Protected Health Information (PHI)

FAQ

What is PHI?

Patient information (also called protected health information or PHI) is written, spoken or electronic information that includes a patient's name, geographic identifiers (e.g., street, city), dates (e.g., birth date, discharge date), telephone or fax numbers, e-mail address, Social Security numbers, medical record numbers, health plan beneficiary numbers or other unique characteristics.

Examples of PHI

Patient information can be written:

Patient information can be spoken:

Patient information can be electronic:

Uses and Disclosures of Patient Information

Nearly every worker at the UW Health facilities is near patient information at times. Of course, many workers deal directly with patient-related issues and make many uses and disclosures of patient information.

Use

Use means workers' handling or exchanging patient information within UW Health facilities. Examples of "uses" include:

Disclosure means providing patient information to a person or organization that is not part of UW Health providers' workforce. Examples of "disclosures" include:

Work Activities Requiring a Patient's Signed Authorization (Written Permission)

Before you can perform certain activities, you must have the patient, or the patient's legally authorized representative, sign a written authorization form. As a general rule, authorizations are not required for workers' everyday activities. In particular, you don't need authorizations to do "treatment," "payment" and "health care operations" activities (TPO, discussed more below).

However, there are several fairly common activities for which you must get a patient authorization, including:

These are the relatively common activities for which an authorization is required. If you ever do an uncommon (or "oddball") activity that you don't see mentioned in this HIPAA discussion, chances are you will need an authorization for that activity as well. For example, if you wanted to disclose news of a star athlete's injury to a TV news reporter, you would have to present the athlete (patient) with an authorization form that described this specific disclosure. The disclosure to the reporter would not be allowed unless the patient signed the authorization.

Some workers are already getting patient-signed permission forms for the activities above. Further, some of you are getting signed forms for other activities as well, such as releasing medical records to outside providers. None of these procedures will change much under HIPAA (though we may replace your permission form with an authorization form). If you are already getting written permission for an activity, keep it up: HIPAA does not remove any of our current patient permission and signature rules. Workers affected by HIPAA's authorization rules will receive additional training.

Workers Affected by the Authorization Rule

Given UW Health providers' diverse functions, almost any worker who deals with patient information could have to do unusual or "oddball" activities that require authorizations. Further, many workers, clinical and non-clinical, use and disclose patient information for activities like research, fundraising, and marketing, as these are important and common functions at UW Health.

Work Activities Requiring a Chance to Object (Spoken Permission)

You can't do the following activities with patient information, unless you first give the patient a chance to object.

Workers Affected by the Chance-to-Object Rule

The facility directory requirement only applies to UWHC workers, most specifically, those in registration, admissions, hospital information and some clinical workers. The rule about disclosures to family and friends applies across UW Health - those of you involved in clinical, billing, and patient relations settings should especially keep this requirement in mind. The disaster relief rule is most likely to affect workers in clinical and public affairs settings.

TPO: Terms You Should Know

Under HIPAA, you do not need patient permission to use or disclose patient information for the everyday activities of Treatment, Payment, and health care Operations (TPO). Here are some common examples of TPO:

Treatment

Treatment is defined as the provision, coordination, or management of health care and related services by one or more health care providers, and includes:

Coordination or management of health care by a provider with a third party
Consultation between providers
Referral of a patient from one provider to another

Payment

Payment means those activities undertaken by a provider to obtain reimbursement for the provision of health care; and those activities undertaken by a health plan to obtain premiums or to fulfill its responsibilities for coverage and the provision of benefits under the plan. Examples of payment activities include:

Health Care Operations

Health Care Operations include almost all other activities necessary to the operation of a covered entity (e.g., health care provider, health plan or clearinghouse). These activities include:

Under HIPAA, you don't have to get patient permission if you are doing any activity that falls under these broad TPO definitions. However, some of you are currently getting permission for certain TPO activities, because state laws or UW Health provider policies require it.

And this brings up an important point about HIPAA. HIPAA sets a minimum standard for patient privacy. If state law or UW Health providers' own policies require us to do more for patients, then we must do more. So if you are already getting written permission for an activity, keep it up: HIPAA does not remove any of our current patient permission and signature rules. Workers involved with TPO will receive additional HIPAA training.

Workers Involved With Everyday/TPO Activities

Nearly every worker who works with patients or patient information is likely to perform everyday/TPO activities. These activities do not require patient permission under HIPAA.

Workers Don't Need Permission to Do Certain Activities that Benefit the Public

In addition to everyday/TPO activities, there are other activities workers can do without getting patients' permission. No patient permission is needed to do certain activities that benefit the public.

HIPAA allows these uses and disclosures of patient information without permission. However, if you perform the publicly-beneficial activities above, please pay close attention to the "accounting of disclosures" requirement (described later in the text). You must record a list (i.e., an "account") of all publicly-beneficial disclosures that you make to outside entities. Workers affected by the accounting of disclosures rule will receive additional training.

Workers Involved With Publicly Beneficial Activities

HIS, IS, and continuity of care workers are the most likely to make the "publicly-beneficial" uses and disclosures listed above. These activities do not require patient permission under HIPAA, though disclosures to outside entities must be recorded and kept in a list (for the "accounting of disclosures" requirement, as described later).