(E) Procedure

All patient information that identifies or can be used to identify an individual is confidential and must be safeguarded.

(1) PHI may be accessed by UToledo workforce members who are directly or indirectly involved in the patient's care or finances, and by those who have a need to know the information to perform specific tasks or provide specific services.

(2) Affiliates must maintain the confidentiality of patient information in compliance with the privacy and security regulations and UToledo policies.

(3) Persons not involved with a patient's care or finances, and/or who do not have a specific need to know patient information to perform specific tasks or provide specific services, shall neither have nor seek access to patient information.

(4) Access to, use of, and disclosure of PHI shall be limited to the minimum necessary to perform a specific task or provide a specific service, except when a healthcare provider accesses PHI for treatment purposes. See rule 3364-90-02 of the Administrative Code (UToledo policy minimum necessary guidelines for use/disclosure of protected health information requirements to protected health information).

(5) Release of health information must be safeguarded by following the HIPAA regulations and UToledo policies.

(6) The covered entity should limit uses, disclosures and requests for patient information to the minimum necessary, and it is good practice to de-identify per 45 C.F.R. 164.514.

(7) Reasonable effort must be taken to maintain the confidentiality of PHI by using appropriate physical, technical and administrative safeguards, including but not limited to:

(a) Selecting private settings to conduct interviews, refraining from discussing patient information in public areas, ensuring that records and files are located in non-public areas, and placing computers and electronic devices in appropriate locations and positions.

(b) Electronic devices that contain PHI must incorporate the use of password protection. The physical security of the device must always be maintained by the user.

(c) When accessing patient information, computers should not be left unattended; if one must leave a computer unattended, it should be locked or logged off.

(d) Use of the electronic mail system for PHI must follow rule 3364-65-07 of the Administrative Code (electronic communication policy).

(e) Voice mail messages containing PHI generally should not be left on recorders. Messages to patient recorders should be limited to pre-registration information, confirmation of appointments, or to solicit a return call, unless otherwise agreed or requested by a patient.

(f) PHI must be appropriately disposed of; see rule 3364-90-16 of the Administrative Code (medical record retention and destruction; disposal of protected health information).

(g) To mitigate security risks to individuals from the secondary use of data (for example, comparative studies, policy assessment, and research), patient information should be de-identified. The privacy rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.

(8) A confidentiality statement acknowledging that an individual is aware of and understands UToledo's confidentiality policy shall be signed before any person obtains access or exposure to patient information.

(9) Individuals with access to patient health information are educated about confidentiality during orientation and during training on the hospital information system. Access to the hospital information system requires identification and a password as defined by rule 3364-65-02 of the Administrative Code (information security and technology administrative safeguards policy).

(10) Breaches and other incidents involving PHI must be reported to and investigated by the privacy officer in accordance with institutional corrective action/disciplinary policies.

Replaces: 3364-15-10