Current through all regulations passed and filed through September 16, 2024
(A) Policy statement
The university of Toledo ("UToledo") requires that all workforce members with access to protected health information (PHI) be committed to ensuring that PHI is protected and kept confidential. PHI shall be used and disclosed in accordance with applicable laws and UToledo policies.
(B) Purpose of policy
The purpose of this policy is to outline the appropriate use of PHI consistent with the Health Insurance Portability and Accountability Act (HIPAA) privacy rule and all updates allowing for the use and disclosure of PHI for treatment, payment, or health care operations. PHI includes all health and financial information pertaining to a patient and the relatives or household members of the patient (rule 3364-70-05 of the Administrative Code, protections of human subjects in research for confidentiality of research information).
(C) Scope
This policy applies to all UToledo covered components (hybrid) and university of Toledo physicians (ACE) and their respective workforce members. Healthcare components are determined by the privacy and security committee as outlined in rule 3364-15-01 of the Administrative Code (HIPAA organizational structure and administrative responsibilities). The hybrid list is maintained on the UToledo privacy website.
(D) Definitions
(1) "Affiliate": a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
(2) "Covered entity": a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in an electronic form in connection with a transaction. See 45 C.F.R. 160.103 for the few statutory exemptions. See rule 3364-15-01 of the Administrative Code.
(3) "De-identification": in accordance with the HIPAA privacy rule, requires that the expert determination method be used or that the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:
(a) Name;
(b) Street address;
(c) City;
(d) County;
(e) Precinct;
(f) Zip code;
(g) Gender;
(h) Birth date;
(i) Admission date;
(j) Discharge date;
(k) Date of death;
(l) Age;
(m) Telephone number;
(n) Fax number;
(o) E-mail;
(p) Social security number;
(q) Medical record number;
(r) Health plan number;
(s) Account number;
(t) Certificate/license number;
(u) Vehicle ID number and license plate;
(v) Device identifier;
(w) Web location, Internet address;
(x) Biometric identifier;
(y) Photographs; or
(z) Any unique ID.
Note: Ages over eighty-nine and all elements of date (including year) indicative of such age are also removed, except that such ages and elements may be aggregated into a single category of age ninety or older.
(4) "Financial information": for the purpose of this policy includes but is not limited to:
(a) Health care claims information (including diagnostic and procedure codes, services rendered, and charges associated with those services);
(b) Insurance or other payment information;
(c) Payment activity;
(d) Coordination of benefits;
(e) Claim status;
(f) Referral certifications and authorizations;
(g) Health claim attachments; and
(h) Collection activity documentation.
(5) "Health plan": any individual or group that provides or pays the cost of medical care, including public and private health insurance issuers, HMOs, or other managed care organizations, employee benefit plans, the medicare and medicaid programs, military/veterans plans, and other "policy, plan or programs" for which a principal purpose is to provide or pay for health care services.
(6) "Healthcare provider": a provider of medical or health services (as defined in section 1861(u) of the Social Security Act, 42 U.S.C. 1395x(u)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
(7) "Workforce member": an employee, volunteer, trainee, or other person whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
(E) Procedure
All patient information that identifies or can be used to identify an individual is confidential and must be safeguarded.
(1) PHI may be accessed by UToledo workforce members who are directly or indirectly involved in the patient's care or finances and by those who have a need to know the information to perform specific tasks or provide specific services.
(2) Affiliates must maintain the confidentiality of patient information in compliance with the privacy and security regulations and UToledo policies.
(3) Persons not involved with a patient's care or finances and/or who do not have a specific need to know patient information for the performance of specific tasks or to provide specific services shall neither have nor seek access to patient information.
(4) Access to, use of, and disclosure of PHI shall be limited to the minimum necessary to perform a specific task or provide a specific service, except when a healthcare provider accesses PHI for treatment purposes. See rule 3364-90-02 of the Administrative Code (UToledo policy minimum necessary guidelines for use/disclosure of protected health information requirements to protected health information).
(5) Release of health information must be safeguarded by following the HIPAA regulations and UToledo policies.
(6) Covered entities should limit uses, disclosures, and requests for patient information to the minimum necessary; it is good practice to de-identify per 45 C.F.R. 164.514.
(7) Reasonable efforts must be taken to maintain the confidentiality of PHI by using appropriate physical, technical, and administrative safeguards, including but not limited to:
(a) Selecting private settings to conduct interviews, refraining from discussing patient information in public areas, ensuring that records and files are located in non-public areas, and placing computers and electronic devices in appropriate locations and positions.
(b) Electronic devices that contain PHI must incorporate the use of password protection. The physical security of the device must always be maintained by the user.
(c) Computers used to access patient information should not be left unattended; if a user must leave a computer unattended, it should be locked or logged off.
(d) Use of the electronic mail system for PHI must follow rule 3364-65-07 of the Administrative Code (electronic communication policy).
(e) Voice mail messages containing PHI generally should not be left on recorders. Messages to patient recorders should be limited to pre-registration information, confirmation of appointments, or to solicit a return call, unless otherwise agreed or requested by a patient.
(f) PHI must be appropriately disposed of; see rule 3364-90-16 of the Administrative Code (medical record retention and destruction; disposal of protected health information).
(g) To mitigate security risks to individuals from the secondary use of data (for example, comparative studies, policy assessment, and research), patient information should be de-identified. The privacy rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.
(8) A confidentiality statement acknowledging that an individual is aware of and understands UToledo's confidentiality policy shall be signed prior to any person obtaining access or exposure to patient information.
(9) Individuals with access to patient health information are educated about confidentiality during orientation and during training on the hospital information system. Access to the hospital information system requires identification and a password as defined by rule 3364-65-02 of the Administrative Code (information security and technology administrative safeguards policy).
(10) Breaches and other incidents involving PHI must be reported to and investigated by the privacy officer in accordance with institutional corrective action/disciplinary policies.
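The following is an added worked example, not part of the policy text and not UToledo's own tooling. It shows how a reviewer could check a record intended for secondary use (procedure (E)(7)(g)) against the identifier list in definition (D)(3)(a)-(z) and its age note before the data leaves the covered component. The field names, the reference date, the `year_of_birth` field, and the sample record are this example's own assumptions; the sample values are constructed and fictional.

```python
"""Safe-harbor de-identification audit for a record intended for secondary use.

Added example, not part of the UToledo policy. It applies the (D)(3)(a)-(z)
identifier list and the note on ages over eighty-nine to a constructed record.
"""
from datetime import date

# This example's own field names for the (D)(3) identifiers (assumption).
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "zip_code", "gender",
    "birth_date", "admission_date", "discharge_date", "date_of_death", "age",
    "telephone_number", "fax_number", "email", "ssn", "medical_record_number",
    "health_plan_number", "account_number", "certificate_license_number",
    "vehicle_id", "license_plate", "device_identifier", "url", "ip_address",
    "biometric_identifier", "photograph", "unique_id",
}
AGE_CUTOFF = 90  # (D)(3) note: ages over eighty-nine collapse to "ninety or older"
REFERENCE_DATE = date(2024, 9, 16)  # assumed "as of" date for age arithmetic


def find_identifiers(record):
    """Return the (D)(3) identifier fields that are still populated in the record."""
    return sorted(k for k in record
                  if k in IDENTIFIER_FIELDS and record[k] not in (None, ""))


def age_note_violations(record, as_of=REFERENCE_DATE):
    """Flag an age of 90 or over, and a year of birth that implies such an age.

    A bare year is not on the (a)-(z) list, but the note says every date
    element, year included, that indicates an age over eighty-nine must go.
    Year-only arithmetic over-estimates age by at most one year, so it can
    over-flag but never under-flag.
    """
    problems = []
    age = record.get("age")
    if isinstance(age, int) and age >= AGE_CUTOFF:
        problems.append("age")
    year = record.get("year_of_birth")
    if isinstance(year, int) and as_of.year - year >= AGE_CUTOFF:
        problems.append("year_of_birth")
    return problems


def deidentify(record, as_of=REFERENCE_DATE):
    """Drop identifier fields and aggregate age information as the (D)(3) note allows."""
    cleaned = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    year = cleaned.pop("year_of_birth", None)
    if isinstance(year, int):
        if as_of.year - year >= AGE_CUTOFF:
            cleaned["age_category"] = "90 or older"  # single aggregated category
        else:
            cleaned["year_of_birth"] = year  # under ninety: year alone may stay
    return cleaned


def audit(record, as_of=REFERENCE_DATE):
    """Return (identifier fields present, age-note violations) for a record."""
    return find_identifiers(record), age_note_violations(record, as_of)


# Constructed sample record with fictional values; not real patient data.
SAMPLE = {
    "name": "Example Patient",
    "zip_code": "43614",
    "medical_record_number": "MRN-0000001",
    "birth_date": "1931-05-02",
    "year_of_birth": 1931,
    "diagnosis_code": "E11.9",
    "procedure_code": "99213",
}

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    cleaned = deidentify(SAMPLE)
    print("after: ", cleaned, audit(cleaned))
```

The audit is deliberately separate from the cleaning step: the check can be run on a dataset someone else claims is de-identified, and an empty result from both `find_identifiers` and `age_note_violations` is the condition a reviewer wants to see before release.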
Replaces: 3364-15-10