
Privacy & Confidentiality of Patient Information

I. Purpose of Policy

The purpose of this policy is to set forth the standards of the Dartmouth-Hitchcock Privacy Group governing the privacy and security of patients’ Personal Health Information (PHI) and for the appropriately controlled release of such information, consistent with applicable federal and state laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

II. Policy Scope

This Policy Statement applies to all Workforce members of the Dartmouth-Hitchcock Privacy Group (Mary Hitchcock Memorial Hospital (MHMH), Dartmouth-Hitchcock Clinics (D-HC), the Geisel School of Medicine at Dartmouth College, including Dartmouth-Hitchcock Psychiatric Associates (DHPA), and Cheshire Medical Center).

III. Definitions

Dartmouth-Hitchcock Privacy Group (DHPG): A form of an organization under the HIPAA Privacy Rule known as an “organized health care arrangement,” whereby legally separate covered entities that are clinically or operationally integrated may share PHI for the joint management and operation of the arrangement.

Protected Health Information (PHI): All “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data collected from an individual, that is created or received by Dartmouth-Hitchcock (D-H) and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

  • Identifies the individual; or
  • With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

PHI excludes individually identifiable health information:

  • In educational records covered by the Family Educational Rights and Privacy Act;
  • In employment records held by D-H in its role as an employer;
  • Regarding a person who has been deceased for more than 50 years;
  • That has been de-identified in accordance with the HIPAA Privacy Rule.

Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for D-H or its Business Associate, is under the direct control of D-H or its Business Associate, whether or not paid by D-H or its Business Associate.

IV. Policy Statement

  1. General Principles
    1. Patients own their personal health information and, with limited exceptions set forth in the HIPAA Privacy Rule and state law (e.g., psychotherapy notes), they have a reasonable right to access their health information and to control access to it by others, to correct or comment on information contained in their medical record, and to be aware of how their personal health information is being used. Although individual Dartmouth-Hitchcock institutions own the media on which personal health information is kept (e.g., paper records, videos, photographs, electronic storage media, etc.), they hold the personal health information stored on those media in trust for the benefit of our patients.

    2. Uses and Disclosure of PHI: DHPG institutions will not use, disclose, or release PHI to persons other than the patient or his/her authorized representative, except in the following circumstances:
      1. To carry out treatment, payment, and health care operations, as authorized by the HIPAA Privacy Rule;
      2. As required by law (e.g., to comply with statutory reporting requirements) or as permitted by law and by our Notice of Privacy Practices (e.g., in medical emergencies, for medical research purposes, or for public health oversight functions);
      3. In some circumstances, after giving the patient the opportunity to agree or object to the use or disclosure (e.g., relevant verbal disclosures to family members or friends involved in the patient’s care or for facility directory purposes); and
      4. Otherwise, only with the patient’s specific written authorization.

    3. Workforce Responsibilities: Members of the DHPG Workforce are held accountable to read, know, and understand this Policy, to adhere to approved policies and procedures for protecting the privacy of patients’ personal health information, and to exercise care and good judgment in accessing, using, or disclosing such information.

    4. Minimum Necessary: An individual provider responsible for the care of a patient may access all or any part of the patient’s record deemed relevant to treatment. In all other circumstances, only the minimum necessary for the relevant purposes will be accessed by or released to those individuals or entities with a professional or administrative need to access such information. For more information, refer to Policy 7488 on Minimum Necessary Uses, Disclosures, and Requests of Protected Health Information.

    5. Notice of Privacy Practices: Patients have a right to receive adequate notice of the uses and disclosures of PHI that may be made by DHPG institutions, and of the patient’s rights and the institution’s legal duties regarding their PHI. Such notice is called the DHPG Notice of Privacy Practices, and is available here. DHPG institutions will provide all patients with this Notice of Privacy Practices, explaining how we use and disclose their personal health information to provide them with care, and we will ask them to acknowledge receipt of that notice. The Notice of Privacy Practices will be updated from time to time to reflect changes in law, organization structure, or policy. Refer to Policy 7489 on our Notice of Privacy Practices for more information.

    6. Personal Representatives: A person other than the patient may authorize access to or release of the patient’s information only when designated by a competent patient, the parent or guardian of a minor child, the guardian or conservator of an incompetent adult patient, or by a court order. For more information, refer to Policy 7436 on Designating a Personal Representative for Purposes of HIPAA Privacy Rule.

  2. Statements on Specific Situations
    1. Treatment: The sharing of medical information required for the patient’s ongoing care is assumed to be in the patient’s best interest. To facilitate a patient’s treatment, disclosure of PHI regularly occurs among DHPG providers. Patient information will also be released to non-DHPG providers when appropriate to do so, such as in a medical emergency, when providing test results and/or reports to referring physicians, or to facilitate follow-up care by other providers. The patient should also be informed that attending, consulting, and referring providers may have access to their medical record for treatment purposes.

    2. Payment: All patients should be informed about the following:
      1. That data from their medical records required to support claims for payment for covered services may be released to primary and secondary payers;
      2. That payers maintain claims databases on their clients;
      3. That payers may contribute patient data to the Medical Information Bureau;
      4. That third-party reviewers may request and receive patient information over the telephone or by electronic transmission for utilization review, pre-authorization of services, or case management purposes, or may review the medical record on the premises.

    3. Health Care Operations: Patient-specific information is essential to many corporate administrative functions required to support modern health care delivery systems. The HIPAA Privacy Rule refers to these as “health care operations” activities. They include, but are not limited to:

      1. Surveys by accrediting bodies and evaluations of clinical outcomes (non-patient specific and non-diagnostic information should be used for these purposes whenever possible, and in all cases, only the minimal amount of information should be accessed and only by those with a need to know the information);
      2. Quality assessment and improvement functions used to evaluate the adequacy and appropriateness of care rendered. (Documentation generated during this process may be protected by state statutes from disclosure. When disseminating information from these reviews at section or department meetings, patient-specific information is to be deleted whenever possible);
      3. Population-based activities related to improving health or reducing health care costs;
      4. Patient safety activities;
      5. Case management and care coordination;
      6. Credentialing of individual providers;
      7. Clinical education programs for medical students and other trainees;
      8. Legal, auditing, and compliance functions; and
      9. Business planning, management, and general administrative functions.

    4. Medical Research: In most circumstances, the use of patient-specific information for medical research must be approved by the appropriate Institutional Review Board, such as the Committee for the Protection of Human Subjects (CPHS), the Institutional Review Board operated by Dartmouth College. Access to PHI held by D-H must be limited to the minimum necessary for purposes of the Research project. Articles or published study results must not include PHI without authorization from the patient or his/her legal representative.

    5. Medical Education: Clinical education and training activities are fundamental to the mission of Dartmouth-Hitchcock. DHPG institutions recognize the necessity of sharing patient-related information to fulfill that mission. This includes, for example, reviewing a patient’s medical records with residents, medical students, nursing students, and other medical trainees engaged in clinical education under the supervision of a Dartmouth-Hitchcock health care provider. Minimum necessary requirements apply to training programs for clinical education.

    6. Release of Information to News Media: Requests from the news media for patient information must be referred to the public affairs department within each institution (e.g., External Relations or Media Relations). DHPG institutions will only release information to the news media as allowed by the HIPAA Privacy Rule and state law.

    7. Reporting Required by Law: In accordance with state law, certain diagnoses (e.g., communicable diseases) and circumstances (e.g., evidence of child abuse) require reporting to state agencies without patient consent. Each institution will develop policies and procedures regarding the release of information as required by law.

    8. Other Releases Permitted by Law: DHPG institutions will develop specific policies governing requested releases of patients’ personal health information that are permitted but not required by law, e.g., in connection with public health oversight activities, judicial and administrative proceedings, and law enforcement activities.

    9. Release of Sensitive Information: State and federal law contain special confidentiality provisions regarding some categories of diagnoses, referred to herein as “sensitive information.” These include, but are not limited to, HIV test results, mental health records, and substance abuse treatment records. Such laws require special authorizations or court orders for release of information. Each institution will develop policies and procedures regarding the release of sensitive information.

    10. Releases to Business Associates: DHPG institutions have many relationships with independent contractors (known as “business associates” under the HIPAA Privacy Rule) who assist in performing essential health care functions, which requires disclosure of PHI to them. These business associates include consultants, attorneys, auditors, utilization reviewers, debt collection agencies, software vendors, data analysts and aggregators, research sponsors, accreditation agencies, and others. In each case, a business associate agreement must be in place between the contractor and the covered entity, which includes specific provisions governing the use and disclosure of PHI by the business associate, as required by the HIPAA Privacy Rule. Direct questions regarding business associates, including acquiring the approved business associate agreement template, to the institution’s Privacy Office.

  3. Electronic Health Records and the Legal Health Record
    DHPG institutions utilize computerized patient records (electronic health records), and believe that electronic technology enhances the effectiveness and efficiency of medical care. DHPG institutions will monitor accesses to electronic records to ensure that access is appropriate and in accordance with state and federal law and regulation.

    All records that fall within the definition of the covered entity’s legal health record should be structured so they can be admitted as evidence in court as a business record. This means, in general, that patient records must:
    • Be kept during the ordinary course of business
    • Be created contemporaneously with the event being documented
    • Include documentation dates, times, and the identity of every individual making or modifying any entry (maintaining the original plus the modified entry)
    • Be protected by publicized and enforced rules against unauthorized access to and disclosure of personal health information.

  4. Implementation Policies and Procedures
    This document is intended as the basic policy foundation for the DHPG institutions with respect to the privacy of our patients’ PHI. Clinical departments, sections, and program offices will adopt and implement more specific policies and procedures, consistent with the HIPAA Privacy Rule, other applicable state and/or federal laws, and this Policy. These more specific implementation policies and procedures will include, without limitation:

    • A notice to patients of our privacy policies and procedures (in paper, electronic, and any other media used for communication with patients)
    • An acknowledgement of receipt of that notice, to be signed by patients (when possible)
    • Authorizations for other specific disclosures of PHI
    • Minimum necessary use and disclosure protocols and criteria
    • Release of information policies and procedures
    • Procedures for statutory reporting requirements
    • Information Services policies and procedures, including technical security policies appropriate to the range of technologies used within Information Services
    • Business Associate contracts
    • Affiliate Information Services agreements
    • Billing and claims policies and procedures
    • Employment policies and procedures relating to role-based access to PHI
    • Complaints, investigations, and sanctions policies and procedures
    • Workforce training standards

  5. Review and Amendment of Privacy Policies and Procedures
    Because of the rapidly changing healthcare environment and technologies, we anticipate that this Policy and the implementation policies and procedures can represent only the current thinking and law at any point in time and, therefore, will need periodic reviewing and updating. This review will be coordinated by each institution’s appropriate internal governing bodies or their designees.

  6. Questions about this Policy
    Questions about this Policy should be referred to the Dartmouth-Hitchcock Privacy Office:

    Dartmouth-Hitchcock Privacy Office
    One Medical Center Drive
    Lebanon, NH 03756
    (603) 650-8483

V. References

HIPAA Privacy Rule: 42 C.F.R. Part 164

D-H Policy ID: 7563