Confidentiality of Protected Health Information
Q: Who may access confidential information?
A: Only those people who need access for business reasons and who have been authorized to receive it.
Q: Am I permitted to look up my sick father's medical record?
A: No, unless your father has authorized it. While parents usually want family involvement in their treatment, it shouldn't be assumed. Sometimes an individual does not want family members to know the details.
Q: What could happen to me if I talked about patients even though I no longer worked here?
A: We are all required to keep patient information confidential "forever." A privacy breach could result in federal legal penalties even if you no longer work here.
Q: We know that diagnoses and test results are confidential. What other information about a patient is confidential? What about billing records?
A: Essentially any information that is patient-identifiable is confidential and must be protected. Confidential information includes the patient's address, insurance information and their medical information. Only when the patient has agreed may it be used or disclosed for specific purposes. Also, removal of the patient's name does not mean the patient's identity is protected; other information such as a medical record number, a zip code or a date of birth could still be used for identification.
Q: Do confidentiality protections cover just a patient's health-related information, or do they also cover information such as address, age, social security number and phone number?
A: Privacy rights extend to demographic and billing information when it can be linked to a specific patient.
Q: May I discuss patients or human research subjects with my spouse if he/she doesn't work here and promises to keep it secret?
A: No. A patient's or human research subject's health information is confidential and cannot be released or discussed unless the individual has consented.
Q: What employees need to protect privacy and confidentiality?
A: All employees, even those who do not use protected health information in their work duties. We all have an obligation to protect privacy and respond to situations that put an individual's privacy in jeopardy.
Q: What is meant by having access to the "minimum necessary" information to do our jobs?
A: We have access to all information that we need to do our jobs, but we should not have access to information not necessary for us to perform our jobs.
Q: Can a University employee or physician who violates the University's privacy policy be subject to punishments up to and including firing or termination of work privileges?
A: Yes. HIPAA regulations are federally mandated and we must investigate and appropriately respond to each privacy and security incident.
Q: Is an authorization or business associate agreement needed to share information with a medical device company?
A: The following answer was provided by the United States Department of Health and Human Services:
In general, and as explained below, the Privacy Rule permits a covered health care provider (covered provider), without the individual's written authorization, to disclose protected health information to a medical device company representative (medical device company) for the covered provider's own treatment, payment, or health care operation purposes (45 CFR 164.506(c)(1)), or for the treatment or payment purposes of a medical device company that is also a health care provider (45 CFR 164.506(c)(2), (3)). Additionally, the public health provisions of the Privacy Rule permit a covered provider to make disclosures, without an authorization, to a medical device company or other person that is subject to the jurisdiction of the Food and Drug Administration (FDA) for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity for which the person has responsibility. See 45 CFR 164.512(b)(1)(iii) and the frequently asked questions on public health disclosures for more information.
In certain situations, a covered health care provider may disclose protected health information to a medical device company without an individual's written authorization only if the medical device company is a health care provider as defined by the Rule. A medical device company meets the Privacy Rule's definition of health care provider if it furnishes, bills, or is paid for health care in the normal course of business. Health care under the Rule means care, services or supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under the Privacy Rule if it needs protected health information to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient's surgery, or otherwise assists the doctor in adjusting a device for a particular patient. Similarly, when a device company needs protected health information to provide support and guidance to a patient, or to a doctor with respect to a particular patient, regarding the proper use or insertion of the device, it is providing health care and, therefore, is a health care provider when engaged in these services. See 65 FR 82569. By contrast, a medical device company is not providing health care if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals.
The following are some examples of circumstances in which a covered provider may share protected health information with a medical device company, without the individual's authorization:
- A covered provider may disclose protected health information needed for an orthopaedic device manufacturer or its representative to determine and deliver the appropriate range of sizes of a prosthesis for the surgeon to use during a particular patient's surgery. (This would be a treatment disclosure to the device company as a health care provider. Exchanges of protected health information between health care providers for treatment of the individual are not subject to the minimum necessary standards. 45 CFR 164.502(b).)
- The device manufacturer or its representative may be present in the operating room, as requested by the surgeon, to provide support and guidance regarding the appropriate use, implantation, calibration or adjustment of a medical device for that particular patient. (This would be treatment by the device company as a health care provider. As noted in the prior example, treatment disclosures between health care providers are not subject to the minimum necessary standards.)
- A covered provider may allow a representative of a medical device manufacturer to view protected health information, such as films or patient records, to provide consultation, advice or assistance where the provider, in her professional judgment, believes that this will assist with a particular patient's treatment. (This would also be a treatment disclosure and minimum necessary would not apply.)
- A covered provider may share protected health information with a medical device company as necessary for the device company to receive payment for the health care it provides. (This would be a disclosure for payment of a health care provider and subject to minimum necessary standards.)
- A covered provider may disclose protected health information to a medical device manufacturer that is subject to FDA jurisdiction to report an adverse event, to track an FDA-regulated product, or other purposes related to the quality, safety, or effectiveness of the FDA-regulated product. (This would be a public health disclosure and subject to minimum necessary standards.)
A business associate agreement would not usually be required for the disclosures noted above. For example, a business associate agreement would not be needed for disclosures between health care providers for the treatment of the individual (45 CFR 164.502(e)(1)(ii)(A)). Likewise, a medical device company would not be a business associate of a covered provider with respect to public health disclosures to a device company that is subject to FDA jurisdiction or disclosures to a device company as a health care provider for that company's payment purposes, as in neither case is the device company performing a function or activity on behalf of, nor providing a specified service to, the covered provider. See 45 CFR 160.103. In other circumstances, however, a business associate agreement may be required even if the disclosure were permitted without an authorization. For example, a business associate agreement would be required if a covered entity asked the medical device company to provide an estimate of the cost savings it might expect from the use of a particular medical device; and to do so, the device company needed access to the covered entity's protected health information. In this case, the medical device company is performing a health care operations function (business planning and development) on behalf of the covered provider, which requires a business associate agreement even though the disclosure is permitted without an authorization.