Use and Disclosure of Protected Health Information: Difference between revisions

Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Confidential Information | Protected Health Information (PHI) | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information

POLICY NO: 6057
EFFECTIVE DATE: 03/17/03
REVISED DATES: 02/04/2010, 05/29/2013
LAST REVIEWED DATE: 05/29/2013

Basis for Policy

To establish guidelines for the use and disclousre of protected health information (PHI) in accordance with HIPAA. (45 CFR 164.502)

Policy

The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with HEalth Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.

Definitions

Treatment means the provision, coordination of management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.

Payment means activities undertaken by a healthcare provider or health plan to obtain reimbursement for the provision of healthcare. Activities include determinations of insurance coverage, premiums, provision of benefits under a health plan, adjudication of health benefit claims, billing, collection activities, claims management, medical data processing, medical necessity determinations, utilization review activities including pre-certification and pre-authorization, disclosure to consumer reporting agencies related to collection of premiums or reimbursement, and healthcare data processing related to the above listed activities

Healthcare operations means the following activities related to UNMC’s function as an affiliated healthcare provider and sponsor of a self-insured health plan:

1. Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; otherwise these activities may be classified as research if PHI is included
2. Population-based activities relating to improving health or reducing health care costs
3. Protocol development
4. Contacting of health care providers and patients with information about treatment alternatives
5. Case management and care coordination
6. Risk assessment
7. Reviewing the competence or qualifications and accrediting/licensing of healthcare providers and plans
8. Training future healthcare professionals (students and residents)
9. Conducting or arranging for legal services
10. Business planning and development
11. Business management activities
12. General administrative and business functions
13. Conducting or arranging for medical review and auditing services
14. Insurance activities relating to the renewal of a contract of insurance
15. Evaluating healthcare provider and plan performance
16. Resolution of internal grievances
17. Fundraising

Protected Health Information (PHI) is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that

1. Is created or received by ACE; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.

Protected Health Information includes genetic information containing individual identifiers which are defined as:

1. Information about an individual's gentic tests; or
2. The genetic tests of family members of the individual; or
3. The manifestation of a disease or disorder in family members of such individual (i.e., family medical history)

Protected health information excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years.

Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.

Affiliated Covered Entity (ACE) means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.

Individual means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.

Marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing

Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research

Sale of Protected Health Information means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information

Procedures

Use/Disclosure of PHI Related to Healthcare

Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.

1. Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.
2. The ACE may disclose a decedent’s PHI to family member and other who were involved in the care of payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.

The ACE may disclose PHI for the treatment activities of a healthcare provider.

The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.

UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that required PHI to perform the services. See Contracts Policy.

Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See Notice of Privacy Practices Policy.

Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:

1. Use of their name, location and general condition in the facility directory.
2. Disclosure of religious affiliation to clergy members.
3. Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment.

Request for restrictions. Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.

1. All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Medical Director of Information Technology for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.
2. Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.

Use/Disclosure of PHI RElated for Trainign Healthcare Professionals

Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.

Use/Disclosure of PHI Permitted/Required by Law

Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:

1. Disclosure required by law
2. Disclosures for public health activities when the public health authority is authorized by law to receive reports; (i.e., controlling disease; vital events such as birth/death; public health surveillance; FDA device tracking; requests related to workers’ compensation)
   1. Disclosures to a school, limted to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.
3. Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.
4. Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes.
5. Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.
6. Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.
7. Disclosure about decedents to medical examiners and coroners consistent with law.
8. Disclosures to funeral directors, consistent with law to carry out their duties regarding decedents.
9. Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations.
10. Disclosures to prevent serious threat to health or safety consistent with applicable law.
11. Disclosures about military personnel to military command authority in limited circumstances.

This page updated on Monday, February 16, 2004, by dkp.