Use & Disclosure of Health Information

Abstract:
This policy establishes guidelines for the use and disclosure of health information by UAB/UAB Health System Covered entities in compliance with the Health Insurance Portability and Accountability Act and Alabama state law.
Effective Date:
9/23/2013
Contacts:
None Assigned
Applies To:
Faculty, Staff, Students

1. PURPOSE: To establish guidelines for the use and disclosure of health information by UAB/UAB Health System (“UAB”) Covered Entities, in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and Alabama state law.

2. PHILOSOPHY: UAB values and promotes business practices respecting the confidentiality of health information.

3. APPLICABILITY: This standard applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, and other UAB entities that may be added from time-to-time) and to the following UABHS Covered Entities: University Hospital, The Kirklin Clinic, The Kirklin Clinic at Acton Road, Callahan Eye Hospital, UAB Health Centers, Medical West Hospital, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time-to-time. For purposes of this standard, UAB and UABHS Covered Entities shall be collectively referred to as “UAB.”

4. DEFINITIONS: UAB adopts the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164.

4.1. Authorization: A document that is required to be signed by the patient to use and disclose specified protected health information for specified purposes.

4.2. Business Associate: A person or entity (other than an employee of a UAB Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, repricing, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Business associates include a health information organization, e-prescribing gateway, or other vendors who provide data transmission services that require access to PHI on a routine basis; entities that offer personal health records; and subcontractors that receive PHI on behalf of the business associate. A business associate of one UAB Covered Entity does not become a business associate of any other UAB Covered Entity simply by virtue of the UAB Affiliation.

4.3. Covered Entity: A health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form.

4.4. Direct Treatment Relationship: A treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.

4.5. Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside a UAB Covered Entity maintaining the information.

4.6. Healthcare Operations: Any of the activities set forth in the regulations, which include, but are not limited to, the following:

4.6.1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs; protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

4.6.2. Reviewing the competence or qualifications of health care professionals, evaluating performance, conducting training programs for healthcare and non-healthcare professionals, and participating in accreditation, certification, licensing or credentialing activities;

4.6.3. Underwriting, premium rating and other activities relating to health plan contracts;

4.6.4. Conducting medical review, legal services, auditing and compliance functions;

4.6.5. Business planning and development and business management and general administrative activities, including, but not limited to, customer service, resolution of internal grievances, and due diligence.


4.7. Indirect Treatment Relationship: A relationship between an individual and a UAB Covered Entity in which the Covered Entity delivers health care to the individual based on the orders of another health care provider and the Covered Entity typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the patient.

4.8. Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the least amount of PHI necessary to accomplish the intended purpose of the use or disclosure.

4.9. Payment: The activities described in the regulation, including, but not limited to, those undertaken by a provider to obtain or provide reimbursement for the provision of health care, including, but not limited to determinations of eligibility or coverage; risk adjusting amounts due; billing, claims management, and collection activities; review of health care services with respect to medical necessity and coverage; utilization review activities, including precertification and preauthorization of services; and disclosure to consumer reporting agencies of the following information: name/address, date of birth, social security number, payment history, account number, and name and address of the provider.

4.10. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and excepted by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as an employer.

4.11. Psychotherapy Notes: Notes recorded by a provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

4.12. Treatment: The provision, coordination, or management of health care services by providers, including the coordination or management of health care by a provider with a third party; consultation between providers relating to a patient; or the referral of a patient for health care from one provider to another.

4.13. Use: The sharing, employment, application, utilization, examination or analysis of PHI within an entity that maintains the PHI.


5. POLICY STATEMENTS:

5.1. Use and Disclosure of PHI – General Rule

5.1.1. UAB Covered Entities will only use or disclose PHI in accordance with the requirements set forth in this standard.

5.1.2. With certain exceptions noted below, when using, disclosing or requesting PHI, UAB Covered Entities will limit PHI to the Minimum Necessary to accomplish the intended purpose of the use, disclosure or request.

5.1.2.1. Each UAB Covered Entity shall be responsible for developing policies and procedures that identify the classes of persons within the Covered Entity who need access to PHI to carry out their job duties, the types of PHI needed and appropriate conditions to the use and disclosure, and protocols or criteria for reviewing requests for use and disclosure of PHI.

5.1.2.1.1. For routine and recurring disclosures and requests for disclosure, the Covered Entities may develop standard protocols that limit PHI to the minimum necessary.

5.1.2.1.2. For all other disclosures and requests for disclosure, the Covered Entities may develop criteria for the minimum necessary and must have the requests reviewed on an individual basis.

5.1.2.2. The Minimum Necessary standard does not apply to:

5.1.2.2.1. disclosures to or requests by healthcare providers for treatment

5.1.2.2.2. disclosures to the individual who is the subject of the disclosure

5.1.2.2.3. uses or disclosures made pursuant to authorizations

5.1.2.2.4. uses or disclosures required by law

5.1.2.2.5. disclosures to the Secretary of the Department of Health and Human Services

5.1.3. Whenever an individual’s authorization or opportunity to object is required by this standard, UAB Covered Entities will treat Personal Representatives as the individual for purposes of this standard.

5.1.3.1. Personal Representatives are described as follows:

5.1.3.1.1. Individuals with authority to act on behalf of an adult or emancipated minor in making decisions related to healthcare

5.1.3.1.2. Executors or administrators acting on behalf of a deceased individual or the individual’s estate.

5.1.3.2. Unemancipated Minors.

5.1.3.2.1. If adults have the authority of personal representatives and are furnishing consent for healthcare treatment for minors, UAB Covered Entities will honor the request, consent, or authorization from the adults with that authority.

5.1.3.2.2. Minors may independently request, consent, or authorize the use and disclosure of PHI under this standard for healthcare services for which they are legally authorized and do consent, independent of any other consent, including that of their parents or other personal representatives.

5.1.3.3. UAB Covered Entities are not required to honor the requests of personal representatives if the entities have a reasonable belief the personal representative is abusing or neglecting the patient or if the entities, in the exercise of professional judgment, decide that it is not in the best interest of the patient to treat the person as the patient’s personal representative.

5.2. Required Disclosures – UAB Entities must disclose PHI

5.2.1. To an individual who requests their own PHI. The disclosure must follow the procedure set forth in the UAB Patient Health Information Rights standard.

5.2.2. To the Secretary of the Department of Health and Human Services to investigate UAB’s compliance with HIPAA.

5.3. Permitted Uses and Disclosures – Treatment, Payment or Healthcare Operations

5.3.1. Use of PHI within and among UAB Covered Entities. UAB Covered Entities may use PHI for treatment, payment or healthcare operations except as set forth in Section 5.8 related to psychotherapy notes.

5.3.2. Disclosure of PHI to Covered Entities outside UAB.

5.3.2.1. For Treatment. UAB Covered Entities may disclose PHI to another Provider for Treatment activities of that Provider.

5.3.2.2. For Payment. UAB Covered Entities may disclose PHI to another Covered Entity for Payment activities of that Entity.

5.3.2.3. For Healthcare Operations. UAB Covered Entities may disclose PHI to another Covered Entity for Healthcare Operations if:

5.3.2.3.1. the Covered Entity has a relationship with the individual and

5.3.2.3.2. the Healthcare Operations are quality assessment and improvement activities; case management and care coordination; reviewing the competence or qualification of health care professionals; training programs; accreditation and licensing activities; and compliance activities.

5.4. Permitted Uses and Disclosures – Business Associates

5.4.1. A UAB Covered Entity may disclose PHI to a Business Associate IF the Business Associate has executed a Business Associate Agreement with the UAB Covered Entity.

5.4.2. Business Associates include parties furnishing services on behalf of UAB that require their access to PHI. Examples of business associates are third parties performing the following functions: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, repricing, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, a health information organization, e-prescribing gateway or other data transmission services that require access to PHI on a routine basis; and subcontractors that receive PHI on behalf of the business associate.

5.4.3. The following disclosures of PHI do not require Business Associate Agreements:

5.4.3.1. to providers for treatment

5.4.3.2. to health plans for payment

5.4.3.3. to any entity that is merely serving as a conduit for transmission of the PHI (i.e. telephone companies)

5.4.3.4. incidental disclosures of PHI (i.e. janitorial staff)

5.4.3.5. within an organized healthcare arrangement

5.4.4. UAB Covered Entities must promptly report to UAB Legal Counsel or UAB HIPAA Privacy or Security Officer/Coordinator any instances of a pattern of activity of the Business Associate that constitutes a material breach or violation of the Business Associate’s obligations under the Agreement so that reasonable steps may be taken to cure the breach, end the violation, or terminate the Agreement.

5.5. Permitted Uses and Disclosures – UAB Covered Entities may use or disclose PHI with no patient consent, authorization, or opportunity to object under any one of the following circumstances:

5.5.1. Required by law. UAB Covered Entities may use or disclose PHI as required by law.

5.5.2. Public Health activities. UAB Covered Entities may use or disclose PHI to the following:

5.5.2.1. outside public health or legal authorities charged with preventing or controlling disease or injury;

5.5.2.2. a person subject to the jurisdiction of the FDA for which that person has responsibility for quality, safety, or effectiveness of FDA-regulated products;

5.5.2.3. a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting a disease, if authorized by law to do so;

5.5.2.4. an employer about an employee if the health care is furnished at the request of the employer for medical surveillance of the workplace or a work-related illness or injury and the UAB Covered Entity provides written notice to the employee that PHI is disclosed to the employer.

5.5.3. Reporting of victims of abuse, neglect or domestic violence. UAB Covered Entities may use or disclose PHI to outside entities charged with overseeing victims of abuse, neglect or domestic violence, consistent with reporting obligations under law.

5.5.4. Health oversight activities. UAB Covered Entities may use or disclose PHI to a health oversight agency for activities authorized by law, i.e. government, licensing, or accreditation agencies.

5.5.5. Judicial and administrative proceedings.

5.5.5.1. UAB Covered Entities may use or disclose PHI in the course of any judicial or administrative proceeding:

5.5.5.1.1. in response to an order of a court or administrative tribunal

5.5.5.1.2. in response to a subpoena, discovery request, or other lawful process, if the subpoena or discovery request is accompanied by one of the following:

5.5.5.1.2.1. written documentation from the requesting party that a qualified protective order has been entered or applied for that limits disclosure to the proceedings and requires return or destruction of the PHI at the end of the proceeding;

5.5.5.1.2.2. written documentation from the requesting party that the individual has been notified, given an opportunity to object and did not object.

5.5.6. Law enforcement purposes. UAB Covered Entities may use or disclose PHI for law enforcement purposes, as follows:

5.5.6.1. pursuant to process and as otherwise required by law, i.e. court subpoenas or orders

5.5.6.2. pursuant to a law enforcement official’s request for information to identify and locate a suspect, fugitive, material witness, or missing person, provided:

5.5.6.2.1. only the following information is disclosed: name, address, date of birth, social security number, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, if applicable, and a description of distinguishing physical characteristics

5.5.6.2.2. the following information will not be disclosed: any PHI related to the individual’s DNA or DNA analysis, dental records, or typing samples of analysis of body fluids or tissue

5.5.6.3. pursuant to a law enforcement official’s request for information about an individual who is a victim of a crime, provided that the individual consents to the disclosure

5.5.6.3.1. If the individual is unable to consent because of incapacity or other emergency circumstances, the information may be released only if the law enforcement official represents that the information is needed for an investigation and will not be used against the victim

5.5.6.4. to alert law enforcement officials about an individual who has died if the death may have resulted from criminal conduct

5.5.6.5. to report evidence of criminal conduct on the premises

5.5.7. Family Members of Decedent. UAB Covered Entities may disclose PHI to a family member, other relative, or close personal friend who was involved in the individual’s care or payment for care prior to the individual’s death, unless the patient previously instructed not to do so.

5.5.8. Coroners, medical examiners and funeral directors. UAB Covered Entities may use or disclose PHI to coroners, medical examiners, and funeral directors, as necessary for them to perform their functions.

5.5.9. Cadaveric, organ, eye or tissue donation. UAB Covered Entities may use or disclose PHI to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donor bank.

5.5.10. Avert a serious threat to health or safety. UAB Covered Entities may use or disclose PHI to prevent a serious threat to the patient’s health and safety or the health and safety of the public or another person. The disclosure may only be made to someone able to help prevent the threat.

5.5.11. Specialized government functions, such as military and veterans activities. UAB Covered Entities may use or disclose PHI to military command authorities and federal officials for intelligence and national security activities.

5.5.12. Workers Compensation. UAB Covered Entities may use and disclose PHI to employers and administrators for workers’ compensation or similar programs.

5.6. Permitted Uses and Disclosures – UAB Covered Entities may use or disclose PHI in accordance with the UAB Policies referenced below:

5.6.1. Research – see UAB/UABHS HIPAA core standard on Use of Health Information for Research

5.6.2. Marketing – see UAB/UABHS HIPAA core standard on Use of Health Information for Marketing

5.6.3. Fundraising – see UAB/UABHS HIPAA core standard on Use of Health Information for Fundraising

5.7. Permitted Uses and Disclosures – UAB Covered Entities may use or disclose PHI to third parties under any one of the following circumstances IF the patient is given an opportunity to agree or object as set forth:

5.7.1. Facility Directories. Unless the patient chooses to opt out of the Directory, UAB Covered Entities may disclose the patient’s name, location, and general condition that does not communicate specific medical information to individuals who ask for the patient by name. In addition, clergy may receive the patient’s religious affiliation and are not required to ask for the patient by name.

5.7.2. Individuals involved in the patient’s care or in payment for the patient’s care.

5.7.2.1. If the patient is present or otherwise available, UAB Covered Entities should ask the patient whether or not it is okay to discuss their medical condition in front of or with other individuals that are present. A UAB Covered Entity may also use its professional judgment and experience to infer that the patient does not object to the disclosure. A UAB Covered Entity may only disclose PHI that is relevant to the individual’s involvement in the patient’s care or payment for care.

5.7.2.2. If the patient is not available or incapable of communicating, a UAB Covered Entity may, in the exercise of professional judgment and if believed to be in the best interests of the patient, disclose the patient’s health information to a person involved in the care to the extent relevant to the person’s involvement with the patient’s health care.

5.7.3. Individuals involved in disaster relief.

5.7.4. Individuals shall be informed of these possible uses and disclosures of PHI and of their right to object to these uses in the UAB Notice of Health Information Practices.

5.8. Permitted Uses and Disclosures – Psychotherapy Notes may only be used or disclosed by UAB Covered Entities under the following conditions:

5.8.1. Without an Authorization from the individual, if use and disclosure is limited to:

5.8.1.1. use by the originator of the psychotherapy notes for treatment;

5.8.1.2. use or disclosure by the UAB Covered Entity in mental health training programs; or

5.8.1.3. use or disclosure to defend legal actions or other proceedings brought by the patient.

5.8.2. As required by law.

5.8.3. With an Authorization signed by the patient.

5.9. Permitted Disclosures – Incidental Disclosures.

5.9.1. Disclosures of PHI that are incidental and secondary to a permitted use or disclosure of PHI as set forth in this standard are permitted if they cannot reasonably be prevented, are limited in nature, are a by-product of an otherwise permitted use and if the UAB Covered Entity has established reasonable safeguards to ensure that the minimum necessary amount of disclosure will occur.

5.9.2. Incidental disclosures include, but are not limited to, teaching rounds, sign-in sheets in clinics, and overhead pages.

5.10. Permitted Uses and Disclosures – Limited Data Sets

5.10.1. UAB Covered Entities may use or disclose a “Limited Data Set” if the Entity enters into a Data Use Agreement with the recipient and the recipient certifies that the use is for research, certain healthcare operations, or public health activities.

5.10.1.1. A Limited Data Set is PHI that excludes the following:

5.10.1.1.1. names

5.10.1.1.2. postal address information, other than town or city, State, and zip code;

5.10.1.1.3. telephone numbers;

5.10.1.1.4. fax numbers

5.10.1.1.5. electronic mail addresses

5.10.1.1.6. social security numbers

5.10.1.1.7. medical record numbers

5.10.1.1.8. health plan beneficiary numbers

5.10.1.1.9. account numbers

5.10.1.1.10. certificate/license numbers

5.10.1.1.11. vehicle identifiers and serial numbers, including license plate numbers

5.10.1.1.12. device identifiers and serial numbers

5.10.1.1.13. web universal resource locators (URLs)

5.10.1.1.14. internet protocol (IP) address numbers

5.10.1.1.15. biometric identifiers, including finger and voice prints; and

5.10.1.1.16. full face photographic images and any comparable images

5.10.2. The UAB Covered Entity disclosing the Limited Data Set to a UAB employee or to a non-UAB Covered Entity must enter into a Data Use Agreement with the employee or entity receiving the Limited Data Set.

5.11. Permitted Uses and Disclosures – Authorizations are required for all uses and disclosures of PHI not otherwise addressed in this standard.

5.11.1. Authorizations must be on an approved HIPAA compliant authorization form.

5.11.2. Compound authorizations are not permitted for psychotherapy notes or for instances in which a UAB Covered Entity conditioned treatment on execution of an Authorization.

5.11.3. UAB Covered Entities cannot condition the furnishing of treatment or enrollment in a health plan on signing Authorizations for release of PHI, except:

5.11.3.1. participating in research projects can be conditioned on the individual signing an Authorization to use and disclose PHI in the research

5.11.3.2. initial enrollment in health plans can be conditioned on signing an Authorization for the health plan to review PHI to make eligibility determinations

5.11.3.3. furnishing healthcare services to an individual at the request of a third party can be conditioned on the individual signing an Authorization for disclosure of the PHI to the third party requesting the treatment

5.11.4. Individuals may revoke Authorizations by submitting a written revocation to a UAB Covered Entity. The revocation will not be effective for any actions taken in reliance on the Authorization prior to receipt of the written revocation.

5.11.5. UAB Covered Entities are responsible for developing processes to ensure appropriate Authorizations are obtained for use and disclosure of PHI, when required, and that copies of the Authorizations and any revocations are maintained for a period of six years.

5.11.6. Exceptions for certain disclosures by employees of UAB Covered Entities.

5.11.6.1. An employee who is a victim of a criminal act may disclose PHI to a law enforcement official if the disclosure is about the suspected perpetrator of the criminal act and the PHI is limited to name/address, birthdate, social security number, ABO blood type and rh factor, type of injury, date/time of treatment and distinguishing physical characteristics.

5.11.6.2. An employee or business associate of UAB Covered Entities may disclose PHI to oversight agencies if they believe the entities are engaging in unlawful conduct of which the employee has notified the entity and the entity has not responded to the employee.

5.12. Notice of Health Information Practices

5.12.1. UAB Covered Entities shall maintain a Notice of Health Information Practices (Notice). This Notice shall be maintained on UAB’s Web Site; must be posted in locations within the Covered Entities; and must be available to patients at their request.

5.12.2. UAB Covered Entities who have a Direct Treatment Relationship with an individual must provide the Notice to the individual no later than the date of the first service delivery, including service delivered electronically.

5.12.2.1. Exception for emergency treatment: The Notice must be given to the individual as soon as reasonably practicable after the emergency treatment is furnished

5.12.3. UAB Covered Entities who have a Direct Treatment Relationship with an individual must make a good faith effort to obtain written acknowledgement of the individual’s receipt of the Notice, absent an emergency treatment situation. If the individual’s acknowledgement is not obtained, the Covered Entities must document their good faith efforts to obtain the acknowledgement and the reason why the acknowledgement was not obtained.

5.12.4. UAB Covered Entities must revise the Notice if the use and disclosure practices change.

5.12.5. UAB Covered Entities must keep copies of all versions of the Notice and all acknowledgements received for a period of six years.

5.12.6. VIVA Health, Inc. must furnish the Notice to all enrollees; thereafter, upon initial enrollment, to new enrollees; and within 60 days of a material revision to the Notice. In addition, every three years, VIVA Health Inc. must inform enrollees about the availability of the Notice.

5.13. Each UAB Covered Entity shall develop processes and policies to implement the requirements of this standard.

6. REFERENCES: None

7. SCOPE: This policy applies to all UAB Covered Entities and to UABHS Covered Entities identified in Section 3.

8. ATTACHMENTS: Note: All HIPAA forms may be found at the UAB/UABHS HIPAA website: www.HIPAA.uab.edu.


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.