Disclosure of PHI and Verification

1
Disclosure of PHI and Verification
Presented by Kathy L. Johnson Dean Health Plan,
Inc. Kathy.Johnson_at_deancare.com
2
Agenda

• Review PHI disclosures
• Minimum necessary requirement
• Verification requirement
• To-do list

3
What PHI Can Be Disclosed?

• Routine disclosuresmost dont require an
  authorization.
• Non-routine disclosuresunder some circumstances
  will require an authorization.

Keep WI statute 146 in mindmore stringent
requirements in disclosures.
4
Routine Disclosure of PHIWithout an Authorization

• The entity must implement policies and procedures
  that limit PHI disclosed or requested to the
  minimum necessary to achieve the purpose of the
  request.
• Document nature and amount of PHI REASONABLY
  needed to carry out these routine disclosures.

5
Examples of Routine Disclosures of PHI

• Disclosures to carry out treatment, payment, or
  health care operations (For some purposes
  individual permission is still required.)
• Responses to individual requests to
  inspect/obtain own PHI
• For certain national priority purposes, such as
  public health and oversight activities, but only
  under defined circumstances.

164.506(a)(2)
6
Non-Routine Disclosures of PHI

• Develop criteria for limiting PHI requested or
  disclosed to minimum necessary to accomplish the
  purpose for the request or disclosure.
• Develop criteria for consultation when minimum
  necessary determination is required for
  non-routine disclosures.

7
Minimum Necessary Requirement

• Covered entities MUST HAVE procedures in place to
  limit the scope of the request to the minimum
  amount of information needed to achieve the
  purpose for which the information is requested!

8
Privacy Rule Verification

• Verification Requirements
• Prior to any disclosure permitted by this
  subpart, a covered entity must
• Verify the identity of a person requesting PHI
  and the authority of such person to have access
  to PHI

164.514(h)
9
Verification Requirement

• Obtain any documentation, statements, from the
  person requesting PHI
• Verification requirement applies to ALL
  disclosures of PHI permitted by the rule,
  including treatment, payment, and operations,
  where the identity of the recipient is not known
  to the covered entity.

10
Verification Requirement (continued)

• Verification requirements apply only to
  disclosures of PHI, not to uses.

11
Verify the Identity

• Verify the identity of the requestor where the
  covered entity does not know the person
  requesting PHI.
• Verification must involve obtaining such
  documentation statement or representation. The
  knowledge of the person may take form as a known
  place of business, address, phone or fax number,
  as well as a known person.

12
Verify the Authority

• Verifying the authority for the request means
  taking REASONABLE steps to verify that the
  request is lawful under this regulation.
• Additional proof is required by other provisions
  of the regulation where the request is made
  pursuant to 164.512 for national priority issues.

13
Verification Methods

• Forms of acceptable identification are left to
  the discretion of the covered entity. When a
  person is acting on behalf of another, the
  covered entity is required to make reasonably
  certain the person making the request has the
  authority to do so.

14
Verification Methods (continued)

• Call-backs and letterhead are typically used in
  verification and are acceptable under this rule
  if reasonable under the circumstances.

15
Verification Methods (continued)

• For communications with health plans, the covered
  entity will already have information about each
  individual collected during enrollment that can
  be used to establish identity, especially for
  verbal or electronic inquiries (e.g., social
  security or policy number).

16
Exercise of Professional Judgment

• The verification requirements are met if the
  covered entity relies on the exercise of
  professional judgment in making a disclosure of
  PHI in accordance with 164.510, or acts on good
  faith in making a disclosure in accordance with
  164.512(j).

17
To-Do List

• Review current procedures
• Revise and document procedures
• Provide training to the workforce
• Establish central repository for authorizations
  (have one department responsible for all
  authorizations)

18
Review Current Procedures

• Review current procedures for PHI disclosures
• Identify to whom PHI disclosures are made and the
  type of disclosures made

19
Review Current Procedures (continued)

• Inventory how the entity discloses PHI
• To whom is information disclosed?
• For what purposes?
• Evaluate current disclosures of PHI
• Are these disclosures still permitted?
• Can disclosures be accomplished with less PHI?

20
Review Current Procedures (continued)

• Be sure to identify where state law regarding
  disclosures is more stringent, then the covered
  entity must adhere to state law.

21
Documentation of Policies Procedures

• Develop policies and procedures so that routine
  and recurring disclosures are based on policy,
  not a case by case determination. Guide use by
  policy!

22
Documentation of Policies Procedures (continued)

• Develop polices and procedures to assist in
  making determinations of minimum necessary for
  PHI in applying criteria in non-recurring
  disclosures.
• Designate an individual who is empowered to make
  these decisions and will document these
  determinations.

23
Documentation of Policies Procedures (continued)

• Keep in mind, after evaluation of the
  requirements of the federal, state, or other
  applicable laws, that covered entities should
  develop policies and procedures appropriate to
  their size, business type, structure, and the
  type of business arrangements that exist.

CF 164.520
24
Educate and Train the Workforce

• Provide training to workforce
• Disclosures of PHI
• Verification policies
• Minimum necessary policies

25
Thank you and good luck!