|
|
 |
|
UTMB HANDBOOK OF OPERATING PROCEDURES
|
Section 6 Compliance Policies
Subject 6.2 Privacy Related
Policy 6.2.1 Use and Disclosure of PHI Based on Patient Authorization
|
04/11/03 - Originated
10/08/07 -Reviewed w/ changes
- Reviewed w/o changes
Compliance Office - Author
|
Use and Disclosure of PHI Based on Patient Authorization
|
Definitions
|
Authorization: An "authorization" allows for the use and disclosure of PHI for purposes other than Treatment, Payment, and Healthcare Operations (TPO).
Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.
Medical Record Custodian: The person or department responsible for the maintenance, retention, access, data integrity, and data quality of Protected Healthcare Information (PHI); including protecting patient privacy and providing information security, analyzing clinical data for research and public policy, preparing PHI for accreditation surveys, and complying with standards and regulations regarding PHI.
Referring Physician: The source behind a particular episode of health care. The referring physician may be the primary care physician, may be a faculty member, and may be the consulting physician to whom the primary care physician referred the patient.
Primary Care Physician: The regular source of health care to whom a patient goes for regular check ups, when sick or for on-going health care. A primary care physician may also be the family practitioner. The primary care physician may be a facility such as a clinic or a health department or a senior center.
Unit Medical Record (UMR): The UTMB medical record maintained by the Health Information Management (HIM)Department that is designed to contain a composite of all significant hospital and clinical information gathered on a given patient, whether as an inpatient, outpatient, or emergency care patient. Portions of the UMR may be housed at various locations throughout the UTMB system. The UMR has a permanent retention schedule.
Case Management Record/Shadow Medical Record (CMR): The medical record maintained by a specific physician or department, other than HIM. This record includes duplicate information also found in the
|
Definitions, continued
|
UMR. A CMR does not contain any pertinent patient care information that cannot be found in the UMR. A CMR is considered a convenience copy and has no record retention schedule.
Source Data: Source Data includes health information stored in any original media. Examples of Source Data include, but are not limited to, paper diagnostic tests or tools, x-rays, videotapes, ultrasounds, fetal monitor strips, photographs (either conventional photos, scanned or digital images), EKG strips, and ancillary or supporting systems (e.g . pharmacy information systems and radiation oncology information systems). These forms of Source Data have unique retention schedules. The UMR must contain a written interpretation of all Source Data. Source Data is distinct from the written interpretations of significant clinical information that has been forwarded to the UMR.
|
Policy
|
In compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), UTMB, maintains that patient information must be kept private and confidential.
This policy will address the following issues relating to Use and Disclosure of PHI permitted as a result of a patient authorization.
• General Rules on the Use and Disclosure of PHI
• When a Patient Authorization is required
• Other Occasions When Patient Authorization is not required
• Compound Authorizations
• Conditioning Authorizations
• Defective Authorization
• Authorizations Requiring Special Instructions
• Revocation of Authorizations
Violation of this policy may result in disciplinary action up to and including termination for employees; a termination of employment relationship in the case of contractors or consultants; or suspension or expulsion in the case of a student. Additionally, individuals may be subject to loss of access privileges and civil and/or criminal prosecution.
|
General Rules on the Use and Disclosure of PHI
|
As outlined in detail in Policy 6.2.0 General Policy on Use and Disclosures of PHI, UTMB may use and disclose PHI without a patient’s authorization for certain Treatment, Payment or Healthcare Operations (TPO) activities. In addition, the HIPAA Privacy Rule permits the release of PHI without a valid authorization pursuant to specific
|
General Rules on the Use and Disclosure of PHI,
continued
|
exceptions that are set forth in the Rule. These exceptions include disclosures required by law and are outlined later in the policy. For all other uses and disclosures of PHI for non TPO purposes, UTMB will require a patient’s signed authorization form.
|
When a Patient Authorization is Required
|
In order to use and disclose PHI for non TPO purposes, UTMB must obtain a signed authorization form from the patient or the patient’s representative.
The patient or the patient’s personal representative must have signed a valid authorization in order to receive copies of PHI contained in their medical record.
Examples of non-TPO disclosures are disclosures to life insurance companies, non court ordered subpoenas, disclosures for research purposes or disclosures to employers).
|
When a Patient Authorization is Required
|
HIM is the custodian of the Unit Medical Record (UMR) and shall have the sole authority to disclose PHI when a patient authorization is required. Custodians of Case Management Records (CMR) or Custodians of Source Data (SD) must NOT disclose or release any PHI and must direct all persons requesting PHI requiring an authorization to HIM.
All parties requesting the release of PHI must complete a valid authorization form. HIM can accept an authorization form from an outside entity if it determines the authorization form is valid. Only the HIM Department is authorized to make this determination. However, the use of the UTMB Authorization Form may expedite the disclosure of PHI.
HIM will document each disclosure and retain all signed authorizations. UTMB does NOT require a patient or personal representative to sign a valid authorization form in order to use or disclose PHI for the following purposes:
1. UTMB clinics and providers may share PHI with other UTMB patient care areas for treatment, payment or health care operations.
|
When Patient Authorization is not Required
|
2. UTMB may share PHI with providers with a known relationship to the patient, (such as physicians who refer patients to UTMB for a consult or specialty procedure, or providers to whom UTMB refers patients).
3. In emergency health care situations, PHI can be shared with non-UTMB providers.
4. UTMB clinics and providers can share a limited amount (1-2 pages) of information with patients. The information that can be shared with patients is recent lab results or medical reports that have been received or created within the last 30 days of the patient’s most recent visit. All requests for lab results and medical reports that are older than 30 days must be sent to HIM for release. For example, it is acceptable for a UTMB clinic to release a copy of recent lab results to the patient. If the patient requested copies of all lab results for the past five years, the request should be sent to HIM for release..This policy does not limit treatment discussions regarding the medical care between a patient and a provider. For limited disclosures of recent PHI, the following rules apply:
a. Telephone Requests for the Disclosure of PHI
UTMB clinics and providers may only disclose lab results or medical reports over the phone if the UTMB employee has followed the IHOP Policy 6.2.32, Verifying Identity and Authority of Individuals Requesting PH
b. Requests to Mail PHI
UTMB employees may mail a limited amount of medical information to patients after verifying the address provided by the patient is the same as the address in Invision..
c. Office Visit Requests for Disclosures of PHI
UTMB clinics and providers may disclose, at their discretion, a limited amount of medical information.
5. UTMB billing personnel may disclose PHI to family and friends if the information is solely limited to the amount owed. If the caller wishes to obtain more detailed support of the amount owed including medical information contained in the bill, the UTMB billing personnel must obtain oral permission from the patient and the UTMB employee must adhere to IHOP Policy 6.2.32, Verifying Identity and Authority of Individuals Requesting PHI. If the patient is not available for verification and approval, the UTMB employee must obtain a valid written
|
When Patient Authorization is not Required, continued
|
authorization form from the patient or a medical power of attorney justifying the disclosure of information to the caller.
PHI may be disclosed without a valid authorization pursuant to an exception permitted by the HIPAA Privacy Rule, including any disclosure required by law. The following is list of policies under which UTMB is permitted to disclose PHI for reasons other than for TPO purposes as required by law or without the need for a valid authorization:
• IHOP Policy 6.2.2, Use and Disclosure to Family and Friends
• IHOP Policy 6.2.4, Use and Disclosure for Patient Directories
• IHOP Policy 6.2.16, Permitted Use and Disclosure of PHI in Special Situations
• IHOP Policy 6.2.20, Use and Disclosure of PHI for Judicial or Administrative Proceedings
• IHOP Policy 6.2.7, Use and Disclosure for Disaster Relief Purposes
All disclosures for non-TPO purposes and without patient authorization must comply with the IHOP Policy 6.2.28, Accounting of Disclosure, which mandates the tracking of disclosures of PHI.
|
|
Compound Authorizations
|
An authorization for use and disclosure of PHI may only be combined with another document in the following situations:
1. An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same research study, including another authorization for the use and disclosure of PHI for such research or a consent to participate in such research, see IHOP Policy 6.2.30, Use and Disclosure of PHI for Research;
An authorization for the use and disclosure of psychotherapy notes may only be combined with another authorization for use and disclosure of psychotherapy notes;
An authorization, other than for a use and disclosure of psychotherapy notes, may be combined with any other such authorization unless
|
Compound Authorizations, continued
|
UTMB has conditioned the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits as prohibited by the section outlining Conditional Authorizations.
|
|
Conditioning Treatment Upon an Authorization
|
UTMB may not condition treatment on an authorization except in the event of:
1. Provision of research-related treatment upon receiving an authorization for such research.
2. Provision of health care that is solely for the purpose of creating PHI for disclosure to a third party on the provision of an authorization to such third party
|
|
Defective Authorizations
|
An authorization is considered defective and invalid if any material information in the authorization is known to be false by UTMB or its employees or if any of the following defects exist:
1. The expiration date has passed;
2. The authorization has not been filled out completely or lacks an element required by the HIPAA Privacy rule to be a valid authorization.;
3. The authorization is known by the covered entity to have been revoked;
4. The authorization violates the compound authorizations requirement or the conditioning of authorizations requirement.
|
Authorizations Requiring Special Instructions
|
Authorizations and Psychotherapy Notes
For specific rules governing the use and disclosure of psychotherapy notes, see IHOP Policy 6.2.7, Use and Disclosure of Psychotherapy Notes.
Authorizations for Marketing and Fundraising Purposes
For specific rules governing the use and disclosure of PHI for marketing and fundraising purposes, see IHOP Policy, Use and Disclosure of PHI for Marketing Purposes IHOP Policy 6.2.18, Use and Disclosure of PHI for Fundraising.
|
|
Authorizations Requiring Special Instructions, continued
|
Research Authorization
For specific rules governing the use and disclosure of PHI for research purposes, see IHOP Policy 602.30, Use and Disclosure of PHI for Research .
|
Revocation of Authorizations
|
An individual may revoke an authorization at any time, provided that the revocation is in writing, However, UTMB will not be able to get the PHI back if it has already been disclosed. As soon as the revocation is processed by Health Information Management (HIM), UTMB will stop using and disclosing the PHI.
When a patient requests a revocation of a prior authorization, the revocation form will be forwarded to HIM for proper documentation in the Unit Medical Record. A patient may submit a request for revocation in a signed letter and UTMB will accept this without requiring a signed revocation form.
It is the responsibility of the Case Management Records custodians to forward all original revocation forms to HIM. HIM will be responsible for notifying the departments or individuals authorized to use the patient’s PHI that the patient has revoked his/her authorization.
Once notified by HIM of the revocation, the departments or individuals are responsible for ensuring the patient’s PHI is no longer subject to further use or disclosure.
|
References
|
45 C.F.R. § 164.508
|
|
|
