Policies
Patient Information Privacy Policy
Patient Information Privacy
Personal health information (“PHI”) is information used to enable treatment, payment and healthcare operations. This type of information might include patient name, demographic info, photos, images, test results and case information. The general rule of thumb is that only those with a legitimate “need to know” work-related reason should access, use or disclose information so they can do their job. The level of access a person has does not allow the person to access more than they need to.
Unless required by federal and state laws, Tenet policies, or authorized by the patient, the unauthorized use or disclosure of a patient’s protected information is strictly prohibited. Consult the Privacy and Security Compliance Officer with any questions.
- Individual Request for Access
- Individuals or their representatives ask to see their PHI
- Health and Human Services Request for Access
- Agency is investigating, reviewing or conducting an enforcement action
- Disclosure for Treatment, Payment, and Health Care Operations (TPO)
- Tenet’s treatment, payment and healthcare operations purposes
- Tenet’s and other covered entities’ treatment and payment purposes
- Another covered entity for their health care operations when:
- Current or former relationship with individual attached to the PHI exists
- Exchanged PHI is about that relationship
- Disclosure is for health care operations:
- Quality assessment and improvement activities
- Population-based activities for improving health
- Population-based activities for reducing health care costs
- Case management and care coordination
- Training programs, accreditation, certification
- Licensing or credentialing activities
- Health care fraud and abuse detection or compliance
- Patient Authorization
- Patient authorizes Tenet for non-TPO reasons
- Complete Tenet Authorization to Use And Disclose Health Information Form
- Patient care is not conditional on receiving patient authorization for PHI use unless:
- Care to be provided is solely to create PHI to be disclosed to third party and authorization permits Tenet to release PHI to third party
- Care to be provided is research related treatment and authorization is related to research
- Patient may change their mind about PHI authorization unless the facility has already acted on the prior authorization or it is needed to obtain the patient’s insurance coverage
- Psychotherapy Notes
- Author of the notes must be contacted first before any use or disclosure of the notes
- Individual’s authorization is obtained before using or disclosing the notes except for:
- Oversight of the author of the notes
- Training for facility’s mental health to learn to practice or improve their skills
- Legal defense in legal proceedings brought by the individual
- HHS investigation or review of entity’s compliance with Privacy Rules
- To prevent a serious and imminent threat to public health or safety
- To health oversight agency for oversight of the author of the notes
- Activities of a coroner or medical examiner
- When required by law
- Marketing
- Facility obtains an authorization before use or disclosure of PHI for marketing
- Research
- Uses and disclosure of PHI for research generally requires a patient’s Authorization
- Exceptions when authorization may not be required are:
- Institutional Review Board (IRB) or Privacy Board approved a waiver for the use or disclosure of PHI for research purposes
- Representation that PHI is being used or disclosed for developing a research protocol, the PHI is not going to be removed and is necessary for the research
- Representation that PHI is being used or disclosed for research on decedents and PHI is necessary for the research
- Opportunity to Agree or Object
- Patient shall be offered an opportunity to agree or object to disclosure of PHI prior to disclosure (when clinically appropriate)
- If no objection, Tenet may
- Disclose to a family member, other relative, close personal friend of the patient, or other person designated by the patient, PHI related to that person’s involvement in the patient’s care or payment for care
- Use or disclose PHI to notify of patient’s location, general condition or death
- Disclose PHI to public or private entities authorized by law or charter to assist in disaster relief efforts to coordinate notification efforts
- Use or disclose in Facility directories to those asking for individual by name
- Name
- General condition
- Religious affiliation
- Location in the facility
- Clergy not required to ask for individual by name when asking about religious affiliation
- Tenet will not
- Disclose PHI that is not relevant to current care and could be embarrassing to the patient
- Assume patient agreement or lack of objection means agreement to disclose PHI indefinitely in the future
- Prohibition on Sale of PHI or e-PHI
- Selling PHI or ePHI is only allowed when it’s for:
- Public health activities
- Research activities (price reflects cost of preparing and transmitting data)
- Treatment of the individual
- PHI exchange is related to the sale, transfer or merger of a Tenet facility
- Business associate function specified on a business associate agreement
- Providing an individual with a copy of his/her PHI
- Other activity deemed necessary and appropriate by the Secretary of HHS
- Minimum Necessary
- Only the minimal amount of information should be used, disclosed or requested
- Full medical record only when absolutely necessary for the legitimate use and purpose
- Limited Data Set
- Data set for research, health care operations and public health use may be provided
- Data Use Agreement (DUA) must be in place with recipient
- DUA is in Contract Arrangements Manual (CAM)
- Public Interest and Benefit Activities
- Legally authorized public health authorities may receive PHI to prevent or control disease, injury, or disability
- General Information for Disclosure
- Individual directly participating in patient’s care or payment for patient’s health care
- Patient’s family member or representative about the patient’s location, condition or death
- Use or disclose the patient’s PHI for the facility’s directory (e.g., patient name, condition, religious affiliation, location in the hospital)
- Training
- On-Line Training
- Documented and maintained in Tenet’s online education system
- Classroom Training
- Attendance is documented and maintained by HR
- Training Materials
- Maintained per records management and record retention policy
- Training Completion
- Documentation includes time, date, place and content for training session
- Mitigation
- Violations or Allegations
- Reported to the Privacy Security Compliance Officer or Privacy Incident Response Team (PIRT)
- Investigations
- Privacy Security Compliance Officer investigates all violations and allegations
- Patient Reporting
- Patient, visitor or other individual may report to any Tenet person
- Mitigation
- PIRT and business unit leader mitigate harmful results that have occurred
- Sanctions
- Documentation
- HR documents imposed sanctions on the workforce member
- Documentation is maintained per records and retention schedule
Ethics and Compliance Training
Confidentiality of Information
Public Interest and Benefit Activities Standard
Personal Representatives and Minors Standard
Uses, Disclosure, and Minimum Necessary Standard
Disciplinary Guidelines Standard
Information Privacy Security Administration Policy