Confidentiality and Release of Information

Page history last edited by Sabina Harte 9 years, 7 months ago

AHIMA's Long-Term Care Health Information Practice & Documentation Guidelines


 

Confidentiality, Privacy and Disclosure of Protected Health Information

 



 HIM STANDARD:

 

  • The medium in which protected health information is stored, whether paper based or computer based, is the property of the healthcare organization and is maintained to serve the resident, the healthcare professional, and the healthcare organization in accordance with legal, accrediting, licensing, regulatory, and ethical standards.
  • Residents’ protected health information, regardless of the medium in which it is stored, belongs to the resident and is protected accordingly.

  • Confidentiality/Privacy and security policies and procedures specify that protected health information is used within the healthcare organization only for the purposes for which the data and information were collected. 

  • Disclosure of protected health information is restricted to those individuals who possess knowledge of applicable federal and state laws and regulations and training in the legal ramifications of subpoenas and court orders.

 

One of the most critical roles of the health information department is to monitor and apply regulations, professional practice standards, and facility procedures for protecting resident confidentiality/privacy, information security, and disclosure of information.  A comprehensive set of policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules in regard to confidentiality and release of information must be in place in all long term care facilities.  The following guidelines provide direction on common issues related to confidentiality and release of information.  The guidelines take into consideration federal laws and professional practice standards, but not individual state regulations.  If there is a state specific law with more stringent requirements or that allows greater privacy protections, follow the laws of your state.  See the Resources page for additional information.

 

Federal Regulation:  42 C.F.R. § 483.75 (4) states:  The facility must keep confidential all information contained in the residents’ records, regardless of the form or storage method of the records, except when release is required by – (i) transfer to another health care institution; (ii) law; (iii) third party payment contract; or (iv) the resident.

 

HIPAA is a federal law that requires healthcare facilities and payers that use standardized transactions (such as electronic billing) to comply with the Standards for Privacy of Individually Identifiable Health Information (the HIPAA Privacy Rule).  The HIPAA Privacy Rule became final on April 14, 2001, with compliance required by April 14, 2003.  The HITECH Act of 2009, and the HIPAA Omnibus Final Rule of 2013 that implemented it, further revised the HIPAA regulations.  This section refers to various components of the Privacy Rule but does not go into full detail on all requirements.  It is recommended that health information practitioners obtain a copy and review the entire HIPAA Privacy Rule. Copies can be obtained through the Administrative Simplification website at http://aspe.os.dhhs.gov/admnsimp/ or at http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html. Additional compliance guidance regarding the HIPAA Privacy Rule and answers to Frequently Asked Questions can be found at the Office for Civil Rights website at http://www.hhs.gov/ocr/hipaa/.

 

Identification of Confidential vs. Non-confidential Information

 

HIM STANDARD:

 

  • Residents’ protected health information is regarded as confidential and made available only to users authorized within the healthcare organization, users authorized by the resident or his/her legal representative, and users authorized by law.
  • Confidentiality/privacy and security policies and procedures differentiate between confidential and non-confidential data and information.
  • Policies and procedures address the heightened level of confidentiality/privacy provided to healthcare information related to behavioral health, substance abuse treatment, sexual or physical abuse, HIV/AIDS, abortion, and adoption.

 

Definition:

Protected Health Information (PHI) (Individually Identifiable Health Information) is information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

 

Confidentiality:  the principle in medical ethics that the information a patient reveals to a health care provider is private and has limits on how and when it can be disclosed to a third party.  (Dorland's Medical Dictionary)

 

Privacy: The quality or state of being hidden from, or undisturbed by, observation or activities of other persons, or freedom from unauthorized intrusion; in healthcare-related contexts, the right of a patient to control disclosure of protected health information. (AHIMA Release of Information Toolkit)

 

Security:  1. The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction or loss.   2. The physical protection of facilities and equipment from theft, damage, or unauthorized access; collectively, the policies, procedures and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems. (AHIMA Release of Information Toolkit)

 

Electronic Health Record: An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one healthcare organization.  (AHIMA Release of Information Toolkit)

 

The facility’s privacy, security and disclosure of PHI policy should define what information is considered non-confidential and may be disclosed without a HIPAA compliant authorization, and what is considered confidential.  The policy should cover information maintained in both paper and electronic format.  State law may define non-confidential information.  Federal law has additional, more restrictive regulations (a separate section of the CFR) governing disclosure of PHI related to drug and alcohol abuse treatment, and some states have additional restrictions on the disclosure of sensitive health information.  See resources for additional information.  Under the HIPAA Privacy Rule, disclosure of directory information is permitted without the resident’s authorization as long as the resident has had an opportunity to agree or to restrict its use.  Directory information may be disclosed to individuals who ask for the resident by name.  Healthcare facilities are under no obligation to disclose even non-confidential information; policies should define the facility practice.  The resident population should be considered when deciding what is considered non-confidential.  Special consideration may be given to celebrities, facilities that treat HIV/AIDS residents, behavioral health facilities, residents identified as at risk for harm, etc.  Under the HIPAA Privacy Rule:

 

  • Non-confidential or directory information is considered common knowledge, such as the name of the resident, location in the facility (room number), condition described in general terms (critical, stable, good, fair, transferred, treated and released, or expired), and religious affiliation (available only to members of the clergy).  
  • Confidential information (PHI) is information made available during the course of a confidential relationship between the resident and healthcare professional.  It includes, but is not limited to, all clinical data and the resident’s address on discharge.  PHI may be disclosed only when the resident, or the resident’s legal representative, gives written authorization, or when federal or state law, subpoena, or court order requires such disclosure.1 

 

Facility policies should give direction to staff on releasing non-confidential information and PHI.  Since these situations often arise at the reception desk or at the nursing station, staff should receive special training in responding to requests and deciding what is acceptable to release and what is not, according to facility policy and procedure.  For samples, see Appendix B of the AHIMA ROI Toolkit.

 

Resident Access to Their Records

 

HIM STANDARD:

 

  • Subject only to specific legal constraints (such as those governing minors and persons adjudicated incompetent), a resident or his/her legal representative has access to, and is provided photocopies of, his/her health record upon written request with reasonable notice and payment of a reasonable, cost-based fee.
  • Policies and procedures have been established to enable the resident to review, amend, restrict access to or correct his/her health record.

 

Definition:

Designated Record Set means (1) a group of records maintained by or for a covered entity that is (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record system maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about individuals. (2) The term record means any item, collection or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a covered entity.

 

By federal law, residents of a long term care facility or their legal representatives have the right to access their designated record set. Facility policies should provide guidance on who is considered a legal representative based on state law (e.g., guardian, conservator, durable power of attorney). Facility procedures should also outline how each request, whether a review of the medical record or a request for photocopies, will be handled.  

 

42 CFR § 483.10(b)(2) (F153) states: "The resident or his or her legal representative has the right -

(i) Upon an oral or written request, to access all records pertaining to himself or herself including current clinical records within 24 hours (excluding weekends and holidays);

(ii) After receipt of his or her records for inspection, to purchase at a cost not to exceed the community standard photocopies of the records or any portions of them upon request and 2 working days advance notice to the facility."  (State Operations Manual F153)

 

The HIPAA Privacy Rule timelines can be followed when responding to requests from former residents or their legal representatives.  Some states may have additional requirements relating to the time frames for disclosing PHI.  See resources for additional information.

 

Under the HIPAA Privacy Rule, the resident has the right to inspect and obtain a copy of their protected health information in a designated record set for as long as the information is maintained. The Privacy Rule allows a longer timeframe to respond than the long term care regulation quoted above, and the facility may follow the Privacy Rule timeframes when responding to requests from former residents. The facility must act on the request no later than 30 days after receipt.  If the records or information are not maintained on-site, the facility has up to 60 days to act on the request (the 2013 Omnibus Final Rule removed this separate 60-day period, leaving 30 days plus the single extension described next).  If the facility is unable to respond within the 30 or 60 days, it may take a single extension of no more than 30 days and must notify the requesting party in writing of the reason for the delay and the date by which the request will be completed. Only one extension is allowed.

 

The HITECH Act, as implemented by the 2013 HIPAA Omnibus Final Rule, revised the HIPAA access requirements. Sample policy language reflecting those revisions follows:

 

  • Effective 9/23/2013, (Facility) will honor a request received from an authorized individual for an electronic copy of protected health information that is maintained electronically in one or more designated record sets, in the form and format requested.

 

  • If the form and format are not readily producible, the information will be produced in an electronic form as agreed to by (Facility) and the individual.  If the individual declines any of the electronic formats that  are available, (Facility) will provide a hard copy printed record as an option to fulfill the access request.

     

  • If/when a portion of the record is maintained in paper, the hard copy documents do not have to be converted to an electronic format.

     

  • (Facility) will not accept used or previously opened external portable media from individuals for producing an electronic copy.  (Facility) will encourage the individual to provide new, unopened portable media or to accept a portable media device from the facility.

 

  • (Facility) may send unencrypted e-mails containing resident PHI to authorized individuals if, after the risks have been explained and understood, the individual still prefers this method of delivery.

     

  • (Facility) will comply with an authorized individual’s request to transmit resident PHI to another person.  The request must be made in writing, signed by the individual, and clearly identify the designated recipient and the location where the information will be received.  In addition to the written request, an authorization form will also be completed.  

 

 

Steps In Handling A Request To Access/View Designated Record Set:

 

When a request is made by the resident or another party to view information within the designated record set, those requests should be directed to the health information coordinator.  Selecting one person or a department to handle requests will help to assure that the policy is carried out uniformly and information isn’t inappropriately disclosed or withheld.

 

 

 

Prior to the meeting, the record should be reviewed to ensure that it is complete, accurate and organized. This also helps the facility become familiar with the content and identify any potential areas of concern. Facility policy should address how to handle re-disclosure of protected health information received from another facility (e.g., a hospital from a prior stay or another nursing home).  With the revisions to HIPAA under the HITECH Act, copies of information received from referring facilities must be included in the disclosure if they are maintained as part of the resident's record.

 

If components of the designated record set are maintained electronically in a hybrid medical record, determine how access will be provided to the electronic components of the medical record.  
 

During the meeting, a staff member should be in attendance at all times.  The staff member can be from the health information department or a designee such as nursing or social service per facility policy.  The staff member present at the meeting is there to answer questions and to assure that the record is not altered in any way or documents removed/destroyed.  The resident/legal representative should be allowed to review and read the record without intervention from the staff member present. 

 

If copies are requested during this meeting, an authorization to use or disclose health information form should be signed with the specific documents and dates listed.  The facility’s copy charge policy should be disclosed to the resident/legal representative at the time of the request.

 

Steps in Handling A Request for Copies of Designated Record Set:

 

See the sections on Handling a Request for Medical Records and Copy Fees for Medical Records.  The request for copies must be documented on a HIPAA compliant authorization form and signed by the resident or legal representative (for tracking purposes).  The request should specifically state what records are to be copied.  Review the copy fee policy with the resident/legal representative and if known, provide the estimated cost to fulfill the request before copies are made. 

 

All incoming requests for release of protected health information should be logged on a Release of Information Log that includes: date of request, medical record number, resident name, name of requestor, address of requestor, whether an authorization was required (yes/no), whether an Accounting of Disclosure applies (yes/no), purpose of the request, protected health information disclosed, date disclosed and by whom, whether a copy fee was charged, and whether payment was received. A Release of Information Log in the form of a spreadsheet can eliminate the need for a separate Accounting of Disclosure Log, since the relevant entries can be exported to satisfy an Accounting of Disclosure request.  See the sample Release of Information Log.

 

Copying Fees:

 

Some states and requestors have set fees that apply to copying of the clinical record; the individual state regulations or the requestor must be referenced for this guidance.  If the state does not have a set fee schedule, HIPAA covered entities may not charge the resident or their representative more than a "cost based fee" reflecting the facility’s costs of copying and postage (45 CFR § 164.524, http://www.gpo.gov/fdsys/pkg/CFR-2002-title45-vol1/xml/CFR-2002-title45-vol1-sec164-524.xml).  Facilities may not charge residents for retrieval of records.  For current residents, the long term care regulation quoted above (§ 483.10(b)(2)) also limits the charge to the community standard, that is, what one would pay using a publicly accessible photocopier, for example at a public library; where both limits apply, the facility must satisfy both.  Requestors other than the resident or their representative may be charged the fees established through state regulation and/or facility policy.

 

Confidentiality, Privacy and Security Training and Agreements with Employees and Volunteers

 

HIM STANDARD:

 

  • Education and training programs provided to members of the healthcare organization as a whole and to specific departments address the confidentiality, privacy and security of residents’ protected health information.
  • Confidentiality   policies and procedures are incorporated into new employee orientations and routinely reviewed as part of each employee’s ongoing education.
  • Education and training programs on confidentiality address the responsibilities of staff to protect the resident’s right to privacy and their responsibilities to safeguard protected health information.
  • Confidentiality agreements are signed by everyone connected with the healthcare organization who may have access to confidential healthcare information and resident-identifiable data (PHI).  It is recommended that agreements be updated annually.
  • Agreements with home-based employees state that the employees assume the same responsibility as regular employees for maintaining the privacy and security of all residents’ protected health information within their control.
  • Education and training programs provided to members of the healthcare organization as a whole and to specific departments address policies and procedures for the disclosure of residents’ protected health information.

 

Long term care facilities should have privacy and security training programs in place for all employees and volunteers.  Under the Privacy Rule, training must be provided within a reasonable time after hire and whenever a policy or procedure change affects the employee’s duties; it is recommended that training also be reviewed with employees/volunteers annually.  Training should address the employee’s responsibility in maintaining the resident’s privacy, the facility’s privacy/security and disclosure of PHI policies, common situations an employee may face that could result in a breach of confidentiality, and the consequences if a breach occurs or policy is not followed.  All employees should have some basic training on their responsibility.  Staff members who handle requests for information should have additional training to address the situations they will face in their position.

 

Definition:

Workforce means employees, volunteers, trainees and other persons whose conduct, in the performance of work for a facility, is under the direct control of the facility, whether or not they are paid by the facility.

 

Under the HIPAA privacy rule, facilities must train all members of its workforce on their policies and procedures related to the privacy rule.  The training should be based on an employee's job function and access or exposure to protected health information.  All new members of the workforce must be trained within a reasonable period of time after hire.  Retraining must occur when there is a policy or procedure change that affects an employee's job position related to the policy/procedure.  In all instances, the facility must document that training was provided.

 

In addition to training, long term care facilities should have members of the HIPAA-defined workforce, which includes employees, students, and volunteers, sign a confidentiality agreement at the time of employment after they have received training. Facility policies should address the frequency for obtaining updates to the agreement (e.g., annually after training).  It is not recommended that confidentiality statements/agreements be incorporated into an employee handbook where the employee signs a blanket statement at the end. Confidentiality agreements should be separate from the employee handbook to stress the importance of maintaining resident privacy and the potential action if privacy is breached.

 

The following sample provides language developed by AHIMA for discussion purposes only and is published in the book Release and Disclosure: Guidelines Regarding Maintenance and Disclosure of Health Information by Mary Brandt, MBA, RHIA, CHE.   It should not be used without review by your organization’s legal counsel to ensure compliance with local and state laws.

 

Employee/Student/Volunteer Nondisclosure Agreement 

 

[Name of healthcare facility] has a legal and ethical responsibility to safeguard the privacy of all residents and to protect the confidentiality of their health information.  In the course of my employment/assignment at [healthcare facility], I may come into possession of confidential resident information, even though I may not be directly involved in providing resident services.

 

I understand that such information must be maintained in the strictest confidence.  As a condition of my employment/assignment, I hereby agree that, unless directed by my supervisor, I will not at any time during or after my employment/assignment with [name of healthcare facility] disclose any resident information to any person whatsoever or permit any person whatsoever to examine or make copies of any resident reports or other documents prepared by me, coming into my possession, or under my control, or use resident information, other than as necessary in the course of my employment/assignment.

 

When resident information must be discussed with other healthcare practitioners in the course of my work, I will use discretion to ensure that such conversations cannot be overheard by others who are not involved in the resident’s care.

 

I understand that violation of this agreement may result in corrective action, up to and including discharge.

 

[Signature and date of employee, student, or volunteer]

 

 

 

 

Resident Identification Boards at Nursing Stations and Other Facility Locations

 

Communication boards may be used to communicate within a facility and may contain protected health information. Common uses of communication boards include staff assignments, sharing information with other shifts, census information, etc. These communication boards that contain residents’ protected health information  must be in an area that is not viewable to residents, unauthorized staff members or the public. As a general rule, the only resident communication boards that should be viewable to the public provide directory information (room number).

 

Maintaining an Access/Disclosure Grid for Employees, Contractors and Outside Parties

 

HIM STANDARD:

 

  • With regard to access to residents’ protected health information, the healthcare organization’s and health information management department’s policies differentiate among levels of authorized users within the healthcare organization, users within the healthcare organization’s provider network, and third-party users external to the healthcare organization and its provider network.
  • Contracts for services external to the healthcare organization must include business associate language stating that the companies providing the services assume responsibility for maintaining the privacy of all protected health information within their control.
  • Policies and procedures identify when disclosure of protected health information may be made without the resident’s authorization and differentiate between mandatory disclosure (for example, reporting of child abuse, neglect or injury) and permissive disclosure (for example, access by healthcare staff).
  • Policies and procedures define those circumstances that require resident authorization prior to disclosure of information and those that do not require resident authorization.
  • Policies and procedures identify those communicable diseases and other public health threats that require reporting to the appropriate governmental agency and the mechanism by which the reporting is to be done.

 

Definition:

Minimum necessary means that when a facility uses or discloses protected health information or requests protected health information from another covered entity, the facility must make a reasonable effort to limit protected health information to the minimum amount of information necessary to accomplish the intended purpose of the use, disclosure, or request.

 

Part of the facility policies on minimum necessary and privacy should be an access grid that outlines which employees and contractors are considered authorized users of the information contained in the designated record set and any restrictions or limitations on what can be accessed.  The grid should identify the authorized user by department and position and the limitations on access to information.  If subcontractors are used for certain services (billing service, dietary, etc.), language needs to be included in the contracts outlining their employees’ responsibility to maintain resident privacy and their authority to access the designated record set.

 

All subcontractors who have access to or utilize protected health information in their actions on behalf of the facility/resident must have a Business Associate Agreement as part of their contract with the facility.

 

Employee/Contractor Access to Protected Health Information

Position | Access to Records Granted | Scope/Limitations
Administrator/Executive Director | Yes | No limitations
Director of Nursing Services | Yes | No limitations
RAI Coordinator | Yes | Full access to records, but only for residents on their case load
Staff Nurse | Yes | Full access to records, but only for residents on their case load
Nursing Assistant | Limited | Care plan and documentation flowsheets only
Health Information Services | Yes | No limitations
Health Information Consultant | Limited | As directed by the facility
Business Office Manager | Limited | Access only to clinical information required for billing purposes
Director of Laundry | Limited | Access only to information necessary to do the job
Therapy Staff | Yes | Access to records, but only for residents on their case load/receiving therapy treatment
Pastor | Limited | Access only to information necessary to do the job, and only for residents requesting pastoral services
Receptionist | No | 
Maintenance | No | 

This table is not all-inclusive and is for discussion/illustration purposes only.  Positions, access and scope should be determined by each facility.  No recommendations are made through this illustration.

 

 

A second access grid should also be developed for access to clinical information computer systems.  The grid would serve the same purpose of outlining who has access to the system and what screens or programs are available to the position.

 

Employee/Contractor Access to Clinical Information Computer System

Position | Access to System | Scope/Limitations* | Read Only or Read/Write
Administrator/Executive Director | Yes | Billing and Clinical | Read/Write
Director of Nursing Services | Limited | Clinical only | Read/Write
RAI Coordinator | Limited | Clinical only | Read/Write
Staff Nurse | Limited | Clinical only | Read/Write
Nursing Assistant | No |  | 
Health Information Services | Yes | Billing and Clinical | Read/Write
Health Information Consultant | Limited | Access as directed by facility | Read Only
Business Office Manager | Yes | Billing; Limited Clinical | Read/Write (Billing); Read Only (Clinical)
Director of Laundry | No |  | 
Therapy Staff | Limited | Clinical only | Read/Write
Pastor | No |  | 
Receptionist | Limited | Demographics only | Read Only
Maintenance | No |  | 

This table is not all-inclusive and is for discussion/illustration purposes only.  Positions, access and scope should be determined by each facility.  No recommendations are made through this illustration.

 

*As computer systems access control becomes more sophisticated, the scope and limitation should be more specific to the specific programs and screens in the system.
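To show how an access grid like the two tables above becomes an enforceable, default-deny check (minimum necessary applied per role, per record section and per resident), here is an added Python example. It is not code from AHIMA or from any facility's system. The section names, the role keys, the mapping of the tables' wording onto those sections, and the sample users and case-load assignments are all constructed for illustration; where the paper-record grid and the computer-system grid differ (for example the nursing assistant), the example follows the paper-record grid for scope and the computer-system grid for read-only versus read/write.

```python
"""Access-grid enforcement example (added illustration, not facility code).

Encodes an access grid like the ones above as data and evaluates one access
attempt against it: default deny, per-section read vs read/write, and a
case-load restriction for roles limited to "residents on their case load".
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Set

RW, RO = "rw", "ro"   # permission levels: read/write, read only

# Record sections are assumed names chosen for this example.
ALL_SECTIONS = ("demographics", "clinical", "care_plan", "flowsheets", "billing")


@dataclass(frozen=True)
class Role:
    perms: Mapping[str, str]      # section -> RW | RO; a section not listed is not accessible
    caseload_only: bool = False   # True for "only residents on their case load"


def _all(level: str) -> Dict[str, str]:
    return {s: level for s in ALL_SECTIONS}


# The grid as data. Role keys and the mapping of the tables' wording onto
# sections are assumptions made for this example.
ACCESS_GRID: Dict[str, Role] = {
    "administrator":       Role(_all(RW)),
    "director_of_nursing": Role({"demographics": RW, "clinical": RW, "care_plan": RW, "flowsheets": RW}),
    "rai_coordinator":     Role({"demographics": RW, "clinical": RW, "care_plan": RW, "flowsheets": RW}, caseload_only=True),
    "staff_nurse":         Role({"demographics": RW, "clinical": RW, "care_plan": RW, "flowsheets": RW}, caseload_only=True),
    "nursing_assistant":   Role({"care_plan": RW, "flowsheets": RW}, caseload_only=True),
    "him":                 Role(_all(RW)),
    "him_consultant":      Role(_all(RO)),
    "business_office":     Role({"demographics": RW, "billing": RW, "clinical": RO}),
    "therapy":             Role({"demographics": RO, "clinical": RW}, caseload_only=True),
    "receptionist":        Role({"demographics": RO}),
    "laundry":             Role({}),
    "maintenance":         Role({}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Every decision, allowed or denied, is appended here; the denials are what a
# privacy officer reviews for inappropriate access attempts.
AUDIT: List[Dict[str, object]] = []


def decide(user: User, resident_id: str, section: str, action: str,
           caseloads: Mapping[str, Set[str]]) -> Decision:
    """Evaluate one access attempt; anything not explicitly granted is denied."""
    role = ACCESS_GRID.get(user.role)
    if role is None:
        d = Decision(False, f"unknown role {user.role!r}")
    elif action not in ("read", "write"):
        d = Decision(False, f"unknown action {action!r}")
    elif section not in role.perms:
        d = Decision(False, f"{user.role} has no access to {section}")
    elif action == "write" and role.perms[section] != RW:
        d = Decision(False, f"{user.role} is read-only on {section}")
    elif role.caseload_only and resident_id not in caseloads.get(user.user_id, set()):
        d = Decision(False, f"resident {resident_id} is not on the case load of {user.user_id}")
    else:
        d = Decision(True, f"{user.role} granted {action} on {section}")
    AUDIT.append({"user": user.user_id, "role": user.role, "resident": resident_id,
                  "section": section, "action": action,
                  "allowed": d.allowed, "reason": d.reason})
    return d


# Constructed sample case-load assignments (user id -> resident ids) for the walk-through.
CASELOADS: Dict[str, Set[str]] = {"nurse01": {"R100", "R101"}, "cna07": {"R100"}}


def walkthrough() -> List[Decision]:
    """A handful of constructed requests, one per rule in decide()."""
    nurse = User("nurse01", "staff_nurse")
    cna = User("cna07", "nursing_assistant")
    bom = User("bo03", "business_office")
    return [
        decide(nurse, "R100", "clinical", "write", CASELOADS),  # allowed: on case load, read/write
        decide(nurse, "R250", "clinical", "read", CASELOADS),   # denied: resident not on case load
        decide(cna, "R100", "clinical", "read", CASELOADS),     # denied: limited to care plan/flowsheets
        decide(bom, "R100", "clinical", "read", CASELOADS),     # allowed: read-only clinical for billing
        decide(bom, "R100", "clinical", "write", CASELOADS),    # denied: read-only on clinical
        decide(User("m9", "maintenance"), "R100", "demographics", "read", CASELOADS),  # denied: no access
    ]


if __name__ == "__main__":
    for d in walkthrough():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

Unknown roles, sections and actions fail closed, and the case-load check is applied after the section check so that a role with no access to a section is denied regardless of assignment. Recording denied attempts in AUDIT alongside allowed ones is what makes the grid auditable: a staff nurse looking up a resident who is not on her case load leaves a trace even though nothing was disclosed.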

 

 

In addition to an access grid for employees and contractors, a grid should be included which outlines access to the designated record set by other types of providers, agencies or third-party users.  This grid should outline whether an authorization to use or disclose health information form is required to be signed before information is disclosed or released and when reporting/disclosure is mandatory by law.  Both federal and state regulations need to be incorporated into the facility policy and procedure and access grid.  

 

The federal regulation (42 CFR § 483.75(4)) requires that the facility must keep confidential all information contained in the residents’ records, regardless of the form or storage method of the records, except when release is required by – (i) transfer to another health care institution; (ii) law; (iii) third party payment contract; or (iv) the resident.

 

The disclosure grid should outline access to protected health information by the following individuals/entities and whether an authorization from the resident is required to release information.

 

Completion of this grid should be based on applicable federal and state laws; the following are guidelines:

 

Disclosure Grid

| Requestor or Outside Party | Authorization Required | Copy Charges Allowed |
|---|---|---|
| Accrediting Agencies (JCAHO, CARF) | No | No |
| Attorney | Yes | Yes |
| Attorney for Facility/Corporation | No | No |
| Courts of Law (Court Order) | No | Yes |
| Employer of Resident | Yes | Yes |
| Family members | Yes | Yes |
| Family members with demonstrated involvement in care | No – for verbal updates related to involvement in care | No |
| Federal, State, and Local Government, and Voluntary Welfare Agencies | No – when reporting is required by law | No – when reporting is required by law |
| Funeral Homes | No – when releasing remains | No |
| Health Department | No | No |
| Healthcare Practitioners | No – for continuity of care purposes when involved in the resident’s care and treatment; Yes – if not involved in care and treatment | No – for continuity of care and continued treatment; Yes – if not involved in care and treatment |
| Healthcare Providers (hospitals, LTC facilities, home health/hospice agencies, etc.) | No – for continuity of care purposes | No – for continuity of care purposes |
| Insurance Companies and Third Party Payers | No – for third party payment purposes | No – for third party payment purposes |
| Insurance Companies for Facility/Corporation | No | No |
| Law Enforcement Officials | Dependent on state law | |
| Medical Examiner/Coroner | No – if reporting is required by law | |
| Ombudsman | Dependent on state law | |
| Research | Dependent on Research Project & IRB Approval/Waiver | No – if project is approved by facility |
| Residents | No | Yes |

The column “Copy Charges Allowed” should be reviewed carefully and compared to the requirements in the privacy rule and any other applicable state or federal regulations. While it may be acceptable to charge for copies, facilities may exercise discretion and judgment when determining whether or not to charge a resident, his/her legal representative or other requesting party for copies.  This table is not all-inclusive and is for discussion/illustration purposes only.  No recommendations are made through this illustration.

 

Handling a Request for Health Information contained in the Designated Record Set 

 

HIM STANDARDS:

 

Requests for healthcare information require a valid (HIPAA compliant) authorization to disclose protected health information, unless the disclosure is required for treatment, payment or healthcare operations.

 

All requests for information should be handled by the health information department to ensure uniform application of the facility policy and adherence to applicable laws and practice standards.   When a request for information is made, the following criteria should be considered before disclosing information:

 

  • Is an authorization to use or disclose health information required to be signed by the resident or their legal representative?
  • What is the nature of the information requested?
  • Is the information considered confidential or non-confidential?
  • What is the purpose of the request?
  • What is the authority of the person or agency requesting the information?
  • Are there any revocations or notices to withhold information on file?
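The criteria above (together with the telephone-request guidance later on this page) can be written down as a default-deny screening routine. The following is an added illustration, not AHIMA's or any facility's code: the purpose names, information categories, requestor roles and every sample request are constructed, and the branches follow only the bases this guideline gives for disclosing without a signed authorization (treatment, payment, healthcare operations, a legal requirement, or a request by the resident or legal representative).

```python
from dataclasses import dataclass
from datetime import date

# Purposes the guideline says can be honored without a signed authorization.
NO_AUTHORIZATION_PURPOSES = {"treatment", "payment", "healthcare_operations", "required_by_law"}


@dataclass(frozen=True)
class Authorization:
    """A signed HIPAA authorization on file (fields are constructed for this example)."""
    resident_id: str
    recipient: str             # party the resident authorized to receive PHI
    categories: frozenset      # information categories it covers, e.g. {"clinical"}
    expires: date
    revoked: bool = False

    def covers(self, req: "Request", today: date) -> bool:
        return (self.resident_id == req.resident_id
                and self.recipient == req.requestor
                and req.category in self.categories
                and not self.revoked
                and today <= self.expires)


@dataclass(frozen=True)
class Request:
    resident_id: str
    requestor: str             # name of the person or agency asking
    requestor_role: str        # e.g. "attending_physician", "attorney", "resident"
    purpose: str               # stated purpose of the request
    category: str              # "demographics", "billing" or "clinical"
    identity_verified: bool    # did staff verify who is asking (call-back, etc.)?


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: str                 # which criterion decided the outcome
    refer_to_him: bool         # anything not about current treatment goes to HIM


def screen_request(req, authorizations, withhold_notices, today):
    """Apply the criteria in order; the default outcome is to deny."""
    # Revocations or notices to withhold on file override every other basis.
    if (req.resident_id, req.requestor) in withhold_notices:
        return Decision(False, "notice to withhold information on file", True)
    # Authority of the requestor: an unverified identity is never sufficient.
    if not req.identity_verified:
        return Decision(False, "identity of requestor not verified", True)
    # The resident or legal representative needs no authorization.
    if req.requestor_role in {"resident", "legal_representative"}:
        return Decision(True, "request by resident or legal representative", True)
    # Treatment, payment, operations or a legal requirement: no authorization.
    if req.purpose in NO_AUTHORIZATION_PURPOSES:
        return Decision(True, f"purpose '{req.purpose}' needs no authorization",
                        req.purpose != "treatment")
    # Everything else needs a valid, unrevoked, unexpired authorization that
    # names this requestor and covers the requested category.
    if any(a.covers(req, today) for a in authorizations):
        return Decision(True, "valid authorization on file", True)
    return Decision(False, "authorization required but none valid on file", True)


def demo(today=date(2011, 6, 1)):
    """Constructed sample data: one resident, one authorization, one notice."""
    auths = [Authorization("R-001", "Smith & Jones Law",
                           frozenset({"clinical", "billing"}), date(2011, 12, 31))]
    withhold = {("R-001", "Acme Insurance")}   # resident asked that nothing go to this payer
    reqs = {
        "physician": Request("R-001", "Dr. Lee", "attending_physician", "treatment", "clinical", True),
        "attorney": Request("R-001", "Smith & Jones Law", "attorney", "litigation", "clinical", True),
        "employer": Request("R-001", "Widget Co", "employer", "employment", "clinical", True),
        "withheld": Request("R-001", "Acme Insurance", "payer", "payment", "billing", True),
        "unverified": Request("R-001", "unknown caller", "attorney", "litigation", "clinical", False),
        "resident": Request("R-001", "R-001", "resident", "personal", "clinical", True),
    }
    return {name: screen_request(r, auths, withhold, today) for name, r in reqs.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:10} {'DISCLOSE' if d.allowed else 'DENY':8} {d.basis}")
```

Running `demo()` with a later date shows the attorney's request being denied once the authorization has expired, which is the check a paper grid alone does not enforce.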

 

Consent for Use and Disclosure of Protected Health Information:

 

The HIPAA privacy rule does not require the facility to obtain the resident's consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. The HIPAA Privacy Rule states that your facility may choose to obtain consent. The decision to obtain consent should be defined in the facility’s policies and procedures. 

 

Redisclosure upon Transfer to Another Healthcare Facility  

 

If the hospital or another facility’s records provide important information for the continued care of the resident, those records should be sent to the next facility/agency that will be providing care. The privacy rule allows for redisclosure of a resident’s protected health information.  Your facility should have a policy in place to ensure redisclosure is handled in a consistent manner. An LTC facility should send the most recent hospital history and physical report and discharge summary upon transfer to another facility if the information provides insight into the resident’s current health status or would be beneficial in the continued diagnosis and treatment.  A copy of the most recent RAI/MDS must also be sent (RAI Manual pg 2-5). Other documents should be redisclosed based on their content and relevance to the resident’s continued care and treatment.  Refer to the Frequently Asked Questions available on the Office for Civil Rights web site at http://www.hhs.gov/ocr/hipaa/ for additional information regarding this topic.

 

  1. Unless otherwise required by state law, incorporate in your own facility’s designated record set the health information generated by other healthcare providers needed for patient diagnosis and treatment.
  2. Become knowledgeable about and implement organizational compliance with federal and state laws and regulations that address redisclosure. Any redisclosure must comply with federal and state laws and regulations.
  3. Consult with legal counsel when federal and state redisclosure requirements differ and it’s unclear which should prevail.
  4. Develop facility policies and procedures that address redisclosure. Be sure to include the requirement that prior to disclosure, the disclosing staff member verify the authority of the person to receive the information.
  5. Modify existing authorization forms to incorporate required language in the HIPAA final privacy rule.
  6. In general, healthcare providers should:
    • Redisclose PHI to other healthcare providers when it is necessary to ensure the health and safety of the resident
    • Redisclose requested health information to residents when necessary, but after first encouraging the resident to obtain the most complete and accurate copies from the originating healthcare provider
    • Redisclose PHI when necessary to comply with a valid authorization
    • Redisclose PHI when necessary to comply with a legal process. Only redisclose PHI located within your legal health record (the designated record set). Note that you may be compelled by the legal discovery process to release additional individually identifiable health information if access to the information is deemed necessary for the stated purpose.
  7. Ask legal counsel to review draft policies and procedures prior to implementation.
  8. Educate staff on new or revised policies and procedures relative to redisclosure.
  9. Implement policies and procedures and monitor compliance.
  10. When in doubt about a potential redisclosure, consult legal counsel.
  11. When asked to certify or testify about the authenticity of redisclosed health information, state that the information was received from another healthcare facility’s medical record through normal business practices, your facility received the information in good faith, and that you cannot knowledgeably speak about the record-keeping practices of the originating organization.
  12. Modify existing certification forms when indicated.

 

Source: Rhodes, Harry, and Gwen Hughes. "Redisclosure of Patient Health Information (AHIMA Practice Brief)." Journal of AHIMA 74, no.4 (April 2003): 56A-C.

 

Handling Telephone Requests for Information

 

When a request for a resident’s health information is received by telephone, the person receiving the request must decide if they have the authority to handle the request, decide whether information can be disclosed without an authorization, and verify that the individual has a right to receive the information.  With the exception of requests related to the resident’s current care and treatment, other types of telephone requests should be directed to the health information management department.  

 

Telephone requests can be honored without an authorization if they are for the purposes of treatment, payment or health care operations. This may occur when a resident’s protected health information is needed for a transfer to another health care institution (for continuity of care purposes), when required by law, for third party payment, or when requested by the resident (including the legal representative). 

 

Regardless of the situation, if the caller’s identity is unknown, steps should be taken to verify the caller’s identity. This can be accomplished by requesting the caller’s name, address and, if applicable, company information.  The facility staff member should look up the information, verify that it is accurate and return the call based on the verification of the information looked up. Facilities where HIPAA standards apply should have a Verification of Identity policy and procedure.

 

Transmitting Resident Information via Facsimile

 

HIM STANDARD:

 

  • Policies and procedures establish the circumstances under which transmission of resident-identifiable data and healthcare information by facsimile machine is appropriate (such as when the original document or mail-delivered photocopies will not serve the purposes of the requestor).

 

When the fax machine is used to transmit resident health information, safeguards must be in place to protect the resident’s privacy.  If an LTC facility uses the fax machine to transmit PHI, it must have a policy and procedure in place directing staff on the proper procedures.

 

  • A fax cover letter must always be used when sending PHI.  The cover letter should indicate whom the fax is sent to, whom it is from, the number of pages, and a confidentiality statement.  A facility should never send PHI (whether medical record documents or a narrative summary/notes) without a cover sheet.  The cover sheet should not contain any PHI, nor should it refer to the resident by name.
  • The fax cover letter should provide specific directions on the steps to take if the fax was sent to the wrong location/person. If a facsimile transmission fails to reach the recipient, check the internal logging system of the facsimile machine to obtain the number to which the transmission was sent. If the sender becomes aware that a fax was misdirected, contact the receiver and ask that the material be returned or destroyed. Investigate misdirected faxes as a risk management occurrence or security incident; include the accidental disclosure of patient health information in the accounting of disclosures log. Mitigate the accidental disclosure and determine the need to contact the patient, organization's legal counsel, and risk management carrier.
  • Preprogram fax numbers into the machine whenever possible to minimize the chance of entering an incorrect fax number resulting in a misdirected fax. Request that frequent recipients notify your facility of any fax number changes.
  • Place fax machines in secure areas.
  • If faxing is used to correspond with the physician and a response is needed, maintain a monitoring system to assure that a response is received.  If an immediate response is needed or the resident’s condition requires immediate intervention, the telephone should be used to contact the physician rather than the fax machine.
  • A verification process should be in place to assure that the fax was transmitted.  Verification may vary from a report generated by the fax machine to a call back from the receiving party.  The type of verification used should depend on what was sent and who it was sent to.
  • Facility policy should outline the types of information that cannot be faxed. For instance, it is not appropriate to fax highly sensitive information (HIV/AIDS status, psychiatric, drug or alcohol abuse information, etc.).
  • Establish guidelines to address retention of information transmitted via facsimile and whether it should become part of the patient's health record (e.g., is the document part of a designated record set or a business record?).
  • Take precautions to preserve the quality of faxed documents. Fax copies may fade and may need to be photocopied. Extra precautions are necessary when thermal paper is used to ensure legible copies are retained as long as the medical record is retained; i.e., the thermal paper should be photocopied and the photocopy retained. The thermal copy should be destroyed.
  • Include in your organization's notice of information practices uses and disclosures of individually identifiable health information made via fax machine or software where appropriate (see the AHIMA practice brief "Notice of Privacy Practices").
  • Obtain a written authorization for any use or disclosure of individually identifiable health information made via fax machine or software when not otherwise authorized by the individual's consent to treatment, payment, and healthcare operations, or federal or state law or regulation.

 

Source: Davis, Nancy, et al. "Facsimile Transmission of Health Information." (AHIMA Practice Brief, updated August 2006).

 

Responding to a Subpoena or Court Order

 

It is critical that state law is followed in processing a subpoena. In addition, the privacy rule has specific requirements that must be met prior to responding to a subpoena. (Refer to the privacy rule 42 C.F.R. § 164.512 (e).) The following provide general guidelines in handling a subpoena when it is received.  Facility policies should be tailored to specific state statutes and the privacy rule. Generally, your facility should work with legal counsel to ensure a subpoena is valid and your facility responds appropriately.

 

  • Check that the subpoena is signed by a representative of the court (usually the Clerk of Court).
  • Determine if an authorization has been included or if one is required per your State regulations. 
  • Determine if satisfactory assurances are received with the subpoena. Contact your facility’s legal counsel to ensure appropriate satisfactory assurances have been received or a qualified protective order is present or requested.
  • If a subpoena is received, notify facility administration and the facility legal counsel per facility policy.  Some corporate offices require that the corporate legal department be notified and approve the release before records are sent.
  • Review the entire medical record to make sure that all sections in the record are present and in the proper sequence.  For a discharge record, do not make any alterations in the record or allow anyone else to make additions, corrections, or deletions after the subpoena has been received.  
  • If the entire medical record is requested, verify that the records all belong to the correct resident, and check that the resident name and medical record number are on all pages including both sides of forms, and then number the pages of the original medical record (including shingled copies).  Make the requested copy after approval from administration/legal counsel if required by facility policy. Make a second copy for facility use/legal counsel.
  • If the record is for a discharged resident and for litigation purposes, the records should be removed from the storage/filing area and placed in a locked location until the litigation process is complete.
  • Deliver the copy of the record to the location listed on the subpoena.
  • Upon return from court, write a note on the subpoena identifying by whom the subpoena was answered, the date and time, the attorney’s name, and note that a copy of the medical records was left with the court.
  • If the original record is requested, contact the Clerk of Court to determine if a copy is acceptable.  If the original is required for court, retain a copy for the facility.  At the conclusion of the case, ask the clerk of court to notify the facility and exchange the copy for the original, returning the original to the facility.
  • Create a Receipt for Medical Records and keep one copy for the facility and one for the person accepting the record on behalf of the court.  Include on the receipt an inventory of the medical record content.  For example, nurses’ notes – 20 pages, physician orders – 10 pages, total pages – 30.
  • Place the original record in a folder with the receipt and label as the “Original Medical Record.”
  • Deliver both the original record and the copy to the location listed on the subpoena. 
  • Remain with the original record at all times until you are sworn in.
  • Request the Court Official to review the copy to see if they will accept the copy in place of the original.  If the Judge or Hearing Officer refuses to accept the copy in place of the original, leave the original record.  Request that the original record be returned to the facility when the case is completed.
  • Obtain a signature of the original copy of the Receipt for Medical Records from the Clerk of Court.  Keep the original copy of the receipt.
  • Leave the copy of the receipt with the record held by the Court.
  • Upon return from court, write a note on the subpoena identifying by whom the subpoena was answered, the date and time, the attorney’s name, and that the original medical record was left with the court.
  • File the subpoena and the signed receipt in the resident/resident’s medical record file folder until the record is returned.
  • After the record is returned, check the record against the receipt to make sure that all pages are present.  Reassemble the record in proper order, if necessary.  Note the date returned on the receipt/subpoena and file the original record in the permanent file.
  • Subpoenas received from an entity outside the facility's legal jurisdiction do not have to be honored; however, these should be referred to the facility's legal representative for final response/determination.

 

Removing Original Records from the Facility

 

HIM STANDARD:

 

  • Original health records may not be physically removed except in accordance with the healthcare organization’s policies.

 

The original medical record should never be removed from the facility.   Facility policies should specifically address removal of records and prohibit any employee, contractor or agent from removing resident medical records (in full or in part) from the facility.  When records are requested for legal proceedings, it is acceptable to submit a copy of the original.  If the original record is specifically requested for a legal proceeding, every effort should be made to submit a copy.  For example, contact the court requesting that a copy versus the original be submitted or go to court with the original record and a copy.  Request that the copy be placed into evidence rather than the original record.  If the original must be placed into evidence, then the copy can be used by the facility.

 

If it is absolutely necessary to remove the original record, measures should be in place to physically protect the original.  One possible method is to utilize the storage bags with plastic locks that can be purchased through medical record supply companies.  The bag can be locked at the facility and the lock broken once at the destination.  If the original record does have to be removed from the facility, it should always stay in the custody of a facility representative who takes full responsibility for its safe-keeping.

 

Notice of Information Privacy Practices

 

The HIPAA privacy rule requires facilities to provide the resident with a Notice of Information Privacy Practices, also referred to as a Notice of Privacy Practices. This Notice must describe how the facility uses or discloses residents’ protected health information, the resident's rights with respect to his/her PHI, and the facility's legal duties under the privacy rule.  The notice must be provided at the time of admission to the facility.  The notice must be written in plain language and contain the following elements (see the HIPAA privacy rule for specifics under each section):

 

  • Header: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information.  Please read it carefully."
  • Uses and disclosures
  • Separate statements for certain uses or disclosures
  • Individual rights
  • Covered entity's duties (facility's duties)
  • Complaints
  • Contact information
  • Effective date
  • Other optional information as described in the HIPAA privacy rule

 

A good faith effort must be made to obtain acknowledgement of receipt of the Notice. If your facility is unable to obtain acknowledgment, document actions taken to obtain acknowledgement and why you were unable to obtain acknowledgement.

 

If a resident is admitted in an emergency situation, provide the Notice as soon as reasonably practicable after the emergency situation.

 

The Notice must be posted in your facility; in addition, you must have copies of the Notice available for interested parties (prospective residents, visitors, family members, etc.) to have upon request.

 

If your organization maintains a public Web site, the Notice must be posted on the Web site.

 

Changes to the Notice:

  • Content (material changes) to the Notice cannot be implemented prior to the effective date of the revised Notice.
  • Your facility’s Notice should include a statement that it reserves the right to make changes to the Notice and how an updated Notice can be obtained. This will allow the facility to make changes to the Notice without having to redistribute the Notice to current residents. If your Notice does not contain this type of statement, it must provide an updated Notice to current residents.

 

A copy of each version of your facility’s Notice must be retained for six years from the date it was last in effect.

 

Designation of a Privacy and Security Officer

 

HIPAA requires the designation of a privacy and security official who is responsible for the development and implementation of the policies and procedures of the facility related to the privacy and security rules. The facility must also designate a contact person or office who is responsible for receiving complaints related to the facility's privacy or security practices.  The privacy and/or security official and the contact person do not have to be the same individual.  The rule does not require specific training or expertise.

 

AHIMA's published model position description for the Privacy Officer

 

 

Additional considerations: would it be better to place these in the resources document embedded in the Guidelines?

  • Do we want to provide a link to the AHIMA ROI tool kit?  No charge to members; link below:

https://www.ahimastore.org/ProductDetailBooks.aspx?ProductID=16469

  • Need to add a link for the sample AHIMA Security position description; link below:

http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_019915.hcsp?dDocName=bok1_019915

  • Guidelines need an update to include a section on Social Media; link below:

http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_046308.hcsp?dDocName=bok1_046308

 


Copyright ©2011 American Health Information Management Association. All rights reserved. All contents, including images and graphics, on this Web site are copyrighted by AHIMA unless otherwise noted. You must obtain permission to reproduce any information, graphics, or images from this site. You do not need to obtain permission to cite, reference, or briefly quote this material as long as proper citation of the source of the information is made. Please contact Publications to obtain permission. Please include the title and URL of the content you wish to reprint in your request.
