Use and Disclosure of Protected Health Information: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
Line 63: | Line 63: | ||
#The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the patient who is the subject of such PHI. | #The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the patient who is the subject of such PHI. | ||
===Payment=== | ===Payment=== | ||
Nebraska Medicine/UNMC may disclose | Nebraska Medicine/UNMC may disclose PHI to another provider or covered entity for its [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information. | ||
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure. | #Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of HIM should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure. | ||
#The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes. | #The minimum necessary standard does apply to disclosures to another provider or covered entity for its payment purposes. | ||
Line 75: | Line 75: | ||
#The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it. | #The minimum necessary standard does apply to a disclosure of PHI to another health care provider for its health care operations purposes. Therefore, limit the information accessed or disclosed to the minimum necessary for the operational purposes of the party receiving it. | ||
===Incidental Disclosures=== | ===Incidental Disclosures=== | ||
Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties. | Nebraska Medicine/UNMC may use and disclose PHI for permitted purposes, even though doing so may result in incidental disclosure to third parties. In such cases, the following standards should be met: | ||
#The unintended disclosure of PHI must be a consequence of a permitted use or disclosure. | #The unintended disclosure of PHI must be a consequence of a permitted use or disclosure. | ||
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable. | #The permitted disclosure of PHI must have met the minimum necessary standard, as applicable. | ||
Line 84: | Line 84: | ||
##Pull the dividers or partitions between the patient and other patients or visitors; and | ##Pull the dividers or partitions between the patient and other patients or visitors; and | ||
##Ask if the patient would prefer to talk in a more private location. | ##Ask if the patient would prefer to talk in a more private location. | ||
===Disclosures to the Patient=== | |||
Nebraska Medicine/UNMC may disclose PHI to the patient or his/her Personal Representative. | Nebraska Medicine/UNMC may disclose PHI to the patient or his/her Personal Representative. | ||
The patient has a right to see and obtain copies of PHI maintained in the patient’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]. | The patient has a right to see and obtain copies of PHI maintained in the patient’s designated record set. Information, including billing information, may be sent to a minor for treatment to which the minor appropriately consented. (See UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]. | ||
#For | #For Other Disclosures to Patient | ||
##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways: | ##For disclosures in written or electronic form, staff should document the disclosure/release in one of the following ways: | ||
###Notation in the medical, billing or other record from which the material was obtained | ###Notation in the medical, billing or other record from which the material was obtained | ||
Line 100: | Line 100: | ||
#The minimum necessary standard does not apply to disclosures to the patient. | #The minimum necessary standard does not apply to disclosures to the patient. | ||
===Disclosures to Family, Friends and Others=== | ===Disclosures to Family, Friends and Others=== | ||
====Facility Directory | ====Facility Directory==== | ||
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the patient by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy # | Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the patient by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #''' | ||
====Disclosures with | ====Disclosures with Patient’s Permission==== | ||
#You may disclose PHI to the patient in the presence of others if the patient is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient. | #You may disclose PHI to the patient in the presence of others if the patient is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient. | ||
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the patient's care or | #When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the patient's care or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for care. | ||
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. | #Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the patient’s care. They may simply be visiting the patient. Therefore, try to give the patient every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence. | ||
#Do not rely on this authority if the patient is incapacitated or otherwise unable to agree or object to such disclosure. | #Do not rely on this authority if the patient is incapacitated or otherwise unable to agree or object to such disclosure. | ||
====Disclosures Based on Role or Involvement in Patient Care==== | ====Disclosures Based on Role or Involvement in Patient Care==== | ||
#Follow this policy when disclosing | ##Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the patient’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you: | ||
##Talk to the patient’s child, other relative, or friend who customarily drives the patient to appointments to confirm the date and time of the next appointment. | |||
##Give an involved family member the patient’s prescription, so the family member can fill it for the patient. | |||
##Talk to a family member at discharge, if they play a role in post-discharge care. | |||
##Talk to the patient’s spouse to obtain information necessary to file a claim through the spouse’s group plan. | |||
##Talk to a family member or friend when the patient indicates you can or should do so, e.g., if the person accompanies the patient for an appointment or procedure, or is invited and present at admission or discharge. | |||
#If the patient is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following: | |||
##Obtain the patient’s consent to such disclosure; | |||
##Provide the patient with an opportunity to object, and disclose only if the patient does not object; or | |||
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object. | |||
#If the patient is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the patient. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br /> | |||
Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual. | |||
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient. | |||
====Disclosure for Notification Purposes==== | |||
Nebraska Medicine/UNMC may disclose PHI about a patient in order to notify family, friends or others of the patient’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps: | |||
#Ask the patient, if possible, whether he or she consents to such disclosure and rely on what the patient says.# | |||
#If the patient is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the patient’s care, and make an effort to limit contact to them. | |||
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom. | |||
#When the patient has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the patient’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the patient’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the patient’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information. | |||
===Uses/Disclosure of PHI for Electronic Health Information Exchanges=== | |||
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved Health Information Exchanges (HIEs). Members of the Workforce may not access their own medical records via the HIE. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The Enterprise Applications Executive Director '''need email or dept contact info''' authorizes individual access to the HIE. The ACE is a member of the following HIEs: | |||
====CyncHealth (Previously NeHII)==== | |||
CyncHealth participants may access CyncHealth PHI pursuant to [https://cynchealth.org/privacy-security/ CyncHealth’s Privacy and Information Security Policies and Procedures]. If unsure as to whether a particular use or disclosure is permissible, contact the [mailto:privacy@nebraskamed.com Privacy Office]. | |||
====Epic-integrated HIE Software==== | |||
Epic-integrated HIE Software, includes but is not limited to Care Everywhere. Use or disclosure of PHI available via Care Everywhere is generally restricted to treatment purposes only per Epic’s current Rules of the Road agreement. It generally may not be used for payment, health care operations or any other purposes, regardless if otherwise permitted under HIPAA. | |||
====eHealth Exchange==== | |||
#Includes federal and non-federal organizations. Veterans Administration (VA) is a participant of this HIE. Members of the ACE access this HIE via Care Everywhere; as such, PHI obtained via the eHealth Exchange generally may only be used or disclosed for treatment purposes. | |||
#All users of the eHealth Exchange are required to cooperate with Nebraska Medicine/UNMC on related investigations or issues; request, use and disclose eHealth Exchange message content only for treatment purposes; comply with all applicable laws and report any suspected breach of PHI to the Privacy Office immediately. Users must not disclose passwords or any other security measures to anyone. | |||
===Business Associate Agreements/Addendums=== | |||
Nebraska Medicine/UNMC shall enter into a Business Associate Agreement with each outside entity performing services on its behalf before disclosing PHI to such entity (see UNMC Policy No. 8009, [[Contracts]] or Contract Management policy, FN18). | |||
===Use/Disclosure of PHI for Training Healthcare Professionals === | |||
See UNMC Policy No. 6303, [[Use and Disclosure of PHI for Training Health Care Professionals]] | |||
Nebraska Medicine/UNMC may access and disclose PHI through ACE-approved HIEs. | |||
Nebraska Medicine/UNMC shall enter into a | |||
IX. Use/Disclosure of PHI Permitted/Required by Law | IX. Use/Disclosure of PHI Permitted/Required by Law | ||
Please reference Disclosures of PHI As Permitted or Required by Law policy. | Please reference Disclosures of PHI As Permitted or Required by Law policy. | ||
Line 335: | Line 320: | ||
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See [[Protected_Health_Information_(PHI)#Use.2FDisclosure_of_PHI_for_Research|Use and Disclosure of PHI for Research]].<br /> | '''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See [[Protected_Health_Information_(PHI)#Use.2FDisclosure_of_PHI_for_Research|Use and Disclosure of PHI for Research]].<br /> | ||
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the | '''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the | ||
==Additional Information== | ==Additional Information== | ||
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?''' | *Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?''' |