclosure of PHI must be in accordance with the [https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices].
#The use or disclosure of PHI must be in accordance with the [https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices].
#The Workforce member using or disclosing the PHI must do so only as necessary to perform assigned duties.
#The [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Workforce Workforce] member using or disclosing the PHI must do so only as necessary to perform assigned duties.
#The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy, and the Nebraska Medicine Consents and Permits policy, MS14, Authorized Consenting Persons section.) '''need Nebr Med policy #s'''
#The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy and the Nebraska Medicine Consents and Permits policy, MS14, Authorized Consenting Persons section.) '''need Nebr Med policy #s'''
#Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
#Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
#Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.) '''need Nebr Med policy #'''
#Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.) '''need Nebr Med policy #'''
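Review bot: The editorial placeholders '''need Nebr Med policy #s''' and '''need Nebr Med policy #''' are still present in the new revision of the verification item and the confidential-communications item, so the published text points staff at a Verification and Authority policy and a Confidential Address policy that they cannot look up by number. Fill in the policy numbers or remove the markers before this revision is published; the comma dropped after "Verification and Authority policy" is fine as it stands.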
Line 51: Line 51:
#All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
#All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
#Improper uses and disclosures of PHI should be immediately brought to Privacy Office’s attention so it can consider and facilitate the implementation of any effective mitigation or remedial steps.
#Improper uses and disclosures of PHI should be immediately brought to Privacy Office’s attention so it can consider and facilitate the implementation of any effective mitigation or remedial steps.
#All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures.  
#All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures.  
==Procedures==
==Procedures==
Protected Health Information (PHI) may be used and disclosed within the [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Affiliated_Covered_Entity_.28ACE.29 Affiliated Covered Entity (ACE)] for each member’s own treatment, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] and [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Care_Operations_2 Health Care Operations] if it has or is about to have a treatment relationship with the Individual supporting its need for such use or disclosure of such information, without having to obtain the Individual’s authorization. ACE entities also may share PHI with one another without Individual authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />
Protected Health Information (PHI) may be used and disclosed within the [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Affiliated_Covered_Entity_.28ACE.29 Affiliated Covered Entity (ACE)] for each member’s own treatment, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] and [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Care_Operations_2 Health Care Operations] if it has or is about to have a treatment relationship with the Individual supporting its need for such use or disclosure of such information, without having to obtain the Individual’s authorization. ACE entities also may share PHI with one another without Individual authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />


Members of the Workforce may access Individual information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose. Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
Members of the [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Workforce Workforce] may access Individual information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose. Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
===Treatment===
===Treatment===
Nebraska Medicine/UNMC may disclose PHI to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information.
Nebraska Medicine/UNMC may disclose PHI to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information.  
#If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes.
#If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes.  
#If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the Individual was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
#If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the Individual was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
#Release/disclosure of Individual's information should be documented by the department/Workforce member releasing the information. Releases of information outside of the Health Information Management department (HIM) should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#Release/disclosure of Individual's information should be documented by the department/Workforce member releasing the information. Releases of information outside of the Health Information Management department (HIM) should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
Line 65: Line 65:
Nebraska Medicine/UNMC may disclose PHI to another provider or covered entity for its [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.
Nebraska Medicine/UNMC may disclose PHI to another provider or covered entity for its [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes.
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes.
===Health Care Operations===
===Health Care Operations===
Nebraska Medicine/UNMC may disclose PHI to another covered entity (including members of its medical staff) for certain health care operations of the requesting covered entity if the following steps are followed. Requests of this type are expected to be infrequent.  
Nebraska Medicine/UNMC may disclose PHI to another covered entity (including members of its medical staff) for certain health care operations of the requesting covered entity if the following steps are followed. Requests of this type are expected to be infrequent.  
Line 85: Line 85:
##Ask if the Individual would prefer to talk in a more private location.
##Ask if the Individual would prefer to talk in a more private location.
===Disclosures to the Individual===
===Disclosures to the Individual===
Nebraska Medicine/UNMC may disclose PHI to the Individual or his/her Personal Representative.
Nebraska Medicine/UNMC may disclose PHI to the Individual or his/her Personal Representative.
The Individual has a right to see and obtain copies of PHI maintained in the Individual’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set].
The Individual has a right to see and obtain copies of PHI maintained in the Individual’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]).
#For Other Disclosures to Individual
#For Other Disclosures to Individual
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
Line 101: Line 101:
===Disclosures to Family, Friends and Others===
===Disclosures to Family, Friends and Others===
====Facility Directory====
====Facility Directory====
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the Individual by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #'''
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the Individual by name, or to members of the clergy, in accordance with applicable policies. (See Nebraska Medicine Private Designation policy, for additional details.) '''need Nebr Med policy #'''
====Disclosures with Individual’s Permission====
====Disclosures with Individual’s Permission====
#You may disclose PHI to the Individual in the presence of others if the Individual is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the Individual does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the Individual.
#You may disclose PHI to the Individual in the presence of others if the Individual is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the Individual does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the Individual.
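Review bot: In the Facility Directory paragraph the new text names the "Nebraska Medicine Private Designation policy" but keeps the '''need Nebr Med policy #''' marker and the stray comma in "policy, for additional details". Add the policy number, remove the marker, and drop the comma.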
Line 124: Line 124:
Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the Individual’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the Individual’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
#Ask the Individual, if possible, whether they consent to such disclosure and rely on what the patient says.
#Ask the Individual, if possible, whether they consent to such disclosure and rely on what the patient says.
#If the Individual is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the Individual’s care, and make an effort to limit contact to them.
#If the Individual is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the Individual’s care and make an effort to limit contact to them.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Nebraska Medicine Consents and Permits policy, MS14.) Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Nebraska Medicine Consents and Permits policy, MS14.) Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
#When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Information_Exchange_.28HIE.29 Health Information Exchanges (HIEs)]. Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs:
=====CyncHealth (Previously NeHII)=====
=====CyncHealth (Previously NeHII)=====
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].  
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].  
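Review bot: The HIE paragraph still carries '''need email or dept contact info''' in place of a contact for the Enterprise Applications Executive Director, who is the only stated authority for granting individual HIE access, so the route for requesting that access is undocumented. Supply the contact or department before publishing. In the same hunk, the fourth notification step reads "to disclosure additional information" in both revisions and should read "to disclose"; the phrase "local enforcement" in that step should also be confirmed as the intended wording.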
Line 137: Line 137:
#All users of the eHealth Exchange are required to cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone.
#All users of the eHealth Exchange are required to cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone.
===Business Associate Agreements/Addendums===
===Business Associate Agreements/Addendums===
Nebraska Medicine/UNMC shall enter into a Business Associate Agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see UNMC Policy No. 8009, [[Contracts]] or Contract Management policy, FN18).  
Nebraska Medicine/UNMC shall enter into a Business Associate Agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see UNMC Policy No. 8009, [[Contracts]] or Nebraska Medicine Contract Management policy, FN18).  
===Use/Disclosure of PHI for Training Health Care Professionals ===
===Use/Disclosure of PHI for Training Health Care Professionals ===
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
Line 153: Line 153:
Refer requests for disclosures of PHI for marketing or fundraising purposes to the [mailto:privacy@nebraskamed.com Privacy Office].
Refer requests for disclosures of PHI for marketing or fundraising purposes to the [mailto:privacy@nebraskamed.com Privacy Office].
===Use/Disclosure of PHI for Research===
===Use/Disclosure of PHI for Research===
#All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval. See UNMC [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program Policies and Procedures]. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA. The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA. To learn more about such waivers, please see UNMC Human Research Protection Program Policies and Procedures.
#All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval. See UNMC [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program Policies and Procedures]. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA. The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA. To learn more about such waivers, please see UNMC Human Research Protection Program Policies and Procedures.  
#For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):  
#For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):  
##A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
##A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
Line 171: Line 171:
#To an Individual who is requesting access to their own PHI;
#To an Individual who is requesting access to their own PHI;
#As required by law; and
#As required by law; and
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.  
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision (see the section on [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Limited_Data_Set Limited Data Set]).  
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision (see the section on [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Limited_Data_Set Limited Data Set]).
===Minimum Necessary===
===Minimum Necessary===
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing PHI or when requesting PHI, members of the Workforce must make reasonable efforts to limit PHI used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing PHI or when requesting PHI, members of the Workforce must make reasonable efforts to limit PHI used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.
#The “minimum necessary” standard does not apply to the following requests, uses and disclosures of PHI:
#The “minimum necessary” standard does not apply to the following requests, uses and disclosures of PHI:
##Uses, disclosures or requests among health care providers for treatment purposes.
##Uses, disclosures or requests among health care providers for treatment purposes.
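Review bot: The cost-based fee item says "remuneration received by Organization", a term that is not defined in the visible text, while the other provisions name Nebraska Medicine/UNMC. Replace it with "Nebraska Medicine/UNMC" or define "Organization", so that the remuneration exception clearly binds the same entity as the rest of the policy.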
Line 183: Line 183:
#Workforce. The minimum necessary standard applies to access and use of PHI by members of the Workforce. Each member of the Workforce must avoid intentionally accessing, using or disclosing PHI except as authorized by Nebraska Medicine/UNMC’s policies.  
#Workforce. The minimum necessary standard applies to access and use of PHI by members of the Workforce. Each member of the Workforce must avoid intentionally accessing, using or disclosing PHI except as authorized by Nebraska Medicine/UNMC’s policies.  
##When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
##When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
##Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles, and associated levels of access to PHI. Reference Electronic Health Record Access Control policy.
##Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles and associated levels of access to PHI. Reference Electronic Health Record Access Control policy.
##Individuals who are performing treatment, payment and health care operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.  
##Individuals who are performing treatment, payment and health care operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.  
#Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.  
#Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.  
##Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g., HIM, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
##Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g., HIM, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
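Review bot: The Role-based Access item ends with "Reference Electronic Health Record Access Control policy" with no policy number or link, unlike the UNMC policies cited by number elsewhere on the page, so the access matrices that determine who may see PHI cannot be traced from this section. Add the number or link. The same sentence has "security matrices ... that lists", which should read "list"; this revision removes the serial comma there but leaves the agreement error.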
Line 207: Line 207:
##Biometric identifiers, including finger and voice prints; and  
##Biometric identifiers, including finger and voice prints; and  
## Full-face photographic images and any comparable images.
## Full-face photographic images and any comparable images.
#The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
#The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
===De-identification/Re-identification of PHI===
===De-identification/Re-identification of PHI===
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:  
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
##Names;
##Names;
##All geographic subdivisions smaller than a state (including street address, city, county, precinct, and zip code);
##All geographic subdivisions smaller than a state (including street address, city, county, precinct and zip code);
##All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);  
##All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);  
##Telephone numbers;  
##Telephone numbers;  
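Review bot: In the data use agreement item, the revision drops the comma before "and if such steps are unsuccessful", but that comma separates two clauses rather than closing a series, so removing it makes the sentence harder to parse. Dropping the serial comma in "county, precinct and zip code" is a consistent style change. Consider restoring the comma in the data use agreement sentence only.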
Line 252: Line 252:
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.
===Designated Record Set (DRS)===
===Designated Record Set (DRS)===
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS.  
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS.  
===Health Care Operations  
===Health Care Operations ===
The following activities related to the Organization's functions as a health care provider and sponsor of a self-insured health plan:
The following activities related to the Organization's functions as a health care provider and sponsor of a self-insured health plan:
#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities, otherwise these activities may be classified as research if PHI is included;
#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities, otherwise these activities may be classified as research if PHI is included;
Line 264: Line 264:
#Reviewing the competence or qualifications and accrediting/licensing of health care providers;
#Reviewing the competence or qualifications and accrediting/licensing of health care providers;
#Training health care professionals;
#Training health care professionals;
#Conducting or arranging for medical review, legal services, and auditing functions (including fraud and abuse detection and compliance programs);
#Conducting or arranging for medical review, legal services and auditing functions (including fraud and abuse detection and compliance programs);
#Business planning and development;
#Business planning and development;
#Business management activities
#Business management activities
Line 273: Line 273:
#Fundraising (see restrictions below).
#Fundraising (see restrictions below).
===Health Information Exchange (HIE)===
===Health Information Exchange (HIE)===
The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of a HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health Information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems.
The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of a HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health Information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems.  
===Individual===
===Individual===
The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)
The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)
===Organization===
'''Do we have a definition for this that we can/should use? It seems pretty specific (capital O instead of l.c. o).'''
===Payment===
===Payment===
Activities undertaken by a health care provider or health plan to obtain premiums, to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or to obtain or provide reimbursement for the provision of health care. Some of these types of activities include determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), billing, collection activities, claims management, medical necessity determinations, utilization review activities including pre-certification and pre-authorization of services, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above-listed activities.  
Activities undertaken by a health care provider or health plan to obtain premiums, to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or to obtain or provide reimbursement for the provision of health care. Some of these types of activities include determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), billing, collection activities, claims management, medical necessity determinations, utilization review activities including pre-certification and pre-authorization of services, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above-listed activities.  
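Review bot: The added ===Organization=== heading has no definition under it, only the bolded drafting question "Do we have a definition for this that we can/should use?", which would publish as policy text. The Health Care Operations definition relies on the capitalized term ("the Organization's functions"), so either supply the definition here or lower-case the term there and drop the heading before this revision goes live.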
Line 283: Line 285:
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*is created or received by UNMC/ACE; and
*is created or received by UNMC/ACE; and
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*an Individual’s genetic tests;
*an Individual’s genetic tests;  
*the genetic tests of an Individual’s family members; or
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
Line 294: Line 296:
*employment records held by UNMC in its role as employer.
*employment records held by UNMC in its role as employer.
===Research ===
===Research ===
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE.
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE.  
===Sale of Protected Health Information ===
===Sale of Protected Health Information ===
Disclosure of Protected Health Information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.  
Disclosure of Protected Health Information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
===Treatment===
===Treatment===
The provision, coordination or management of health care and related services by one or more health care providers including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.
The provision, coordination or management of health care and related services by one or more health care providers including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.
===Workforce===
===Workforce===
Employees, medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.
==Additional Information==
==Additional Information==
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*Legal Services department '''UNMC or Nebr med? best contact info ??'''
*Enterprise Applications Executive Director '''need email and/or phone, dept contact info'''
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]
*UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]
*'''UNMC Policy No. 6066, [[Psychotherapy Notes]] is this being deleted or kept? If being kept, it should be reviewed and review date note on policy 6066, even if not changed.'''
*'''UNMC Policy No. 6066, [[Psychotherapy Notes]] is this being deleted or kept? If being kept, it should be reviewed and review date note on policy 6066, even if not changed.'''
*UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
*UNMC Policy No. 6304, [[Disclosures of PHI as Permitted or Required by Law]]
*UNMC Policy No. 6305, [[Disclosure of PHI for Law Enforcement Purposes]]
*UNMC Policy No. 8009, [[Contracts]]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices]
*Nebraska Medicine Verification and Authority policy, '''need Nebr Med policy #'''
*Nebraska Medicine Consents and Permits policy, MS14.
*Nebraska Medicine Consents and Permits policy, MS14.
 
*Nebraska Medicine Confidential Address policy, '''need Nebr Med policy #'''
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment, and Health Care Operations]
*Nebraska Medicine Private Designation policy, for additional details.) '''need Nebr Med policy #'''
*Nebraska Medicine Contract Management policy, FN18
*[https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment and Health Care Operations]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
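Review bot: The Additional Information list carries unresolved drafting notes in bold inside the published text ("is this phone # still correct?", "need Nebr Med policy #", "UNMC or Nebr med? best contact info ??"), and the new Private Designation entry ends with a stray "for additional details.)" fragment whose parenthesis is never opened. Resolve the contact details and policy numbers or move the questions to the talk page, and trim that entry to the policy name. The new Legal Services and Enterprise Applications Executive Director entries also give a reader no way to reach either contact until those details are filled in.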