Medical Privacy of Protected Health Information

advertisement
Disclaimer
This presentation is intended only for use by Tulane
University faculty, staff, and students. No copy or
use of this presentation should occur without the
permission of Tulane University. Tulane University
retains all intellectual property interests associated
with the presentation. Tulane University makes no
claim, promise, or guarantee of any kind about the
accuracy, completeness, or adequacy of the content
of the presentation and expressly disclaims liability
for errors and omissions in such content.
Medical Privacy of
Protected Health Information
(PHI)
Clarification of the Privacy Rule’s
protections for personal health
information, and permitted
disclosures needed for patient care
and other important purposes.
Read Before Proceeding
Physicians and Staff may earn one compliance credit by
viewing this slide show, completing the Assessment
(Quiz), and faxing the assessment to the University
Privacy and Contracting Office: 504-988-7777
This presentation may be viewed for compliance
credit only once in a fiscal year
(July 1 - June 30).
To check how many compliance credits you have and to
see which training sessions you have completed, contact
the University Privacy and Contracting Office at
504-988-7739
The HIPAA Privacy Rule:
Background:



The HIPAA Privacy Rule establishes Federal
protection for personal health information.
It is balanced to avoid creating unnecessary barriers
to delivery of quality health care.
The rule prohibits a covered entity’s use or disclosure
of PHI without patient authorization, except where
this prohibition would result in unnecessary
interference with access to quality health care.
HIPAA does not require patients
to sign consent forms before
doctors, hospitals, or ambulances
can share information for
treatment purposes:

Providers can freely share information with
other providers where treatment is
concerned, without getting a signed patient
authorization or “jumping through [other]
hoops.”
To avoid interfering with a patient’s
access to quality health care,
the Privacy Rule permits a covered
entity (e.g., physician) to use and
disclose protected health
information, with certain limits and
protections, in order to treat the
patient.
Treatment means…



Provision
Coordination, or
Management
of health care and related services among
health care providers, or with a third party,
consultation between health care providers
regarding a patient, or the referral of a
patient from one health care provider to
another.
A covered entity may, without
the patient’s authorization


Use or disclose PHI about the patient to
provide health care to the patient
Consult with other health care providers
about the patient’s treatment
For example…


A primary care provider may send a
copy of a patient’s medical record to a
specialist who needs this information to
treat the patient.
A hospital may send a patient’s health
care instructions to a nursing home to
which the patient is transferred.
Except:

Except when psychotherapy notes
are used by the originator to carry
out treatment, or by the covered
entity for certain other limited
health care operations, uses and
disclosures of psychotherapy notes
for treatment require the
individual’s authorization.
Consent: A covered entity may choose,
but is not required, to obtain a patient’s
consent for it to use and disclose
information about him or her for
treatment.

A “consent” document is not a valid
permission to use or disclose Protected
Health Information for purposes that
require an “authorization” under the
Privacy Rule (see 45CFR 164.522(a).
Right to Request Privacy
Protection


Patients have the right to request
restrictions on how a covered entity will
use and disclose PHI about them for
treatment, but,
A covered entity is not required to
agree to a patient’s request for a
restriction. It is, however, bound by any
restriction to which it agrees.
Any use or disclosure of PHI
for treatment must be
consistent with the covered
entity’s “Notice of Privacy
Practices”.
HIPAA does not cut off
all communications
between providers and
the families and friends
of patients:
Doctors and other providers covered by HIPAA
may share needed information with family,
friends, or anyone else a patient identifies as
involved in his care as long as the patient
does not object.
Unless a patient objects, doctors, hospitals and
other providers may disclose information when
needed to notify a family member, or anyone
responsible for the patient’s care, about the
patient’s location or general condition.
Even when the patient is
incapacitated, a provider may
share appropriate information
for these purposes if he
believes that doing so is in the
best interest of the patient.
The HIPAA Privacy Rule
specifically permits covered
entities to share information
that is directly relevant to the
involvement of a spouse,
family members, friends, or
other persons identified by a
patient, in the patient’s care.
If the patient is present, or is
otherwise available prior to the
disclosure, and has the capacity
to make health care decisions,
the covered entity may discuss
this information with the family
and other persons if the patient
agrees, or, when given the
opportunity, does not object.
The covered entity may also
share relevant information
with the family and these
other persons if it can
reasonable infer, based on
professional judgment, that
the patient does not object.
Even when the patient is not
present, or it is impracticable due to
emergency circumstances to ask the
patient about discussing his care
with a family member or another
person, a covered entity may share
this information with the person
when, in exercising professional
judgment, it determines that doing
so would be in the patient’s best
interest.
Disclosures for Public Health
Activities



The HIPAA Privacy Rule recognizes a legitimate need
for public health authorities and others responsible
for enduring public health/safety to have access to
PHI to carry out their mission.
The Rule understands that public health reports
made by covered entities are an important means of
identifying threats to the health/safety of the public
and of individuals.
Accordingly, the Rule permits covered entities to
disclose PHI without authorization for specified public
health purposes.
The Privacy Rule permits covered
entities to disclose PHI, without
authorization, to Public Health
personnel who are legally
authorized to receive such
reports for the purpose of
preventing or controlling disease,
injury, or disability.
HIPAA does not prevent the
reporting of child abuse.



Doctors may continue to report child
abuse or neglect to appropriate
government authorities,
If the report is made to a public health
authority authorized by law to receive
such reports,
Including reporting such cases to the
Police Department.
Persons at risk of contracting
or spreading a disease

A covered entity may disclose Protected
Health Information to a person who is
at risk of contracting or spreading a
disease or condition if other law
authorizes the covered entity to notify
such individual(s) as necessary to carry
out public health interventions or
investigations.
For more information:




About discussing a patient’s health
status:
www.hhs.gov/hipaafaq/notice/488.html
Reporting child abuse:
www.hhs.gov/ocr/hipaa/guidelines/publi
chealth.pdf
For a summary of the Privacy Rule:
www.hhs.gov/ocr/privacysummary.pdf
Download