Disclaimer This presentation is intended only for use by Tulane University faculty, staff, and students. No copy or use of this presentation should occur without the permission of Tulane University. Tulane University retains all intellectual property interests associated with the presentation. Tulane University makes no claim, promise, or guarantee of any kind about the accuracy, completeness, or adequacy of the content of the presentation and expressly disclaims liability for errors and omissions in such content. Medical Privacy of Protected Health Information (PHI) Clarification of the Privacy Rule’s protections for personal health information, and permitted disclosures needed for patient care and other important purposes. Read Before Proceeding Physicians and Staff may earn one compliance credit by viewing this slide show, completing the Assessment (Quiz), and faxing the assessment to the University Privacy and Contracting Office: 504-988-7777 This presentation may be viewed for compliance credit only once in a fiscal year (July 1 - June 30). To check how many compliance credits you have and to see which training sessions you have completed, contact the University Privacy and Contracting Office at 504-988-7739 The HIPAA Privacy Rule: Background: The HIPAA Privacy Rule establishes Federal protection for personal health information. It is balanced to avoid creating unnecessary barriers to delivery of quality health care. The rule prohibits a covered entity’s use or disclosure of PHI without patient authorization, except where this prohibition would result in unnecessary interference with access to quality health care. HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances can share information for treatment purposes: Providers can freely share information with other providers where treatment is concerned, without getting a signed patient authorization or “jumping through [other] hoops.” To avoid interfering with a patient’s access to quality health care, the Privacy Rule permits a covered entity (e.g., physician) to use and disclose protected health information, with certain limits and protections, in order to treat the patient. Treatment means… Provision Coordination, or Management of health care and related services among health care providers, or with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. A covered entity may, without the patient’s authorization Use or disclose PHI about the patient to provide health care to the patient Consult with other health care providers about the patient’s treatment For example… A primary care provider may send a copy of a patient’s medical record to a specialist who needs this information to treat the patient. A hospital may send a patient’s health care instructions to a nursing home to which the patient is transferred. Except: Except when psychotherapy notes are used by the originator to carry out treatment, or by the covered entity for certain other limited health care operations, uses and disclosures of psychotherapy notes for treatment require the individual’s authorization. Consent: A covered entity may choose, but is not required, to obtain a patient’s consent for it to use and disclose information about him or her for treatment. A “consent” document is not a valid permission to use or disclose Protected Health Information for purposes that require an “authorization” under the Privacy Rule (see 45CFR 164.522(a). Right to Request Privacy Protection Patients have the right to request restrictions on how a covered entity will use and disclose PHI about them for treatment, but, A covered entity is not required to agree to a patient’s request for a restriction. It is, however, bound by any restriction to which it agrees. Any use or disclosure of PHI for treatment must be consistent with the covered entity’s “Notice of Privacy Practices”. HIPAA does not cut off all communications between providers and the families and friends of patients: Doctors and other providers covered by HIPAA may share needed information with family, friends, or anyone else a patient identifies as involved in his care as long as the patient does not object. Unless a patient objects, doctors, hospitals and other providers may disclose information when needed to notify a family member, or anyone responsible for the patient’s care, about the patient’s location or general condition. Even when the patient is incapacitated, a provider may share appropriate information for these purposes if he believes that doing so is in the best interest of the patient. The HIPAA Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and other persons if the patient agrees, or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonable infer, based on professional judgment, that the patient does not object. Even when the patient is not present, or it is impracticable due to emergency circumstances to ask the patient about discussing his care with a family member or another person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the patient’s best interest. Disclosures for Public Health Activities The HIPAA Privacy Rule recognizes a legitimate need for public health authorities and others responsible for enduring public health/safety to have access to PHI to carry out their mission. The Rule understands that public health reports made by covered entities are an important means of identifying threats to the health/safety of the public and of individuals. Accordingly, the Rule permits covered entities to disclose PHI without authorization for specified public health purposes. The Privacy Rule permits covered entities to disclose PHI, without authorization, to Public Health personnel who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. HIPAA does not prevent the reporting of child abuse. Doctors may continue to report child abuse or neglect to appropriate government authorities, If the report is made to a public health authority authorized by law to receive such reports, Including reporting such cases to the Police Department. Persons at risk of contracting or spreading a disease A covered entity may disclose Protected Health Information to a person who is at risk of contracting or spreading a disease or condition if other law authorizes the covered entity to notify such individual(s) as necessary to carry out public health interventions or investigations. For more information: About discussing a patient’s health status: www.hhs.gov/hipaafaq/notice/488.html Reporting child abuse: www.hhs.gov/ocr/hipaa/guidelines/publi chealth.pdf For a summary of the Privacy Rule: www.hhs.gov/ocr/privacysummary.pdf