Use and Disclosure of Protected Health Information: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 37: Line 37:
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.
== Policy ==  
== Policy ==  
Nebraska Medicine/UNMC shall limit the use and disclosure of Protected Health Information (PHI) to the right people, for the right purposes, with the right authority, and always subject to reasonable safeguards -- all as defined by the [https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)] and Nebraska Medicine/UNMC policies.  
Nebraska Medicine/UNMC shall limit the use and disclosure of Protected Health Information (PHI) to the right people, for the right purposes, with the right authority, and always subject to reasonable safeguards -- all as defined by the [https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)]. Health Insurance Portability and Accountability Act of 1996 (HIPAA)] and Nebraska Medicine/UNMC policies.  
==Purpose==
==Purpose==
To establish guidelines for the use and disclosure of PHI.  
To establish guidelines for the use and disclosure of PHI.  
Line 44: Line 44:
#The use or disclosure of PHI must be in accordance with the [https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices].
#The use or disclosure of PHI must be in accordance with the [https://www.nebraskamed.com/patients/rights-responsibilities/notice-privacy-practices Nebraska Medicine/UNMC Notice of Privacy Practices].
#The Workforce member using or disclosing the PHI must do so only as necessary to perform assigned duties.
#The Workforce member using or disclosing the PHI must do so only as necessary to perform assigned duties.
#The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy, and the Authorized Consenting Persons section of the Consents and Permits policy.) '''need Nebr Med policy #s'''
#The person or entity to which PHI is disclosed must be authorized to receive it and their identity and authority must be verified prior to such disclosure. (See Verification and Authority policy, and the Nebraska Medicine Consents and Permits policy, MS14, Authorized Consenting Persons section.) '''need Nebr Med policy #s'''
#Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
#Use and disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of such use or disclosure. (See Minimum Necessary section below.)
#Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.) '''need Nebr Med policy #'''
#Uses and disclosures of PHI may be subject to requests for confidential communications. (See Confidential Address policy.) '''need Nebr Med policy #'''
#If a disclosure of PHI is subject to a patient’s right to an accounting, it must be documented per UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]. Also note the documentation requirements listed throughout this policy and associated policies.  
#If a disclosure of PHI is subject to an Individual’s right to an accounting, it must be documented per UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]. Also note the documentation requirements listed throughout this policy and associated policies.  
#Requests for uses and disclosures of PHI that are not clearly addressed in Nebraska Medicine/UNMC policies must be considered and resolved by a designated decision-maker. The [mailto:debrbishop@nebraskamed.com Privacy Officer] is the designated decision-maker unless someone else is designated by the [mailto:privacy@nebraskamed.com Privacy Office] (at 402-559-5136) for a particular policy or situation. (See Consents and Permits policy.) '''need Nebr Med policy #'''
#Requests for uses and disclosures of PHI that are not clearly addressed in Nebraska Medicine/UNMC policies must be considered and resolved by a designated decision-maker. The [mailto:debrbishop@nebraskamed.com Privacy Officer] is the designated decision-maker unless someone else is designated by the [mailto:privacy@nebraskamed.com Privacy Office] (at 402-559-5136) for a particular policy or situation. (See Nebraska Medicine Consents and Permits policy, MS14.)  
#All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
#All uses and disclosures of PHI should be made in accordance with safeguards adopted by Nebraska Medicine/UNMC to further protect the privacy of PHI.
#Improper uses and disclosures of PHI should be immediately brought to Privacy Office’s attention so it can consider and facilitate the implementation of any effective mitigation or remedial steps.
#Improper uses and disclosures of PHI should be immediately brought to Privacy Office’s attention so it can consider and facilitate the implementation of any effective mitigation or remedial steps.
#All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures.   
#All members of the Workforce are required to be familiar with the policies and procedures which affect them in their role at Nebraska Medicine/UNMC and will be held accountable for their individual compliance with such policies and procedures.   
==Procedures==
==Procedures==
Protected Health Information (PHI) may be used and disclosed within the [ Affiliated Covered Entity (ACE)] for each member’s own treatment, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] and [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Care_Operations_2 Health Care Operations] if it has or is about to have a treatment relationship with the patient supporting its need for such use or disclosure of such information, without having to obtain the patient’s authorization. ACE entities also may share PHI with one another without patient authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />
Protected Health Information (PHI) may be used and disclosed within the [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Affiliated_Covered_Entity_.28ACE.29 Affiliated Covered Entity (ACE)] for each member’s own treatment, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] and [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Health_Care_Operations_2 Health Care Operations] if it has or is about to have a treatment relationship with the Individual supporting its need for such use or disclosure of such information, without having to obtain the Individual’s authorization. ACE entities also may share PHI with one another without Individual authorization as permitted by HIPAA and necessary for the delivery of health care treatment, payment and operations. <br />


Members of the Workforce may access patient information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose. Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
Members of the Workforce may access Individual information for a current, work-related purpose, and shall access only those portions of the medical record as required for the current, work-related purpose. Members of the Workforce shall not access or alter their own medical record. (See UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information].)
===Treatment===
===Treatment===
Nebraska Medicine/UNMC may disclose PHI to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information.   
Nebraska Medicine/UNMC may disclose PHI to another health care provider for its treatment purposes if the requesting provider has or is about to have a treatment relationship with the Individual to be entitled to the information.   
#If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes.   
#If the requesting provider is a member of Nebraska Medicine/UNMC’s medical staff, no further verification of the relationship is needed, and the information may be shared for the requesting provider’s treatment purposes.   
#If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the patient was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
#If the request is from a health care provider who is not a member of Nebraska Medicine/UNMC’s medical staff, Nebraska Medicine/UNMC staff should request confirmation that there is a treatment relationship or determine, based on the medical record, that there is a treatment relationship. For example, if the record includes documentation that the Individual was brought by the local emergency squad, the treatment relationship between Nebraska Medicine/UNMC and the EMS provider is confirmed.
#Release/disclosure of patient information should be documented by the department/Workforce member releasing the information. Releases of information outside of the Health Information Management department (HIM) should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#Release/disclosure of Individual's information should be documented by the department/Workforce member releasing the information. Releases of information outside of the Health Information Management department (HIM) should be documented in the medical record, such as by using Epic/One Chart’s Quick Disclosure.
#The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the patient who is the subject of such PHI.
#The minimum necessary standard does not apply to disclosures of PHI made to another health care provider for treatment purposes involving the Individual who is the subject of such PHI.
===Payment===
===Payment===
Nebraska Medicine/UNMC may disclose PHI to another provider or covered entity for its [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.
Nebraska Medicine/UNMC may disclose PHI to another provider or covered entity for its [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] purposes after confirming that the other provider or covered entity has a treatment relationship that supports the request for information.
Line 79: Line 79:
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
#The permitted disclosure of PHI must have met the minimum necessary standard, as applicable.
#Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
#Workforce members must have employed reasonable safeguards to prevent the unintended disclosure of PHI:
##Use common sense and judgment--look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside patient rooms should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; patients in public areas or being transported should be draped in a manner that respects the patient’s modesty or dignity).
##Use common sense and judgment--look for ways to lessen the risk and any potential impact of an incidental disclosure (e.g., signage visible outside Individual's room should not contain PHI, except information necessary for safe clinical care, such as infection control and fall precaution notices; Individuals in public areas or being transported should be draped in a manner that respects the Individual’s modesty or dignity).
##Speak in a lower voice;
##Speak in a lower voice;
##Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of patients receiving treatment through the use of curtains or other visual barriers whenever possible);
##Provide more privacy through partitions and room arrangements (e.g., protect the visual privacy of Individuals receiving treatment through the use of curtains or other visual barriers whenever possible);
##Pull the dividers or partitions between the patient and other patients or visitors; and
##Pull the dividers or partitions between the Individual and other patients or visitors; and
##Ask if the patient would prefer to talk in a more private location.
##Ask if the Individual would prefer to talk in a more private location.
===Disclosures to the Individual===
===Disclosures to the Individual===
Nebraska Medicine/UNMC may disclose PHI to the Individual or his/her Personal Representative.   
Nebraska Medicine/UNMC may disclose PHI to the Individual or his/her Personal Representative.   
Line 103: Line 103:
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the Individual by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #'''
Nebraska Medicine/UNMC may include limited information about an Individual in the facility directory or census and may disclose that information to people who ask about the Individual by name, or to members of the clergy, in accordance with applicable policies. (See Private Designation policy, for additional details.) '''need Nebr Med policy #'''
====Disclosures with Individual’s Permission====
====Disclosures with Individual’s Permission====
#You may disclose PHI to the Individual in the presence of others if the Individual is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the patient does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the patient.
#You may disclose PHI to the Individual in the presence of others if the Individual is asked and consents or is given a chance to object and does not verbally object to such disclosure and you reasonably infer from the circumstances that the Individual does not object. Disclosures of sensitive information, such as mental health or sexually transmitted disease diagnoses, should only be disclosed with the permission of the Individual.
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the Individual's care or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for care.
#When relying on this authority, disclose only the minimum amount of information needed to achieve the purpose of the disclosure, unless you know that the individuals present are all involved in the Individual's care or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for care.
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the Individual’s care. They may simply be visiting the Individual. Therefore, try to give the Individual every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
#Remember – people who are present when a disclosure of PHI is made may be mere friends, visitors or onlookers. They may have no role in the Individual’s care. They may simply be visiting the Individual. Therefore, try to give the Individual every opportunity to agree or object to a disclosure of his or her PHI when it will otherwise be made in their presence.
Line 110: Line 110:
##Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the Individuals’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you:
##Follow this policy when disclosing PHI to a person other than a Personal Representative whom you believe plays a role in the Individuals’s health care (or [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information#Payment_2 Payment] for health care). For example, follow this policy when you:
##Talk to the Individual’s child, other relative or friend who customarily drives the Iatient to appointments to confirm the date and time of the next appointment.
##Talk to the Individual’s child, other relative or friend who customarily drives the Iatient to appointments to confirm the date and time of the next appointment.
##Give an involved family member the Individual’s prescription, so the family member can fill it for the patient.
##Give an involved family member the Individual’s prescription, so the family member can fill it for the Individual.
##Talk to a family member at discharge, if they play a role in post-discharge care.
##Talk to a family member at discharge, if they play a role in post-discharge care.
##Talk to the Individual’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
##Talk to the Individual’s spouse to obtain information necessary to file a claim through the spouse’s group plan.
Line 116: Line 116:
#If the Individual is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:
#If the Individual is available prior to a disclosure and has the capacity to make health care decisions, explain the proposed disclosure and do one of the following:
##Obtain the Individual’s consent to such disclosure;
##Obtain the Individual’s consent to such disclosure;
##Provide the Individual with an opportunity to object, and disclose only if the patient does not object; or
##Provide the Individual with an opportunity to object, and disclose only if the Individual does not object; or
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the Individual does not object.
##Reasonably infer from the circumstances, based on the exercise of professional judgment, that the Individual does not object.
#If the Individual is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the Individual. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />
#If the Individual is not available prior to the disclosure, use and document professional judgment to determine whether the disclosure would be in the best interest of the Individual. If so, disclose only the PHI directly relevant to the recipient’s involvement in the Individual’s health care. A code or password should not be used as a substitute for use of professional judgement to determine an Individual’s involvement in the patient's care to disclose information relevant to the Individual’s involvement. <br />
''Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.''
''Nebraska Medicine/UNMC may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the Individual.''
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the patient.
#These procedures are not applicable to Personal Representatives because they generally have the same access to information as the Individual.
====Disclosure for Notification Purposes====
====Disclosure for Notification Purposes====
Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the patient’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
Nebraska Medicine/UNMC may disclose PHI about an Individual in order to notify family, friends or others of the Individual’s whereabouts, general condition or death. In these cases, Nebraska Medicine/UNMC may not know the details of the involvement of others in the patient’s care or payment for care. Therefore, in these cases, try to follow these steps:
#Ask the Individual, if possible, whether they consent to such disclosure and rely on what the patient says.
#Ask the Individual, if possible, whether they consent to such disclosure and rely on what the patient says.
#If the Individual is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the Individual’s care, and make an effort to limit contact to them.
#If the Individual is not able or available, make an effort to determine from the record the identity of others who may be Personal Representatives or involved in the Individual’s care, and make an effort to limit contact to them.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Consents and Permits policy '''need Nebr Med policy #''' ). Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#If following the above steps does not work, use your best judgment in making contact with family, friends or others for notification purposes. Try asking for the person by order of priority (See Nebraska Medicine Consents and Permits policy, MS14.) Try to limit disclosures to individuals in the highest priority you can locate. In the end, use your best professional judgment in deciding how much you can say and to whom.
#When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
#When the Individual has been deemed not competent, and is not expected to regain competence, and no family or friend has been located to act on the Individual’s behalf, Care Transitions and/or Pastoral Services staff may reach out to resources, such as the Individual’s landlord or employer (if known), agencies contracted for such purposes with the assistance of Legal Services, or local enforcement. In all such cases, the disclosure of PHI shall be limited solely to the Individual’s name and date of birth unless permission has been obtained from the [mailto:privacy@nebraskamed.com Privacy Office] to disclosure additional information.
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
====Uses/Disclosure of PHI for Electronic Health Information Exchanges====
Line 243: Line 243:
#The minimum necessary standard does not apply to disclosures to disaster relief agencies.
#The minimum necessary standard does not apply to disclosures to disaster relief agencies.
===Authorization Generally Required for All Other Uses/Disclosures===
===Authorization Generally Required for All Other Uses/Disclosures===
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Consents and Permits policy,) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into unmc policy # 6059, access to designated record set.
Unless otherwise permitted by this policy, any use or disclosure of PHI is prohibited unless the patient or the patient’s representative (see Nebraska Medicine Consents and Permits policy, MS14) signs an authorization specifically permitting the use/disclosure (e.g., Form CON-MR-0074, CON-MR-1900) '''need URL for forms'''. Restrictions on the use and disclosure of psychotherapy notes are explained in the Psychotherapy Notes policy is that policy being redone, or is it being incorporated into unmc policy # 6059, access to designated record set.
===Compound Authorizations===
===Compound Authorizations===
An authorization for use or disclosure of PHI generally may not be combined with any other document to create a compound authorization, except in the following cases:  
An authorization for use or disclosure of PHI generally may not be combined with any other document to create a compound authorization, except in the following cases:  
Line 275: Line 275:
The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of a HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health Information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems.   
The electronic movement of health-related information among organizations according to nationally recognized standards. The goal of a HIE is to facilitate health care providers’ access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. Health Information exchange organizations (HIOs) provide the capability to electronically move information between disparate health care information systems.   
===Individual===
===Individual===
The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14).
The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)
===Payment===
===Payment===
Activities undertaken by a health care provider or health plan to obtain premiums, to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or to obtain or provide reimbursement for the provision of health care. Some of these types of activities include determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), billing, collection activities, claims management, medical necessity determinations, utilization review activities including pre-certification and pre-authorization of services, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above-listed activities.  
Activities undertaken by a health care provider or health plan to obtain premiums, to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or to obtain or provide reimbursement for the provision of health care. Some of these types of activities include determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), billing, collection activities, claims management, medical necessity determinations, utilization review activities including pre-certification and pre-authorization of services, disclosure to consumer reporting agencies related to collection of premiums or reimbursement and health care data processing related to the above-listed activities.  
===Personal Representative ===
===Personal Representative ===
A person who, under HIPAA or State law, is empowered to act or exercise rights on behalf of an Individual. (See Nebraska Medicine Consents and Permits policy, MS14)  
A person who, under HIPAA or State law, is empowered to act or exercise rights on behalf of an Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)  
===Protected Health Information (PHI)===
===Protected Health Information (PHI)===
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
Line 304: Line 304:
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*Contact the [mailto:debrbishop@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136 '''is this phone # still correct?'''
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
'''*UNMC Policy No. 6066, [[Psychotherapy Notes]] is this being deleted or kept? If being kept, it should be reviewed, even if not changed.'''
*'''UNMC Policy No. 6066, [[Psychotherapy Notes]] is this being deleted or kept? If being kept, it should be reviewed and review date note on policy 6066, even if not changed.'''
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT Request for Electronic Health Data] Form
*Nebraska Medicine Consents and Permits policy, MS14.
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment, and Health Care Operations]
*[http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html Uses and Disclosures for Treatment, Payment, and Health Care Operations]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf University of Nebraska Executive Memorandum No. 27]
*[http://nehii.org/index.php?option=com_docman&Itemid=59 NeHII Privacy and Information Security Policies and Procedures]
*[http://nehii.org/index.php?option=com_docman&Itemid=59 NeHII Privacy and Information Security Policies and Procedures]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]  
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]  
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]  
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]  


This page is maintained by [mailto:dpanowic@unmc.edu dkp].
This page is maintained by [mailto:dpanowic@unmc.edu dkp].