GUIDANCE (June
3, 2008)
USE OF
PROTECTED HEALTH INFORMATION (PHI) IN PUBLICATIONS
Publishing clinical results, departmental activities, and University of Chicago Medical Center (UCMC) advancements in educational/medical literature, newsletters, and other types of publications is fundamental to the UCMC mission. However, it is important that we use and disclose protected health information (PHI) for these purposes in a HIPAA compliant manner. This guidance applies to publications distributed inside and outside UCMC.
What Information is Covered?
PHI is defined as any information that can lead to the identity of a specific individual. Below are examples of PHI that by themselves constitute PHI and therefore must be protected under HIPAA:
| Patient Name |
Patient Address |
Birth Date |
| Discharge Date |
Date of Death |
Admission Date |
| Telephone Number |
Fax Number |
Email Address |
| Social Security Number |
Medical Record Number |
Health Plan Number |
| Account Number |
Certificate/License Number |
Vehicle/License Plate Number |
| Device Identifier & Serial
Number |
Diagnosis |
Lab Tests/Results |
| Full face photographic images and any comparable images |
How Can We Use PHI in Publications?
The HIPAA Privacy Rule allows physicians and staff to use and disclose PHI without a patient's written authorization only for purposes related to treatment, payment, and health care operations. The HIPAA Privacy Rule does not allow the use of PHI in publications (e.g. medical articles, annual reports, newsletters, quality posters, and written case studies, etc), therefore a patient written authorization is required.
As such, UCMC physicians and staff who want to include PHI in publications may do so, but must follow the below guidelines:
- Obtain Patient Written Authorization. The physician, publisher, or marketing department seeks the patient's permission, and the patient signs a HIPAA compliant written authorization - Education Authorization Form (the signed authorization form should be maintained in the patient's medical record). Only the PHI that the patient agrees may be used and that is reflected on the authorization form should be used and disclosed.
- Students must not use PHI in any publication or course work
without a valid written signed authorization from the patient.
- Verify that a patient signed authorization is on file before
printing the publication.
- UCMC physicians and staff may not search UCMC databases or applications (e.g. EPIC, OACIS) to search or "data mine" for interesting patient cases to use in publications. Contact the HIPAA Program Office to discuss your need to access PHI.
| Quick
Links: Accounting of Disclosures HIPAA Privacy Review HIPAA Reference Sheet Quick Reference Guide Useful Links HPO@bsd.uchicago.edu |
Call 4-9716 for more details.
The University of Chicago Medical Center | 5841 South Maryland Avenue | Chicago, IL 60637
HPOwebmaster@bsd.uchicago.edu