I – PREFACE
Salveo Healthcare Solutions, Inc. have a long-standing commitment to protecting the privacy of patient and employee health information which is sometimes referred to as Protected Health Information (“PHI”). A part of this commitment involves compliance with the privacy standards contained in the regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the first comprehensive federal protection of health information. The regulation is known as the Privacy Rule.
The following is a general overview of the requirements of the HIPAA privacy regulations. Each facility is referred to as a “Covered Entity” by these regulations and in this statement.
The HIPAA regulations govern the use and disclosure of PHI. In general, a Covered Entity may use PHI for purposes of treatment, payment, and health care operations. It may disclose PHI
- with the individual’s authorization;
- To another healthcare provider for treatment and payment purposes with the individual’s authorization; and
- in certain other circumstances described by the regulations.
In using or disclosing PHI a Covered Entity must restrict the use or disclosure to the minimum amount necessary to accomplish the purpose of the use or disclosure.
The HIPAA regulations also give individuals several rights with respect to their PHI. In addition to the rights to have access and to receive confidential communications about PHI, the individual may copy and inspect PHI, restrict its use and disclosure, amend it, and receive an accounting of disclosures made of their PHI.
There are many obligations imposed on a Covered Entity by the privacy regulations. These
- Include developing and implementing policies and procedures to assure compliance;
- Training members of its workforce in the HIPAA requirements appropriate to their jobs;
- Documenting its efforts to achieve compliance; developing and implementing safeguards to protect PHI
The Covered Entity must state its practices with respect to the use and disclosure of PHI, the individual’s rights and the Covered Entity’s obligations in a “Notice of Privacy Practices”. This Notice must be given to individuals at the time the treatment relationship begins.
II – SAFEGUARDING AND STORING PROTECTED HEALTH INFORMATION
The policy of Salveo Healthcare Solutions, Inc. is to ensure, to the extent possible, that PHI is not intentionally or unintentionally used or disclosed in a manner that would violate the HIPAA Privacy Rule or any other federal or state regulation governing confidentiality and privacy of health information. The following procedure is designed to prevent improper uses and disclosures of PHI and limit incidental uses and disclosures of PHI that is, or will be, contained in a patient’s Medical Record. At the same time, Salveo Healthcare Solutions recognizes that easy access to all or part of an employee or a patient’s session logs/reports by health care practitioners involved in a patient’s care (nurses, attending and consulting physicians, therapists, and others) is essential to ensure the efficient quality delivery of health care.
The Administrator is responsible for the security of all Medical Records.
PROCEDURE
Salveo Healthcare Solutions’ Administrator shall periodically monitor the company’s compliance regarding its reasonable efforts to safeguard PHI.
Safeguards for Verbal Uses
These procedures shall be followed, if reasonable by the company, for any meeting or conversation where PHI is discussed.
Meetings during which PHI is discussed:
- Specific types of meetings where PHI may be discussed
- Meetings will be conducted in an area that is not easily accessible to unauthorized persons.
- Meetings will be conducted in a room with a door that closes, if possible.
- Voices will be kept to a moderate level to avoid unauthorized persons from overhearing.
- Only staff members who have a “need to know” the information will be present at the meeting. (See the Policy “Minimum Necessary Uses and Disclosures.”)
- The PHI that is shared or discussed at the meeting will be limited to the minimum amount necessary to accomplish the purpose of sharing the PHI.
Telephone conversations:
- Telephones used for discussing PHI are located in as private an area as possible.
- Staff members will take reasonable measures to assure that unauthorized persons do not overhear telephone conversations involving PHI.
Reasonable measures may include:
- Lowering the voice
- Requesting that unauthorized persons step away from the telephone area
- Moving to a telephone in a more private area before continuing the conversation
Safeguards for Written PHI
All documents containing PHI should be stored appropriately to reduce the potential for incidental use or disclosure. Documents should not be easily accessible to any unauthorized staff or visitors.
Active Records:
- Active Logs shall be stored in an area and on the company database that will allow authorized staffs and health care providers to access the records quickly but securely
- Active Logs shall not be left unattended on the desk or other areas or be uploaded online unsecured where any unauthorized individuals could easily view the records.
- Only authorized staff shall review the Treatment Logs/Reports. All authorized staff reviewing these shall do so in accordance with the minimum necessary standards.
- Treatment logs/reports shall be protected from loss, damage and destruction.
Active Business Office Files:
Active Business Office Files shall be stored in a secure area in the office as well as on the Salveo Healthcare Solutions, Inc’s database that allows authorized staff access as needed.
- The Administrator will identify and document those staff members with keys to stored PHI records. The minimum number of staff necessary to assure that records are secure yet accessible shall have keys allowing access to stored PHI. Staff members with keys shall assure that the keys are not accessible to unauthorized individuals.
- Inactive Records must be signed out if removed from their designated storage area. Only authorized persons shall be allowed to sign out such records.
- Records must be returned to storage promptly.
- In the event that the confidentiality or security of PHI stored in an active or inactive Medical Record has been breached, the Administrator shall be notified immediately.
- Facility procedure will be followed if any medical records are missing.
- All medical records, session logs and reports will also be kept on the database where only authorized person can access using a specific username and password provided by the company
Inactive Business Office Files:
Inactive Business Office Files shall be stored in a systematic manner in a location that ensures privacy and security of the information both online and physically.
Office Equipment Safeguards
Computer access:
- Only staff members who need to use computers to accomplish work-related tasks shall have access to computer workstations or terminals.
- All users of computer equipment must have unique login and passwords
- Posting, sharing and any other disclosure of passwords and/or access codes to an unauthorized person unless otherwise approved.
- Access to computer-based PHI shall be limited to staff members who need the information for treatment, payment or health care operations.
- Facility staff members shall log off or lock their workstation when leaving the work area
- Computer monitors shall be positioned so that unauthorized persons cannot easily view information on the screen.
- Employee access privileges will be removed promptly following their departure from employment.
- Employees will immediately report any violations of this Policy to their supervisor, Administrator or Facility Privacy Official.
Printers, copiers and fax machines:
- Printers, copiers and fax machines will be located in areas not easily accessible to unauthorized persons.
- If equipment cannot be relocated to a secure location, a sign will be posted near the equipment indicating that unauthorized persons are prohibited from viewing documents from the equipment.
- Documents containing PHI will be promptly removed from the printer, copier or fax machine and placed in an appropriate and secure location by an authorized staff.
- Documents containing PHI that must be disposed of due to error in printing will be destroyed by shredding or by placing the document in a secure recycling or shredding bin until destroyed.
III – DESTRUCTION
Written:
Documentation that is not part of the medical record and will not become part of the Medical Record (e.g., report sheets, shadow charts or files, notes, lists of vital signs, weights, etc.) shall be destroyed promptly when it is no longer needed by shredding or placing the information in a secure recycling or shredding bin until the time that it is destroyed.
Electronic:
Prior to the disposal of any computer equipment, including donation, sale or destruction, the Facility must determine if PHI has been stored in this equipment and will delete all PHI prior to the disposal of the equipment.
IV – EMAILING PROTECTED HEALTH INFORMATION
It is the policy of this Facility to protect the electronic transmission of PHI as well as to fulfill our duty to protect the confidentiality and integrity of resident PHI as required by law, professional ethics and accreditation requirements. The information released will be limited to the minimum necessary to meet the requestor’s needs. Whenever possible, de-identified information will be used.
PROCEDURE
- E-mail users will be set up with a unique identity complete with unique password and file access controls.
- E-mail users may not intercept, disclose or assist in intercepting and disclosing e-mail communications.
- Patient specific information regarding highly sensitive health information must not be sent via e-mail, even within the internal email system (i.e. information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes).
- Users will restrict their use of email for communicating normal business information such as information about general care and treatment of patients, operational and administrative matters, such as billing.
- Users should verify the accuracy of the email address before sending any PHI and, if possible, use email addresses loaded in the system address book.
- PHI may be sent unprotected via e-mail within a properly secured, internal network of the organization. When sending PHI outside of this network, such as over the Internet, every effort should be made to secure the confidentiality and privacy of the information. Sample security measures include password protecting the document(s) being sent or encrypting the message.
- All e-mail containing PHI will contain a confidentiality statement (see sample below).
- Users should exercise extreme caution when forwarding messages. Sensitive information, including patient information, must not be forwarded to any party outside the organization without using the same security safeguards as specified above.
- Users should periodically purge e-mail messages that are no longer needed for business purposes, per the organization’s records retention policy.
- Employee e-mail access privileges will be removed promptly following their departure from the organization.
- Email messages, regardless of content, should not be considered secure and private. The amount of information in any email will be limited to the minimum necessary to meet the needs of the recipient.
- Employees should immediately report any violations of this guideline to their supervisor, Administrator or Facility Privacy Official.
Sample Confidentiality Statement
The information contained in this e-mail is legally privileged and confidential information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, or copy of this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete this e-mail from your system. Thank you.
V – Faxing Protected Health Information
It is the policy of Salveo Healthcare Solutions to allow the use of facsimile machines to transmit and receive PHI. The information released will be limited to the minimum necessary to meet the requestor’s needs.
PROCEDURE
- The fax machine should be located in an area that is not easily accessible to unauthorized persons.
- Received documents will be removed promptly from the fax machine. To promote secure delivery, instructions on the cover page will be followed.
- Unless otherwise prohibited by state law, information transmitted via facsimile is acceptable and may be included in the patient’s record.
- Steps should be taken to ensure that the fax transmission is sent to the appropriate destination. These include:
- Pre-programming and testing destination numbers whenever possible to eliminate errors in transmission due to misdialing.
- Asking frequent recipients to notify the Facility of a fax number change.
- Confirming the accuracy of the recipient’s fax number before pressing the send/start key.
- If possible, printing a confirmation of each fax transmission.
- A cover page should be attached to any facsimile document that includes PHI. (See a sample cover page following this Policy.)
- If a fax transmission fails to reach a recipient or if the sender becomes aware that a fax was misdirected, the internal logging system should be checked to obtain incorrect recipient’s fax number. Fax a letter to the receiver and ask that the material be returned or destroyed.
- A written Authorization for any use or disclosure of PHI will be obtained when the use or disclosure is not for treatment, payment or healthcare operations or required by federal or state law or regulation.
- The PHI disclosed will be the minimum necessary to meet the requestor’s needs.
- Highly sensitive health information should not be sent by fax in certain states (e.g., information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes).
SAMPLE CONFIDENTIALITY STATEMENT
This communication may contain confidential Protected Health Information. This information is intended only for the use of the individual or entity to which it is addressed. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled.
If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is STRICTLY PROHIBITED by Federal law. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents
VI – USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
Disclosure of PHI will only be allowed with a properly completed and signed authorization except:
- When required or allowed by law
- As defined in the Notice of Privacy Practices:
- For continuing care (treatment)
- To obtain payment for services (payment)
- For the day-to-day operations of the facility and the care given to the patients
Disclosure of PHI will be centralized through the company’s Administrator. In some instances, the Administrator will need to track information that is disclosed. All disclosures designated as trackable on the “Request and Disclosure Table” must be approved to enable the Facility to provide an accounting of disclosures when requested.
Disclosure of PHI will be carried out in accordance with all applicable legal requirements and in accordance with Facility policy. Each Facility will be responsible for researching and abiding by applicable state laws and regulations.
VII – AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION
In accordance with the HIPAA Privacy Rule, when PHI is to be used or disclosed for purposes other than treatment, payment, or health care operations, the Facility will use and disclose it only pursuant to a valid, written authorization, unless such use or disclosure is otherwise permitted or required by law. Use or disclosure pursuant to an authorization will be consistent with the terms of such authorization.
PROCEDURE
Exceptions to Authorization Requirements
PHI may be disclosed without an authorization if the disclosure is:
- Requested by the patient or by a confirmed authorized person (authorization is never required);
- For the purpose of treatment;
- For the purpose of the company’s payment activities, or the payment activities of the entity receiving/providing the PHI
Use or Disclosure Pursuant to an Authorization
- When the Facility receives a request for disclosure of PHI, the Facility Administrator shall determine whether an authorization is required prior to disclosing the PHI.
- PHI may never be used or disclosed in the absence of a valid written authorization if the use or disclosure is:
- Of psychotherapy notes as defined by the HIPAA Privacy Rule;
- For the purpose of marketing; or
- For the purpose of fundraising.
- If the use or disclosure requires a written authorization, the Facility shall not use or disclose the PHI unless the request for disclosure is accompanied by a valid authorization.
- If the request for disclosure is not accompanied by a written authorization, the Administrator shall notify the requestor that it is unable to provide the PHI requested. The Administrator will supply the requestor with an Authorization to Use or Disclose PHI (“Authorization”) form.
- If the request for disclosure is accompanied by a written authorization, the Administrator will review the authorization to assure that it is valid
- If the authorization is lacking a required element or does not otherwise satisfy the HIPAA requirements, the Administrator will notify the requestor, in writing, of the deficiencies in the authorization. No PHI will be disclosed unless and until a valid authorization is received.
- If the authorization is valid, the Administrator will disclose the requested PHI to the requester. Only the PHI specified in the authorization will be disclosed.
- Each authorization shall be filed in the patient’s Medical Record.
Preparing an Authorization for Use or Disclosure
- When the Facility is using or disclosing PHI and an authorization is required for the use or disclosure, the Facility will not use or disclose the PHI without a valid written authorization from the patient or the patient’s personal representative.
- The Authorization form must be fully completed, signed and dated by the patient or the patient’s personal representative before the PHI is used or disclosed.
Revocation of Authorization
- The patient/client may revoke his authorization at any time.
- The authorization may ONLY be revoked in writing.
- Upon receipt of a written revocation, the Privacy Official will write the effective date of the revocation on the Authorization form.
- Upon receipt of a written revocation, the Facility may no longer use or disclose a resident’s PHI pursuant to the authorization.
- Each revocation will be filed in the patient’s medical records.
VIII – RETENTION OF PROTECTED HEALTH INFORMATION
PHI contained in the Designated Record Set will be retained according to state and federal regulations whichever requires retention for the longer period of time.
PHI, including medical and financial records contained in the Designated Record Set, will be retained for a minimum of six years as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
In absence of state law specifying a greater retention period, Medical Records must be retained for at least six years after the date it was last in effect.
For minor patients (persons who have not reached full legal age), the Medical Record must be retained for three years after the minor reaches legal age under state law or six years from the date of discharge, whichever is longer.
Medical records on which there may be pending litigation may be exempt from scheduled destruction at the discretion of the Facility.
If state laws and regulations require a greater retention time period, the greater will be followed.
PROCEDURE
- The Facility will review state laws and regulations to determine Medical Record retention period and “legal age.”
- If state laws or regulations require a different retention period, the greater retention period will be followed.
- The Facility will store the records until the retention period has expired. Records must be stored in a secure manner. The records must be protected from unauthorized access and accidental/wrong destruction.
- At the expiration of the retention period, the Medical Records will be destroyed. Records should be destroyed annually in accordance with the retention time frames.
IX – DESTRUCTION OF PROTECTED HEALTH INFORMATION
PHI stored in paper, electronic or other format will be destroyed utilizing an acceptable method of destruction after the appropriate retention period has been met.
Access to PHI stored on computer equipment and media will be limited by taking the appropriate measures to destroy electronically stored PHI.
PROCEDURE
Paper Documents:
- PHI maintained in paper format will be destroyed at the end of the retention period.
- All paper documents that contain PHI will be destroyed using an acceptable method of destruction.
- Acceptable methods of destruction include shredding, incineration, pulverization and use of a bonded recycling company.
Computer Data Storage Media
- Personal Computers: Workstations, laptops and servers use hard drives to store a wide variety of information. Residents’ health information may be stored in a number of areas on a computer hard drive. For example, health information may be stored in “Folders” specifically designated for storage of this type of information, in temporary storage areas and in cache. Simply deleting the files or folders containing this information does not necessarily erase the data.
- To ensure that any health information has been removed, a utility that overwrites the entire disk drive with “1”s and “0”s must be used.
- If the computer is being re-deployed internally or disposed of due to obsolescence, the aforementioned utility must be run against the computer’s hard drive, after which the hard drive may be reformatted and a standard software image loaded on the reformatted drive.
- If the computer is being disposed of due to damage and it is not possible to run the utility to overwrite the data, then the hard drive must be removed from the computer and physically destroyed. Alternatively, the drive can be erased by use of magnetic bulk eraser. This applies to PC workstations, laptops and servers.
Prepared By: Salveo Healthcare Solutions, Inc
Date Prepared: August 12, 2017
Last Updated: April 24, 2019