Louisiana State University Health Sciences Center Administration & Finance
 
PRIVACY POLICY AND PROCEDURES Policy #:  2100.16
LSU Health Sciences Center New Orleans
Date Effective: April 14, 2003

Treatment Payment Operations Policy

Use and Disclosure of Protected Health Information for Treatment, Payment and Health Care Operations

SCOPE:

All Louisiana State University (LSU) System health care facilities and providers including, but not limited to hospitals, physician practices, clinics, schools, etc. on the LSU Health Sciences Center New Orleans Academic Campus.

Nota Bene: All LSU System health care facilities and providers including, but not limited to hospitals, physician clinics, schools, etc. on the LSU Health Sciences Center New Orleans Academic Campus, are referred to in this policy as LSUHSC-NO.

PURPOSE:

To provide guidance to the health care facilities and providers affiliated with the LSUHSC-NO regarding the requirements of the Health Insurance Portability and Accountability Act, Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Regulations), and any other applicable state or Federal laws or regulations for using and disclosing Protected Health Information to carry out treatment, obtain payment or conduct health care operations.

POLICY:

All LSUHSC-NO health care facilities and providers should follow the requirements of the HIPAA Privacy Regulations when using or disclosing Protected Health Information as outlined in this policy to carry out treatment, obtain payment for services, or to conduct certain health care operations.

DEFINITIONS:

Covered Entity – A health care provider who transmits billing information electronically, health care clearinghouse, or health care plan.

Designated Record Set – A group of records maintained by or for LSUHSC-NO that are:

  • The medical records and billing records about individuals maintained by or for LSUHSC-NO; or
  • Any records used, in whole or part, by or for the LSUHSC-NO to make decisions about individuals.
  • Any records that meet this definition of Designated Record Set and are held by a HIPAA Business Associate of LSUHSC-NO are part of LSUHSC-NO’s Designated Record Set.
  • The term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for LSUHSC-NO.
  • The term record also includes patient information originated by another health care provider and used by LSUHSC-NO to make decisions about a patient.
  • The term record includes tracings, photographs, videotapes, digital and other images that may be recorded to document care of the patient.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Health care operations: Any one of the following activities to the extent the activities are related to providing health care:

  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting patients with information about treatment alternatives, and related functions that do not involve treatment;
  • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
  • Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care;
  • Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
  • Business planning and development, such as conducting cost management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or covered policies, and
  • Business management and general administrative activities:
    • Management activities related to HIPAA compliance,
    • Customer Service,
    • Resolution of internal grievances,
    • Sale, transfer, merger, or consolidation of covered entities,
    • Creating de-identified health information or limited data set, and fundraising for the benefit of the LSUHSC-NO facility.

Indirect Treatment Relationship: A relationship between an individual and health care provider in which:

  • The health care provider delivers health care to the individual based on the orders of another health care provider; and
  • The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services, products or reports to the individual.

Personal Representative, Minors, and Deceased Individuals: For information regarding proper uses and disclosures for Personal Representative, Minors, and Deceased Individuals, see the LSU Policy for Personal Representative, Minors, and Deceased Individuals.

Policy: LSUHSC-NO facility employees may use and disclose PHI for Treatment, Payment and Health Care Operations (TPO). However, the LSUHSC-NO facility and its employees must limit PHI use and disclosure to the “Minimum Necessary” amount of information required to complete the desired task.

Minimum Necessary: When using or disclosing PHI or when requesting PHI from another health care provider or health organization, the LSUHSC-NO facility personnel must limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Minimum Necessary does not apply in the following circumstances:

  • Disclosures by a health care provider for treatment (students and trainees are included as health care providers for this purpose),
  • Uses and Disclosures based upon a valid authorization to use and disclose PHI,
  • Disclosures made to the Secretary of Health and Human Services,
  • Uses and disclosures required by law, and
  • Uses and disclosures required by other sections of the HIPAA
    privacy regulation.

Organized Health Care Arrangement (OHCA) – A clinically integrated care setting in which individuals typically receive health care from more than one health care provider. An example is a hospital setting where physicians are on staff at the hospital.

Payment: Any activities undertaken either by a health plan or by a healthcare provider to obtain premiums, determine or fulfill its responsibility for coverage and the provision of benefits or to obtain or provide reimbursement for the provision of health care. These activities include, but are not limited to:

  • Determining eligibility, and adjudication or subrogation of health benefit claims;
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  • Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care processing;
  • Review of healthcare services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
  • Utilization review activities, including pre-certification and preauthorization services, concurrent and retrospective review of services; and
  • Disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement.

Psychotherapy Notes – means notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session that are separated from the rest of the individual’s record. Psychotherapy notes do not include: medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Privacy Officer – Person designated by the facilities and clinics as the Privacy Officer.

Protected Health Information (sometimes referred to as “PHI”) – for purposes of this policy means individually identifiable health information that relates to the past, present or future health care services provided to an individual. Examples of Protected Health Information include medical and billing records of the patient.

Treatment: The provision, coordination, or management of health care related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or for the referral of a patient for health care from one health care provider to another.

Use with respect to individually identifiable health information: the sharing, employment, application, utilization, examination, or analysis of information that identifies, or reasonably can be used to identify, an individual within an entity that maintains such information.

PROCEDURE:

1.0 LSUHSC-NO may use and disclose PHI in the following scenarios without an individual’s signed authorization:

1.1 LSUHSC-NO may use or disclose a patient’s PHI for its own treatment, payment or health care operations.

1.2 LSUHSC-NO may disclose PHI for treatment activities of a health care provider. Note: The health care provider need not be considered a “covered entity” under the Health Insurance Portability and Accountability Act (HIPAA).

1.3 LSUHSC-NO may disclose PHI to another Covered Entity or a health care provider for the payment activities of the entity that receives the information.

1.4 LSUHSC-NO may disclose PHI to another Covered Entity for Health Care Operations activities of the entity that receives the information, if each entity either has or had a relationship with the patient who is the subject of the PHI being requested; and

1.4.1 The PHI pertains to such relationship; and
1.4.2 The disclosure is for the following health care operations purposes only:

  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; or
  • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as healthcare providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
  • The disclosure is for the purpose of health care fraud and abuse detection or compliance.
  • If LSUHSC-NO participates in an Organized Health Care Arrangement (OHCA) the facility may disclose PHI about an individual to another covered entity that participates in the OHCA for any health care operations activities of the OHCA.
2.0 The uses and disclosures for purposes of Payment and Health Care Operations are subject to the Minimum Necessary standard.
3.0 LSUHSC-NO must have appropriate administrative, technical and physical safeguards in place to protect the privacy of PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Regulations.
4.0 LSUHSC-NO must reasonably safeguard PHI to limit incidental uses and disclosures made pursuant to an otherwise permitted or required use or disclosure.

REFERENCES:

45 C.F.R. § 164.506
45 C.F.R. § 164.508