Title: Disclosure of PHI and Verification
1Disclosure of PHI and Verification
Presented by Kathy L. Johnson Dean Health Plan,
Inc. Kathy.Johnson_at_deancare.com
2Agenda
- Review PHI disclosures
- Minimum necessary requirement
- Verification requirement
- To-do list
3What PHI Can Be Disclosed?
- Routine disclosuresmost dont require an
authorization. - Non-routine disclosuresunder some circumstances
will require an authorization.
Keep WI statute 146 in mindmore stringent
requirements in disclosures.
4Routine Disclosure of PHIWithout an Authorization
- The entity must implement policies and procedures
that limit PHI disclosed or requested to the
minimum necessary to achieve the purpose of the
request. - Document nature and amount of PHI REASONABLY
needed to carry out these routine disclosures.
5Examples of Routine Disclosures of PHI
- Disclosures to carry out treatment, payment, or
health care operations (For some purposes
individual permission is still required.) - Responses to individual requests to
inspect/obtain own PHI - For certain national priority purposes, such as
public health and oversight activities, but only
under defined circumstances.
164.506(a)(2)
6Non-Routine Disclosures of PHI
- Develop criteria for limiting PHI requested or
disclosed to minimum necessary to accomplish the
purpose for the request or disclosure. - Develop criteria for consultation when minimum
necessary determination is required for
non-routine disclosures.
7Minimum Necessary Requirement
- Covered entities MUST HAVE procedures in place to
limit the scope of the request to the minimum
amount of information needed to achieve the
purpose for which the information is requested!
8Privacy Rule Verification
- Verification Requirements
- Prior to any disclosure permitted by this
subpart, a covered entity must - Verify the identity of a person requesting PHI
and the authority of such person to have access
to PHI
164.514(h)
9Verification Requirement
- Obtain any documentation, statements, from the
person requesting PHI - Verification requirement applies to ALL
disclosures of PHI permitted by the rule,
including treatment, payment, and operations,
where the identity of the recipient is not known
to the covered entity.
10Verification Requirement (continued)
- Verification requirements apply only to
disclosures of PHI, not to uses.
11Verify the Identity
- Verify the identity of the requestor where the
covered entity does not know the person
requesting PHI. - Verification must involve obtaining such
documentation statement or representation. The
knowledge of the person may take form as a known
place of business, address, phone or fax number,
as well as a known person.
12Verify the Authority
- Verifying the authority for the request means
taking REASONABLE steps to verify that the
request is lawful under this regulation. - Additional proof is required by other provisions
of the regulation where the request is made
pursuant to 164.512 for national priority issues.
13Verification Methods
- Forms of acceptable identification are left to
the discretion of the covered entity. When a
person is acting on behalf of another, the
covered entity is required to make reasonably
certain the person making the request has the
authority to do so.
14Verification Methods (continued)
- Call-backs and letterhead are typically used in
verification and are acceptable under this rule
if reasonable under the circumstances.
15Verification Methods (continued)
- For communications with health plans, the covered
entity will already have information about each
individual collected during enrollment that can
be used to establish identity, especially for
verbal or electronic inquiries (e.g., social
security or policy number).
16Exercise of Professional Judgment
- The verification requirements are met if the
covered entity relies on the exercise of
professional judgment in making a disclosure of
PHI in accordance with 164.510, or acts on good
faith in making a disclosure in accordance with
164.512(j).
17To-Do List
- Review current procedures
- Revise and document procedures
- Provide training to the workforce
- Establish central repository for authorizations
(have one department responsible for all
authorizations)
18Review Current Procedures
- Review current procedures for PHI disclosures
- Identify to whom PHI disclosures are made and the
type of disclosures made
19Review Current Procedures (continued)
- Inventory how the entity discloses PHI
- To whom is information disclosed?
- For what purposes?
- Evaluate current disclosures of PHI
- Are these disclosures still permitted?
- Can disclosures be accomplished with less PHI?
20Review Current Procedures (continued)
- Be sure to identify where state law regarding
disclosures is more stringent, then the covered
entity must adhere to state law.
21Documentation of Policies Procedures
- Develop policies and procedures so that routine
and recurring disclosures are based on policy,
not a case by case determination. Guide use by
policy!
22Documentation of Policies Procedures (continued)
- Develop polices and procedures to assist in
making determinations of minimum necessary for
PHI in applying criteria in non-recurring
disclosures. - Designate an individual who is empowered to make
these decisions and will document these
determinations.
23Documentation of Policies Procedures (continued)
- Keep in mind, after evaluation of the
requirements of the federal, state, or other
applicable laws, that covered entities should
develop policies and procedures appropriate to
their size, business type, structure, and the
type of business arrangements that exist.
CF 164.520
24Educate and Train the Workforce
- Provide training to workforce
- Disclosures of PHI
- Verification policies
- Minimum necessary policies
25Thank you and good luck!