Name of Policy: Policy Number: Department: Approving Officer: Responsible Agent: Scope:

Release of Health Information

nit; UNIVIiRSITY eli'

3364-100-90-01 Hospital Administration Vice President & Executive Director Vice President & Executive Director The University of Toledo Medical Center and its other Health Care Components

TOLEDO
11:171

Effective Date: October 12, 2010 Initial Effective Date: January, 1978

x
(A)

New policy proposal Major revision of existing policy

Minor/technical revision of existing policy Reaffirmation of existing policy

Policy Statement

Protected health information of patients is confidential and may only be released in accordance with law and University policy and in celiain circumstances is required to be released to the patient or the patient's representative. (B) Purpose of Policy

To assure that health information is protected and released in accordance with all state, federal and University guidelines including but not limited to the Health Insurance Portability and Accountability Act of 1996, Administrative Simplification Act Privacy Rule 45 CFRPmis 160, 162 and 164 ("HIPAA") and the Family Education Rights and Privacy Act, 20 U.S.C. 1232g; 34 CFT Part 99 ("FERP A").
(C)

Procedure 1. Generally a. Protected Health Information (PHI AND SEE DEFINITIONS FOR CAPITALIZED TERMS IN ARTICLE D) under HIPAA may not be used or disclosed by a member of the University Workforce or by business associates except as permitted in this policy or other University HIPAA policies and applicable law. PHI may also be incidentally used or disclosed in conjunction with a use or disclosure permitted under law and University policy, as long as the minimum necessary specifications ofHIPAA apply, including but not limited to limiting access to PHI to delineated members of the University Workforce. All requests for PHI that are not specifically addressed in this policy should be referred to the Health Information Management Department who will follow up with the Privacy Officer or the Office of Legal Affairs as necessary.

b.

2. 3.

Limit Use or Disclosure ofInformation to Minimum Necessary Requests for the use or disclosure of PHI must be responded to with the minimum information necessary to accomplish the intended purpose of the use or disclosure. The requirements for "minimum necessary" information are set forth in Policy #3364-100-90-02. The minimum necessary limitations do not apply to the following uses and disclosures: (i) to or by a health care provider for treatment purposes; (ii) to the individual who is the subject of the information; (iii) made pursuant to a proper patient authorization; (iv) required for the University's compliance with HIPAA; or (v) to the Secretary of Health and Human Services or designee ("HHS Secretary") as may be required for investigation or review. Verification of the Identity of a Person Requesting PHI a. Verification of the identity and authority of the person-requesting PHI must be confirmed. This may include either use of the call back procedure, verification of a patient's signature with that which is present in the patient's record, obtaining a copy of the ID of the requesting party or by obtaining a written request for the protected health information on requesting agency letterhead, or by other reasonable methods to verify under the circumstances. The verification of identity or attempts to obtain verification should be documented.

Policy #3364-100-90-1 Release of Health Information Page 2

4.

Release ofInformation to Individual, Authorized Representative a. b. Release of PHI to the individual who is the subject of the infotmation is required subject to verification of the individual's identity. Minimum necessary limitations do not apply. Release of PHI to the Patient, Family Member or Friend. PHI may be released to a family member, other relative, close personal friend or any other person identified by the individual either (i) if such person is involved with the individual's care or payment related to care (and then information may only be released that is directly relevant), or (ii) to notify such person of an individual's location, general condition, or death, subject to the following conditions: 1) IF THE INDIVIDUAL IS PRESENT and able to make health care decisions, PHI may be disclosed if (i) the individual agrees to the disclosure, (ii) the individual does not object to the disclosure, or (iii) the health care provider reasonably infers that the individual does not object to the disclosure. 2) IF THE INDIVIDUAL IS NOT present or not able to make health care decisions, the health care provider may, in the exercise of professional judgment, determine whether disclosure of PHI is in the best interests of the individual and disclose PHI that is directly relevant to the person's involvement with the individual's care. Reasonable inferences can be made regarding allowing a person to act on behalf of the patient for the purposes of picking up prescriptions, medical supplies, x-rays, and similar items that contain protected health information. c. Authorized or Personal Representative. Generally, an authorized personal representative of an individual (invoked health care power of attorney, guardian or executor) shall be treated as the individual with respect to PHI so long as such information is relevant to the personal representative's authority. 1) A health care provider may elect NOT to treat a person as a personal representative if: (i) the health care provider believes that an individual has been or may be subjected to domestic violence, abuse or neglect by such person, or that treating such person as the personal representative could endanger the individual; and (ii) the health care provider decides that it is not in the best interest of the individual to treat such person as the individual's personal representative. 2) For release of information regarding minors, see Section 8 below. d. Copies of Medical Records requested by the Patient. Specific procedures for review of medical records; fees for copies of records and patient requests for amendments of records are handled through the Health Information Management Depmtment and also set fOlth in Policy 3364-100-90-07. Medical Records should not be printed and handed to patients directly without contacting the Health Information Management Depattment. Release of PHI for the Hospital Directory. The University will maintain a hospital directory for inpatients of the hospital. Upon admission as an inpatient, the patient will be asked whether they consent to being included in the hospital directory. The directory will include the following: the individual's name, location, religious affiliation and condition described in terms that do not contain specific medical information about the individual. This information may only be released to persons who ask for the individual by name. Workforce members accessing own PHI. Except for the limitations placed on access from time to time by the University, a Workforce member is permitted to access that Workforce member's own individual PHI through available University computing systems to which the Workforce member otherwise has access to as permitted by applicable University access policies. A person not granted access to the health record portal may not access that person's own health care record through someone with permitted access. Limitations placed on access by the University may include a denial of access to: psychotherapy notes, information compiled in reasonable anticipation of a legal proceeding; certain information that is part of a research study before completion of the study or laboratory results or information. Workforce members may not access PHI of family member or other persons to which they may otherwise have access through University computing systems and must comply with the request for PHI through Policy 3364-100-90-07. Workforce members will only be provided access to University computing systems

e.

f.

Policy #3364-100-90-1 Release of Health Information Page 3

with PHI only in conformance with the legitimate business need as set fOlth in the Workforce member's job description. 5. Release ofInformation for Treatment, Payment and Hospital Operations a. Use or disclosure of health infonnation, including PHI, for the purpose of treatment (including current treatment and continuity of care), consultative or other services related to care), payment of a patient bill or related services (including payment, service reviews, and requests involving insurers, billing and collection services or other payors), or Health Care operations (collectively referred to as "TPO") is permitted without patient consent or authorization. Patient Authorization to Release PHI Proper Authorization. Except with respect to subsection d. below, release of PHI other than to the individual where not for TPO and except where expressly permitted by law and University policy, a properly executed AUTHORIZATION TO RELEASE form is required. Special rules apply for psychotherapy notes and marketing. Questions regarding these matters should be referred to the Privacy Officer or the Health Information Management Department. University Form. Whenever possible, the University's AUTHORIZATION TO RELEASE form should be used. If the University's Authorization to Release form is not used, the authorization will have no less than the following elements written in plain language: a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion; 2) the name of the person authorized to make the request for use/disclosure; 3) the name of the person to whom the University may make the requested use/disclosure; 4) a description of the purpose of the request (when the individual initiates the request, "at the request of the individual" is sufficient); 5) an expiration date or expiration event; 6) a statement of the individual's right to revoke the authorization in writing, the exceptions to that right and the how to revoke an authorization as referenced in the NOTICE OF PRIVACY PRACTICES; 7) a statement that information used/disclosed may be subject to redisclosure by the recipient and no longer be protected by the HIPAA Privacy Rule; 8) a statement indicating that the authorization may not condition treatment or payment on the signing of the authorization;; 9) signature of the individual and date (if signed by a personal representative, authorization should also have a description of the representative's authority to act for the individual). Record Keeping for Release of PHI. Following authorized release of PHI from the Health Information Management Depmtment, the signed authorization will be retained in the health record with a notation of what specific information was released, the date of the release and the signature ofthe individual who released the information. 1)

b.

c.

d.

6.

Release of PHI Concerning Alcohol and Drug Abuse or HIV Records a. The release of information concerning alcohol and drug abuse prevention records or human immunodeficiency virus (HIV) testing records or acquired immunodeficiency syndrome (AIDS) records is controlled by state and federal laws and has a higher obligation of confidentiality (See 42 U.S.c. 290dd-3, 42CFR part 2 and Ohio Revised Code 3701.243 and related statutes). Any release of such records must specifically meet specific statutes or regulations for authorization for release. Releases and issues involving these matters should be referred to the Health Information Management Department or the Office of Legal Affairs. Not only must patients be informed of federal privacy rights upon admission related to treatment for alcohol and drug abuse, in releasing ALCOHOL AND/OR DRUG ABUSE prevention records pursuant to an appropriate authorization, a re-disclosure statement must accompany the released information. An authorization is not required when disclosing in a bona fide emergency, if authorized by a court order or for one of the other federally permitted uses. If an authorization is required, the authorization must also state:

b.

Policy #3364-100-90-1 Release of Health Information Page 4

"This information has been disclosed to you from records protected by federal confidentiality rules (42CFR Part 2). The Federal rules prohibit you from making any further disclosure of this information unless this further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient." c. In releasing information on HIV/AIDS RECORDS, a redisclosure statement must accompany the released information. This will state "This information has been disclosed to you from confidential records protected from disclosure by state law. You shall make no further disclosure of this information without the specific, written, and informed release of the individual to whom it pertains, or as otherwise permitted by state law. A general authorization for the release of medical or other information is not sufficient for the purpose of the release of HIV test results or diagnoses". d. 7. See also the HIV/AIDS disclosure protocol found within the Health Information Management Department as required by Ohio Revised Code 3701.243(B)(3).

Release of PHI on Minors a. For individuals who are MINORS, a parent, guardian or other authorized person generally has the authority to act on behalf of the minor for the purpose of release of information. There are exceptions to when a parent, guardian, or other person does not have authority which are: When the minor has the authority under law to consent to health care treatment, the minor holds the authority to provide, and the minor has not requested that such person be treated as the personal representative; 2) when the minor may lawfully obtain health care services without the consent of a parent, guardian or other authorized person and the minor, a court or other person authorized by law consents to such treatment; 3) when the parent, guardian or other authorized person agrees that the minor and healthcare provider may have a confidential relationship; and 4) when the provider reasonably believes in his or her professional jUdgment that the minor has been or may be subjected to abuse or neglect, or that treating the parent, guardian or other authorized person as the minor's personal representative could endanger the minor. In these circumstances the provider is permitted not to treat the parent, guardian or other authorized person as the minor's personal representative with respect to health information. b. In the case of a MINOR of divorced parents, generally the custodial parent may authorize use or disclosure of PHI but legal documents may authorize either parent to authorize the use or disclosure of PHI. If University personnel are alelied to a potential problem in this regard, these cases should be referred to the Office of Legal Affairs; or In the State of Ohio, if a minor has been treated for sexually transmitted conditions without the consent of the parent, the minor has the right to authorize use/disclosure of PHI without the signature of parent. 1)

c. 8.

Release of PHI on Deceased Patients a. b. For release of PHI of deceased patients, an executor, administrator or other person authorized by law to act on behalf of a decedent may authorize release of PHI of the deceased. No authorization is required for release of PHI for coroner's cases or when releaseing PHI to funeral directors.

Policy #3364-100-90-1 Release of Health Information Page 5

9.

Release of PHI to Law Enforcement officials or the HHS Secretary a. In response to a law enforcement official's request for PHI, which includes University policy, and subject to the verification of the official's identity, health information may be disclosed for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that only the following information is released: 1) 2) 3) 4) 5) 6) 7) 8) b. c. Name and address Date and place of birth Social Security Number ABO blood type and Rh factor Type of injury Date and time of treatment Date and time of death Description of distinguishing physical characteristics including height, weight, gender, race, hair, eye color, presence or absence of facial hair, scars and tattoos.

The patient's DNA, dental, records or typing, samples or analysis of body fluids or tissues may not be released, except as otherwise permitted by law. Information regarding any tests to detelmine the presence of alcohol or a substance of abuse may be released to a police officer involved in an official criminal investigation or proceeding upon the receipt ofa "Written Statement Requesting the Release of Records" as set forth by Ohio Revised Code 2317.022(B). Release of PHI in order to prevent, avert or lessen a serious and imminent threat to health or safety of a person 01' public is permissible to a person reasonably able to prevent or lessen the threat. PHI may be disclosed to law enforcement officials about an individual or deceased individual who is or is suspected to be a victim of a crime if the individual is unable to consent because of incapacity or other emergency circumstance and the law enforcement official represent that such information is needed to determine whether a violation by a person other than the victim has occUlTed. It must be shown that such information is not intended to be used against the victim and that the information is material to the investigation and waiting for the individual to agree to the disclosure would adversely affect the investigation and disclosure is in the best interests of the individual in the professional judgment of the caregiver. PHI may be released without an authorization to law enforcement officials on a patient who has died for the purpose of alelting law enforcement of the death if there is a suspicion that such death may have resulted from criminal conduct. PHI may also be released without an authorization to law enforcement officials on a patient who in good faith believes that criminal conduct occurred on the premises of the health care facility. When emergency care provided to a patient due to a crime other than abuse or neglect, PHI disclosure is permissible when it appears necessary to alert law enforcement to determine: 1) the commission and nature of a crime 2) location of such crime or victims of such crime 3) the identity, description, and location of the perpetrator of such crime.

d. e.

f.

g. h.

i.

To the HHS Secretary, Release of PHI to the HHS Secretary for purposes of an investigation or compliance with HIPAA is required by the University. All such requests should be directed to the Office of Legal Affairs or the Privacy Officer.

10. Release of PHI to Social or Protective Services Release of PHI to social services or protective services about an individual who may be a victim of abuse, neglect or domestic violence shall be made as required by law and limited to the relevant requirements of such law. Such disclosures should be done upon the permission of the individual, unless the health care provider

Policy #3364-100-90-1 Release of Health Information Page 6

believes disclosure is necessary to prevent serious harm to the individual or other potential victims. The individual should promptly be informed of the disclosure unless this would place the individual at risk of serious harm or notifying a personal representative would not be in the best interests of the individual as determined by the health care professional. In the case of a child, release of PHI without an authorization is permitted to a public health authority authorized by law to receive such reports of child abuse or neglect. 11. Release of PHI requested by Subpoena or Court Order PHI may be released without an authorization in response to a court order signed by a judge. PHI requested by subpoena, discovery request or other lawful process in a civil action that is not accompanied by a COUlt order signed by a judge or by a patient authorization will not be released. PHI requested by subpoena, administrative request relevant to a legitimate law enforcement or governmental agency inquiry will be directed to Health Information Management Depmtment or the Office of Legal Affairs, HSC. 12. Release of PHI Information as authorized by Statute, Workplace Surveillance, Health Oversight and Organ Procurement, FDA a. PHI may be disclosed without a patient authorization to agencies that are authorized by statute to receive such PHI for public health reasons, for the reporting of disease, deaths, public health investigations, exposure to communicable diseases. PHI may be released to the patient's employer without a patient authorization for the purposes of conducting an evaluation relating to the medical surveillance of the workplace or to evaluate whether the individual has a work related illness or injury only if the provider provided health care services to the individual at the request of the employer. The PHI that can be disclosed may only consist of findings concerning a work-related injury or a workplace related medical surveillance. PHI may be released to a health oversight agency without a patient authorization for oversight activities authorized by law or necessary for the appropriate oversight of the health care system. PHI may be released without authorization to organ procurement organizations for the purpose of facilitating organ, eye or tissue donation and transplantation. PHI may be used or disclosed to a public or private organization authorized by law to assist in disaster relief effOlts for the purpose of coordinating with these organizations. PHI may be disclosed to the Food and Drug Administration to repOlt adverse events, product defects, recalls, replacements or post marketing surveillance under the direction of the FDA.

b.

c. d. e. f.

13. Release of PHI to Workers Compensation Release of PHI directly related to the injury for workers compensation does not require patient authorization per the Ohio Bureau of Workers' Compensation (BWC) regulations, as permitted under HIPAA. BWC requests for patient records not related to the injury require patient authorization. 14. Release of PHI for Marketing or Fund Raising PHI of patients for marketing communications may be released without authorization when: a. b. communication with the patient occurs in a face to face encounter with the practitioner or covered entity products or services are considered to be promotional gifts of nominal value. All other marketing to patients requires a patient authorization. If the marketing is expected to result in a direct or indirect remuneration to the University, the authorization must so state this fact. For disclosures to a business associate or an institutionally related fund raising foundation for the purpose of raising funds for an entity's own benefit without patient authorization (unless the patient has previously opted out of receiving these communications), only the following will be released: 1) demographic information relating to an individual

c.

Policy #3364-100-90-1 Release of Health Information Page 7

2)

dates ofheaIth care provided.

15. Release of PHI for Research Specific procedures for the use or disclosure of PHI for research are described in Policy 3364-70-05. 16. Release of PHI to Students a. Health records kept by the University for students emolled in the University, and where such persons are not employees of the University are not subject to the rules with respect to HIP AA, but instead the Family Education Rights and Privacy Act. Release of PHI to Business Associates PHI may be disclosed to a business associate of the University if the provider obtains satisfactory assurance that the business associate will protect the PHI. The health care provider and the business associate must have a written agreement that complies with HIP AA, and the use and disclosure of protected health information to business associates will adhere to the business associate agreement.

b.

c.

(D)

Definitions
1. "Business Associate(s)" mean "Business Associate" means a person or entity that either (i) performs or assists the provider in the performance of an operational function or activity involving PHI, such as claims processing; data analysis, processing or administration; utilization review; billing, or (ii) provides an operational service to or for the provider involving the disclosure of PHI, such as accounting; consulting; data aggregation, accreditation. "Covered Component(s)" or "Designated Health Care Component" mean the University of Toledo Medical Center, the UT Medical Staff, UT Clinics, including the University of Toledo student and employee health clinics, the entire Health Science Campus and other covered components as designated by the Privacy Officer (legal, audit, compliance). "Health information" is defined by HIP AA to include any information, whether oral or recorded in any form or medium, that is created or received by a health care provider and relates to the past, present or future physical or mental health or condition of an individual, the provision of health care services to an individual, or the payment for the provision of health care services. Health information may be found in medical records, patient information stored in computerized databases, patient census lists, operating room schedules, "white patient boards" and admission/discharge lists "Protected Health Information" (PHI) is health information that identifies or can be used to identify an individual is considered Protected Health Information (PHI) under HIP AA. Any of the following information pertaining to a patient or the relatives, employees or household members of the patient can be used to identify a patient which include: name, street address, city, county, precinct, zip code, geocode, birth date, admission date, discharge date, date of death, age, telephone number, fax number, e-mail, social security number, medical records number, health plan number, account number, certificate/license number, vehicle ID number and license plate, device identifier, web location, Internet Address, biometric identifier, photographs or any unique ID. PHI does not include: (1) individually identifiable health information in education records covered by FERPA; (2) records on a student of the University which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in that person's professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student's choice; and also (3) employment records held by the University in its role as employer. "Health Care Operations" means any of the following activities to the extent that the activities are related to covered functions: conducting quality assessment and improvement activities; credentialing activities, including the reviewing the competence or qualifications of health care professionals, evaluating performance and health plan performance; underwriting or premium rating; conducting or arranging for medical, legal or auditing review; business management and general administrative activities of the University, including

2.

3.

4.

5.

Policy #3364-100-90-1 Release of Health Information Page 8

customer service, complaint resolution and merger or consolidation with another entity any other general business use consistent with de-identification or limited data set or permitted fundraising uses. 6. "Workforce" means employees, faculty, medical staff members, residents, students, trainees or other persons whose conduct, in the performance of health care related work for a Covered Component of the University, is under the direct control of the University, whether or not they are paid by the Covered Component.

Scott Scarborough Interim Executive Director Senior Vice President for Finance & Administration
Review/Revision Completed By: HAS Health Information Management Risk Management Chie 0 Sta

Date

Review/Revision Date: 5/79 10/87 5/80 12/88 6/81 12/18/89 11/81 3/11/92 3/83 3/5/93 7/84 2/9/94 11/85 9/11/96 10/86 3/10/99

7/10/02 4/14/03 8/9/06 10/12/2010

Next Review Date:

10/1/2013

Policies Superseded by This Policy: 7-90-1 Release ofInfol'mation; 3364-15-02