HIPAA

CONFIDENTIALITY

PURPOSE:

To assure that patients'/residents' rights of privacy and confidentiality are maintained in an acceptable manner.

SUMMARY:

Maintaining the security of confidential information is a duty of all board members, employees, volunteers, agents, medical and allied health staff, and contractors, regardless of whether or not the individual in question works directly with such information. Individuals who have access to confidential information must ensure that such information, in whatever form it exists, is handled in strict accordance with this policy and with applicable legal, accreditation and regulatory requirements for safeguarding confidential information.

DEFINITIONS:

Authorization – A written agreement to let Samaritan disclose protected health information only for a particular request or need.

Breach – An unauthorized acquisition, access, use, or disclosure of protected health information (PHI) that compromises its security or privacy.

Confidential Information – Any information, in whatever form it exists (electronic, oral or otherwise), related to any person at the hospital or home, and any other information not generally available to the public. Examples include but are not limited to:

  • Patient/resident and employee demographics, religion, financial and account status;
  • Employee health records, medical care program and employment information;
  • Patient/resident diagnosis, care plan, current and previous medical records and any other type of communication regarding patient/resident-specific information;
  • Computer system reports, access, passwords and security codes;
  • Medical Staff and peer review files;
  • Institutional business and financial records;
  • Verbal communication and conversations between patients/residents, physicians, employees and the institution.

Employees – For the purpose of this policy, "employees" refers to board members, employees, volunteers, agents, medical and allied health staff, and contractors.

HITECH Act - Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

Individual Identifiers – Information collected that would uniquely identify an individual, including: name, address, birth date, phone number, e-mail address, social security number, medical record number, account number, fingerprints, photographic images, license number, vehicle ID number, or any other unique identifier.

Minimum Necessary – Least amount of health information necessary to accomplish the intended professional purpose of the use or disclosure.

Protected Health Information – Any individually identifiable health information that is a subset of health information, including demographic information collected from an individual, and:

  • Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse.
  • Relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare; and that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Examples include, but are not limited to:
  1. Patient/resident diagnosis, care plan, current and previous medical records and any other type of communication regarding patient/resident-specific information, whether it be physical, emotional or behavioral.
  2. Verbal communication and conversations between patients/residents, physicians, employees and the institution related to health information.


Permissible Uses and Disclosures – Allowable situations in which we use and share the patient's/resident's protected health information.

Confidential information may exist in electronic, written or oral format. Samaritan will ensure that all data and information throughout the facilities is managed in a secure and confidential manner, in accordance with Federal, State and other regulatory agencies' requirements. All efforts will be undertaken to prevent a breach of this security and confidentiality.

POLICY:

To assure that the confidentiality and security of information are upheld, every user of the computer system will be assigned an individual user ID and a personal password.

Information which may be considered ordinary facts and necessary for planning specific care and services will be handled with professional discretion on a "need to know" basis.

Proper authorization is required when disclosing confidential information for purposes other than permissible uses and disclosures.

Information may be disclosed without authorization if all individual identifiers are removed. When so doing, Samaritan (collectively, Samaritan Medical Center and Samaritan-Keep Nursing Home) will not disclose the key or other mechanisms that would enable the information to be re-identified.

Employees shall not access or attempt to access confidential information, in whatever form it exists, electronic or otherwise, that is not required in connection with the provision of clinical services or any other authorized use. This includes confidential information relating to employees' own care or treatment and/or that of their family or significant other, except in the manner available to non-employee patients/residents.

Employees are cautioned not to discuss any information regarding patients/residents with others. Conversations with fellow employees may be overheard and violate the trust others have placed in our personnel and faculty. Personal opinions as to the competence of hospital medical staff members or any other staff members are not to be expressed in a public environment and should always be addressed to the staff member's Supervisor, the hospital CEO or the Chief of Staff for resolution.

Violations of this policy will be cause for disciplinary action up to and including termination of employment or medical staff appointment.

Disciplinary actions for breaches of confidentiality by non-employed physicians and/or allied health professionals shall be in accordance with the medical staff bylaws, including their procedures for corrective action.

Disciplinary actions for non-employed physician office staff, vendors, and/or external entity breaches of confidentiality may include, but are not limited to, immediate discontinuance of computer system access and the evaluation of any additional sanctions or actions warranted by the situation.

Witnessed inappropriate access to or use of patient/resident data must be reported to management.

Under HIPAA/HITECH regulations, breach notification will proceed as follows: Samaritan will be required to provide notice to the patient/resident within 60 days of discovery of the breach via first class mail to the affected person's last known address. Samaritan will be required to disclose all breaches to Health and Human Services (HHS). Breaches affecting 500 or more patients/residents must be disclosed to HHS immediately. Breaches affecting fewer than 500 patients/residents can be reported annually. A log of all breaches must be maintained. Business Associates (BA) are required to notify Samaritan's Privacy Officer and the affected individual should a breach occur. This is a requirement under the HITECH Act of 2009.

Employees will sign a confidentiality acknowledgement statement upon association and annually thereafter.

Employees who have access to information concerning patients/residents, registrants, volunteers, employees and physicians must hold all such information in strict confidence.

PROCEDURE:

Requests for confidential patient/resident/registrant information, including but not limited to those received from other facilities, lawyers and physicians who are not documented as the physician of record, should be directed to the Health Information Management Department. Disposition of such requests shall be in accordance with the established policy and procedure for disclosing medical information.

Requests for insurance/billing information should be directed to the Business Office.

Requests for physician information should be directed to the Medical Staff Office.

Requests for employment information should be directed to the Human Resource Department.

Requests for all other confidential information should be directed to Health Information Management.

Computer System
Access to modules of the computer system will be granted based upon the user's need as related to job responsibilities, as determined by the department manager/supervisor and verified by MIS.

Each user will read and sign a Meditech New User Assignment form or Meditech Non-Employee User Assignment Form before a user ID and temporary password is assigned.

Computer access passwords are not to be used by anyone other than the assigned user. Sharing a computer access password is grounds for progressive discipline.

Once access has been granted, the computer system enforces a built-in automatic password change requirement every 90 days.

Every computer system user will have the ability to change their password whenever a change is wanted.

Each employee will receive training on the applicable information system modules prior to receiving a temporary password. The information system module team leader will determine this training. The training will include education on the confidentiality of patient/resident information, the need to keep the password private as personal information, and the ability to change the password as needed.

The department manager will immediately send the names of terminated employees to the Operations Manager of the MIS department. The Operations Manager will forward that information to the appropriate Meditech Analyst or supervisor. This will assure that access to the clinical modules of Meditech and PYXIS can be deleted. The removal of all other access rights, including removal from databases, the network and the phone system, will also be done in the MIS Operations department.

E-mail
E-mail users may only transmit patient/resident/registrant identifiable information via the internal e-mail system, and only to other users of the internal e-mail system who are authorized to access such information.

When the e-mail system is accessed from outside the building, information sent and received will be secured using encryption software.

Inpatient Mental Health Unit
No information on patients/residents admitted to the IMHU will be given over the telephone without the patient's/resident's voluntary written permission, except for the sharing of information among providers as allowed by law. Patients/residents are presented with a notice of the limits of confidentiality, which allows the patient/resident to authorize the hospital to notify their family of their whereabouts. When a telephone call is received, the patient's/resident's record is checked prior to any disclosure. If there is no written consent, no information is given out and staff can neither confirm nor deny that a patient/resident is on the unit.

Outpatient Alcohol
The program does not release any information on clients without a signed Release of Information, an appropriate court order, the occurrence of a suicidal or homicidal threat/action, a medical emergency, or a situation which requires mandated reporting of child abuse or neglect.

Therapists are not to speak to anyone on the phone without the client's record and Release of Information in front of them. Only information covered by the Release of Information may be disclosed.

Visitor confidentiality forms must be completed by anyone entering the treatment area who is not employed by the organization or not in active treatment.

Charts, case notes or any client's identifying data must be locked in the appropriate file room when not in use.

Telecommuting
Transcription staff authorized to transcribe confidential medical reports will receive and transmit information secured by encryption software. Telecommuting staff will sign an annual telecommuter's agreement.

Medical Staff Services
Medical Staff Services and Quality Improvement Services maintain physician-specific files. The professionals in this area are the custodians of these files. Internal and external access is governed by the Medical Staff Affairs Policy "Physician Specific Files," approved June 1988.

Media
It is the responsibility of the Marketing and Community Relations Department to coordinate all requests for information from the media/public as outlined in Public Information and Media Policy.

Other
HIV antibody test results may only be given out if the tested individual has provided written consent in the appropriate format, or to those who need status information to provide medical care and services, including care providers; persons involved in foster care or adoption; parents and guardians who consent to care for minors; jail, prison, probation and parole employees; emergency response workers in hospitals, other regulated settings or medical offices who are exposed to blood/body fluids in the course of their employment; and organizations that review the services received. Samaritan will disclose relevant information concerning emergency response employee/volunteer exposure to specified airborne and bloodborne infectious diseases, including HIV, to the designated officers of the emergency response employed volunteer. The information disclosed in this situation will not include the patient's/resident's name or address.

RELATED POLICIES:
Patient/Resident Access to PHI
Authorization for Disclosure
Human Resource Policy 1-004 "Corrective Action" REV 6/95
Inpatient Mental Health Unit Policy on Patient/Resident Confidentiality
Marketing and Community Relations "Public Information and Media"
Alcohol Outpatient Program "Release of Confidential Information"

RELATED FORMS:
Release of Information - SHS-0082
Legal Consent for Release of Information (Outpatient Alcohol) - MR-0159
Confidential Information Consent (Outpatient Alcohol) - MR-0096

Note: Other regulatory-related forms that may be pertinent include:
Consent for Release of Information Concerning Alcoholism/Drug Abuse Patient/Resident - OASAS - TRS-2 (4/97)
Consent for Release of Information - OMH-11 (5/87)
DOH 405.4, 6/00 Informed Consent to Perform a Confidential HIV Test and authorization for release of HIV related information for purposes of providing post-exposure care to a healthcare worker exposed to a patient/resident's blood or body fluids.

REFERENCES:
DOH 405.4, 6/00 Informed Consent to Perform a Confidential HIV Test and authorization for release of HIV related information for purposes of providing post-exposure care to a healthcare worker exposed to a patient/resident's blood or body fluids.
Ryan White Comprehensive AIDS Resources Emergency Act of 1990
New York State Mental Hygiene Law
JC
HHS

Reviewed 7/27/2009
Revised 10/16/2012

Samaritan Medical Center | 830 Washington Street | Watertown, NY 13601 | (315)785-4000 | Toll-Free 1-877-888-6138
Copyright © 2014 Samaritan Medical Center. All Rights Reserved.