Protecting privacy: Handling third-party requests

posted October 21st, 2008

In your work at Duke University Health System, you may be asked to share patient health information, or PHI, with a third party.

If disclosing PHI is not one of your job responsibilities, never disclose the information a third party requests without first discussing it with your supervisor. Contact the DUHS Privacy Officer at 668-2573 if you and your supervisor have questions.

Before disclosing patient information, it’s important to follow these steps:

  1. Identify the third party, and verify the third party’s identity and relationship with Duke (e.g., is the party making the request on behalf of Duke, or is the requestor an outside vendor or a health care provider?).
  2. Verify the ability of the third party to receive PHI. (See steps 3 & 4).
  3. Determine the third party’s purpose for obtaining PHI:
     a. Is the disclosure permitted under the Privacy Rule?
     b. Is it for treatment, payment, or health care operations or required by law?
        i. If not, did the patient provide authorization for his or her PHI to be disclosed?
  4. In circumstances where the third party is performing a function for DUHS, verify that a Business Associate Agreement is in place that defines what information is to be disclosed.
  5. Determine the amount of information that should be disclosed to the third party. Only the minimum amount of PHI needed to accomplish the intended purpose should be disclosed unless for treatment purposes. Do not let the party determine the amount of information to send.
  6. Talk to your supervisor, discuss the information request, and agree on what information you can disclose to the requestor.
  7. Consider if the information requested can be de-identified before disclosing.
  8. Contact your local technical support for assistance.
     a. Document the disclosure if not for payment, treatment, health care operations, or authorized by the patient. See the DUHS Disclosing Protected Health Information without Patient Authorization or Consent Policy for documentation requirements.
  9. If the request is via fax or hard copy and you and your supervisor determine that the disclosure should be made:
     a. Securely send the minimum necessary information. (Use a cover sheet if faxing the information, confirm the correct fax number, and determine that the fax machine is secure or the receiver is alerted to receive the fax.)