1.080 Ensuring Confidentiality

PURPOSE

In compliance with the Health Insurance Portability and Accountability Act of 1996 (45 CFR Sections 164 et seq.), it is the policy of Missouri State University, and its University Health Care Components (HCC) to provide procedures for best practices for employees, and students to utilize in the field when traveling outside the University. These procedures are to protect the privacy of Protected Health Information (PHI) of consumers in compliance with federal and state laws governing the use and disclosure of such PHI.

APPLICATION

Missouri State University, its HCC and workforce.

  1. Definitions:
    1. Authorized persons: those individuals involved in the treatment, payment or health care operations pertaining to the subject of the PHI.
    2. Designated Record Set: A group of any records under the control of a covered entity from which personal health information is retrieved by the name of the individual or by identifying number.
    3. Individually Identifiable Health Information: Any information, including demographic information, collected from an individual that (a) is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and (b) related to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual, and (i) identifies the individual or (ii) with respect to which, there is reasonable basis to believe that the information can be used to identify the individual.
    4. Protected Health Information (PHI): Individually identifiable health information.
    5. Vehicle: Any mode of transportation utilized in HCC business.
  2. PHI that is unattended shall be secured in a manner to protect such information from persons without authorized access to this PHI.
    1. Vehicles containing any PHI shall be kept locked while unoccupied. PHI shall be kept locked in the trunk of the vehicle, when possible. In the event of extreme temperature situations, an electronic device (laptop, personal digital assistant (PDA), etc.) containing PHI shall be maintained in the temperature controlled cab in a case while the vehicle is occupied. In the event of a vehicle accident, any University employee or student who suspects there is PHI in the vehicle shall make every reasonable attempt to make sure that the PHI is not accessible to anyone who does not need to have access to it, after assuring the health and safety of any individual(s).
    2. Upon an employee or student leaving an area where they have materials containing PHI, e.g., to use the restroom, the employee or student shall take the materials with them or ensure that the area is protected from viewing by those without authorization by locking the area, or informing HCC personnel if they are HCC records, or using some other reasonable intervention.
    3. Electronic devices containing PHI and other forms of PHI shall not be left in a hotel room for the day when cleaning service is expected. Upon leaving the hotel, employees or students shall take these items with them or ensure they are locked in the valuables area at the front desk or locked in a safe in the room if one is available. Should this not be possible, each document that is contained on the laptop shall be password protected on an individual basis.
    4. Employees and students shall travel in the field taking only PHI necessary to carry out their duties.
    5. Any documentation or equipment such as laptops, pagers, briefcases, palm pilots, etc. that may contain PHI shall be secured from access by those without authorization to the PHI. This includes all locations including an employee’s or student’s home. Again, each document that is contained on the laptop shall be password protected on an individual basis.
    6. If a designated record set is checked out from a University HCC, the medical records policy of the HCC shall be followed. If not a University HCC, careful consideration should be used to determine whether checking out any original records containing PHI is appropriate, and what measures may be used to secure these when unattended.
    7. Data contained on all laptops, etc., should be backed-up to a disk or to the network when at all possible to avoid loss of valuable consumer protected health information.
    8. If PHI in any form is lost or stolen, the University or Unit Privacy Officer (as applicable), or designee, should be notified as soon as practical, not to exceed two (2) business days, in order to initiate the mitigation process.
  3. PHI that is potentially within view of others, even if University employee or student is present, shall be protected in a manner that such information is not communicated to persons without authorized access to this PHI.
    1. All PHI within a vehicle shall be maintained so as to protect from plain view through the windows of the vehicle.
    2. Any electronic device containing PHI shall not have the screen placed in view of others and if left unattended briefly, a screen saver with password shall be employed consistent with the University’s security and Office of Information Systems requirements.
    3. All documentation containing PHI shall be maintained out of the view of unauthorized persons.
      1. While working with PHI, the employee or student shall keep the documentation within line of sight or within arm’s reach.
      2. This documentation shall be viewed in the most private settings available.
      3. Only PHI documentation necessary for the task at hand shall be in view.

      4. Briefcases containing PHI shall remain closed when not in use.
      5. When having PHI material copied, the employee or student shall ensure that this material is only viewed by authorized persons.

      6. When the employee or student is finished with reviewing HCC records containing PHI, the records shall be returned to HCC personnel and secured prior to the field employee or student departing, or in the case of an ongoing audit or investigation, etc., at the time of completion.
    4. Employees and students shall send and receive faxed materials containing PHI to and from University locations only, unless such locations are not readily available and timely transmission of records is necessary for safety needs. If in non-University locations:
      1. When sending or receiving a fax containing PHI, the employee or student shall ensure only those authorized to view have access to the material during the process of transmission.
      2. The fax cover sheet shall not contain PHI.
      3. Upon sending or receiving material containing PHI, the employee or student or designee shall call the location to verify with the sender or the receiver that the transaction was successful.
      4. The employee or student shall be waiting to receive the fax at the fax machine when the transmission is expected if the material could be accessed by those without authorization to view the PHI.
    5. Field-based employees/students will utilize appropriate discretion in the use of ID badges when providing treatment in public areas, in accord with the policies of the site.
    6. When using sign language interpreters where PHI may be transmitted, the most private setting available out of view of others shall be used.
  4. PHI that is verbally transmitted to others shall be protected in a manner that such information is not communicated to persons without authorized access to this PHI.
    1. Conversations where PHI is discussed shall occur in the most private settings. There shall be as much distance as possible between any individuals without authorized access to the PHI.
    2. Conversations where PHI is discussed shall occur with the employee or student using a volume level which cannot be overheard by those without authorized access to the PHI. This includes telephone conversations. If there is no way to prevent being overheard, a specific code shall be used to identify an individual such as chart number, or patient initials.
      1. The employee or student shall make every effort to keep the volume level of all participants low enough so as to not be overheard.

      2. Conversations shall involve using only the first name of an individual whenever possible.
    3. Wireless/cellular and cordless telephones shall be used for communicating PHI only if necessary.
      1. Home cordless telephones can be monitored up to one mile away. The employee or student shall switch to their regular landline telephone (if available) or digital cellular telephone for increased security if they receive a call on a cordless telephone. Employees and students shall not communicate PHI on a cordless telephone, unless using a code specified in 4.b.
      2. There is currently no device to monitor digital cellular telephone calls, so PHI discussions are currently acceptable. The employee or student shall not communicate PHI on analog cellular telephones, unless using a code specified in 4.b.
  5. PHI that may be shared with others in the course of an employee carrying out duties shall be protected in a manner that such information is not communicated to persons without authorized access to this PHI.
    1. Deaf and linguistic interpreters shall be used by field staff in accordance with guidelines established by the University Office of Disability Support Services. When the use of an interpreter is required, field staff and students shall contact the Office of Disability Support Services for guidance; however, in the absence of verified interpreter certification or licensure, the following minimal requirements shall be ensured:
      1. The interpreter shall not be an immediate family member or close family friend of the subject of the PHI, unless the subject of the PHI consents.
      2. The interpreter shall not use or disclose any PHI obtained as a result of providing interpretation services. If at all possible, the interpreter shall sign a confidentiality agreement as set forth in these procedures.
  6. Sanctions. Failure of employees to comply or assure compliance with this procedure may result in disciplinary action, up to and including dismissal.
  7. Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.

HISTORY: Effective March 21, 2003