OsbyCorp Safe Guarding Medical Records Policy
PURPOSE
The purpose of this policy is to provide guidelines for the safeguarding of Protected Health Information (“PHI”) in the facility and to limit unauthorized disclosures of PHI that is contained in a resident’s Medical Record, while at the same time ensuring that such PHI is easily accessible to those involved in the treatment of the resident.
POLICY
The policy of this facility is to ensure, to the extent possible, that PHI is not intentionally or unintentionally used or disclosed in a manner that would violate the HIPAA Privacy Rule or any other federal or state regulation governing confidentiality and privacy of health information. The following procedure is designed to prevent improper uses and disclosures of PHI and limit incidental uses and disclosures of PHI that is, or will be, contained in a resident’s Medical Record. At the same time, the facility recognizes that easy access to all or part of a resident’s Medical Record by health care practitioners involved in a resident’s care (nurses, attending and consulting physicians, therapists, and others) is essential to ensure the efficient quality delivery of health care.
The Administrator is responsible for the security of all Medical Records. All staff members are responsible for the security of the active Medical Records at the nursing stations.
PROCEDURE
The Administrator, whom is the Facilities Privacy Official, shall periodically monitor the Facility’s compliance regarding its reasonable efforts to safeguard PHI.
Safeguards for Verbal Uses
These procedures shall be followed, if reasonable by the facility, for any meeting or conversation where PHI is discussed.
Meetings during which PHI is discussed:
1. Specific types of meetings where PHI may be discussed include, but are not limited to:
a. Shift Change Report
b. Daily Standup or Department Head meetings
c. Interdisciplinary Plan of Care meeting
d. Medicare meeting
e. Bill review meetings
f. Family Care Conference
2. Meetings will be conducted in an area that is not easily accessible to unauthorized persons.
3. Meetings will be conducted in a room with a door that closes, if possible.
4. Voices will be kept to a moderate level to avoid unauthorized persons from overhearing.
5. Only staff members who have a “need to know” the information will be present at the meeting.
6. The PHI that is shared or discussed at the meeting will be limited to the minimum amount necessary to accomplish the purpose of sharing the PHI.
Telephone conversations:
1. Telephones used for discussing PHI are located in as private an area as possible.
2. Staff members will take reasonable measures to assure that unauthorized persons do not overhear telephone conversations involving PHI. Reasonable measures may include:
a. Lowering the voice
b. Requesting that unauthorized persons step away from the telephone area
c. Moving to a telephone in a more private area before continuing the conversation
3. PHI shared over the phone will be limited to the minimum amount necessary to accomplish the purpose of the use or disclosure.
In-Person conversations:
• In resident rooms
• With resident/family in public areas
• With authorized staff in public areas
Reasonable measures will be taken to assure that unauthorized persons do not overhear conversations involving PHI. Such measures may include:
1. Lowering the voice
2. Moving to a private area within the Facility
3. If in resident room, pulling the privacy curtain
Safeguards for Written PHI
All documents containing PHI should be stored appropriately to reduce the potential for incidental use or disclosure. Documents should not be easily accessible to any unauthorized staff or visitors.
Active Records on Nursing Unit:
1. Active Medical Records shall be stored in an area that allows staff providing care to residents to access the records quickly and easily as needed.
2. Authorized staff shall review the Medical Record at the nursing station, unless it is signed out in accordance with Facility procedure.
3. Active Medical Records shall not be left unattended on the nurses’ station desk or other areas where residents, visitors and unauthorized individuals could easily view the records.
4. Medication Administration Records, Treatment Administration Records, report sheets and other documents containing PHI shall not be left open and/or unattended.
5. Only authorized staff shall review the Medical Records. All authorized staff reviewing Medical Records shall do so in accordance with the minimum necessary standards.
6. Medical Records shall be protected from loss, damage and destruction.
Active Business Office Files:
Active Business Office Files shall be stored in a secure area that allows authorized staff access as needed.
Thinned Records, Inactive Medical Records:
1. Thinned and inactive Medical Records will be filed in a systematic manner in a location that ensures the privacy and security of the information. The Health Information Manager or a designee shall monitor storage and security of such Medical Records. When records are left unattended, records will be in a locked room, file cabinet or drawer.
2. The Administrator will identify and document those staff members with keys to stored Medical Records. The minimum number of staff necessary to assure that records are secure yet accessible shall have keys allowing access to stored Medical Records. Staff members with keys shall assure that the keys are not accessible to unauthorized individuals.
3. Inactive Medical Records must be signed out if removed from their designated storage area. Only authorized persons shall be allowed to sign out such records.
4. Records must be returned to storage promptly.
5. In the event that the confidentiality or security of PHI stored in an active or inactive Medical Record has been breached, the Administrator shall be notified immediately.
6. Facility procedure will be followed if Medical Records are missing.
7. In the event of a change in ownership of the Facility, the Medical Records shall be maintained as specified in the Purchase and Sale Agreement.
Inactive Business Office Files:
Inactive Business Office Files shall be stored in a systematic manner in a location that ensures privacy and security of the information.
PHI Not a Part of the Designated Record Set:
1. Use of “shadow” charts or files is discouraged.
2. Any documentation of PHI shall be stored in a location that ensures, to the extent possible, that such PHI is accessible only to authorized individuals.
Office Equipment Safeguards
Computer access:
1. Only staff members who need to use computers to accomplish work-related tasks shall have access to computer workstations or terminals.
2. All users of computer equipment must have unique login and passwords.
3. Passwords shall be changed every 90 days.
4. Posting, sharing and any other disclosure of passwords and/or access codes is strongly discouraged.
5. Access to computer-based PHI shall be limited to staff members who need the information for treatment, payment or health care operations.
6. Facility staff members shall log off their workstation when leaving the work area.
7. Computer monitors shall be positioned so that unauthorized persons cannot easily view information on the screen.
8. Employee access privileges will be removed promptly following their departure from employment.
9. Employees will immediately report any violations of this Policy to their supervisor, or the Administrator.
Printers, copiers and fax machines:
1. Printers will be located in areas not easily accessible to unauthorized persons.
2. If equipment cannot be relocated to a secure location, a sign will be posted near the equipment indicating that unauthorized persons are prohibited from viewing documents from the equipment. Sample language: “Only authorized staff may view documents generated by this (indicate printer, copier, fax, etc). Access to such documents by unauthorized persons is prohibited by federal law.”
3. Documents containing PHI will be promptly removed from the printer, copier or fax machine and placed in an appropriate and secure location.
4. Documents containing PHI that must be disposed of due to error in printing will be destroyed by shredding or by placing the document in a secure recycling or shredding bin until destroyed.
Destruction
Written:
Documentation that is not part of the Medical Record and will not become part of the Medical Record (e.g., report sheets, shadow charts or files, notes, lists of vital signs, weights, etc.) shall be destroyed promptly when it is no longer needed by shredding or placing the information in a secure recycling or shredding bin until the time that it is destroyed.
Electronic:
Prior to the disposal of any computer equipment, including donation, sale or destruction, the Facility must determine if PHI has been stored in this equipment and will delete all PHI prior to the disposal of the equipment.
OsbyCorp Notice of Privacy Practices
This notice describes how medical information about the resident may be used and disclosed and how you can get access to this information. Please review it carefully.
Protected Health Information
While receiving care from this facility, information regarding your medical history, treatment, and payment for your health care may be originated and/or received by us. Information which can be used to identify you and which relates to your past, present, or future medical condition, receipt of health care or payment for health care (“Protected Health Information”).
How Your Information is Maintained
Information may be maintained by the facility in a variety of ways. This may include paper documents, electronic documents, data tapes and images of various types as well as the use of email, secure messaging systems, electronic systems, the internet, cloud providers, and participation in third-party networks such as the Iowa Health Information Network.
Our Responsibilities
Federal law imposes certain obligations and duties upon us as covered health care provider with respect to your Protected Health Information. Specifically, we are required to:
• Provide you with notice of our legal duties and our facility’s policies regarding the use and disclosure of your Protected health Information;
• Maintain the confidentially of your Protected Health Information in accordance with state and federal law;
• Honor your requested restrictions regarding the use and disclosure of your Protected Health Information unless under the law we are authorized or required to release your Protected Health Information without your authorization, in which case you will be notified within a reasonable period of time allowed by law;
• Allow you to inspect and copy your Protected Health Information during our regular business hours;
• Act on your request to amend Protected Health Information within sixty (60) days and notify you of any delay which would require us to extend the deadline by the permitted thirty (30) days extension;
• Accommodate reasonable requests to communicate Protected Health Information by alternative means or methods; and
• Abide by the terms of this notice.
How Your Protected Health Information May be Used and Disclosed
Generally, your Protected Health Information may be used and disclosed by us only with your express written authorization. However, there are some exceptions to this general rule.
Treatment, Payment, or Health Care Operations
General Use
As part of our treatment, payment, and operations we may also release information to business associates who may perform various treatment, payment or operation functions. Information may also be exchanged, stored, or listed with records locator services, record repositories, and other third-parties such as the Iowa Health Information Network. If information is provided to another person or entity, such as another facility or physician from whom you seek treatment, that facility or physician may treat the information received as part of its protected information.
Treatment Purposes
We may use or disclose your Protected Health Information for treatment purposes. During your care at Parkview Care Center, it may be necessary for various personnel involved in your care to have access to your Protected Health Information in order to provide you with quality care. For example, we may inform dietary personnel of any condition which requires you have a special diet. In addition, we may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services which may be of interest to you.
Situations may also arise when it is necessary to disclose your Protected Health Information to health care providers outside our facility who may also be involved in your care or to facilitate referral to another provider or care facility. For example, we may inform your physician of medications you are currently taking, provide other information for continuity of care.
Payment Purposes
Your Protected Health Information may also be used or disclosed for payment purposes. It is necessary for us to use or disclose Protected Health Information so that treatment and services provided by us may be billed and collected from you, your insurance company, or other third party payer. For example, we may disclose your Protected Health Information to your health insurance carrier to obtain prior approval for a service. We may also release your Protected Health Information to another health care provider or individual or entity covered by the HIPAA regulations who has a relationship with you for their payment activities. For example, we may disclose information to your health insurance carrier upon its request for additional information necessary for it to determine whether a service is covered.
Health Care Operations
Your Protected Health Information may also be used for health care operations, which are necessary to ensure our facility provides the highest quality of care. For example, your Protected Health Information may be used for quality assurance or risk management purposes or disclosed to our accountant for auditing purposes. We may at times removed information which could identify you from your record so as to prevent others from learning who the specific patients are. In addition, we may release your Protected Health Information to another individual or entity covered by the HIPAA privacy regulations that has a relationship with you for their fraud and abuse detection or compliance purposes, quality assessment and improvement activities, or review, evaluation or training health care professionals or students. For example, we may disclose information to another health care provider involved in your care if the provider requests the information is necessary for its evaluation of one of its medical students. We may also release information to business associates who may perform various treatment, payment or operation functions.
Patient Directory
Some of our facilities maintain a patient directory. Unless you object, your name, location in the facility, general condition, and religious affiliation will be contained in the directory. The directory is disclosed to members of the clergy and except for religious affiliation, to other persons who specifically ask for the information by your name. You are not obligated, however, in any way, to consent to the inclusion of your information in the facility directory. Please notify facility personnel if you do not wish to be included in the directory or if you wish for information or disclosure to be limited in some way.
Notification and Communications to Individuals Involved in Your Care
Unless you have informed us otherwise, your Protected Health Information may be used or disclosed by us to notify or assist in notifying a family member or other person responsible for your care. In most cases, Protected Health Information disclosed for notification purposes will be limited to your name, location, and general condition. In addition, unless you have informed us otherwise, Protected Health Information may be released to a family member, relative or close personal friend who is involved in your care to the extent necessary for them to participate in your care. In the event you wish for any of these uses or disclosures to be limited, please contact facility personnel.
Disaster Relief
In the event of a disaster we may provide information to public or private entities as needed to facilitate treatment, locate family members, or caregivers, and to facilitate public health needs.
Psychotherapy Notes
In the event psychotherapy notes are maintained as part of your health information, those notes will not be used or disclosed except in limited circumstances without your authorization. Such authorization is not needed and will not be obtained if such notes are used by the person who created them, in a reasonable training program for the facility, or as otherwise allowed by law.
Research Purposes
In some instances, your Protected Health Information may be used or disclosed for research purposes. All research projects which use Protected Health Information are subject to a special approval process which will, among other things, evaluate the precautions used to protect patient medical information. In many cases, information which identifies you as the patient will be removed.
Authorized by Law
We may also use or disclosure your Protected Health Information without your authorization as permitted or required by law. Examples include: public health activities, health oversight activities, judicial and administrative proceedings, abuse reporting, law enforcement, organ donation, medical examiners and corners, workers compensation process and research purposes. Information will only be used/disclosed without your authorization as permitted by the applicable state or federal law.
More Stringent Laws
Some of your Protected Health Information may be subject to other laws and regulations and afforded greater protection than what is outlined in this Notice. For instance, HIV/AIDS, substance abuse, mental health, information and genetic information are often given more protection. In the event your Protected Health Information is afforded greater protection under federal or state law, we will comply with the applicable law.
Other uses and disclosures of Protected Health Information not covered by this notices or the laws that apply to us will be made only with your written permission. For example, we need your written authorization to disclose your entire medical record to a family member (other than personal representatives as allowed by law) although some information may be disclosed under limited circumstances without permission. We must also have your written authorization to disclose your Protected Health Information to an attorney who represents you. If you provide us permission to use or disclose Protected Health Information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose Protected Health Information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provide to you.
Your Rights
Federal law grants you certain rights with respect to your Protected Health Information. Specifically, you have the right to:
• Receive notices of our policies and procedures used to protect your Protected Health Information;
• Request that certain uses and disclosures of your Protected Health Information be restricted; provided, however, if we may release the information without your consent or authorization, we have the right to refuse your request;
• You may restrict disclosure to a health plan of your information where you have paid the full out of pocket costs for the services rendered. This restriction would apply only to those services where you had paid the full out of pocket costs, it would not apply to other information relating to treatment which was paid for by or submitted to an insurer;
• Access to your Protected Health Information; provided, however, the request must be in writing and may be denied in certain limited situations;
• Request that your Protected Health Information be amended;
• Obtain any prior authorizations or consents for use or disclosure of Protected Health Information, except to the extent that action has already been taken;
• Revoke any prior authorizations or consents for use or disclosure of Protected Health Information, except to the extent that action has already been taken;
• Request communications of your Protected Health Information are done by alternative means or at alternative locations; and
• Notification of any breach of unsecured Protected Health Information relating to you and actions you may take in relationship to such a breach.
Important Contact Information
This notice has been provided to you as a summary of how we will use your Protected Health Information and your rights with respect to your Protected Health Information. If you have any questions or for more information regarding your Protected Health Information, please contact the facilities Administrator at 641-472-5022. Information can also be found on our website at www.pvccfairfieldiowa.com
If you believe your privacy rights have been violated you may file a complaint with our office by contacting the Administrator at 641-472-5022. You may also file a complaint with the Secretary of Health and Human Services. There will be no retaliation for the filing of a complaint. The following website: www.HHS.gov contains most reporting instructions general information regarding these matters.
Effective Date
This notice was revised November 6th, 2013. Please note, we reserve the right to revise this notice at any time. A current notice of our privacy practices may be obtained from our Business Office at 641-472-5022.