Current through all regulations passed and filed through September 16, 2024
(A) Policy statement
The university of Toledo ("UToledo") will make reasonable efforts to limit the use and disclosure of individually identifiable protected health information to the minimum necessary to comply with any requests and make reasonable efforts to limit its own requests to other organizations to a similar minimum necessary request.
(B) Purpose of policy
To comply with the minimum necessary use and disclosure guidelines for protected health information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Administrative Simplification Act Privacy Rule 45 C.F.R. 160, 162 and 164 and HITECH Act.
(C) Scope
This policy applies to university of Toledo physicians ("UTP") affiliated covered entities ("ACE") and all UToledo covered components (hybrid) and their respective workforce members. Covered components are determined by the privacy and security committee and documented on the hybrid list that can be located on the UToledo healthcare compliance and privacy website located at: https://www.utoledo.edu/offices/compliance/
(D) Procedure
(1) The exceptions to the minimum necessary restrictions set forth in this policy and under HIPAA, do not apply to the following uses and disclosures:
(a) A healthcare provider for treatment purposes, including for emergencies;
(b) The individual who is the subject of the information seeks access;
(c) Request is made as a result of a valid authorization;
(d) Accounting of disclosures;
(e) Uses or disclosures required for compliance with HIPAA; and
(f) The secretary of the department of health and human services as may be required for compliance and enforcement purposes;
(g) Disclosures required by law.
(2) Access for treatment purposes
Complete access to a patient's entire medical record, both paper and computerized, in order to provide appropriate and efficient treatment to a patient during the patient care episode is required for the following:
(a) Direct care providers: physicians, residents, nurses and allied health care providers, case management personnel, medical assistants and direct support personnel.
(b) Students: medical, nursing, and other allied health.
(c) Faculty: medical, nursing and other allied health.
(d) Indirect care providers involved in provision of diagnostic testing, i.e., laboratory, radiology and heart and vascular require access to PHI necessary to perform the test.
(3) Minimum necessary requests for PHI must be limited to what is reasonably necessary to accomplish the purpose of the request. Requests made on a routine and recurring basis must be limited to the PHI necessary to accomplish the purpose of the request.
(a) Verbal communications: personnel will not engage in verbal communication of PHI in public areas if possible, and in cases where necessary, will use reasonable precautions to reduce the risk of being overheard by others such as using lowered tones.
(b) PHI listed on white boards or sign-in sheets used in the provision of healthcare will be posted out of the public view to the extent possible and contain only those elements necessary to accomplish their purpose (i.e., diagnosis information would "not" be necessary on a sign-in sheet).
(c) Requests for PHI from other healthcare providers for continuity of care are permitted.
(d) Requests for PHI made, other than continuity of care, will be limited to that which is reasonably necessary to accomplish the purpose for which the request was made.
(e) Requests for PHI made from hybrid and affiliate covered entities from other healthcare providers, other than for treatment, will be reviewed by the health information management department or the privacy officer to determine the amount of PHI necessary to release to accomplish the purpose of the request.
(4) Health information management ("HIM") is the office responsible for the full legal medical record. The inpatient full legal medical record is the onecontent application. HIM in conjunction with health information technology ("HIT") will be responsible for granting direct access to the medical record system.
A detailed matrix of access to PHI will be held by health information management with input from clinical informatics. The minimum necessary PHI access matrix is based on the role of the individual and the "need to know criteria" in the performance of their job and in some cases their job location.
See addendum A (full access), addendum B (limited access), addendum C (outside access).
Replaces: 3364-90-02