Use and Disclosure of Protected Health Information: Difference between revisions

:#Disclosures about military personnel to military command authority in limited circumstances.


===Use/Disclosure of PHI for Law Enforcement Purposes===
PHI may be disclosed to law enforcement under the following circumstances:
:#Law requires reporting violent wounds to law enforcement
:#A valid subpoena or warrant is presented (contact the Health Information Management Department during normal business hours, or the Resource Coordinator or Administrator on call after normal business hours)
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person.  May provide the following information only:  name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date of death, and distinguishing characteristics.
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent.  If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement.  Use professional judgment.
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.
:#Crime (or suspected crime) occurred on UNMC campus.
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (e.g. accident scene involving hit-and-run, etc.)


===Use/Disclosure of PHI for Marketing===
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization.  Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.  If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.
Additionally, the following activities are not marketing under HIPAA:
:#Communication for treatment of the individual.
:#Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual.
:#Providing refill reminders or otherwise communicating about a drug or biological that is currently being prescribed for the individual, only if any financial remuneration received by UNMC in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication (such as the cost of mailing); and
:#Communications to describe the health-related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health-related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits
Uses and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization.  The authorization must state that UNMC will receive remuneration for the marketing activity.
===Use/Disclosure of PHI for Fundraising===
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved. Fundraising involving PHI should be coordinated with the NU Foundation. Only the following patient information may be used or disclosed to business associates and institutionally-related foundations for fundraising:
:#Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth
:#Dates of healthcare provided to an individual
:#Department of service information
:#Treating physician
:#Outcome information; and
:#Health insurance status
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization. 
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising.  The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt out without incurring costs.  If an individual opts out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.
===Use/Disclosure of PHI for Research===
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval.  See UNMC Human Research Protection Policies and Procedures.  The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA. 
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI.  The form is located at: http://www.unmc.edu/cctr/ehr_research.htm
===Sale of Protected Health Information===
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale.  This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information.  Sale of protected health information does not include a disclosure of PHI:
:#For public health purposes
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
:#For treatment and payment purposes
:#To an individual where the individual is requesting access to their own PHI
:#Required by law; and
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.  The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.
De-identified data is not PHI and therefore is not subject to the remuneration prohibition.  However, limited data sets are PHI and are subject to this provision.
===Authorization Required for all other Uses/Disclosures===
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074).  Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Note policy.
===Minimum Necessary===
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. [45 CFR 164.502(b)]
:#Role-based Access; access to PHI shall be based on role performed as specified in the following:
:##Computer security matrices maintained by electronic health record system security and other system administrators listing staff roles, job codes/titles and associated levels of access to PHI
:#Individuals who are performing treatment, payment and healthcare operations functions on behalf of UNMC, or who require access as otherwise specified by the individual’s position description, may have access to the entire medical record to perform assigned duties.
:#Use/Disclosure of PHI: Departments who provide PHI in response to requests shall ensure the minimum necessary requirements are met.
:##Routine/recurring disclosures: department managers who routinely release PHI on a recurring basis shall establish minimum necessary written protocols for standard releases of PHI internally and externally (e.g. Health Information Management, Decision Support Departments, etc.).
:##Non-routine disclosures:  department managers shall review non-routine requests for PHI on an individual basis and verify that minimum necessary requirements are met.
:#The following uses/disclosures of PHI are not subject to the minimum necessary requirement:
:##Disclosures to healthcare providers for treatment purposes
:##Disclosures required by law
:##Disclosures made to the individual or pursuant to an authorization initiated by the individual
:##Disclosure made to the Secretary of HHS for enforcement purposes
:##Electronic data elements transmitted in electronic claims
===Limited Data Set===
A limited data set of PHI may be used and disclosed for the purposes of research, public health or healthcare operations, provided that it excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:
:#Names
:#Postal address information, other than town or city, state or zip code
:#Telephone numbers
:#Fax numbers
:#Electronic mail addresses
:#Social security numbers
:#Medical record numbers
:#Health plan beneficiary numbers
:#Account numbers
:#Certificate/license numbers
:#Vehicle identifiers and serial numbers, including license numbers
:#Device identifiers and serial numbers
:#Web Universal Resource Locators (URLs)
:#Internet Protocol (IP) address numbers
:#Biometric identifiers, including finger and voice prints; and
:#Full face photographic images and any comparable images
The recipient of the limited data set must enter into a data use agreement.  If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.




This page updated on Monday, February 16, 2004, by dkp.