HIPAA-P01 Uses and Disclosures of Protected Health Information Policy

Transcription

1 HIPAA-P01 Uses and Disclosures of Protected Health Information Policy FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions Sanctions ADDITIONAL DETAILS Additional Contacts Web Address Related Information History Effective: 7/22/13 Last Updated: 7/11/13 Responsible University Office: HIPAA Privacy and Security Compliance Office Responsible University Administrator Vice President for University Clinical Affairs Policy Contact: University HIPAA Privacy Officer Scope This policy applies to all personnel, regardless of affiliation, who have access to Protected Health Information ( PHI ) under the auspices of Indiana University, designated for purposes of complying with the final provisions of the security and privacy rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Please refer to the HIPAA Affected Areas document for a full list of units impacted within Indiana University. This policy addresses the uses and disclosures of PHI, including determination of required authorization and verification, for research, health plans, health services, business associates and affiliates. Reason for Policy The purpose of this policy is to provide requirements concerning the protection of PHI, according to the United States Department of Health and Human Services (DHHS) HIPAA and HITECH privacy and security regulations, in-conjunction with existing state laws, federal laws, and Indiana University Policy covering human subjects, security and privacy. 1

2 This policy also provides standards for identifying the need for, and completion of, a valid Authorization prior to the use and disclosure of PHI, including a Business Associates Agreement for those Affiliates identified as Covered Affected Areas. Policy Statement Indiana University (IU) HIPAA Affected Areas will appropriately use and disclose PHI for purposes permitted or required under the HIPAA and HITECH Acts, and other applicable rules, regulations, and laws. IU HIPAA Affected Areas are expected to evaluate and implement the university-wide policy and determine whether more stringent or more detailed policies and procedures are necessary as appropriate and applicable to the environment. 1. Permitted Uses and Disclosures. IU HIPAA Affected Areas may use and disclose Protected Health Information (PHI) as follows: a. to an Individual who is the subject of the information; b. for treatment, payment or health care operations, as defined by HIPAA; c. pursuant to and in compliance with a valid authorization that complies with the requirements of HIPAA; d. for Incidental Uses and Disclosures, as long as HIPAA Affected Areas take reasonable measures to safeguard that information and minimize such uses and disclosures; e. obtain informal permission in circumstances that clearly give an individual the opportunity to agree or object before: including that individual s information in a facility directory; or disclosing to the individual s family, friends, or others identified by that individual. Such uses or disclosures must be witnessed and documented in accordance with Indiana state law. f. where, in an emergency situation, the individual is incapacitated or not available, and if in the exercise of professional judgment, the use or disclosure is determined to be in the best interests of the individual; g. to persons involved in the health care of the Individual, (such as a relative, close personal friend or any other person identified by the Individual), as follows: PHI directly related to the person s involvement in the current health care of the Individual or payment for the Individual s health care; or To notify a family member, personal representative regarding the Individual s location, general condition or death; h. for certain set of Public Interest purposes as permitted by HIPAA; and i. to the Secretary of the U.S. Department of Health and Human Services (HHS) for an investigation or compliance review pursuant to HIPAA. 2

3 2. Required Disclosures. IU HIPAA Affected Areas will disclose PHI to an Individual, when requested for access or accounting of disclosures; and when required by the Secretary of HHS for investigations of compliance. 3. Authorizations. A signed Authorization shall be obtained from an individual before using or disclosing that individual s PHI, unless otherwise permitted or required as described in this policy. Authorizations shall also be obtained prior to using and disclosing PHI for research purposes, except for very limited circumstances permitted by HIPAA and IU Standard Operating Procedures for Human Subject Research. 4. Minimum Necessary. IU HIPAA Affected Areas will make reasonable efforts to limit the use, disclose, and request of PHI to only the minimum amount of PHI needed to accomplish the intended purpose. There are limited exceptions where the minimum necessary does not apply. For details, see Policy # HIPAA-P De-Identification of PHI. IU HIPAA Affected Areas may use or disclose de-identified data without obtaining an individual s authorization, as long as the information cannot be used alone, or in conjunction with other information, to identify an individual. The standard for deidentification involves removing a range of nineteen different types of identifying information concerning the individual, the individual s employer, relatives and household members. For more details regarding de-identified data, see Policy # HIPAA-P06 (draft 7/22/13) 6. Decedent PHI. Decedent PHI may be used and disclosed in limited circumstances, as permitted by HIPAA, including: To coroners and medical examiners for identification of a deceased person or to determine cause of death. When an IU HIPAA Affected Entity is disclosing PHI for it duties as a coroner or medical examiner. Disclosures to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to a decedent. These disclosures may occur prior to and in reasonable anticipation of the individual s death. To law enforcement officials if the individual s death is suspected to have resulted from criminal conduct. 7. Limited Data Sets. A limited data set may be used or disclosed only for the purposes of research, public health or health care operations, so long as the IU HIPAA Affected Areas enters into a data use agreement with the recipient prior to the use or disclosure of the limited data set. As further described in Policy HIPAA-P06, the IU HIPAA Affected Areas may use or disclose PHI to a Business Associate for the creation of a limited data set. 3

4 8. Fundraising. IU HIPAA Affected Areas may use or disclose certain PHI for the purpose of raising funds for the benefit of HIPAA covered entities, without an authorization, in accordance with Policy HIPAA-P Research. IU may use or disclose certain PHI for the purpose of research purposes in accordance with IU Standard Operating Procedures for Human Subject Research. 10. Marketing. An individual s PHI shall not be used or disclosed for Marketing purposes without obtaining an authorization from the individual who is the subject of the PHI, or their personal representative. 11. Underwriting. If the IUs health plan receives PHI for the purpose of underwriting, premium rating or other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the IUs health plan, then the IUs health plan may not use or disclose such PHI for any other purpose, except as required by law. 12. Verification Requirements. As further described in PHI may not be disclose without proper verification of the identity of a person requesting / receiving an individual s PHI, including that person s authority to receive the information. Definitions IU HIPAA Affected Areas Any covered entity or business associate function within IU that is subject to HIPAA, as documented in the IU HIPAA Hybrid Entity Designation Memo. Affiliate Non-IU health care organizations with which IU is affiliated or with which IU collaborates often (e.g. weekly); especially those with whom IU may share PHI. Affiliates may or may not be Business Associates. Authorization A document signed and dated by the individual who authorizes use and disclosure of protected health information for reasons other than treatment, payment or health care operations. An authorization must contain a description of the protected health information, the names or class of persons permitted to make a disclosure, the names or class of persons to whom the covered entity may disclose, an expiration date or event, an explanation of the individual s right to revoke and how to revoke and a statement about potential re-disclosures. Business Associate (BA) A person who, on behalf of a covered entity, conducts a function involving the creation, receipt, maintenance or transmission of protected health information (PHI). A covered entity may be a business associate of another covered entity. 4

5 Covered entity 1. A health plan; 2. A health care clearinghouse; 3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter; or 4. A business associate of any covered entity listed above Decedent Protected Health Information Individually identifiable health information related to individuals who are deceased is subject to the same protections as living individuals for the first 50 years following the decedent s date of death. In addition, HIPAA rules permit certain uses and disclosures of PHI related to the deceased since it is not practicable to obtain authorizations from decedents or their living personal representatives. Disclosure With respect to individually identifiable health information: the action of releasing, transferring, provision of, access to, or divulging in any other manner of information outside the entity holding the information. For details, see Policy # HIPAA-P01. Use With respect to individually identifiable health information: the sharing, employment, application, utilization, examination, or analysis of information that maintains such information. For details, see Policy # HIPAA-P01. Healthcare Operations Activities of a covered entity to the extent the activities are related to covered functions include but are not limited to: 1. Conducting quality assessments and improvement activities, 2. patient safety activities; 3. Training programs in which students, trainees or practitioners in areas of health care learn under supervision to practice or improve their skills; 4. Certification, licensing or credentialing activities; 5. Business planning and development; 6. Business management activities Health Insurance Portability and Accountability Act (HIPAA) Federal rule that protects and balances the disclosure of personal health information held by covered entities and gives patients an array of rights with respect to that information; specifies administrative, physical, and technical safeguards for covered entities to assure confidentiality and integrity. Health Information Technology for Economic and Clinical Health (HITECH) Federal law that promotes the adoption and meaningful use of health information technology, addressing the privacy and security concerns associated with the electronic transmission of health information through provisions that strengthen the civil and criminal enforcement of HIPAA rules. 5

6 Incidental Uses and Disclosures When PHI is inadvertently used or disclosed as a by-product of an otherwise permitted purpose under HIPAA, so long as the information has been reasonably safeguarded; and the amount and type of PHI was limited to fulfill the purpose or task. Marketing To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Minimum Necessary The Privacy Rule requires covered entities evaluate their practices and enhance safeguards as needed to limit the amount of information used, disclosed or requested to the minimum necessary to achieve the specified goal [45 CFR (d)(1)]. There are limited exceptions where minimum necessary does not apply. For details, see Policy # HIPAA-P02. Protected Health Information (PHI) PHI is individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health, or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information. See Part II, 45 CFR * Individually identifiable health information regarding persons who have been deceased for more than 50 years is not considered PHI. Public Interest Purposes Shall include circumstances permitted by Section of the HIPAA Privacy Rule, which relates to the use and disclosure of PHI, without obtaining an individual s authorization or providing an individual an opportunity to object. Safeguard Privacy and security measures developed, implemented and maintained by a covered entity or business associate to protect individually identifiable health information as required by the rules. These measures include policies and procedures as well as administrative, physical and technical measures implemented for the purpose of protecting PII and PHI. Treatment The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. 6

7 Web Address for this Policy Related Information HIPAA Regulations 45 CFR CFR CFR CFR CFR CFR HITECH Regulations 42 CFR: Parts 412, 413, 422 and CFR: Subtitle A Subchapter D Related IU Policies HIPAA-P02 Minimum Necessary HIPAA-P04 IU Fundraising IT-12 Security of Information Technology Resources IT-12.1 Security of Mobile Devices Other Related IU Resources History 7/1/12 Draft Reviewed Approved / Awaiting Final Rule 5/13/13 Draft Updated/Reviewed by HIPAA Privacy and Security Compliance Council 7/10/13 Draft Final Review by HIPAA Privacy and Security Compliance Council 7/22/13 Final Published Date 7