(A) It shall be the policy of the department, the village and all other village departments to restrict the use of PHI to the maximum extent possible, and to use or disclose PHI to the minimum extent necessary ("minimum necessary"). When using or disclosing PHI or when requesting PHI from another health care provider or health organization, the department and any and all other village employees or personnel must limit such use, disclosure or requests relating to PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Minimum necessary does not apply in the following circumstances:
(1) Disclosures by a health care provider for treatment (volunteers, staff and trainees are included as health care providers for this purpose);
(2) Uses and disclosures based upon a valid consent to use and disclose PHI for treatment, payment and health care operations or a valid authorization to use and disclose PHI;
(3) Disclosures made to the Secretary of the Department of Health and Human Services;
(4) Uses and disclosures required by law;
(5) Uses and disclosures made to an individual with respect to his or her own PHI; and
(6) Uses and disclosures required by other sections of the HIPAA privacy regulations or for compliance with the HIPAA Transaction Rule.
(B) When this policy permits use or disclosure of an individual's information to another entity, or when the department or the village requests an individual's information from another entity, the department or the village staff and workforce members must make reasonable efforts to limit the amount of information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
(C) If the department or the village policy permits making a particular disclosure to another entity, the department or the village staff and workforce may rely on a requested disclosure as being the minimum necessary for the stated purpose when:
(1) Making disclosures to public officials that are permitted under 45 CFR 164.512 if the public official represents that the information requested is the minimum necessary for the stated purpose(s).
(2) A "public official" is any employee or workforce member of a government agency who is authorized to act on behalf of that agency in performing the lawful duties and responsibilities of that agency.
(3) The information is requested by another entity that is a "covered entity" under the HIPAA privacy rules. A "covered entity" is a health plan, a health care provider who conducts electronic transactions, or a health care clearinghouse;
(4) The information is requested by a professional who is a member of the workforce of a "covered entity" or is a business associate of the "covered entity" for the purpose of providing professional services to the "covered entity," if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or
(5) Documentation or representations that comply with the applicable requirements of uses and disclosures for research purposes have been provided by a person requesting the information for research purposes.
(D) Access and uses of information. The department or the village will establish role-based categories that identify types of information necessary for staff and workforce members to perform their jobs. The department or the village will identify the category of information needed for persons, or classes of persons, in their respective workforces to carry out their duties, and will further identify any conditions appropriate to such access. Categories will include all information, such as information accessible by computer, kept in files, or other forms of information consistent with administrative, technical and physical safeguards.
(E) Routine and recurring disclosure of an individual's information. For the purposes of this policy, "routine and recurring" means the disclosure of records outside the department or the village, without the authorization of the individual, for a purpose that is compatible with the purpose for which the information was collected. The following identifies several examples of uses and disclosures that the department or the village has determined to be compatible with the purposes for which information is collected:
(1) Routine and recurring uses include disclosures required by law. For example, a mandatory child abuse report by the department or the village employee would be a routine use.
(2) If the department or the village deems it desirable or necessary, the department or the village may disclose information as a routine and recurring use to the State Department of Justice for the purpose of obtaining its advice and legal services.
(3) When federal or state agencies, such as the DHHS Office of Civil Rights, the DHHS Office of Inspector General, the department or the village's State Medicaid Fraud Unit, or the department or the village's Secretary of State, have the legal authority to require the department or the village to produce records necessary to carry out audit or oversight of the department or the village activities, the department or the village will make such records available as a routine and recurring use.
(4) When the department or the village determines that records are subject to disclosure under the department or the village's state laws, the department or the village may make the disclosure as a routine and recurring use.
(5) The department or the village will not disclose an individual's entire medical record unless the record specifically justifies why the entire medical record is needed.
(F) Non-routine disclosure of an individual's information.
(1) For the purpose of this policy, "non-routine disclosure" means the disclosure of records outside the department or the village that is not for a purpose for which it was collected.
(2) The department or the village will not disclose an individual's entire medical record unless the request specifically justifies why the entire medical record is needed, and applicable laws and policies permit the disclosure of all the information in the medical record to the requestor.
(3) Requests for non-routine disclosures must be reviewed on an individual basis in accordance with the criteria set forth in this policy.
(4) For non-routine disclosures, the department or the village will:
(a) Implement procedures to limit the information disclosed to only the minimum amount of information necessary to accomplish the purpose for which the disclosure is sought;
(b) Review requests for non-routine disclosures on an individual basis in accordance with such procedures.
(G) The department or the village's request for an individual's information from another health care provider or entity.
(1) When requesting information about an individual from another health care provider or entity, the department or the village staff and workforce members must limit requests to those that are reasonably necessary to accomplish the purpose for which the request is made.
(2) The department or the village will not request an individual's entire medical record unless the department or the village can specifically justify why the entire medical record is needed.
(H) Disclosures of an individual's information on a routine or recurring basis. For routine and recurring disclosures, the department or the village will:
(1) Determine who is requesting the information and the purpose for the request. If the request is not compatible with the purpose for which it was collected, refer to and apply the "non-routine use" policies;
(2) Confirm that the applicable department or the village policies permit the requested use and/or disclosure;
(3) Identify the kind and amount of information that is necessary to respond to the request; and
(4) If the disclosure is one that must be included in the department or the village accounting of disclosures, include required documentation in an accounting log.
(I) Disclosures of an individual's information on a non-routine basis. For non-routine disclosures, the department or the village will:
(1) Determine who is requesting the information and the purpose for the request. If the request is compatible with the purpose for which it was collected, apply the "routine and recurring use" policies from division (H) of this section;
(2) Determine which information of the individual is within the scope of the request, and what department or village policies apply to the requested use;
(3) If the information requested can be disclosed under the applicable policies, limit the amount of information to the minimum amount necessary to respond to the request; and
(4) Document the disclosure in an accounting log.
(Ord. 0030-03, passed 4-2-03)