OVERVIEW OF THE USES AND DISCLOSURES OF PHI

Similar documents
Senior Care Pharmacy Wichita

RESPONDING TO PATIENT COMPLAINTS AND OTHER PRIVACY-RELATED COMPLAINTS

Balance Fitness and Nutrition

DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)

CAPITAL SURGEONS GROUP, PLLC

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

HIPAA THE PRIVACY RULE

NOTICE OF PRIVACY PRACTICES

For Payment. We will use and disclose your personal health information to obtain payment for health care services we have provided to you.

HIPAA PRIVACY NOTICE

Notice of HIPAA Privacy Practices Updates

NOTICE OF PRIVACY PRACTICES Mid-Atlantic Women s Care, PLC Effective Date: September 23, 2013 Last Revised: February 15, 2018

SUMMARY OF NOTICE OF PRIVACY PRACTICES

Southwest Acupuncture College /PWFNCFS

PARAGOULD DOCTORS CLINIC PRIVACY NOTICE

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

HIPAA Notice of Privacy Practices

Commonwealth Health Corporation Notice of Privacy Practices CHC COMMONWEALTH HEALTH CORPORATION

NOTICE OF PRIVACY PRACTICES MedQuest Effective April 2003 Revised January 2014

Opp Health and Rehabilitation, LLC 115 Paulk Avenue P.O. Box 730 Opp, AL Phone Number: (334)

ERIE COUNTY MEDICAL CENTER CORPORATION NOTICE OF PRIVACY PRACTICES. Effective Date : April 14, 2003 Revised: August 22, 2016

Pain Specialists of Greater Chicago Notice of Privacy Practices

Orthopedic Specialty Clinic, Ltd. Updated 05/2014

JOINT NOTICE OF PRIVACY PRACTICES

GREATER HUDSON VALLEY HEALTH SYSTEM ORANGE REGIONAL MEDICAL CENTER CATSKILL REGIONAL MEDICAL CENTER Policy/Procedure

Advanced Oral & Maxillofacial Surgery, Ltd. NOTICE OF PRIVACY PRACTICES

CHI Mercy Health. Definitions

NYU Langone Health Notice of Privacy Practices

WAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

Privacy Practices Home Visit Doctor, LLC July 2017

RECEIPT OF NOTICE OF PRIVACY PRACTICES WRITTEN ACKNOWLEDGEMENT FORM. I,, have received a copy of Dr. Andy Hand s Notice of Privacy Practice.

NOTICE OF PRIVACY PRACTICES MOUNT CARMEL HEALTH SYSTEM

Notice of Privacy Practices

NOTICE OF PRIVACY PRACTICES

HIPAA Notice of Privacy Practices DFD Russell Medical Center Effective April 14, 2003 Updated April 10, 2013

Notice of Privacy Practices

NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices for Protected Health Information (PHI)

Notice of. Privacy Practices. Dartmouth-Hitchcock Affiliated Covered Entity

HIPAA Policies and Procedures Manual

J.C. Blair Memorial Hospital Huntingdon, PA

If you have any questions about this notice, please contact our privacy officer Dr. Jev Sikes at

HIPAA NOTICE OF PRIVACY PRACTICES

Notice of Health Information Privacy Practices Acknowledgement

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

Ashe Memorial Hospital, Inc. 200 Hospital Avenue, Jefferson, NC (336) JOINT NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices

Notice of Privacy Practices

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES Effective Date: April 14, 2003

Privacy Rio Grande Valley HIE Policy: P1. Last date Revised/Updated 02/18/2016

USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION WITHOUT AUTHORIZATION

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

Johns Hopkins Notice of Privacy Practices for Health Care Providers

JOINT NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES UNIVERSITY OF CALIFORNIA RIVERSIDE CAMPUS HEALTH CENTER

Notice of Privacy Practices

Parental Consent For Minors to Receive Services

NOTICE OF PRIVACY PRACTICES

Southwest Idaho Ear, Nose and Throat, P.A. Notice of Privacy Practices

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices

NOTICE OF PRIVACY PRACTICES Occupations, Inc. 15 Fortune Road West Middletown, NY 10941

NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices

REVISED NOTICE OF PRIVACY PRACTICES ORIGINAL DATE: JANUARY 1, 2003 REVISED: JANUARY 16, 2014 REVISED: NOVEMBER 27, 2017 PLEASE REVIEW IT CAREFULLY

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand.

BASSIN CENTER FOR PLASTIC SURGERY. Dr. Roger Bassin NOTICE OF PRIVACY PRACTICES

Health Information Privacy Policies and Procedures

MSK Group, PC NOTICE O F PRIVACY PRACTICES Effective Date: December 30, 2015

SUNY DOWNSTATE MEDICAL CENTER UNIVERSITY HOSPITAL OF BROOKLYN POLICY AND PROCEDURE

MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES

Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations.

Patient Privacy Requirements Beyond HIPAA

Notice of Privacy Practices

MAIN STREET RADIOLOGY

HIPAA Education Program

PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES

OUR LEGAL DUTY PERSONS COVERED BY THIS NOTICE

FAMILY PHARMACEUTICAL SERVICES NOTICE OF PRIVACY PRACTICES effective 9/23/2013

S.E. Wisconsin Hearing Center Inc.

PATIENT NOTICE OF PRIVACY PRACTICES Effective Date: June 1, 2012 Updated: May 9, 2017

Form B - For those enrolled in other insurance

NuSpine Chiropractic NOTICE OF PRIVACY PRACTICES. This notice takes effect on March1, 2007 and remain in effect until we replace it.

Patient Consent Form

Patient name (print) Signature of Patient/ Legal Representative. Relationship to Patient FOR OFFICE USE ONLY

Mental Health. Notice of Privacy Practices

HIPAA-HITECH HELPBOOK NJ Physician Practices

NORTH COUNTRY HEALTHCARE

NOTICE OF PRIVACY PRACTICE UNIVERSITY OF CALIFORNIA SAN FRANCISCO DENTAL CENTER

NOTICE OF PRIVACY PRACTICES

ADVANCED PLASTIC SURGERY, PLLC. NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PRIVACY POLICIES AND PROCEDURES

Transcription:

PRIVACY 24.0 OVERVIEW OF THE USES AND DISCLOSURES OF PHI Scope: Purpose: All workforce members (employees and non-employees), including employed medical staff, management, and others who have direct or indirect access to patient protected health information (PHI) created, held or maintained by any subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities ). To provide an overview of permissible uses and disclosures of PHI and to cross reference applicable UHS privacy policies addressing uses and disclosures in these situations. Definitions: Terms not defined in this Policy or the HIPAA Terms and Definitions maintained by the UHS Compliance Office will have the meaning as defined in any related State or Federal privacy law including the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ( HIPAA ) and regulations promulgated thereunder by the U.S. Department of Health and Human Services ( HHS ) at 45 CFR Part 160 and 164, Subparts A and E ( Privacy Regulations or Privacy Rule ) and Subparts A and C ( Security Regulations or Security Rule ), the Health Information Technology for Economic and Clinical Health Act ( HITECH ) privacy and security provisions of the American Recovery and Reinvestment Act (Stimulus Act) for Long Term Care, Public Law 111-5, the American Recovery and Reinvestment Act of 2009 ( ARRA ), Title XIII and related regulations. Policy: PHI will not be used or disclosed by Facility workforce members except as permitted or required by HIPAA and applicable state laws. Whenever required by the Privacy Rule, the workforce member will make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Each Facility must reasonably safeguard PHI: (i) from any intentional or unintentional use or disclosure that violates UHS or Facility HIPAA policies, and (ii) to limit incidental uses or disclosures. State law may impose additional requirements on the use and disclosure of PHI Facilities will contact the UHS Legal Department if they have any questions regarding the state laws applicable to them. Procedure: This Policy discusses the use and disclosure of PHI, addressed in sections as follows: Permitted Uses and Disclosures Required disclosures

Minimum necessary applies Safeguards Uses and disclosures subject to an agreed-upon restriction Uses and disclosures of de-identified PHI, and to create de-identified PHI Disclosure to business associates Deceased Individuals Personal representatives Confidential communications Uses and disclosures consistent with the Notice of Privacy Practices Disposal of PHI State Laws Permitted Uses and Disclosures PHI may not be used or disclosed except as permitted or required by HIPAA and applicable state law. PHI may be used or disclosed as follows: To the patient (or their authorized personal representative, as applicable) (the individual); For treatment, payment, or health care operations, as described in UHS Privacy 5.0 Use and Disclosure for Treatment, Payment and Health Care Operations. Incidental uses or disclosures that occur as a byproduct of a permissible or required use or disclosure, as long as the Facility has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, for the primary use or disclosure. Pursuant to and in compliance with a valid authorization from the individual under the UHS HIPAA policy Use and Disclosure Requiring Authorization. Pursuant to an agreement under or as otherwise permitted by UHS Privacy 25.0 Uses and Disclosure Requiring an Opportunity to Agree/Object -- including, subject to that Policy, uses and disclosures: o for facility directories; o to persons involved in a patient s care or payment; o for notification; o for disaster relief; and

o to a family member or other persons involved in the care or payment for care of a deceased patient prior to death (limited to the PHI of a deceased individual that is relevant to such person s involvement) unless the disclosure would be inconsistent with any prior expressed preference of the individual that is known to the Facility. As permitted by and in compliance with UHS Privacy 26.0 Use and Disclosure Not Requiring Authorization or an Opportunity to Agree/Object. These include, subject to that Policy, uses and disclosures: o for public health activities; o for health oversight activities; o required by law; o about immunizations of a student or prospective student to their school; o about victims of abuse, neglect or domestic violence; o for judicial and administrative proceedings; o for law enforcement purposes; o to avert a serious threat to health and safety; o about decedents; o for cadaveric organ, eye or tissue donation; o for research purposes; o for specialized government functions; and o for workers compensation. As permitted by and in compliance with UHS Privacy 7.0 Limited Data Sets and Data Use Agreements. Required Disclosures Facilities are required to disclose PHI: To an individual upon request and subject to UHS Privacy 19.0 Patient Requests to Access PHI;

For an accounting of disclosures of PHI provided to an individual upon request and subject to the UHS HIPAA policy Accounting of Disclosures; When required by the Secretary of Health and Human Services (HHS) to determine the Facility s HIPAA compliance. Minimum Necessary Applies When using or disclosing PHI or when requesting PHI from another covered entity or a business associate, a Facility must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, as described in the UHS HIPAA Minimum Necessary Policy. Safeguards Each Facility must reasonably safeguard PHI: (i) from any intentional or unintentional use or disclosure that violates UHS or Facility HIPAA policies, and (ii) in order to limit incidental uses or disclosures. Uses and Disclosures of PHI Subject to an Agreed-Upon Restriction A Facility that has agreed to a restriction under UHS Privacy 21.0 Patient Requests for Disclosure Restrictions or for Alternative Communications may not use or disclose the PHI covered by the restriction in any manner that would violate the restriction, unless an exception applies as addressed in the policy. Uses and Disclosures of De-Identified PHI and to Create De-Identified PHI A Facility may use PHI to create de-identified PHI or may disclose PHI only to a business associate for de-identification. Health information that meets the standard and implementation specifications for de-identification as described in UHS Privacy 8.0 De-Identification of PHI is not considered to be PHI and can therefore be used or disclosed for any lawful purpose, as long as: if a code or other identification is used to enable re-identification or for any other purpose does not constitute PHI; and the de-identified information is not re-identified. Disclosures to Business Associates A Facility may disclose PHI to a business associate and may allow a business associate to create or receive PHI on its behalf, if the Facility obtains satisfactory assurance that the business

associate will appropriately safeguard the information and enters into a business associate agreement, as described in UHS Privacy 27.0 Business Associates and Business Associate Agreements. The minimum necessary standards in UHS Privacy 6.0 Minimum Necessary Policy apply to disclosures to business associates. Deceased Individuals A Facility must comply with the same use and disclosure requirements described in this Policy with respect to the PHI of a deceased individual. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to PHI relevant to such personal representation. Other permitted uses and disclosures of the PHI of deceased individuals are addressed in UHS Privacy 16.0 Disclosures for Law Enforcement Purposes, UHS Privacy 25.0 Use and Disclosure Requiring an Opportunity to Agree/Object, and UHS Privacy 26.0 Use and Disclosure not Requiring an Opportunity to Agree/Object. Personal Representatives Except for unemancipated minors and/or abuse, neglect, and endangerment situations, a Facility must treat an authorized personal representative as the patient with respect to PHI for purposes of HIPAA. An authorized personal representative is a person authority with authority under applicable law to act on behalf of a patient in making decisions related to health care. The requirements for personal representatives are described in UHS Privacy 28.0 Personal Representatives. Confidential communications If a Facility has granted a patient s request that they receive communications of PHI from the Facility by alternative means or at alternative locations, the Facility must comply with the applicable requirements of UHS Privacy 21.0 Patient s Right to Request Use or Disclosure Restrictions and Alternative Communications in communicating the PHI. Uses and Disclosures Consistent with the Facility s Notice of Privacy Practices Facilities may not use or disclose PHI in a manner that is inconsistent with their Notice of Privacy Practice. Disposal of PHI Facilities must implement reasonable safeguards, including appropriate workforce training on the Facility s disposal policies and procedures, to limit incidental and avoid prohibited uses and disclosures of PHI in connection with the disposal of the information. In determining what is

reasonable, Facilities should consider potential risks to patient privacy, as well as the form, type and amount of PHI to be disposed. Although no particular disposal method is required by HIPAA, proper disposal methods may include, for example: Shredding, burning, pulping, or pulverizing paper records so PHI is rendered essentially unreadable, indecipherable and cannot be reconstructed; Maintaining labeled prescription bottles and other PHI-containing material in opaque bags in a secure area and shredding or using another mechanism to destroy the PHI; For electronic media: clearing, purging, destroying, and other sanitization methods; Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy PHI; Using a business associate to appropriately dispose of PHI on the Facility s behalf Workforce members may not dispose PHI in a dumpster or other containers accessible by the public without using proper methods of rendering PHI essentially unreadable. State Laws State law may impose additional requirements Facilities will contact the UHS Legal Department if they have any questions regarding the state laws applicable to them. References: 45 C.F.R. 164.502 45 C.F.R. 164.504 45 C.F.R. 164.506 45 C.F.R. 164.508 45 C.F.R. 164.510 45 C.F.R. 164.512 45 C.F.R. 164.530(c) Related UHS Policies: UHS Privacy 23.0 Accounting of Disclosures

UHS Privacy 27.0 Business Associates and Business Associate Agreements UHS Privacy 8.0 De-Identification of PHI UHS Privacy 16.0 Disclosures for Law Enforcement Purposes UHS Privacy 17.0 Disclosures to Correctional Institutions or Law Enforcement with Lawful Custody UHS Privacy 7.0 Limited Data Sets and Data Use Agreements UHS Privacy 6.0 Minimum Necessary Policy UHS Privacy 19.0 Patient Requests to Access PHI UHS Privacy 21.0 Patient Requests for Use or Disclosure Restrictions or for Alternative Communications UHS Privacy 28.0 Personal Representatives UHS Privacy 5.0 Use and Disclosure for Treatment, Payment and Health Care Operations UHS Privacy 14.0 Use and Disclosure for Research and Reviews Preparatory to Research UHS Privacy 9.0 Disclosure for Armed Services, National Security, and other Specialized Government Functions UHS Privacy 26.0 Use and Disclosure Not Requiring Authorization or an Opportunity to Agree/Object UHS Privacy 3.0 Use and Disclosure Requiring Authorization UHS Privacy 25.0 Use and Disclosure Requiring an Opportunity to Agree/Object Revision Dates: 10-12-2017; 11-16-2015; 07-22-2013 Implementation Date: 07-25-2011 Reviewed and Approved by: UHS Compliance Committee

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback