Section 3364-90-02 - Minimum necessary guidelines for use/disclosure of protected health information(A) Policy statement The university of Toledo ("UToledo") will make reasonable efforts to limit the use and disclosure of individually identifiable protected health information to the minimum necessary to comply with any requests and make reasonable efforts to limit its own request to other organizations to similar minimum necessary request.
(B) Purpose of policy To comply with the minimum necessary use and disclosure guidelines for protected health information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Administrative Simplification Act Privacy Rule 45 C.F.R. 160, 162 and 164 and HITECH Act.
(C) Scope This policy applies to university of Toledo physicians ("UTP") affiliated covered entities ("ACE") and all UToledo covered components (hybrid) and their respective workforce members. Covered components are determined by the privacy and security committee and documented on the hybrid list that can be located on the UToledo healthcare compliance and privacy website located at: https://www.utoledo.edu/offices/compliance/
(D) Procedure (1) The exceptions to the minimum necessary restrictions set forth in this policy and under HIPAA, do not apply to the following uses and disclosures: (a) A healthcare provider for treatment purposes, including for emergencies;(b) The individual who is the subject of the information seeks access;(c) Request is made as a result of a valid authorization;(d) Accounting of disclosures;(e) Uses or disclosures required for compliance with HIPAA; and(f) The secretary of the department of health and human services as may be required for compliance and enforcement purposes;(g) Disclosures required by law.(2) Access for treatment purposes Complete access to a patient's entire medical record, both paper and computerized, in order to provide appropriate and efficient treatment to a patient during the patient care episode is required for the following:
(a) Direct care providers: physicians, residents, nurses and allied health care providers, case management personnel, medical assistants and direct support personnel.(b) Students: medical, nursing, and other allied health.(c) Faculty: medical, nursing and other allied health.(d) Indirect care providers involved in provision of diagnostic testing, i.e., laboratory, radiology and heart and vascular require access to PHI necessary to perform the test. (3) Minimum necessary requests for PHI must be limited to what is reasonably necessary to accomplish the purpose of the request. Request made on a routine and recurring basis must be limited to the PHI necessary to accomplish the purpose of the request. (a) Verbal communications: personnel will not engage in verbal communication of PHI in public areas if possible, and in cases where necessary, will use reasonable precautions to reduce the risk of being overheard by others such as using lowered tones.(b) PHI listed on white boards or sign in sheets used in the provision of healthcare will be posted out of the public view to the extent possible and contain only those elements necessary to accomplish their purpose (i.e., diagnosis information would "not" be necessary on a sign in sheet).(c) Requests for PHI from other healthcare providers for continuity of care is permitted.(d) Requests for PHI made, other than continuity of care, will be limited to that which is reasonably necessary to accomplish the purpose for which the request was made.(e) Requests for PHI made from hybrid and affiliate covered entities from other healthcare providers, other than for treatment, will be reviewed by the health information management department or the privacy officer to determine the amount of PHI necessary to release to accomplish the purpose of the request.(4) Health information management ("HIM"), is the office responsible for the full legal medical record. The inpatient full legal medical record is the onecontent application. HIM in conjunction with health information technology ("HIT") will be responsible for granting direct access to the medical record system. A detailed matrix of access to PHI will be held by health information management with input from clinical informatics. The minimum necessary PHI access matrix is based on the role of the individual and the "need to know criteria" in the performance of their job and in some cases their job location.
See addendum A (full access), addendum B (limited access), addendum C (outside access).
Replaces: 3364-90-02
Ohio Admin. Code 3364-90-02
Effective: 4/2/2020
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364
Prior effective dates: 7/9/2018