|
|
 |
|
|
Section 6 Compliance Policies
Subject 6.2 Privacy Related
Policy 6.2.0 General Policy on the Use and Disclosure of PHI
|
04/11/03 -Originated
10/08/07 -Reviewed w/changes
Compliance Office - Author
|
General Policy on the Use and Disclosure of PHI
|
Definitions
|
Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic. Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual. Demographic information on patients is also considered PHI.
Use: The sharing, utilization, examination, or analysis of information that identifies, or reasonably can be used to identify, a patient within UTMB.
Disclosure: The release of , transfer of , provision of access to, or divulging in any other manner information outside UTMB.
Treatment: The provision, coordination, or management of health care related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or for the referral of a patient for health care from one health care provider to another.
Payment: Any activities undertaken either by a health plan or by a health care provider to obtain premium or fulfill its responsibility for coverage and the provision of benefits or to obtain or provide reimbursement for the provision of health care. These activities include, but are not limited to:
• Determining eligibility, and adjudication or subrogation of health benefit claims
• Risk adjusting amounts due based on enrollee health status and demographic characteristics
• Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care processing
• Review of healthcare services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges
• Utilization review activities, including pre-certification and preauthorization services, concurrent and retrospective review
|
Definitions, continued
|
• of services
• Disclosure to consumer reporting agencies of certain Protected Healthcare Information (PHI) relating to collection of premiums or reimbursement.
Health care operations: Any one of the following activities to the extent the activities are related to providing health care:
• Conducting quality assessment and improvement activities
including outcomes, evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting patients with information about treatment alternatives, and related functions that do not involve treatment
• Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities
• Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care
• Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs
• Business planning and development, such as conducting cost management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or covered policies
• Business management and general administrative activities:
• Management activities related to HIPAA compliance
• Customer Service
• Resolution of internal grievances
• Sale, transfer, merger, or consolidation of covered entities,
|
|
Definitions (cont’d)
|
creating de-identified health information or limited data set, and fundraising for the benefit of UTMB
Minimum Necessary: When using or disclosing PHI or when requesting PHI from another health care provider or health organization, UTMB personnel must limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Minimum Necessary does not apply in the following circumstances:
1. Disclosures by a health care provider for treatment (students and trainees are included as health care providers for this purpose)
2. Uses and Disclosures based upon a valid authorization to use and disclose PHI
3. Disclosures made to the Secretary of Health and Human Services
4. Uses and disclosures required by law
5. Uses and disclosures required by other sections of the HIPAA privacy regulations.
Workforce: Under HIPAA, this means employees, volunteers, trainees, and other persons under the direct control of a covered entity, whether or not they are paid by the covered entity.
|
Policy
|
UTMB, in an effort to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), maintains that patient information must be kept private and confidential.
Violation of this policy may result in disciplinary action up to and including termination for employees; a termination of employment relationship in the case of contractors or consultants; or suspension or expulsion in the case of a student. Additionally, individual may be subject to loss of access privileges and civil and/or criminal prosecution.
|
Use and Disclosure of PHI for TPO Purposes
|
UTMB may use and disclose PHI without an authorization for:
1. UTMB’s own treatment, payment, or healthcare operations (TPO)
2. Treatment activities of another health care provider
3. The payment activities of another covered entity or healthcare provider
The healthcare operation activities of another covered entity or health care provider, if each entity has or had a relationship
|
Use and Disclosure of PHI for TPO Purposes, continued
|
with the individual who is the subject of the PHI being requested, and the disclosure is:
a. For a purpose listed in the definition of health care operations
b. For the purpose of health care fraud and abuse detection or compliance
However, UTMB and its employees must limit PHI use and disclosure to the “Minimum Necessary” amount of information required to complete the desired task. For more information on the Minimum Necessary standard, please refer to IHOP Policy 6.2.14, Minimum Necessary Use and Disclosure of PHI.
|
Use and Disclosure of PHI for non-TPO Purposes
|
UTMB may not use and disclose PHI for non-TPO purposes, unless UTMB has obtained a valid authorization for disclosure of PHI
from the patient or unless the disclosure meets at least one of the conditions outlined in the following policies:
• IHOP Policy 6.2.16, Permitted Use and Disclosure of PHI in Special Situations
• IHOP Policy 6.2.4, Use and Disclosure for Patient Directories
• IHOP Policy 6.2.20, Use and Disclosure of PHI for Judicial or Administrative Proceedings
• IHOP Policy 6.2.7, Use and Disclosure for Disaster Relief Purposes
For the use and disclosure of PHI for non-TPO purposes requiring a valid authorization signed by the patient or personal representative of the patient, please refer to the IHOP Policy 6.2.1, Use and Disclosure of PHI based on Patient Authorization.
PHI shall not be communicated to, or accessed by, any person (including healthcare givers) unless that person has a clear need to know (e.g., other physicians and personnel under the direction of the physician who are participating in the diagnosis, evaluation, or treatment of the patient).
Communicating confidential patient information inappropriately, carelessly, or negligently (e.g., casual discussion regarding a patient,
discussion in public areas, and/or unauthorized release of information
while on or off campus) is a breach of confidentiality.
|
Use and Disclosure of PHI for non-TPO Purposes, continued
|
Please refer to the IHOP Policy 6.2.36, Maintaining Patient Confidentiality for a more detailed explanation on the appropriate and inappropriate use and disclosure of PHI.
|
References
|
45 C.F.R. §164.501
Institutional Handbook of Operating Procedures Policies:
6.2.1, Use and Disclosure of PHI based on Patient Authorization
6.2.4, Use and Disclosure for Patient Directories
6.2.7, Use and Disclosure for Disaster Relief Purposes
6.2.14, Minimum Necessary Use and Disclosure of PHI
6.2.16, Permitted Use and Disclosure of PHI in Special Situations
6.2.20, Use and Disclosure of PHI for Judicial or Administrative Proceedings
6.2.36, Maintaining Patient Confidentiality
|
|
|
