Confidentiality at Beth Israel Deaconess Medical Center
Policy #: PV-04
To provide a clear policy on confidentiality to members of the Beth Israel Deaconess Medical Center Organized Health Care Arrangement (OHCA)
For purposes of this policy:
A) Protected Health Information (PHI) is defined by 45 CFR § 164.501 is information that is a subset of health information, including demographic information collected from an individual that:
Is created or received by the medical center or any health care provider, health plan, employer, or health care clearinghouse; and
Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
That identifies the individual; or
With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
B) Identifiers defined by 45 CFR § 164.514(b)(2) are:
All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
i. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
ii. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
Electronic mail addresses;
Social security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code
C) De-Identified - Information from which all of the above mentioned identifies have been removed.
D) Covered Entity - All Covered Entities must comply with the HIPAA Privacy Rule. A Covered Entity includes health care providers (hospital, physician practices) health plans (third party payor), and healthcare clearinghouses (data processors, billing companies)
E) Workforce defined by Part II, 45 CFR 160.103 are employees, medical staff, volunteers, trainees, and other persons under the direct control of a covered entity, whether or not they are paid by the covered entity.
F) Notice of Privacy Practices describes how medical information about patients' medical information may be used and disclosed and how they can obtain access to this information.
G) Treatment, Payment and Health Care Operations (TPO) refers to the different ways that the BIDMC OHCA is permitted to use and disclose medical information. TPO includes information for Treatment, Payment or Healthcare Operations and does not require a specific authorization from the patient. (Refer to BIDMC OHCA Privacy Notice for more information).
H) Limited Data Set -The compilation of a limited amount of data that does not include directly identifiable information for purposes of research, public health, and health care operations. A Limited Data Set may only include certain dates (i.e. dates of birth, death, admission, discharge) and addresses (i.e. town and city, state, 5 digit zip code BUT NOT street or post office box addresses). Disclosure of a Limited Data Set by a Covered Entity to any recipient requires that they enter into a Data Use Agreement. A Limited Data Set may only be used for research, public health, or health care operations. It cannot be used for marketing or fundraising purposes.
I) Data Use Agreement - A Limited Data Set may only be disclosed to a recipient pursuant to a written Data Use Agreement in which the recipient would agree to limit the use of the data set for the purposes for which it was given, and to ensure the security of the data, as well as not to identify the information or use it to contact any individual.
J) Business Associate means, with respect to a covered entity, a person to whom the covered entity discloses PHI so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. "Business associate" includes contractors or other persons who receive PHI from the covered entity (or from another business associate of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities.
K) Minimum Necessary - The Privacy Rule requires that reasonable steps are taken to limit the use or disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose
L) Use and Disclosure - The sharing of patient information may be shared without specific authorization from the patient for TPO.
M) Research - Is a systematic investigation, including research development, testing and evaluation designed to develop or contribute to generalizable knowledge.
N) Personal Representative - An individual authorized under the laws of Massachusetts permitted to make health care decisions on behalf of the patient.
It is the policy of the BIDMC OCHA to comply with all Federal and Massachusetts General laws, regulations, and guidelines regarding confidentiality. Information about patients (present or former), employees and business records is strictly confidential and will never be given nor confirmed to anyone who is not authorized to receive the information. This policy applies to confidential information including spoken, written, or electronic. It is the obligation of every member of the BIDMC OHCA workforce who may have access to (PHI) and BIDMC employee and business records to keep such information strictly confidential.
The unauthorized possession, use, copying or reading of BIDMC OHCA information or disclosure of any information of a confidential or personal nature to unauthorized person(s) is strictly forbidden. All PHI and BIDMC OHCA records must be maintained in a manner, which ensures confidentiality. Failure to adhere to this policy may result in immediate dismissal or termination of contractual relationship with the medical center (refer to PM-04 Employee Corrective Action).
Access to electronic information is on a "need to know" basis and shall be governed by Information Systems procedures and policies for access and security. It is the responsibility for the Information Systems to maintain specific policies and procedures governing access to and security of the BIDMC OHCA networks and information contained within them (see PV-03). It is the responsibility of all employees and staff to be aware of those Information Systems procedures and policies that apply to them and their work.
All members of the BIDMC OHCA workforce will be required to complete an annual privacy and confidentiality training.