Policies
Uses, Disclosure, and Minimum Necessary Standard
Use and Disclosure of PHI
The Privacy Rule limits the use and disclosure of protected health information (PHI) to “the minimum necessary” to accomplish the purpose of the request. Only the information that is truly necessary should be in scope when PHI is used or shared, regardless of whether the information is oral, written or electronic.
- Limited Data Set
  - Ensure data provided excludes direct identifiers of persons and their affiliates (e.g., family, employer)
  - Direct Identifiers
    - Names
    - Address (except town/city, State, zip code)
    - Phone numbers
    - Fax numbers
    - E-mail addresses
    - Social security numbers
    - Medical record numbers
    - Health plan beneficiary numbers
    - Account numbers
    - Certificate/license numbers
    - Vehicle identifiers and serial numbers
    - License plate numbers
    - Device identifiers and serial numbers
    - Web Universal Resource Locators (URLs)
    - Internet Protocol (IP) addresses
    - Biometric identifiers (e.g., finger and voice prints)
    - Full face photographic images
- System Access
  - Ensure user access controls are implemented for all systems containing patient information
  - Grant user access only through appropriate authorization
  - Access only for legitimate business-related purposes
  - Audit controls to ensure access is restricted to role-based need
  - Access for personal reasons is not allowed (e.g., viewing your own, family or friends’ medical records)
- Exceptions to Minimum Necessary
  - Disclosures to or requests by a health care provider for treatment
  - Uses or disclosures made to the patient or the patient’s personal representative
  - Uses or disclosures made to meet the terms of a valid patient authorization
  - Disclosures to the Director, OCR, Health and Human Services for HIPAA compliance
  - Uses or disclosures required by law (e.g., state reporting)
  - Uses or disclosures required for compliance with HIPAA
- Incidental Uses or Disclosures
  - A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and is a by-product of a permitted use or disclosure
  - Examples of incidental uses or disclosures include
    - Patient sign-in sheets or calling out a patient’s name in a waiting room
    - Laboratory results discussed with a patient in a joint treatment room
  - Reasonable safeguards to limit incidental disclosures must be put in place
- Categories of Persons with Access to PHI
  - Identify persons at Tenet who need access to PHI for their jobs
  - Document persons and classes of persons on the form “Sample Routine and Recurring Access” and include it in the standard protocol
  - Review job descriptions to determine roles that need access to PHI for their jobs
    - Persons who treat patients
    - Billers
    - Appointment scheduling clerks
    - Medical records staff
    - Receptionists
- Categories of PHI for Specific Access Levels
  - Determine levels of access for the following categories of PHI and roles
    - Medical record: persons who treat patients, medical records staff
    - Summary or face sheet: appointment scheduling clerks, receptionists
  - Document and regularly review the levels of access and PHI categories
  - Create access roles for electronic medical records systems
  - Monitor access of medical records staff for paper records
  - Consider physical, administrative and technical security controls
  - Consider other administrative tracking methods (e.g., sign-in sheets, label per patient)
- Routine or Recurring Disclosure or Request
  - Limit the PHI that is disclosed or requested to what is needed to complete the request
  - Each Tenet facility must have a form of the “Example of Protocols for Routine or Recurring Disclosures or Requests” document in its standard protocol
  - Types of routine disclosures or requests must be identified in the protocol
- Non-routine Disclosure or Request
  - Criteria to limit the PHI that is disclosed or requested to what is needed to complete the request must be defined
    - Reason for the request or disclosure
    - Nature and scope of the requested data
    - Whether the requested data can be pulled from the medical record without significant burden and without viewing unnecessary parts of the record
    - Where the PHI will be viewed or used
    - Availability of physical, technical and other security measures at the place of viewing or use
    - Urgency of the need for the requested PHI
    - Trustworthiness of the person who will access or use the PHI
  - Staff administrators must be trained to review Workforce requests
- Requested Disclosure as Minimum Necessary
  - Disclosures made in response to a public official’s request
  - Information is requested by another covered entity
  - Information is requested by a health care professional (e.g., a physician or nurse) who is part of the workforce or a Business Associate
  - Research purposes that comply with the Patient Information Privacy Policy
- Reasons that are not for Treatment, Payment or Health Care Operations (TPO) or based on public policy require a valid authorization with these requirements
  - Description of the information to be used or disclosed
  - Name of the person or class of persons authorized to make the request
  - Name of the person or class of persons to whom Tenet can make the request
  - Purpose for each of the requests
  - Expiration date or end event for the request (as applicable)
  - Statement of the individual's right to revoke the authorization, and of the process and exceptions for revoking it
  - Statement that treatment and payment are not conditioned on obtaining the authorization (unless otherwise allowed)
  - Statement that authorized information might be disclosed again by the recipient and no longer be protected by this rule
  - Statement that the individual can inspect or copy the PHI disclosed in response to the authorization
  - Statement that the use or disclosure of the requested information will result in remuneration to Tenet (if applicable)
  - A copy of the signed authorization must be provided to the individual for their own use or disclosure of PHI
  - Signature of the individual and date (and the representative's authority to act for the individual, where a representative signs)
  - Other considerations
    - Authorization must be written in plain language
    - Authorization must be documented on a form such as “Sample Authorization to Use and Disclose Health Information”
    - Authorization does not need to expire (i.e., it may continue until the “end of the research study” without a specific end date or event date)
    - Authorization may be combined with consent to participate in the research or other legal permission related to the research study
Sample Authorization to Use and Disclose Health Information
Example of Protocols for Routine or Recurring Disclosures or Requests Attachment B
EC.PS.04.02 User Security and Conduct Standard
EC.PS.02.03 Public Interest and Benefit Activities
EC.PS.02.00 Patient Information Privacy Policy
EC.PS.01.00 Information Privacy Security Administration Policy