Use and Disclosure of Protected Health Information: Difference between revisions

From University of Nebraska Medical Center
No edit summary
No edit summary
(37 intermediate revisions by 3 users not shown)
Line 20: Line 20:
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
width="20">[[Intellectual Property]]</td>
width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Faculty]]</td>
</tr>
</tr>
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
<br /><br />
<br /><br />
POLICY NO: '''6057'''<br />
Policy No.: '''6057'''<br />
EFFECTIVE DATE: '''03/17/03'''<br />
Effective Date: '''03/17/03'''<br />
REVISED DATES: '''05/29/2013'''<br />
Revised Date: '''draft 09/20/22'''<br />
LAST REVIEWED DATE: '''05/29/2013'''<br />
Reviewed Date: ''' '''<br />


<big>'''Use and Disclosure of Protected Health Information Policy'''</big>  
<big>'''Use and Disclosure of Protected Health Information Policy'''</big>  
== Basis for Policy ==  
== Basis for Policy ==  
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA. ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])<br />
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.
<br />
 
== Policy ==  
== Policy ==  
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.<br />
Nebraska Medicine/UNMC shall limit the use and disclosure of Protected Health Information (PHI) to the right people, for the right purposes, with the right authority, and always subject to reasonable safeguards -- all as defined by the [https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)] and Nebraska Medicine/UNMC policies.  
<br />
==Purpose==
 
To establish guidelines for the use and disclosure of PHI.
== Definitions ==
===General Policies Governing the Use and Disclosure of PHI===
<br />
#Each use or disclosure of PHI must be an authorized use or disclosure (either by a written patient authorization or Nebraska Medicine/UNMC policy). Some of the authorized uses and disclosures are described in this policy and associated policies.
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.
#The use or disclosure of PHI must be in accordance with the [https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices].
 
#The [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Workforce Workforce] member using or disclosing the PHI must do so only as necessary to perform assigned duties.
'''Payment''' means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities
#The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy and the Nebraska Medicine Consents and Permits policy, MS14, Authorized Consenting Persons section.) '''need Nebr Med policy #s'''
 
#Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
'''Healthcare operations''' means the following activities related to UNMC’s function as an affiliated healthcare provider:
#Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.) '''need Nebr Med policy #'''
   
#If a disclosure of PHI is subject to an Individual’s right to an accounting, it must be documented per UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]. Also note the documentation requirements listed throughout this policy and associated policies.
:#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included
#Requests for uses and disclosures of PHI that are not clearly addressed in Nebraska Medicine/UNMC policies must be considered and resolved by a designated decision-maker. The [mailto:debrbishop@nebraskamed.com Privacy Officer] is the designated decision-maker unless someone else is designated by the [mailto:privacy@nebraskamed.com Privacy Office] (at 402-559-5136) for a particular policy or situation. (See Nebraska Medicine Consents and Permits policy, MS14.)
:#Population-based activities relating to improving health or reducing health care costs
#All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
:#Protocol development
#Improper uses and disclosures of PHI should be immediately brought to Privacy Office’s attention so it can consider and facilitate the implementation of any effective mitigation or remedial steps.
:#Contacting of health care providers and patients with information about treatment alternatives
#All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures.  
:#Case management and care coordination
==Procedures==
:#Risk assessment
Protected Health Information (PHI) may be used and disclosed within the [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Affiliated_Covered_Entity_.28ACE.29 Affiliated Covered Entity (ACE)] for each member’s own treatment, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] and [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Care_Operations_2 Health Care Operations] if it has or is about to have a treatment relationship with the Individual supporting its need for such use or disclosure of such information, without having to obtain the Individual’s authorization. ACE entities also may share PHI with one another without Individual authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />
:#Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans
:#Training future healthcare professionals (students and residents)
:#Conducting or arranging for legal services
:#Business planning and development
:#Business management activities
:#General administrative and business functions
:#Conducting or arranging for medical review and auditing services
:#Insurance activities relating to the renewal of a contract of insurance
:#Evaluating healthcare provider and plan performance
:#Resolution of internal grievances
:#Fundraising
 
'''Protected Health Information (PHI)''' is individually identifiable health information.  Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
   
:#Is created or received by ACE; and
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
 
Protected Health Information includes genetic information containing individual identifiers which is defined as:
:#Information about an individual's gentic tests; or
:#The genetic tests of family members of the individual; or
:#The manifestation of a disease or disorder in family members of such individual (i.e., family medical history)
 
Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.
 
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.
 
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.
 
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.
 
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.
 
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE.  See Use and Disclosure of PHI for Research below.
 
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below.


Members of the [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Workforce Workforce] may access Individual information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose. Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
===Treatment===
Nebraska Medicine/UNMC may disclose PHI to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information.
#If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes.
#If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the Individual was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
#Release/disclosure of Individual's information should be documented by the department/Workforce member releasing the information. Releases of information outside of the Health Information Management department (HIM) should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the Individual who is the subject of such PHI.
===Payment===
Nebraska Medicine/UNMC may disclose PHI to another provider or covered entity for its [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes.
===Health Care Operations===
Nebraska Medicine/UNMC may disclose PHI to another covered entity (including members of its medical staff) for certain health care operations of the requesting covered entity if the following steps are followed. Requests of this type are expected to be infrequent.
#Nebraska Medicine/UNMC should confirm and document that the requesting covered entity: (i) is a covered entity; (ii) has a relationship with the Individual whose PHI is requested; and (iii) is requesting and will use PHI for a qualifying health care operations use.
#Only the following health care operations of the requesting covered entity support a disclosure to the covered entity for its use of PHI in health care operations:
##Quality assessment activities, utilization management activities and activities designed to measure or improve care or reduce costs.
##Peer review activities.
##Health care fraud and abuse detection or compliance efforts.
#The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it.
===Incidental Disclosures===
Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties. In such cases, the following standards should be met:
#The unintended disclosure of PHI must be a consequence of a permitted use or disclosure.
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
#Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
##Use common sense and judgment--look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside Individual's room should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; Individuals in public areas or being transported should be draped in a manner that respects the Individual’s modesty or dignity).
##Speak in a lower voice;
##Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of Individuals receiving treatment through the use of curtains or other visual barriers whenever possible);
##Pull the dividers or partitions between the Individual and other patients or visitors; and
##Ask if the Individual would prefer to talk in a more private location.
===Disclosures to the Individual===
Nebraska Medicine/UNMC may disclose PHI to the Individual or his/her Personal Representative.
The Individual has a right to see and obtain copies of PHI maintained in the Individual’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]).
#For Other Disclosures to Individual
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
###Notation in the medical, billing or other record from which the material was obtained
###Electronic notation such as Quick Disclosure (Epic) in the database from which the information was obtained
##It is not necessary to document oral disclosures to Individuals, unless required by nursing, medical staff or other policies. This policy recognizes that there is constant exchange of information between health care providers and Individuals during episodes of care.
##When disclosing to the Individual, appropriate safeguards should be taken to reduce the risk that people other than the Individual or people permitted by the Individual will hear the disclosure. Examples of such safeguards would include:
###Asking the Individual if the Individual would prefer to talk in a more private location.
###Confirming with the Individual that it is okay to proceed with the conversation while friends, relatives or others are present.
###Speaking in a lower voice.
###Pulling the dividers or partitions between the Individual and other patients or visitors.
###Providing more privacy through partitions and room arrangements.
#The minimum necessary standard does not apply to disclosures to the Individual.
===Disclosures to Family, Friends and Others===
====Facility Directory====
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the Individual by name, or to members of the clergy, in accordance with applicable policies. (See Nebraska Medicine Private Designation policy, for additional details.) '''need Nebr Med policy #'''
====Disclosures with Individual’s Permission====
#You may disclose PHI to the Individual in the presence of others if the Individual is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the Individual does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the Individual.
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the Individual's care or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for care.
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the Individual’s care. They may simply be visiting the Individual. Therefore, try to give the Individual every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
#Do not rely on this authority if the Individual is incapacitated or otherwise unable to agree or object to such disclosure.
====Disclosures Based on Role or Involvement in Patient Care====
Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the Individuals’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you:
#Talk to the Individual’s child, other relative or friend who customarily drives the Iatient to appointments to confirm the date and time of the next appointment.
#Give an involved family member the Individual’s prescription, so the family member can fill it for the Individual.
#Talk to a family member at discharge, if they play a role in post-discharge care.
#Talk to the Individual’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
#Talk to a family member or friend when the Individual indicates you can or should do so, e.g., if the person accompanies the Individual for an appointment or procedure, or is invited and present at admission or discharge.
If the Individual is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:
#Obtain the Individual’s consent to such disclosure;
#Provide the Individual with an opportunity to object, and disclose only if the Individual does not object; or
#Reasonably infer from the circumstances, based on the exercise of professional judgment, that the Individual does not object.
If the Individual is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the Individual. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />


== Procedures ==
'''Note:''' Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.<br />
<br />
===Use/Disclosure of PHI Related to Healthcare===
 
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above).  These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.).  If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment.  However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone.  Only information relevant to such person’s involvement with the individual’s care should be shared.
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.
 
The ACE may disclose PHI for the treatment activities of a healthcare provider.
 
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.
 
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.
 
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed.  See [[Notice_of_Privacy_Practices|Notice of Privacy Practices Policy]].
 
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:
:#Use of their name, location and general condition in the facility directory.
:#Disclosure of religious affiliation to clergy members.
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.
 
===Request for restrictions=== 
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care.  Requests for restrictions can be denied, with one exception.  Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics.  The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval.  If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction.  Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.
 
===Use/Disclosure of PHI Related for Training Healthcare Professionals===
Training healthcare professionals is a category of healthcare operations.  Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution.  Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.


These procedures are not applicable to Personal Representatives because they generally have the same access to information as the Individual.
====Disclosure for Notification Purposes====
Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the Individual’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
#Ask the Individual, if possible, whether they consent to such disclosure and rely on what the patient says.
#If the Individual is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the Individual’s care and make an effort to limit contact to them.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Nebraska Medicine Consents and Permits policy, MS14.) Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Information_Exchange_.28HIE.29 Health Information Exchanges (HIEs)]. Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director authorizes individual access to the HIE. The ACE is a member of the following HIEs:
=====CyncHealth (Previously NeHII)=====
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office].
=====Epic-integrated HIE Software=====
Epic-integrated HIE Software, includes but is not limited to Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, health care operations or any other purposes, regardless if otherwise permitted under HIPAA.
=====eHealth Exchange=====
#Includes federal and non-federal organizations. Veterans Administration (VA) is a participant of this HIE. Members of the ACE access this HIE via Care Everywhere; as such, PHI obtained via the eHealth Exchange generally may only be used or disclosed for treatment purposes.
#All users of the eHealth Exchange are required to cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone.
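Review bot: the Care Everywhere and eHealth Exchange paragraphs both say PHI "generally" may only be used for treatment, but neither says who decides when an exception applies. The CyncHealth paragraph directs doubtful cases to the Privacy Office; add the same direction here, or drop "generally" if no exception is intended. In the Care Everywhere paragraph, "regardless if otherwise permitted under HIPAA" should read "regardless of whether it is otherwise permitted under HIPAA".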
===Business Associate Agreements/Addendums===
Nebraska Medicine/UNMC shall enter into a Business Associate Agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see UNMC Policy No. 8009, [[Contracts]] or Nebraska Medicine Contract Management policy, FN18).
===Use/Disclosure of PHI for Training Health Care Professionals ===
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
===Use/Disclosure of PHI Permitted/Required by Law===
===Use/Disclosure of PHI Permitted/Required by Law===
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:
See UNMC Policy No. 6304, [[Disclosures of PHI as Permitted or Required by Law]].  
:#Disclosure required by law
:#Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.
:#Disclosures for law enforcements purposes.  See Use/Disclosure of PHI for Law Enforcement Purposes below.
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.
:#Disclosure about decedents to medical examiners and coroners consistent with law.
:#Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.
:#Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.
:#Disclosures to prevent serious threat to health or safety consistent with applicable law.
:#Disclosures about military personnel to military command authority in limited circumstances.
 
===Use/Disclosure of PHI for Law Enforcement Purposes===
===Use/Disclosure of PHI for Law Enforcement Purposes===
PHI may be disclosed to law enforcement under the following circumstances:
See UNMC Policy No. 6305, [[Disclosure of PHI for Law Enforcement Purposes]].
:#Laws require reporting violent wounds to law enforcement
===Use/Disclosure of PHI for Whistleblowing Purposes===
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.
A Workforce member may disclose PHI for whistleblowing purposes when:
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person.  May provide the following information only:  name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics. 
#The Workforce member believes in good faith that Nebraska Medicine/UNMC engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by Nebraska Medicine/UNMC potentially endangers one or more patients, other Workforce members, or the public; and
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples
#The disclosure is to:  
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent.  If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement.  Use professional judgment.
##A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of Nebraska Medicine/UNMC or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by Nebraska Medicine/UNMC; or
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.
##An attorney retained by or on behalf of the Workforce member or business associate for the purpose of determining the legal options of the Workforce member or business associate with regard to the conduct described in this section.  
:#Crime (or suspected crime) occurred on UNMC campus.
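Review bot: the whistleblowing section opens with "A Workforce member may disclose PHI" and its good-faith condition names only "The Workforce member", yet the attorney clause covers "the Workforce member or business associate". Either extend the opening sentence and the good-faith condition to business associates or remove them from the attorney clause, so the section has one consistent scope.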
===Use/Disclosure of PHI for Marketing ===
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)
Refer requests for disclosures of PHI for marketing or fundraising purposes to the [mailto:privacy@nebraskamed.com Privacy Office].
 
===Use/Disclosure of PHI for Marketing===
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization.  Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.  If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.
Additionally the following activities are not marketing under HIPAA:
:#Communication for treatment of the individual.
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual. 
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits
 
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization.  The authorization must state that UNMC will receive remuneration for the marketing activity.
 
===Use/Disclosure of PHI for Fundraising===
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.
 
Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising.
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth
:#Dates of healthcare provided to an individual
:#Department of service information
:#Treating physician
:#Outcome information; and
:#Health insurance status
 
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. 
 
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising.  The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs.  If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.
 
===Use/Disclosure of PHI for Research===
===Use/Disclosure of PHI for Research===
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA.
#All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval. See UNMC's [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures]]. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA. The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA. To learn more about such waivers, please see UNMC Human Research Protection Program Policies and Procedures.
 
#For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI.  The form is located at: http://www.unmc.edu/cctr/ehr_research.htm
##A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
 
##Documentation of the death of such Individuals; and
##A representation that the requested PHI is necessary for the research purposes.
#Review of PHI Preparatory to Research. Nebraska Medicine/UNMC staff and students who wish to review PHI to prepare a research proposal must submit a [https://unmcredcap.unmc.edu/redcap/surveys/?s=NMPNWMEA7W Electronic Health Data Request] Form to the [https://www.unmc.edu/cctr/resources/ehr/index.html Electronic Health Record Data Access Core] to obtain access to such PHI.  
#Access to PHI for reviews preparatory to research requires that the researcher provide the following representations in advance of such disclosure and use:
##that the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
##that no PHI is to be removed from the covered entity by the researcher in the course of the review; and
##that the PHI for which disclosure and use is sought is necessary for the research purposes.
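Review bot: in the first numbered item of the revised Research section, the external link to the HRPP Policies and Procedures ends in "]]", leaving a stray closing bracket in the rendered text. The final sentence of that item refers to the same policies again without a link; point it at the link already given. The three representations for reviews preparatory to research start in lower case while the decedent representations above them are capitalised; pick one style.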
===Sale of Protected Health Information===
===Sale of Protected Health Information===
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:
Selling PHI is generally prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where Nebraska Medicine/UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. Sale of PHI does not include certain disclosures of PHI:
:#For public health purposes
#For public health purposes;
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
#For research purposes where the only remuneration received by '''Organization''' is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes;
:#For treatment and payment purposes
#For treatment and payment purposes;
:#To an individual where the individual is requesting access to their own PHI
#To a business associate for activities that the business associate undertakes on Nebraska Medicine/UNMC’s behalf (if such business associate executes a Business Associate Agreement with Nebraska Medicine/UNMC);
:#Required by law; and
#To an Individual who is requesting access to their own PHI;
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.
#As required by law; and
 
#For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision (see the section on [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Limited_Data_Set Limited Data Set]).
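Review bot: two of the revised exceptions (research purposes and "any other HIPAA permitted purpose") name the recipient of the remuneration as "Organization", once in bold, where the rest of the section says "Nebraska Medicine/UNMC". This reads as an unreplaced template placeholder; replace it so the cost-based fee exceptions clearly apply to the same entity as the prohibition.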
 
===Authorization Required for all other Uses/Disclosures===
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in the [[Psychotherapy_Notes|Psychotherapy Note Policy]].
 
===Minimum Necessary===
===Minimum Necessary===
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]]
Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing PHI or when requesting PHI, members of the Workforce must make reasonable efforts to limit PHI used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:
#The “minimum necessary” standard does not apply to the following requests, uses and disclosures of PHI:
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI
##Uses, disclosures or requests among health care providers for treatment purposes.
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.
##Uses or disclosures required by law, so long as the use or disclosure complies with and is limited to the relevant requirements of the law.
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.
##Disclosures made to the Individual or pursuant to an authorization signed by the Individual.
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (i.e. Health Information Management, Decision Support Departments, etc.).
##Disclosures made to the Secretary of Health and Human Services or their designee.
:##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.
##Uses or disclosures required for compliance with the '''''Privacy Rule'''''.
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:
#Workforce. The minimum necessary standard applies to access and use of PHI by members of the Workforce. Each member of the Workforce must avoid intentionally accessing, using or disclosing PHI except as authorized by Nebraska Medicine/UNMC’s policies.
:##Disclosure to healthcare providers for treatment purposes
##When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
:##Disclosures required by law
##Role-based Access: access to PHI shall be based on the role performed as specified in computer security matrices maintained by electronic health record system security and other system administrators that lists staff roles, job codes/titles and associated levels of access to PHI. Reference Electronic Health Record Access Control policy.
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual
##Individuals who are performing treatment, payment and health care operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.  
:##Disclosure made to the Secretary of HHS for enforcement purposes
#Departments who provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.  
:##Electronic data elements transmitted in electronic claims
##Routine/recurring disclosures: managers of departments who routinely release PHI on a recurring basis (e.g., HIM, Decision Support depts., etc.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
 
##Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.  
#Departments that are not responsible for release of information should release records only under the limited conditions identified in UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]. All other requests should be sent to HIM.
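Review bot: the revised Minimum Necessary section no longer carries the 45 CFR 164.502(b) citation that the previous opening sentence had; keep it so readers can trace the standard to its source. The first sub-item under "Workforce" also restates the section's opening sentence almost word for word and can be reduced to the new requirement about disclosing the entire medical record. The role-based access sub-item cites the "Electronic Health Record Access Control policy" by name only, without a policy number or link.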
===Limited Data Set===
===Limited Data Set===
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:
#A limited data set of PHI that excludes certain direct identifiers of the Individual or of relatives, employers, or household members of the Individual may be used and disclosed for the purposes of research, public health or health care operations:  
:#Names
##Names;
:#Postal address information, other than town or city, state or zip code
##Postal address information, other than town or city, state, or zip code;
:#Telephone numbers
##Telephone numbers;
:#Fax numbers
##Fax numbers;
:#Electronic mail addresses
##Electronic mail addresses;
:#Social security numbers
##Social security numbers;
:#Medical record numbers
##Medical record numbers;
:#Health plan beneficiary numbers
##Health plan beneficiary numbers;
:#Account numbers
##Account numbers;
:#Certificate/license numbers
##Certificate/license numbers;
:#Vehicle identifiers and serial numbers, including license numbers
##Vehicle identifiers and serial numbers, including license numbers;
:#Device identifiers and serial numbers
##Device identifiers and serial numbers;
:#Web Universal Resources Locators (URLs)
##Web Universal Resource Locators (URLs);
:#Internet Protocol (IP) address numbers
##Internet Protocol (IP) address numbers;
:#Biometric identifiers, including finger and voice prints; and
##Biometric identifiers, including finger and voice prints; and  
:#Full face photographic images and any comparable images
## Full-face photographic images and any comparable images.
 
#The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.  
===De-identification/Re-identification of PHI===
 
#PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:
===De-Identification /Re-Identification of PHI (164.514)===
##The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:
###Names;
:#Names
###All geographic subdivisions smaller than a state (including street address, city, county, precinct and zip code);
:#All geographic subdivisions smaller than a state
###All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);
:#All elements of dates except year, for dates related to individual
###Telephone numbers;
:#Telephone numbers
###Fax numbers;
:#Fax numbers
###Electronic mail addresses;
:#Electronic mail addresses
###Social Security Numbers;
:#Social security numbers
###Medical record numbers;
:#Medical record numbers
###Health plan beneficiary numbers;
:#Health plan beneficiary numbers
###Account numbers;
:#Accounts numbers
###Certificate/license numbers;
:#Certificate/license numbers
###Vehicle identifiers and serial numbers, including license plate numbers;
:#Vehicle identifiers and serial numbers
###Device identifiers and serial numbers;
:#Device Identifiers and serial numbers
###Web Universal Resource Locators (URLs);
:#Web Universal Resource Locators (URLs)
###Internet Protocol (IP) address numbers;
:#Internet Protocol (IP) address numbers
###Biometric identifiers, including finger and voice prints;
:#Biometric identifiers, including finger and voice prints
###Full face photographic images and any comparable images; and
:#Full face photographic images and other comparable images and
###Any other unique identifying number, characteristic, or code.
:#Any other unique identifying number, characteristic/code, except as permitted under the Re-identification section below
##A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information; and documents the methods and results of the analysis that justify such determination. The Legal Services department '''UNMC or Nebr med? best contact info ??''' and/or [mailto:privacy@nebraskamed.com Privacy Office] must approve of the use of this de-identification method and the person who performs it.
 
#Re-identification of PHI. A code or other means of record identification may be assigned to allow information de-identified above to be re-identified by Organization, provided that:  
'''Re-Identification of PHI.''' A code or other means of record identification may be assigned to allow information de-identified under De-Identification of PHI (above) about to be re-identified by UNMC, provided that:
##The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and  
:#The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
##The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.
:#The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.  
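Review bot: the revised eighteenth identifier, "Any other unique identifying number, characteristic, or code.", drops the previous carve-out "except as permitted under the Re-identification section below", while the Re-identification item that follows still permits assigning a code. Restore the carve-out so the two items do not contradict each other. The expert-determination item still contains the drafting note "UNMC or Nebr med? best contact info ??" in bold, and the Re-identification item says "by Organization"; both need to be resolved before this text is published.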
===Disaster Relief Disclosures===
 
Nebraska Medicine/UNMC may disclose PHI to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.<br />
==Staff Accountability==
[mailto:swrobel@unmc.edu Privacy Officer]


'''''Disaster relief agency''''' means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts. Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.
#Limit releases of information to the information needed by the agencies to perform their disaster relief efforts. Often, this includes such uses as:
##Coordinating availability of care,
##Notification of family and friends, or
##Determining the identity of victims and survivors.
#The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances. Professional judgment under this policy may be exercised and documented by the [mailto:debrbishop@nebraskamed.com Privacy Officer] or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan. '''need link(s) to plan(s}'''
#The minimum necessary standard does not apply to disclosures to disaster relief agencies.
===Authorization Generally Required for All Other Uses/Disclosures===
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Nebraska Medicine Consents and Permits policy, MS14) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in UNMC Policy Nos. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set] and 6066, [[Psychotherapy Notes]].
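Review bot: the Disaster Relief section ends its second item with the drafting note "need link(s) to plan(s}" and the authorization paragraph contains "need URL for forms"; both are unresolved placeholders in policy text. The Disaster Relief item also links "Privacy Officer" to an individual's mailbox, whereas every other reference in this revision uses the shared privacy@nebraskamed.com address; use the shared address so the contact survives staff changes.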
===Compound Authorizations===
An authorization for use or disclosure of PHI generally may not be combined with any other document to create a compound authorization, except in the following cases:
#An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.
#An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes.
== Definitions ==
===Affiliated Covered Entity (ACE)===
Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.
===Designated Record Set (DRS)===
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS.
===Health Care Operations===
The following activities related to the Organization's functions as a health care provider and sponsor of a self-insured health plan:
#Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities, otherwise these activities may be classified as research if PHI is included;
#Population-based activities relating to improving health or reducing health care costs;
#Protocol development;
#Contacting health care providers and patients with information about treatment alternatives;
#Case management and care coordination;
#Patient safety activities;
#Risk assessment;
#Reviewing the competence or qualifications and accrediting/licensing of health care providers;
#Training health care professionals;
#Conducting or arranging for medical review, legal services and auditing functions (including fraud and abuse detection and compliance programs);
#Business planning and development;
#Business management activities;
#General administrative and business functions;
#Insurance activities relating to the renewal of a contract of health insurance;
#Evaluating healthcare provider and plan performance;
#Resolution of internal grievances; and
#Fundraising (see [https://wiki.unmc.edu/index.php?title=Use_and_Disclosure_of_Protected_Health_Information&action=edit#Use.2FDisclosure_of_PHI_for_Marketing Use/Disclosure of PHI for Marketing]).
===Health Information Exchange (HIE)===
The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of an HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems.
===Individual===
The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)
===Organization===
'''Do we have a definition for this that we can/should use? It seems pretty specific (capital O instead of l.c. o).'''
===Payment===
Activities undertaken by a health care provider or health plan to obtain premiums, to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or to obtain or provide reimbursement for the provision of health care. Some of these types of activities include determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), billing, collection activities, claims management, medical necessity determinations, utilization review activities including pre-certification and pre-authorization of services, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above-listed activities.
===Personal Representative ===
A person who, under HIPAA or State law, is empowered to act or exercise rights on behalf of an Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)
===Protected Health Information (PHI)===
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*is created or received by UNMC/ACE; and
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*an Individual’s genetic tests;
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years;
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and
*employment records held by UNMC in its role as employer.
===Psychotherapy Notes===
Notes recorded (in any medium) by a mental health provider including psychiatrists, psychologists and other mental health professionals documenting or analyzing the contents of a conversation during a private counseling session or group, joint or family counseling session. Psychotherapy notes are kept separate from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. Psychotherapy notes are not progress notes and are created at the discretion of the mental health care provider. (HIPAA: 45 CFR §164.501)
===Research ===
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE.
===Sale of Protected Health Information ===
Disclosure of Protected Health Information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
===Treatment===
The provision, coordination or management of health care and related services by one or more health care providers including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.
===Workforce===
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.
==Additional Information==
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*Legal Services department '''UNMC or Nebr med? best contact info ??'''
*Enterprise Applications Executive Director '''need email and/or phone, dept contact info'''
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]
*UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]
*UNMC Policy No. 6066, [[Psychotherapy Notes]] '''If being kept, this should be reviewed and review date noted on policy 6066, even if not changed.'''
*UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]]
*UNMC Policy No. 6304, [[Disclosures of PHI as Permitted or Required by Law]]
*UNMC Policy No. 6305, [[Disclosure of PHI for Law Enforcement Purposes]]
*UNMC Policy No. 8009, [[Contracts]]
*UNMC [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices]
*Nebraska Medicine Verification and Authority policy, '''need Nebr Med policy #'''
*Nebraska Medicine Consents and Permits policy, MS14.
*Nebraska Medicine Confidential Address policy, '''need Nebr Med policy #'''
*Nebraska Medicine Private Designation policy, '''need Nebr Med policy #'''
*Nebraska Medicine Contract Management policy, FN18
*Nebraska Medicine Form CON-MR-0074, '''need form name and URL '''
*Nebraska Medicine Form CON-MR-1900, '''need form name and URL '''
*[https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment and Health Care Operations]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
*[http://nehii.org/index.php?option=com_docman&Itemid=59 NeHII Privacy and Information Security Policies and Procedures]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]


This page is maintained by [mailto:dpanowic@unmc.edu dkp].

Revision as of 10:48, October 28, 2022


Policy No.: 6057
Effective Date: 03/17/03
Revised Date: draft 09/20/22
Reviewed Date:

Use and Disclosure of Protected Health Information Policy

Basis for Policy

Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.

Policy

Nebraska Medicine/UNMC shall limit the use and disclosure of Protected Health Information (PHI) to the right people, for the right purposes, with the right authority, and always subject to reasonable safeguards -- all as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Nebraska Medicine/UNMC policies.

Purpose

To establish guidelines for the use and disclosure of PHI.

General Policies Governing the Use and Disclosure of PHI

  1. Each use or disclosure of PHI must be an authorized use or disclosure (either by a written patient authorization or Nebraska Medicine/UNMC policy). Some of the authorized uses and disclosures are described in this policy and associated policies.
  2. The use or disclosure of PHI must be in accordance with the Nebraska Medicine/UNMC Notice of Privacy Practices.
  3. The Workforce member using or disclosing the PHI must do so only as necessary to perform assigned duties.
  4. The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy and the Nebraska Medicine Consents and Permits policy, MS14, Authorized Consenting Persons section.) need Nebr Med policy #s
  5. Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
  6. Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.) need Nebr Med policy #
  7. If a disclosure of PHI is subject to an Individual’s right to an accounting, it must be documented per UNMC Policy No. 6061, Accounting of Protected Health Information Disclosures. Also note the documentation requirements listed throughout this policy and associated policies.
  8. Requests for uses and disclosures of PHI that are not clearly addressed in Nebraska Medicine/UNMC policies must be considered and resolved by a designated decision-maker. The Privacy Officer is the designated decision-maker unless someone else is designated by the Privacy Office (at 402-559-5136) for a particular policy or situation. (See Nebraska Medicine Consents and Permits policy, MS14.)
  9. All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
  10. Improper uses and disclosures of PHI should be immediately brought to the Privacy Office’s attention so it can consider and facilitate the implementation of any effective mitigation or remedial steps.
  11. All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures.

Procedures

Protected Health Information (PHI) may be used and disclosed within the Affiliated Covered Entity (ACE) for each member’s own treatment, Payment and Health Care Operations if it has or is about to have a treatment relationship with the Individual supporting its need for such use or disclosure of such information, without having to obtain the Individual’s authorization. ACE entities also may share PHI with one another without Individual authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations.

Members of the Workforce may access Individual information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose. Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, Privacy, Confidentiality and Security of Patient and Proprietary Information.)

Treatment

Nebraska Medicine/UNMC may disclose PHI to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information.

  1. If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes.
  2. If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the Individual was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
  3. Release/disclosure of Individual's information should be documented by the department/Workforce member releasing the information. Releases of information outside of the Health Information Management department (HIM) should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
  4. The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the Individual who is the subject of such PHI.

Payment

Nebraska Medicine/UNMC may disclose PHI to another provider or covered entity for its Payment purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.

  1. Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
  2. The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes.

Health Care Operations

Nebraska Medicine/UNMC may disclose PHI to another covered entity (including members of its medical staff) for certain health care operations of the requesting covered entity if the following steps are followed. Requests of this type are expected to be infrequent.

  1. Nebraska Medicine/UNMC should confirm and document that the requesting covered entity: (i) is a covered entity; (ii) has a relationship with the Individual whose PHI is requested; and (iii) is requesting and will use PHI for a qualifying health care operations use.
  2. Only the following health care operations of the requesting covered entity support a disclosure to the covered entity for its use of PHI in health care operations:
    1. Quality assessment activities, utilization management activities and activities designed to measure or improve care or reduce costs.
    2. Peer review activities.
    3. Health care fraud and abuse detection or compliance efforts.
  3. The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it.

Incidental Disclosures

Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties. In such cases, the following standards should be met:

  1. The unintended disclosure of PHI must be a consequence of a permitted use or disclosure.
  2. The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
  3. Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
    1. Use common sense and judgment--look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside Individual's room should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; Individuals in public areas or being transported should be draped in a manner that respects the Individual’s modesty or dignity).
    2. Speak in a lower voice;
    3. Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of Individuals receiving treatment through the use of curtains or other visual barriers whenever possible);
    4. Pull the dividers or partitions between the Individual and other patients or visitors; and
    5. Ask if the Individual would prefer to talk in a more private location.

Disclosures to the Individual

Nebraska Medicine/UNMC may disclose PHI to the Individual or his/her Personal Representative. The Individual has a right to see and obtain copies of PHI maintained in the Individual’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, Access and Amendment of Designated Record Set).

  1. For Other Disclosures to Individual
    1. For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways:
      1. Notation in the medical, billing or other record from which the material was obtained
      2. Electronic notation such as Quick Disclosure (Epic) in the database from which the information was obtained
    2. It is not necessary to document oral disclosures to Individuals, unless required by nursing, medical staff or other policies. This policy recognizes that there is constant exchange of information between health care providers and Individuals during episodes of care.
    3. When disclosing to the Individual, appropriate safeguards should be taken to reduce the risk that people other than the Individual or people permitted by the Individual will hear the disclosure. Examples of such safeguards would include:
      1. Asking the Individual if the Individual would prefer to talk in a more private location.
      2. Confirming with the Individual that it is okay to proceed with the conversation while friends, relatives or others are present.
      3. Speaking in a lower voice.
      4. Pulling the dividers or partitions between the Individual and other patients or visitors.
      5. Providing more privacy through partitions and room arrangements.
  2. The minimum necessary standard does not apply to disclosures to the Individual.

Disclosures to Family, Friends and Others

Facility Directory

Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the Individual by name, or to members of the clergy, in accordance with applicable policies. (See Nebraska Medicine Private Designation policy, for additional details.) need Nebr Med policy #

Disclosures with Individual’s Permission

  1. You may disclose PHI to the Individual in the presence of others if the Individual is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the Individual does not object. Sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the Individual.
  2. When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the Individual's care or Payment for care.
  3. Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the Individual’s care. They may simply be visiting the Individual. Therefore, try to give the Individual every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
  4. Do not rely on this authority if the Individual is incapacitated or otherwise unable to agree or object to such disclosure.

Disclosures Based on Role or Involvement in Patient Care

Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the Individual’s health care (or Payment for health care). For example, follow this policy when you:

  1. Talk to the Individual’s child, other relative or friend who customarily drives the Individual to appointments to confirm the date and time of the next appointment.
  2. Give an involved family member the Individual’s prescription, so the family member can fill it for the Individual.
  3. Talk to a family member at discharge, if they play a role in post-discharge care.
  4. Talk to the Individual’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
  5. Talk to a family member or friend when the Individual indicates you can or should do so, e.g., if the person accompanies the Individual for an appointment or procedure, or is invited and present at admission or discharge.

If the Individual is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:

  1. Obtain the Individual’s consent to such disclosure;
  2. Provide the Individual with an opportunity to object, and disclose only if the Individual does not object; or
  3. Reasonably infer from the circumstances, based on the exercise of professional judgment, that the Individual does not object.

If the Individual is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the Individual. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgment to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement.

Note: Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.

These procedures are not applicable to Personal Representatives because they generally have the same access to information as the Individual.

Disclosure for Notification Purposes

Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the Individual’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:

  1. Ask the Individual, if possible, whether they consent to such disclosure and rely on what the patient says.
  2. If the Individual is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the Individual’s care and make an effort to limit contact to them.
  3. If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Nebraska Medicine Consents and Permits policy, MS14.) Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
  4. When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the Privacy Office to disclose additional information.

Uses/Disclosure of PHI for Electronic Health Information Exchanges

Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director authorizes individual access to the HIE. The ACE is a member of the following HIEs:

CyncHealth (Previously NeHII)

CyncHealth participants may access CyncHealth PHI pursuant to CyncHealth’s Privacy and Information Security Policies and Procedures. If unsure as to whether a particular use or disclosure is permissible, contact the Privacy Office.

Epic-integrated HIE Software

Epic-integrated HIE Software includes, but is not limited to, Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, health care operations or any other purposes, regardless of whether otherwise permitted under HIPAA.

eHealth Exchange
  1. Includes federal and non-federal organizations. Veterans Administration (VA) is a participant of this HIE. Members of the ACE access this HIE via Care Everywhere; as such, PHI obtained via the eHealth Exchange generally may only be used or disclosed for treatment purposes.
  2. All users of the eHealth Exchange are required to cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone.

Business Associate Agreements/Addendums

Nebraska Medicine/UNMC shall enter into a Business Associate Agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see UNMC Policy No. 8009, Contracts or Nebraska Medicine Contract Management policy, FN18).

Use/Disclosure of PHI for Training Health Care Professionals

See UNMC Policy No. 6303, Use and Disclosure of PHI for Training Health Care Professionals

Use/Disclosure of PHI Permitted/Required by Law

See UNMC Policy No. 6304, Disclosures of PHI as Permitted or Required by Law.

Use/Disclosure of PHI for Law Enforcement Purposes

See UNMC Policy No. 6305, Disclosure of PHI for Law Enforcement Purposes.

Use/Disclosure of PHI for Whistleblowing Purposes

A Workforce member may disclose PHI for whistleblowing purposes when:

  1. The Workforce member believes in good faith that Nebraska Medicine/UNMC engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by Nebraska Medicine/UNMC potentially endanger one or more patients, other Workforce members, or the public; and
  2. The disclosure is to:
    1. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of Nebraska Medicine/UNMC or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by Nebraska Medicine/UNMC; or
    2. An attorney retained by or on behalf of the Workforce member or business associate for the purpose of determining the legal options of the Workforce member or business associate with regard to the conduct described in this section.

Use/Disclosure of PHI for Marketing

Refer requests for disclosures of PHI for marketing or fundraising purposes to the Privacy Office.

Use/Disclosure of PHI for Research

  1. All research requests using PHI must be submitted to the UNMC Institutional Review Board (IRB) for review and approval. See UNMC's Human Research Protection Program (HRPP) Policies and Procedures. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA. The UNMC IRB operates as the ACE’s Privacy Board and approves all waivers of authorization as permitted under HIPAA. To learn more about such waivers, please see UNMC Human Research Protection Program Policies and Procedures.
  2. For research requests involving use of a decedent's information, Nebraska Medicine/UNMC must obtain from the researcher (before making such disclosure):
    1. A representation that the requested use or disclosure of PHI is solely for research on the PHI of decedents;
    2. Documentation of the death of such Individuals; and
    3. A representation that the requested PHI is necessary for the research purposes.
  3. Review of PHI Preparatory to Research. Nebraska Medicine/UNMC staff and students who wish to review PHI to prepare a research proposal must submit an Electronic Health Data Request Form to the Electronic Health Record Data Access Core to obtain access to such PHI.
  4. Access to PHI for reviews preparatory to research requires that the researcher provide the following representations in advance of such disclosure and use:
    1. that the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
    2. that no PHI is to be removed from the covered entity by the researcher in the course of the review; and
    3. that the PHI for which disclosure and use is sought is necessary for the research purposes.

Sale of Protected Health Information

Selling PHI is generally prohibited unless the patient signs an authorization specifically permitting the sale. This includes any disclosure of PHI where Nebraska Medicine/UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. Sale of PHI does not include certain disclosures of PHI:

  1. For public health purposes;
  2. For research purposes where the only remuneration received by Organization is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes;
  3. For treatment and payment purposes;
  4. To a business associate for activities that the business associate undertakes on Nebraska Medicine/UNMC’s behalf (if such business associate executes a Business Associate Agreement with Nebraska Medicine/UNMC);
  5. To an Individual who is requesting access to their own PHI;
  6. As required by law; and
  7. For any other HIPAA permitted purpose where the only remuneration received by Organization is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting the PHI, including labor, material and supplies.

De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision (see the section on Limited Data Set).

Minimum Necessary

Subject to the exceptions listed in this or any other Nebraska Medicine/UNMC policy, when using or disclosing PHI or when requesting PHI, members of the Workforce must make reasonable efforts to limit PHI used, disclosed or requested to the minimum information necessary (both type of information and quantity) to accomplish the intended purpose of such use, disclosure or request.

  1. The “minimum necessary” standard does not apply to the following requests, uses and disclosures of PHI:
    1. Uses, disclosures or requests among health care providers for treatment purposes.
    2. Uses or disclosures required by law, so long as the use or disclosure complies with and is limited to the relevant requirements of the law.
    3. Disclosures made to the Individual or pursuant to an authorization signed by the Individual.
    4. Disclosures made to the Secretary of Health and Human Services or their designee.
    5. Uses or disclosures required for compliance with the Privacy Rule.
  2. Workforce. The minimum necessary standard applies to access and use of PHI by members of the Workforce. Each member of the Workforce must avoid intentionally accessing, using or disclosing PHI except as authorized by Nebraska Medicine/UNMC’s policies.
    1. When using, disclosing, or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Disclosure of the entire medical record is prohibited unless specifically justified and documented in the medical record as the minimum necessary for the request or otherwise required by law.
    2. Role-based Access: access to PHI shall be based on the role performed, as specified in computer security matrices maintained by electronic health record system security and other system administrators that list staff roles, job codes/titles and associated levels of access to PHI. Reference the Electronic Health Record Access Control policy.
    3. Individuals who are performing treatment, payment and health care operations functions on behalf of Nebraska Medicine/UNMC, or who require access as otherwise specified by the individual's position description, may access the entire medical record only as necessary to perform assigned duties.
  3. Departments that provide PHI in response to valid requests shall ensure that minimum necessary requirements are met.
    1. Routine/recurring disclosures: managers of departments that routinely release PHI on a recurring basis (e.g., HIM, Decision Support depts.) shall establish minimum necessary written protocols for standard releases of PHI internally and externally.
    2. Non-routine disclosures: department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.
  4. Departments that are not responsible for release of information should release records only under the limited conditions identified in UNMC Policy No. 6061, Accounting of Protected Health Information Disclosures. All other requests should be sent to HIM.

Limited Data Set

  1. A limited data set of PHI that excludes certain direct identifiers of the Individual or of relatives, employers, or household members of the Individual may be used and disclosed for the purposes of research, public health or health care operations. The direct identifiers that must be excluded are:
    1. Names;
    2. Postal address information, other than town or city, state, or zip code;
    3. Telephone numbers;
    4. Fax numbers;
    5. Electronic mail addresses;
    6. Social security numbers;
    7. Medical record numbers;
    8. Health plan beneficiary numbers;
    9. Account numbers;
    10. Certificate/license numbers;
    11. Vehicle identifiers and serial numbers, including license numbers;
    12. Device identifiers and serial numbers;
    13. Web Universal Resource Locators (URLs);
    14. Internet Protocol (IP) address numbers;
    15. Biometric identifiers, including finger and voice prints; and
    16. Full-face photographic images and any comparable images.
  2. The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, Nebraska Medicine/UNMC shall take reasonable steps to cure the breach or end the violation and, if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.

De-identification/Re-identification of PHI

  1. PHI may be used to create information that is not individually identifiable health information (i.e., de-identified information). The HIPAA privacy rules do not apply to de-identified information that does not identify an Individual and cannot be used to identify an Individual. PHI is de-identified when one of the following methods is used:
    1. The 18 identifiers of the Individual or of the Individual’s relatives, employers, or household members are removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify the Individual who is the subject of the information. The identifiers are:
      1. Names;
      2. All geographic subdivisions smaller than a state (including street address, city, county, precinct and zip code);
      3. All elements of dates except year, for dates related to Individual (e.g., birth date, admission date, discharge date, date of death);
      4. Telephone numbers;
      5. Fax numbers;
      6. Electronic mail addresses;
      7. Social Security Numbers;
      8. Medical record numbers;
      9. Health plan beneficiary numbers;
      10. Account numbers;
      11. Certificate/license numbers;
      12. Vehicle identifiers and serial numbers, including license plate numbers;
      13. Device identifiers and serial numbers;
      14. Web Universal Resource Locators (URLs);
      15. Internet Protocol (IP) address numbers;
      16. Biometric identifiers, including finger and voice prints;
      17. Full face photographic images and any comparable images; and
      18. Any other unique identifying number, characteristic, or code.
    2. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an Individual who is a subject of the information; and documents the methods and results of the analysis that justify such determination. The Legal Services department and/or Privacy Office must approve of the use of this de-identification method and the person who performs it.
  2. Re-identification of PHI. A code or other means of record identification may be assigned to allow information de-identified above to be re-identified by Organization, provided that:
    1. The code or other means of record identification is not derived from or related to information about the Individual and is not otherwise capable of being translated so as to identify the Individual; and
    2. The code or other means of record identification is not used for other purposes and the mechanism for re-identification is not disclosed.

Disaster Relief Disclosures

Nebraska Medicine/UNMC may disclose PHI to public or private relief organizations authorized by law or the HIPAA Privacy Rule to assist in disaster relief efforts.

Disaster relief agency means a public or private agency or program which is authorized by law or its charter to assist in disaster relief efforts. Examples of private disaster relief agencies would be the American Red Cross or the Salvation Army.

  1. Limit releases of information to the information needed by the agencies to perform their disaster relief efforts. Often, this includes such uses as:
    1. Coordinating availability of care,
    2. Notification of family and friends, or
    3. Determining the identity of victims and survivors.
  2. The same requirements that apply to disclosures to family, friends and others, apply to disclosures to disaster relief organizations, unless Nebraska Medicine/UNMC, in the exercise of professional judgment, determines that those requirements interfere with the ability to respond to the emergency circumstances. Professional judgment under this policy may be exercised and documented by the Privacy Officer or individuals designated in Nebraska Medicine/UNMC’s Disaster Plan.
  3. The minimum necessary standard does not apply to disclosures to disaster relief agencies.

Authorization Generally Required for All Other Uses/Disclosures

Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Nebraska Medicine Consents and Permits policy, MS14) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900). Restrictions on the use and disclosure of psychotherapy notes are explained in UNMC Policy Nos. 6059, Access and Amendment of Designated Record Set and 6066, Psychotherapy Notes.

Compound Authorizations

An authorization for use or disclosure of PHI generally may not be combined with any other document to create a compound authorization, except in the following cases:

  1. An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. When the ACE has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the Individual with an opportunity to opt in to the research activities described in the unconditioned authorization.
  2. An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.

Designated Record Set (DRS)

Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS.

Health Care Operations

The following activities related to the Organization's functions as a health care provider and sponsor of a self-insured health plan:

  1. Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities, otherwise these activities may be classified as research if PHI is included;
  2. Population-based activities relating to improving health or reducing health care costs;
  3. Protocol development;
  4. Contacting health care providers and patients with information about treatment alternatives;
  5. Case management and care coordination;
  6. Patient safety activities;
  7. Risk assessment;
  8. Reviewing the competence or qualifications and accrediting/licensing of health care providers;
  9. Training health care professionals;
  10. Conducting or arranging for medical review, legal services and auditing functions (including fraud and abuse detection and compliance programs);
  11. Business planning and development;
  12. Business management activities;
  13. General administrative and business functions;
  14. Insurance activities relating to the renewal of a contract of health insurance;
  15. Evaluating healthcare provider and plan performance;
  16. Resolution of internal grievances; and
  17. Fundraising (see Use/Disclosure of PHI for Marketing).

Health Information Exchange (HIE)

The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of an HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems.

Individual

The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)

Organization

Do we have a definition for this that we can/should use? It seems pretty specific (capital O instead of l.c. o).

Payment

Activities undertaken by a health care provider or health plan to obtain premiums, to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or to obtain or provide reimbursement for the provision of health care. Some of these types of activities include determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), billing, collection activities, claims management, medical necessity determinations, utilization review activities including pre-certification and pre-authorization of services, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above-listed activities.

Personal Representative

A person who, under HIPAA or State law, is empowered to act or exercise rights on behalf of an Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members;
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
  • any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years;
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Psychotherapy Notes

Notes recorded (in any medium) by a mental health provider including psychiatrists, psychologists and other mental health professionals documenting or analyzing the contents of a conversation during a private counseling session or group, joint or family counseling session. Psychotherapy notes are kept separate from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. Psychotherapy notes are not progress notes and are created at the discretion of the mental health care provider. (HIPAA: 45 CFR §164.501)

Research

A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE.

Sale of Protected Health Information

Disclosure of Protected Health Information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.

Treatment

The provision, coordination or management of health care and related services by one or more health care providers including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

Workforce

Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

Additional Information

This page is maintained by dkp.