Privacy & Confidentiality of Patient Information
I. Purpose of Policy
The purpose of this policy is to set forth the standards of the Dartmouth-Hitchcock Privacy Group governing the privacy and security of patients’ Personal Health Information (PHI) and for the appropriately controlled release of such information, consistent with applicable federal and state laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
II. Policy Scope
This Policy Statement applies to all Workforce members of the Dartmouth-Hitchcock Privacy Group (Mary Hitchcock Memorial Hospital (MHMH), Dartmouth-Hitchcock Clinics (D-HC), the Geisel School of Medicine at Dartmouth College, including Dartmouth-Hitchcock Psychiatric Associates (DHPA), and Cheshire Medical Center).
Dartmouth-Hitchcock Privacy Group (DHPG): A form of an organization under the HIPAA Privacy Rule known as an “organized health care arrangement,” whereby legally separate covered entities that are clinically or operationally integrated may share PHI for the joint management and operation of the arrangement.
Protected Health Information (PHI): All “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data collected from an individual, that is created or received by Dartmouth-Hitchcock (D-H) and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- Identifies the individual
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
PHI excludes individually identifiable health information:
- In educational records covered by the Family Educational Rights and Privacy Act;
- In employment records held by D-H in its role as an employer;
- Regarding a person who has been deceased for more than 50 years;
- That has been de-identified in accordance with the HIPAA Privacy Rule.
Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for D-H or its Business Associate, is under the direct control of D-H or its Business Associate, whether or not paid by D-H or its Business Associate.
IV. Policy Statement
- General Principles
- Patients own their personal health information and, with limited exceptions set forth in the HIPAA Privacy Rule and state law (e.g., psychotherapy notes), they have a reasonable right to access their health information and to control access to it by others, to correct or comment on information contained in their medical record, and to be aware of how their personal health information is being used. Although individual Dartmouth-Hitchcock institutions own the media on which personal health information is kept (e.g., paper records, videos, photographs, electronic storage media, etc.), they hold the personal health information stored on those media in trust for the benefit of our patients.
- Uses and Disclosure of PHI: DHPG institutions will not use, disclose, or release PHI to persons other than the patient or his/her authorized representative, except in the following
- To carry out treatment, payment, and health care operations, as authorized by the HIPAA Privacy Rule;
- As required by law (e.g., to comply with statutory reporting requirements) or as permitted by law and by our Notice of Privacy Practices (e.g., in medical emergencies, for medical research purposes, or for public health oversight
- In some circumstances, after giving the patient the opportunity to agree or object to the use or disclosure (e.g., relevant verbal disclosures to family members or friends involved in the patient’s care or for facility directory
- Otherwise, only with the patient’s specific written authorization.
- Workforce Responsibilities: Members of the DHPG Workforce are held accountable to read, know, and understand this Policy, to adhere to approved policies and procedures for protecting the privacy of patients’ personal health information, and to exercise care and good judgment in accessing, using, or disclosing such information.
- Minimum Necessary: An individual provider responsible for the care of a patient may access all or any part of the patient’s record deemed relevant to treatment. In all other circumstances, only the minimum necessary for the relevant purposes will be accessed by or released to those individuals or entities with a professional or administrative need to access such information. For more information, refer to Policy 7488 on Minimum Necessary Uses, Disclosures, and Requests of Protected Health Information.
- Notice of Privacy Practices: Patients have a right to receive adequate notice of the uses and disclosures of PHI that may be made by DHPG institutions, and of the patient’s rights and the institution’s legal duties regarding their PHI. Such notice is called the DHPG Notice of Privacy Practices, and is available here. DHPG institutions will provide all patients with this Notice of Privacy Practices, explaining how we use and disclose their personal health information to provide them with care, and we will ask them to acknowledge receipt of that notice. The Notice of Privacy Practices will be updated from time to time to reflect changes in law, organization structure, or policy. Refer to Policy 7489 on our Notice of Privacy Practices for more information.
- Personal Representatives: A person other than the patient may authorize access to or release of the patient’s information only when designated by a competent patient, the parent or guardian of a minor child, the guardian or conservator of an incompetent adult patient, or by a court order. For more information, refer to Policy 7436 on Designating a Personal Representative for Purposes of HIPAA Privacy Rule.
- Statements on Specific Situations
- Treatment: The sharing of medical information required for the patient’s ongoing care is assumed to be in the patient’s best interest. To facilitate a patient’s treatment, disclosure of PHI regularly occurs among DHPG providers. Patient information will also be released to non-DHPG providers when appropriate to do so, such as in a medical emergency, when providing test results and/or reports to referring physicians, or to facilitate follow-up care by other providers. The patient should also be informed that attending, consulting, and referring providers may have access to their medical record for treatment purposes.
- Payment: All patients should be informed about the following:
- That data from their medical records required to support claims for payment for covered services may be released to primary and secondary payers;
- That payers maintain claims databases on their clients;
- That payers may contribute patient data to the Medical Information Bureau;
- That third-party reviewers may request and receive patient information over the telephone or by electronic transmission for utilization review, pre-authorization of services, or case management purposes, or may review the medical record on the
- Health Care Operations: Patient-specific information is essential to many corporate administrative functions required to support modern health care delivery systems. The HIPAA Privacy Rule refers to these as “health care operations” activities. They include, but are not limited to:
- Surveys by accrediting bodies and evaluations of clinical outcomes (non-patient specific and non-diagnostic information should be used for these purposes whenever possible, and in all cases, only the minimal amount of information should be accessed and only by those with a need to know the information);
- Quality assessment and improvement functions used to evaluate the adequacy and appropriateness of care rendered. (Documentation generated during this process may be protected by state statutes from disclosure. When disseminating information from these reviews at section or department meetings, patient-specific information is to be deleted whenever possible);
- Population-based activities related to improving health or reducing health care costs;
- Patient safety activities;
- Case management and care coordination;
- Credentialing of individual providers;
- Clinical education programs for medical students and other trainees;
- Legal, auditing, and compliance functions; and
- Business planning, management, and general administrative functions.
- Medical Research: In most circumstances, the use of patient-specific information for medical research must be approved by the appropriate Institutional Review Board, such as the Committee for the Protection of Human Subjects (CPHS), the Institutional Review Board operated by Dartmouth College. Access to PHI held by D-H must be limited to the minimum necessary for purposes of the Research project. Articles or published study results must not include PHI without authorization from the patient or his/her legal representative.
- Medical Education: Clinical education and training activities are fundamental to the mission of Dartmouth-Hitchcock. DHPG institutions recognize the necessity of sharing patient-related information to fulfill that mission. This includes, for example, reviewing a patient’s medical records with residents, medical students, nursing students, and other medical trainees engaged in clinical education under the supervision of a Dartmouth-Hitchcock health care provider. Minimum necessary requirements apply to training programs for clinical
- Release of Information to News Media: Requests from the news media for patient information must be referred to the public affairs department within each institution (e.g., External Relations or Media Relations). DHPG institutions will only release information to the news media as allowed by the HIPAA Privacy Rule and state law.
- Reporting Required by Law: In accordance with state law, certain diagnoses (e.g., communicable diseases) and circumstances (e.g., evidence of child abuse) require reporting to state agencies without patient consent. Each institution will develop policies and procedures regarding the release of information as required by law.
- Other Releases Permitted by Law: DHPG institutions will develop specific policies governing requested releases of patients’ personal health information that are permitted but not required by law, e.g., in connection with public health oversight activities, judicial and administrative proceedings, and law enforcement activities.
- Release of Sensitive Information: State and federal law contain special confidentiality provisions regarding some categories of diagnoses, referred to herein as “sensitive information.” These include, but are not limited to, HIV test results, mental health records, and substance abuse treatment records. Such laws require special authorizations or court orders for release of information. Each institution will develop policies and procedures regarding the release of sensitive information.
- Releases to Business Associates: DHPG institutions have many relationships with independent contractors (known as “business associates” under the HIPAA Privacy Rule) who assist in performing essential health care functions, which requires disclosure of PHI to them. These business associates include consultants, attorneys, auditors, utilization reviewers, debt collection agencies, software vendors, data analysts and aggregators, research sponsors, accreditation agencies, and others. In each case, a business associate agreement must be in place between the contractor and the covered entity, which includes specific provisions governing the use and disclosure of PHI by the business associate, as required by the HIPAA Privacy Rule. Direct questions regarding business associates, including acquiring the approved business associate agreement template, to the institution’s Privacy
- Electronic Health Records and the Legal Health Record
DHPG institutions utilize computerized patient records (electronic health records), and believe that electronic technology enhances the effectiveness and efficiency of medical care. DHPG institutions will monitor accesses to electronic records to ensure that access is appropriate and in accordance with state and federal law and regulation.
All records that fall within the definition of the covered entity’s legal health record should be structured so they can be admitted as evidence in court as a business record. This means, in general, that patient records must:
- Be kept during the ordinary course of business;
- Be created contemporaneously with the event being documented;
- Include documentation dates, times, and the identity of every individual making or modifying any entry (maintaining the original plus the modified entry); and
- Be protected by publicized and enforced rules against unauthorized access to and disclosure of personal health information.
- Implementation Policies and Procedures
This document is intended as the basic policy foundation for the DHPG institutions with respect to the privacy of our patients’ PHI. Clinical departments, sections, and program offices will adopt and implement more specific policies and procedures, consistent with the HIPAA Privacy Rule, other applicable state and/or federal laws, and this Policy. These more specific implementation policies and procedures will include, without limitation:
- A notice to patients of our privacy policies and procedures (in paper, electronic, and any other media used for communication with patients)
- An acknowledgement of receipt of that notice, to be signed by patients (when possible)
- Authorizations for other specific disclosures of PHI
- Minimum necessary use and disclosure protocols and criteria
- Release of information policies and procedures
- Procedures for statutory reporting requirements
- Information Services policies and procedures, including technical security policies appropriate to the range of technologies used within Information Services
- Business Associate contracts
- Affiliate Information Services agreements
- Billing and claims policies and procedures
- Employment policies and procedures relating to role-based access to PHI
- Complaints, investigations, and sanctions policies and procedures
- Workforce training standards
- Review and Amendment of Privacy Policies and Procedures
Because of the rapidly changing healthcare environment and technologies, we anticipate that this Policy and the implementation policies and procedures can represent only the current thinking and law at any point in time and, therefore, will need periodic reviewing and updating. This review will be coordinated by each institution’s appropriate internal governing bodies or their designees.
- Questions about this Policy
Questions about this Policy should be referred to the Dartmouth-Hitchcock Privacy Office:
Dartmouth-Hitchcock Privacy Office
One Medical Center Drive
Lebanon, NH 03756
HIPAA Privacy Rule: 42 C.F.R. Part 164
D-H Policy ID: 7563