It is the policy of Christ Health Center (CHC) that all employees shall regard information about CHC's patients, clients, staff, or associates as confidential. Information regarding any patient's medical records, telephone conversations, family histories and diseases or illnesses shall be restricted to CHC's professional and paraprofessional personnel, appropriate business associates or relatives that directly participate in the care of the patient. Employees who violate this policy are subject to disciplinary action, including termination from employment.
The CHC Board of Directors (BOD) has ultimate responsibility for the approval of the Privacy and Confidentiality of Patient Information Policy and Procedure. The BOD delegates policy compliance to the Chief Executive Officer (CEO.) The CEO delegates policy review and recommendations to CHC's Quality Improvement Committee (QIC). The QIC delegates oversight of policy implementation to the Administrative Services Director. The Administrative Services Director (ASD) ensures implementation of the standards as outlined below.
Privacy and Confidentiality of Patient Information
Federal and state laws govern the privacy, security, and confidentiality of patient health information (PHI) that CHC may possess, control, or access in the normal course of business. CHC is committed to complying with these laws to ensure that PHI remains private, secure, and confidential. In addition to the policy below, CHC is required to implement a Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Plan, and to appoint a HIPAA Officer to administer this plan; the Administrative Services Director will serve as the required HIPAA Privacy and Security Officer.
In addition to appropriately maintaining appropriate patient information, CHC should ensure that the following types of documents are properly maintained in accordance with this policy:
- All records and documentation (e.g., billing and claims documentation) required for participation in government and private payor health care programs.
- All records necessary to demonstrate the integrity of CHC's compliance process and to confirm the effectiveness of the compliance policy. Among the materials useful in documenting the compliance with this policy are:
- certifications relating to training and other compliance initiatives,
- copies of compliance training materials,
- any corresponding reports of investigation, outcomes, internal audit results, disciplinary actions and
- any violations uncovered by the compliance program and the resulting remedial action.
- In addition, CHC should keep all relevant correspondence with carriers, private payer insurers, and CMS.
Storage, Retention and Destruction.
All patient records and information will be stored in a location that will provide convenient and quick access and which will best protect the records from decay and exposure to natural elements. Patient records and related information shall be retained by CHC in accordance with applicable law and guidelines. After the retention period has expired, the HIPAA Officer must grant his or her written approval prior to the destruction of any patient records or information, and such destruction shall comply with all CHC policies and procedures and applicable federal and state laws, rules and regulations and requirements of third party payors.
Patient information and medical records should be secured against loss, destruction, unauthorized access, unauthorized reproduction, corruption, or damage. CHC employees must maintain the confidentiality of patient information in compliance with all applicable laws and regulations. CHC employees shall refrain from revealing any personal or confidential information concerning patients unless supported by legitimate patient care purposes, authorized by the patient or otherwise required by law. Any request for a patient's medical records, financial and/or billing information must be accompanied by a release signed by the patient authorizing release of the records to the person who is requesting the records. When an attorney (other than the attorney for CHC) requests records on behalf of a patient, inquiry may be made of the attorney regarding the reason the request has been made. In addition, a CHC employees should consult the HIPAA Officer, who will seek legal advice when necessary, prior to releasing records, depending on the circumstances. If questions arise regarding an obligation to maintain the confidentiality of information or the appropriateness of releasing information, CHC employees should seek guidance from the HIPAA Officer.
Health Insurance Portability and Accountability Act
- HIPAA Privacy.
CHC employees are required to comply with and adhere to the Health Insurance Portability and Accountability Act of 1996. The HIPAA law strictly prohibits health care providers (i.e., covered entities) from wrongfully disclosing individually identifiable health information if such protected information is transmitted in electronic form. The regulations expand the general disclosure prohibition to include health information in any form either electronic, written, or oral communications. CHC intends to comply with all of the requirements of the HIPAA law and regulations, including the regulatory standards. In this regard, all CHC employees are required to review, and be familiar with, CHC's HIPAA and privacy policies
Any questions regarding privacy of PHI or security should be forwarded to the HIPAA Officer. In this regard, therefore, before a CHC employee releases any individually identifiable health information or data governed by the HIPAA law, the CHC employee and/or CHC shall obtain approval of the HIPAA Officer, when necessary, to ensure that the proposed disclosure complies with the HIPAA law. This policy is applicable to, but is not limited to:
If a CHC employee receives a third-party subpoena requesting "protected health information (PHI)", as defined by HIPAA, the CHC employee shall immediately notify the HIPAA Officer. Under no circumstances shall PHI be released, pursuant to subpoena, unless such subpoena is accompanied by a signed HIPAA protective order. With few exceptions, such as psychotherapy notes or information compiled for a legal proceeding, a patient has the right to access, review and restrict the PHI. The HIPAA Patients' Bill of Rights and Regulations specifically address the mechanics of a request for access, the form in which a request for access may be made, and any applicable fees relating to accessing the information. Subject to certain requirements and restrictions, patients also have the right to have CHC amend protected health information about themselves. However, a patient's right to his or her medical record is not absolute, and CHC may deny amendment for a legitimate reason and under certain circumstances, as long as there is a mechanism available to review the denial.
- non-routine disclosures of individually identifiable health information, including, but not limited to, disclosures to employers, life insurance companies, mortgage lenders, drug or medical device manufacturers, etc.
- patient inquiries regarding their ability to access, review, restrict and/or amend their medical records
- upon a patient's request, CHC's compilation and preparation of a summary of all of the disclosures involving a patient's medical records and individually identifiable health information.
- HIPAA Security.
The HIPAA Security Rule generally requires that providers, such as CHC, safeguard all electronic protected health information (EPHI) by:
The Security Rule includes two types of specifications: those that are "required" and those that are "addressable." All required specifications must be implemented. However, HIPAA allows covered entities to look at addressable specifications and determine whether each one is workable and makes sense for their particular setting.
- ensuring the confidentiality, integrity, and availability of all EPHI the provider creates, receives, maintains, or transmits
- protecting against any reasonably anticipated threats or hazards to the security or integrity of such information
- protecting against any reasonably anticipated use or disclosures of such information that are not permitted under the Security Rule
- ensuring compliance with the Security Rule by its workforce
For every addressable specification in the Security Rule, the provider will decide whether the specification is a reasonable and appropriate security measure to apply within its particular security framework, taking into account the following factors:
- the size, complexity, and capabilities of the provider;
- the technical infrastructure, hardware, and software security measures;
- the cost of the security measures;
- the probability and criticality of potential risks to EPHI.
When implementing the specification is not reasonable and appropriate, the provider must:
- document why it would not be reasonable and appropriate; and
- implement an equivalent alternative measure, if reasonable and appropriate.
- HIPAA Breach Notification.
HIPAA regulations also require covered entities, such as CHC, notify each individual whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired, used, or disclosed following a breach of that unsecured PHI. A "breach" is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Examples of impermissible uses or disclosures of PHI include the theft of a laptop containing PHI or the unauthorized downloading or transfer of PHI by employees.
"Unsecured" PHI is defined as PHI that is not secured through the use of a technology or methodology required in Health and Human Services (HHS) guidance to render PHI "unusable, unreadable or indecipherable to unauthorized individuals." HHS issued guidance on April 17, 2009, identifying two methods for securing PHI: encryption and destruction. Covered entities that take the steps specified in the HHS guidance to secure PHI will not be required to provide the notifications required by the breach notification regulations in the event of a breach. If you believe that a breach of unsecured PHI has occurred, contact the HIPAA Officer.