POLICY: 

The facility is committed to maintaining the confidentiality of our individuals through the proper use and disclosure of individuals’ Personal Health Information (PHI). All the Company personnel have a duty to follow the procedures in this policy and report any suspected breaches of individual privacy to the Office of Quality Management. Violation of this policy may result in disciplinary action up to and including termination for employees or a termination of employment relationship in the case of contractors or consultants. Additionally, individual may be subject to loss of access privileges and civil and/or criminal prosecution. 

This facility complies comply with Title 42, Code of Federal Regulations, Part 2, titled “Confidentiality of Alcohol and Drug Abuse Patient Records,” regarding confidential individual information. 

PROCEDURE: 

1) Use and Disclosure of PHI for Treatment, Payment, or Healthcare Operations 

  1. a) PHI may be disclosed without individual authorization for treatment, payment, or healthcare operations (TPO). This includes the following:
  2. i) The Company’s own treatment, payment, or healthcare operations (TPO). 
  3. ii) Treatment activities of another health care provider iii) The payment activities of another covered entity or healthcare provider; and 
  4. iv) The healthcare operation activities of another covered entity or health care provider, if each entity has or had a relationship with the individual who is the subject of the PHI being requested, and the disclosure is: a) For a purpose listed in the definition of health care operations; or b) For the purpose of health care fraud and abuse detection or compliance 

2) Disclosures for Payment 

  1. a) Only the minimum necessary PHI shall be disclosed for payment functions, as provided through contractual agreement. 
  2. b) Persons handling PHI in a payment context shall refrain from publicizing individual diagnosis information. 
  3. c) This policy shall apply to checks collected, credit card paper receipts, and envelopes. 

3) Use and Disclosure of PHI for non-TPO Purposes 

  1. a) The Company may not use and disclose PHI for non-TPO purposes, unless:
  2. i) The Company has obtained a valid authorization for disclosure of PHI signed by the individual or personal representative of the individual that meets the requirements of Quality Management 

4) Inappropriate Use and Disclosure of PHI 

  1. a) Company personnel must only use individual PHI when it is directly related to his/her work duties. 
  2. b) Any use of disclosure of individual information outside the scope of employment is a breach of confidentiality. 
  3. c) Medical records are not to be used as reading material or accessed out of curiosity. 
  4. d) Discussing Individuals in public areas i.e. restrooms. Elevators, hallways, etc. 
  5. e) Reviewing treatment information on a peer, colleague, or friend who is not actively engaged as an Individual in this facility. 
  6. f) Examples of inappropriate use of PHI resulting in a breach of individual confidentiality include:
  7. i) A Company employee who uses an electronic system to look up the phone number and address of an individual for personal reasons. 
  8. ii) A Company employee that is involved in a family dispute and accesses information about the welfare of a family member, including information about when their next appointment at the Company is. 

iii) A Company employee is asked by a visitor the location of an individual. The Company employee looks up the information for the visitor even though it is not part of the employee’s job. (Employees should direct visitors to the Reception Desk in the hospital. For more information, please refer to the Individual Directory policy.) 

  1. iv) A Company employee that accesses the Company bed census to find out where an individual is being treated. 
  2. g) Company personnel are responsible for all information accessed under his / her username and password. 
  3. h) Sharing passwords or leaving computers unattended and logged in to a program containing PHI while unattended jeopardizes individual confidentiality and will be considered a breach of confidentiality if the information is accessed inappropriately. 
  4. i) Company personnel are responsible for all disclosures of PHI. The disclosure of PHI, whether written, oral, or electronic must be done solely for TPO purposes associated with the individual in accordance with this policy. 
  5. j) Communicating confidential individual information inappropriately, carelessly, or negligently is a breach of confidentiality. (Ex. Casual discussions regarding individuals, discussion in public areas, and/or unauthorized release of information while on or off campus.) 
  6. k) Professional discussion of individual conditions or medical plans should be limited to private areas and should not be discussed in public areas such as hallways or waiting areas. 
  7. l) Casual discussions regarding individuals and/or unauthorized release of information are considered a breach of confidentiality. 
  8. m) Examples of inappropriate disclosure of PHI resulting in a breach of individual confidentiality include: 
  9. i) A Company employee, treating a well-known person in the community, telling other Company employees (not on the individual’s treatment team) about the treatment of the individual. 
  10. ii) A Company employee learns about the condition of an individual who is also a family member while at work. The Company employee then tells other family members about the individual’s condition. 

iii) A Company employee who sends an email to her spouse that contained PHI on individuals the employee was treating. 

  1. iv) A Company employee who discloses identifying information on an individual and talks about the medical condition of the individual in the dining hall with friends at lunch. v) Company employee who accidentally leaves detailed medical notes on individuals on a table next to a soft drink machine while on break. 

5) Transmission of PHI 

  1. It is this facility’s policy that PHI may only be transmitted by the following: 
  2. Mail – priority or certified mail or 
  3. Facsimile – Faxing of PHI is the preferred method. 
  4. Password protected files are allowed to be transmitted electronically in extreme instances. In certain circumstances, encrypted email may be utilized if required to comply with federal regulations. 
  5. Transmission of documentation and records for virtual programming will be facilitated through an end-to-end encrypted patient portal. 

Email is prohibited for exchange of PHI, except through the use of encryption software. 

Minimum Necessary Rule prevails with all record requests. 

Note: For any release of PHI where multiple items are requestor, Records Management in collaboration with Director of Quality Management and Compliance will evaluate which items will be sent based upon the minimum necessary rule and purpose of the request. Just because all items are requested, not all items will be sent. 

All requests for PHI must be submitted in writing utilizing the “Authorization for Release” and be signed by the individual or the individuals authorized representative. Requests not submitted on this form will not be accepted, and the requestor will be made aware of this form. The Director of Quality Management will verify information to confirm it is a legitimate request. 

A record of all transmissions of PHI will be recorded by the Medical Records department and will document the date the PHI was requested, the requestor/entity, verification of requestor, and date the PHI was released.