ADMINISTRATIVE/GENERAL ADMIN: 12.1.1
HIPAA COMPLIANCE – USES AND DISCLOSURES
PAGE: 1 OF 4
EFFECTIVE: 01/2024 REVISED: 01/24 REVIEWED: 01/24
POLICY:
This policy sets forth the uses and disclosures that will routinely occur in the agency and which do not require a
signed authorization from the patient. This is explained to the patient in the Notice of Privacy Practices.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule ensures that personal medical information
shared with physicians, hospitals and others who provide and pay for healthcare is protected.
The Privacy Rule does the following:
• Gives patients control over the use of their health information
• Defines boundaries for the use/disclosure of health records by covered entities
• Establishes national-level standards that healthcare providers must comply with
• Helps to limit the use of PHI and minimizes chances of its inappropriate disclosure
• Strictly investigates compliance-related issues and holds violators accountable with civil or criminal penalties
for violating the privacy of an individual's PHI
• Supports the cause of disclosing PHI without individual consent for individual healthcare needs, public
benefit and national interests
Uses and Disclosures Permitted for the Provider's Treatment, Payment, and Health Care Operations
Patient information can be used for treatment, payment, and operations without obtaining authorization from the
patient as long as it is for the purpose of carrying out treatment, payment or healthcare operations and the
information is limited to a need-to-know basis.
To Provide Treatment - generally means the provision, coordination, or management of health care and related
services among health care providers or by a health care provider with a third party, consultation between health
care providers regarding a patient, or the referral of a patient from one health care provider to another.
To Obtain Payment - encompasses the various activities of health care providers to obtain payment or be
reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and
provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
To Conduct Health Care Operations - means certain administrative, financial, legal, and quality improvement activities
of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.
Uses and disclosures that do not require the patient’s consent include, but are not limited to, a release of
information contained in financial records and/or medical records, including information concerning communicable
diseases such as Human Immunodeficiency Virus (HIV) and Acquired Immunodeficiency Syndrome (AIDS),
drug/alcohol abuse, psychiatric diagnosis and treatment records and/or laboratory test results, medical history,
treatment progress and/or any other related information to:
• Insurance company, self-funded or third-party health plan, Medicare, Medicaid, or any other person or entity
that may be responsible for paying or processing for payment any portion of the bill for services;
• Any person or entity affiliated with or representing for purposes of administration, billing, and quality and risk
management;
• Any hospital, nursing home, or other health care facility to which the patient may be admitted;
• Any assisted living or personal care facility of which the patient is a resident;
• Any physician providing care to the patient;
• Certification, licensing and accrediting entities including the information contained in the OASIS Data Set to
the state agency acting as a representative of the Medicare/Medicaid program;