HIPAA PRIVACY RULE: LIMITING USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION TO THE MINIMUM NECESSARY

SUBJECT: HIPAA PRIVACY RULE: LIMITING USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION TO THE MINIMUM NECESSARY
CITES: 45 CFR 164.502(b); 164.514(d)
POLICY NUMBER: GEN - 104
ISSUED: April 14, 2003

I. POLICY:

A. Minimum Standard. When using or disclosing Protected Health Information [1] or when requesting Protected Health Information from another entity covered by the HIPAA privacy regulations, the University of Southern California (USC) [2] makes reasonable efforts to limit Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request, except as set forth in Section I.B. below. The minimum necessary standard applies to uses and disclosures for payment and health care operations.

B. Exceptions to Minimum Standard. USC is not required to apply the minimum necessary standard under the following circumstances:

1. For Treatment. Disclosures to or requests by a health care provider for purposes of diagnosing or treating a patient.

2. To Patient. Uses or disclosures made to the patient.

3. Pursuant to Patient's Authorization. Uses or disclosures pursuant to a valid patient authorization. USC's use or disclosure of information must be consistent with any limitations imposed by the authorization.

4. To HHS. Disclosures to the Director, Office for Civil Rights of the U.S. Department of Health and Human Services ("HHS") for HIPAA compliance purposes.

5. Required by Law. Uses or disclosures that are required by law (i.e., a mandate that is contained in law that compels USC to use or disclose Protected Health Information and that is enforceable in a court of law, e.g., court orders, court-ordered subpoenas, civil or authorized investigative demands, Medicare conditions of participation).

6. Required for Compliance with HIPAA Administrative Simplification Provisions. Uses or disclosures that are required for compliance with the regulations implementing the HIPAA transactions and code sets standard, security and electronic signature standards, etc.

II. PROCEDURES:

A. General Procedures for Implementing Minimum Standard. This policy recognizes that each unit at USC that uses or discloses Protected Health Information has a unique organizational structure and that an employee of the unit may perform various functions for the unit that require different levels of access to Protected Health Information. Further, the responsibilities designated to these functions vary across each unit at USC and cannot be determined solely based on job title or description. For these reasons, it is the responsibility of each unit at USC that uses and discloses Protected Health Information to determine the level of access required to perform particular functions and responsibilities within that unit. As an example, an individual who performs the function of a receptionist who registers patients most likely will not require access to that patient's entire medical record to perform that responsibility. However, the resident that is assisting a physician in treating the patient would require access to the entire medical record.

B. Limitation of Access. Once persons within USC who need access to Protected Health Information and categories of information are identified, USC must make reasonable efforts to limit access of such identified persons only to their respective identified categories of Protected Health Information. The unit should consider reasonable physical, administrative and technical security controls when using or disclosing Protected Health Information, including the following:

1. Sign-In Sheets. The Privacy Rule does not require USC to abandon the practice of using sign-in sheets. However, ideally, patient intake should be handled to minimize patient contact with another patient's health information.

2. Waiting Rooms. USC employees should be mindful that waiting rooms are public areas, not clinical treatment spaces. Staff should be mindful not to divulge clinical information in the waiting room, such as diagnoses or scheduled tests.

3. Medical Records Use and Storage. The Privacy Rule requires clinical units to keep medical records secure (for example, in locked cabinets and not left in treatment rooms overnight). When a patient is expected in the office, care should be taken to keep the medical record shielded and inaccessible to other patients. Staff should avoid placing patient information on the outside of the patient file. For computerized medical records systems, the unit should consider creating access codes that limit access to identified persons and identified categories of Protected Health Information.

4. Treatment Rooms. Consistent with common sense and good clinical judgment, health care providers and their staff should seek to maintain privacy in patient treatment rooms.

5. Wallboards/Displays. If a practitioner office uses a wallboard to track patient information, the practitioner and staff should consider whether the wallboard is viewable by patients or visitors and should make reasonable efforts to minimize the information kept on public wallboards. Where information is highly sensitive, it should not be placed on a wallboard.

C. Type of Disclosure or Request. The type of use, disclosure or request dictates what procedures are required:

1. Routine. When a use, disclosure or request is of the type that occurs on a routine or recurring basis, USC, through the relevant clinical unit, shall implement a standard protocol that limits the Protected Health Information disclosed or requested to the amount reasonably necessary to achieve the purpose of the disclosure. For example, for billing purposes, the protocol may be to disclose only records for service at issue. For outside billers, the protocol may be to disclose only that portion of the medical record that the biller needs to prepare the bill.

2. Non-Routine. Each clinical unit at USC shall develop a process for evaluating non-routine uses, disclosures and requests and shall incorporate criteria to limit the Protected Health Information disclosed to the amount reasonably necessary to accomplish the purpose of the disclosure or request. In addition, all designated staff administrators must be trained to review workforce requests for use or disclosure of Protected Health Information on an individual basis in accordance with such criteria. Appropriate criteria for evaluating non-routine requests should include the following:

i. The purpose of the request or disclosure;

ii. The nature and extent of information requested;

iii. The extent to which requested Protected Health Information can be extracted from the rest of the medical record without undue burden and without viewing unnecessary parts of the record;

iv. The location where Protected Health Information will be viewed or used;

v. The availability of physical, technical and other security measures at the place of viewing or use; and

vi. The immediacy or urgency of the need for the requested Protected Health Information.

D. Responding to Requests for Disclosures. USC faculty, staff and other covered workforce may rely on a requested disclosure as the minimum necessary for the stated purpose (if reliance is reasonable under the circumstances) in the following situations:

1. When making disclosures to public officials under USC HIPAA Policy GEN - 103 (concerning disclosures based on public policy considerations without a patient's authorization) if the requesting official represents that the information requested is the minimum necessary for the stated purpose.

2. When the information is requested by another covered entity.

3. When the information is requested by a health care professional (e.g., a physician or nurse) who is a member of USC's workforce or is a business associate of USC for the purpose of providing professional services to USC, if the professional represents that the information requested is the minimum necessary for the stated purpose(s).

4. When the information is requested for research purposes and the person requesting the information has provided documentation or representations that comply with USC HIPAA Policy RES - 301.

E. Entire Medical Record. As a general rule, USC should not use, disclose or request an entire medical record of a patient unless the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure or request. For example, access to the entire medical record is appropriate for treating practitioners as well as fellows, residents and students who are performing clinical functions as part of their training.

[1] Protected Health Information is defined as identifiable information that relates to the individual's past, present or future physical or mental health condition or to payment for health care.

[2] For purposes of the HIPAA Privacy Rule, USC is defined as those components/units that provide clinical services within the School of Pharmacy, the School of Dentistry and the Independent Health Professions (e.g., Physical Therapy, Occupational Therapy, Nursing) as well as USC Care Medical Group, Inc., the USC-affiliated faculty practice plan corporations at the Keck School of Medicine, the USC affiliated faculty practice plans of Physical Therapy and Occupational Therapy, clinical researchers who conduct research that involves clinical treatment and those units that support the clinical functions, such as the Office of the General Counsel and the Office of Audit and Compliance.