HIPAA, PHI Use, and Disclosure Policy

Effective: July 27, 2022

1. Introduction

1.1 Overview
  • To ensure that disclosure of Protected Health Information (“PHI”) is made consistent with applicable laws, regulations and health information standards.
  • To ensure that any disclosures of a patient’s PHI to a patient’s family members, other relatives, close friends or other persons designated by the patient are appropriate.

1.2 Scope

  • All persons or entities that have access to company-held PHI.

2 Policy

2.1 Use and Disclosure

  • Disclosure of PHI will only be allowed with a properly completed and signed authorization except:
  1. When required or allowed by law (see “Request and Disclosure Table” following this Policy).
  2. As defined in the Notice of Privacy Practices:
  1. For continuing care (treatment)
  2. To obtain payment for services (payment)
  3. For the day-to-day operations of the company and the care given to the patients (health care operations)

In some instances, the Company HIPAA Compliance Officer will need to track information that is disclosed. All disclosures designated as trackable on the “Request and Disclosure Table” must enable the Company to provide an accounting of disclosures when requested.

Disclosure of PHI will be carried out in accordance with all applicable legal requirements and in accordance with Company policy.

2.2 Minimum Necessary Principle

  1. It is the policy of the Company to make a reasonable effort to use or disclose, or to request from another health care provider, the minimum amount of PHI required to achieve the particular use or disclosure unless an exception applies.
  2. The Company will identify people or classes of people in its work force who need access to PHI to carry out their duties, the category or categories of PHI to which access is needed, and any conditions appropriate to such access.
  3. For any non-routine request for disclosure of PHI that does not meet an exception, the Company will review the request for disclosure on an individual basis
  4. Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.

2.3 Designated Record Set

  1. HIPAA requires that patients be permitted to request access and amendment to their Protected Health Information (“PHI”) that is maintained in a Designated Record Set. This policy documents the contents of the Designated Record Set.

2.4 Emailing PHI

  1. It is the policy of this Company to protect the electronic transmission of PHI as well as to fulfill our duty to protect the confidentiality and integrity of patient PHI as required by law, professional ethics and accreditation requirements. The information released will be limited to the minimum necessary to meet the requestor’s needs. Whenever possible, de-identified information will be used.

2.5 Faxing PHI

  1. It is the policy of this Company to allow the use of facsimile machines to transmit and receive PHI. The information released will be limited to the minimum necessary to meet the requestor’s needs.

2.6 De-identification of PHI

  1. When patient PHI is used or disclosed for purposes other than treatment, payment or health care operations and/or without patient or personal representative authorization, the PHI must be converted into a format that does not identify the patient. This conversion process is called de-identification of PHI.
  2. HIPAA does not apply to de-identified health information.
  3. The Company meets the de-identification standard if it has removed all of the required identifiers and if the Company has no actual knowledge that the information could be used to identify a patient.


3.1 Use and disclosure of PHI

3.1.1 Receiving a Request for Health records:

  1. Requests for Health records shall be managed by the Company HIPAA Compliance Officer.
  2. Other staff members will not release PHI without approval of the Company HIPAA Compliance Officer.
  3. Only emergency release of information will be done after hours or on weekends.
  4. After hours and on weekends, release of information for continuing care is allowed.

3.1.2 Responding to Specific Types of Disclosures:

  1. See the “Request and Disclosure Table” following this Policy for applicable requirements in responding to requests by specific entities/individuals.
  2. Media: No PHI shall be released to the news media or commercial organizations without the authorization of the patient or his personal representative.
  3. Telephone Requests: Staff members receiving requests for PHI via the telephone will make reasonable efforts to identify and verify that the requesting party is entitled to receive such information.

3.1.3 Disclosures to Persons Involved with a Patient’s Care:

  1. The Company may disclose to a family member, other relative, close friend, or any other person identified by the patient, PHI:
    1. That is directly relevant to that person’s involvement with the patient’s care or payment for care; or
    2. To notify such person of the patient’s location, general condition, or death.
  1. Conditions if the Patient is Present: If the patient is present for, or otherwise available, prior to a permitted disclosure, then the Company may use or disclose the PHI only if the Company:
    1. Obtains the patient’s agreement
    2. Provides the patient with an opportunity to object to the disclosure, and the patient does not express an objection (this opportunity to object and the patient’s response may be done orally)
    3. May reasonably infer from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure
  1. Conditions if the Patient is Not Present or is Incapacitated. The Company may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the patient, and, if so, disclose only that PHI which is directly relevant to the person’s involvement with the patient’s care if:
    1. The patient is not present
    2. The opportunity to agree/object to the use or disclosure cannot practicably be provided because of the patient’s incapacity
    3. In an emergency
  1. Confirming Identity. The Company shall take reasonable steps to confirm the identity of a patient’s family member or friend. The Company is permitted to rely on the circumstances as confirmation of involvement in care. For example, the fact that a person admits a patient to the Company and visits weekly is sufficient confirmation of involvement in the patient’s care.

3.2 Minimum Necessary Principle

  1. The Company will identify role-based access to PHI per job description, including:
  1. People or classes of people in its workforce who need access to PHI to carry out their duties
  2. The category or categories of PHI to which access is needed, including any conditions that may be relevant to such access
  1. The Company, for any type of disclosure or request for disclosure that is made on a routine and recurring basis, will limit the disclosed PHI, or the request for disclosure, to that which is reasonably necessary to achieve the purpose of the disclosure or request.
  2. The Company, for disclosures or requests for that are not made on a routine and recurring basis (non-routine disclosures), will review the request to verify that PHI disclosed or requested is the minimum necessary.
  3. All requests for non-routine disclosures or requests that do not meet an exception will be reviewed using standard criteria.
  4. Exceptions to minimum necessary requirements: The Company will release information without concern for the minimum necessary standard as follows:
  1. Disclosures to or requests by a health care provider for treatment
  2. Uses or disclosures made to the individual who is the subject of the PHI
  3. Uses or disclosures made pursuant to an authorization signed by the individual
  4. Disclosures made to the Secretary of the Department of Health and Human Services
  5. Disclosures that are required by law (such as for Department of Health state surveys, federal surveys, public health reportable events, FDA as related to product quality, safety, effectiveness or recalls etc.).
  6. Uses and disclosures that are required for compliance with the HIPAA Privacy Rule
  1. The Company may use or disclose an individual’s entire Health record only when such use or disclosure is specifically justified as the amount that is reasonably necessary to accomplish the intended purpose or one of the exceptions noted above applies.
  2. Requests for entire Health records that are not covered by an exception will be reviewed using standard criteria.
  3. Reasonable Reliance: The Company may rely on a requested disclosure as minimum necessary for the stated purpose(s) when:
  1. Making disclosures to public officials, if the official represents that the information is the minimum necessary for the stated purpose(s)
  2. The information is requested by another covered entity (health care provider, clearinghouse or health plan)
  3. The information is requested by a professional who is a member of the Company’s workforce or is a Business Associate of the Company for the purpose of providing professional services to the Company, if the professional represents that the information requested is the minimum necessary for the stated purpose(s)
  1. The Company, upon determination that the use, disclosure or request for PHI is the minimum necessary or one of the above exceptions apply, will release the PHI to the requestor.
  2. Company Requests for PHI from Another Covered Entity: When requesting PHI from another Covered Entity, the Company must limit its request for PHI to the amount reasonably necessary to accomplish the purpose for which the request is made. For requests that are made on a routine and recurring basis, the Company shall take reasonable steps to ensure that the request is limited to the amount of PHI reasonably necessary to accomplish the purpose for which the request is made.

For requests that are not on a routine or recurring basis, the Company shall evaluate the request according to the following criteria:

  1. Is the purpose for the request stated with specificity?
  2. Is the amount of PHI to be disclosed limited to the intended purpose?
  3. Have the requirements for supporting documentation, statements, or representations been satisfied?
  4. Have all applicable requirements of the HIPAA Privacy Rule been satisfied with respect to the request?

3.3 Designated Record Set

  1. The Designated Record Set is a group of records maintained by or for the Company that consists of the Health records and delivery history of the patient. The term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the Company.
  2. The Company maintains the following as the Designated Record Set:
  1. The patient’s delivery information
  2. The patient’s prescription delivery history
  3. The patient’s Personal Health Records
  4. The company does not maintain the patient’s Personal Health Records, nor source data, including photographs, films, monitoring strips, videotapes, slides, worksheets and daily communication sheets, and shadow files or charts, unless such data is used to make decisions related to the patient’s care.
  1. If records from other providers are used by the Company to make decisions related to prescription delivery to the patient, then these records are considered part of the Designated Record Set as well as the Health record
  2. The Patient’s Office File includes, for example, the following:
  1. Delivery address
  2. Prescription ordering records
  3. Special delivery instructions
  1. Personal Health Records consist of the patient’s personal health information provided to the Company by the patient. If such records are used by the Company to make health care related decisions, provide care services, or document observations, actions or instructions, then the records will be considered part of the Designated Record Set.
  2. The following are excluded from the Designated Record Set:
  1. Administrative data, such as audit trails, appointment schedules and practice guidelines that do not imbed PHI.
  2. Also excluded are incident reports, quality assurance data, vital certificate worksheets, and derived data such as accreditation reports, anonymous patient data for research purposes, public health records and statistical reports.
  1. The Designated Record Set is to be retained according to state and federal regulations and following Company or company retention procedures.

3.4 Emailing PHI

  1. Email users will be set up with a unique identity complete with unique password and file access controls.
  2. Email users may not intercept, disclose or assist in intercepting and disclosing email communications.
  3. Patient specific information regarding highly sensitive health information must not be sent via email
  4. Users will restrict their use of email for communicating normal business information such as information about delivery disruptions, and other operational and administrative matters.
  5. Users should verify the accuracy of the email address before sending any PHI and, if possible, use email addresses loaded in the system address book.
  6. PHI may be sent unprotected via email within a properly secured, internal network of the organization. When sending PHI outside of this network, such as over the Internet, every effort should be made to secure the confidentiality and privacy of the information. Sample security measures include password protecting the document(s) being sent or encrypting the message.
  7. All email containing PHI will contain a confidentiality statement (see sample below).
  8. Users should exercise extreme caution when forwarding messages. Sensitive information, including patient information, must not be forwarded to any party outside the organization without using the same security safeguards as specified above.
  9. Users should periodically purge email messages that are no longer needed for business purposes, per the organization’s records retention policy.
  10. Employee email access privileges will be removed promptly following their departure from the organization.
  11. Email messages, regardless of content, should not be considered secure and private. The amount of information in any email will be limited to the minimum necessary to meet the needs of the recipient.
  12. Employees should immediately report any violations of this guideline to their supervisor, Administrator or Company HIPAA Compliance Officer.
  13. Sample Confidentiality Statement

The information contained in this email is legally privileged and confidential information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, or copy of this email message is strictly prohibited. If you have received and/or are viewing this email in error, please immediately notify the sender by reply email, and delete this email from your system. Thank you.

3.5 Faxing PHI

  1. The fax machine should be located in an area that is not easily accessible to unauthorized persons. If possible, the fax machine should not be located in a public area where confidentiality of PHI might be compromised.
  2. Received documents will be removed promptly from the fax machine.
  3. Unless otherwise prohibited by state law, information transmitted via facsimile is acceptable and may be included in the patient’s Health record.
  4. Steps should be taken to ensure that the fax transmission is sent to the appropriate destination. These include:
  1. Pre-programming and testing destination numbers whenever possible to eliminate errors in transmission due to misdialing.
  2. Asking frequent recipients to notify the Company of a fax number change.
  3. Confirming the accuracy of the recipient’s fax number before pressing the send/start key.
  4. If possible, printing a confirmation of each fax transmission.
  1. A cover page should be attached to any facsimile document that includes PHI. The cover page should include:
  1. Destination of the fax, including name, fax number and phone number
  2. Name, fax number and phone number of the sender
  3. Date
  4. Number of pages transmitted
  5. Confidentiality Statement (See sample below)
  1. If a fax transmission fails to reach a recipient or if the sender becomes aware that a fax was misdirected, the internal logging system should be checked to obtain incorrect recipient’s fax number. Fax a letter to the receiver and ask that the material be returned or destroyed.
  2. A written Authorization for any use or disclosure of PHI will be obtained when the use or disclosure is not for treatment, payment or healthcare operations or required by federal or state law or regulation.
  3. The PHI disclosed will be the minimum necessary to meet the requestor’s needs.
  4. Highly sensitive health information should not be sent by fax.

Sample Confidentiality Statement:

The documents accompanying this transmission contain confidential protected health information that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled.

If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.

3.6 De-identification of PHI

  1. The Company will convert patient PHI into a format that does not identify the patient (de-identify) when:
  1. PHI is used or shared for purposes other than treatment, payment or health care operations (OR)
  2. Information is used or shared without patient authorization.
  1. The Company will de-identify the PHI by one of the following methods:
  1. Elimination of the 18 identifiers of PHI:
  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if the geographic area contains more than 20,000 people. If less than 20,000 people are found to be in this area based on the first three digits of the zip code, the code must be changed to 000
  3. All elements of dates (except year) for date directly related to a patient including birth date, admission date, discharge date, date of death: and all ages over 90 and al elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail address
  7. Social security numbers
  8. Health record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voiceprints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Note: In addition to removing the above identifiers, the Company must not have actual knowledge that the information could be used alone or in combination with other information to identify a patient who is a subject of the information.

  1. Statistical De-Identification: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable applies such principles and determines that the risk is very small that the information could be used to identify the patient. The methods and the results of the analysis must be documented.
  2. Re-Identification: The Company may assign a code that would allow the information to be re-identified by the Company if the code is not derived from or related to information about the patient and is not otherwise capable of being translated so as to identify the patient. The Company must not use or disclose the code or any other means of record identification for any other purpose and must not disclose the mechanism for re-identification.