STATEMENT OF PURPOSE:

Transcription

1 Policy Number: Page: Page 1 of 5 STATEMENT OF PURPOSE: The purpose of this policy is to provide guidelines on the appropriate use of Secure for patient/physician communications and transmission of Protected Health Information via the OUHSC Exchange system. OU Physicians Clinics should use Secure Messaging via the IDX Centricity Electronic Medical Record (EMR). DEFINITIONS: (1) Secure - an application that allows messages sent via OUHSC Exchange system to be delivered to an recipient in the form of a URL. The message resides on a secure server through a logon with a username and password. (2) Expired Message - a message that has been delivered to the recipient s address and has not been accessed via the URL link within the specified time (14 days), after which the URL and the message become inaccessible. (3) Patient Reply - patient response to the message. (4) Critical Results - results that require immediate intervention or are lifethreatening. (5) Protected Health Information (PHI) - any information about health status, medical treatment, or payment for health care that can be linked to an individual. (6) Release of Information: a signed authorization is required if the patient requests a copy of their medical record. A physician may release a patient s medical record / information directly to the patient without a signed authorization form, if it is the physician s desire (versus the patient s request) that the patient have the information. (7) Sender - the provider or designee who initiates the secure message. SCOPE: This policy addresses the Secure functionality available in the OUHSC MS Exchange/Proofpoint system. It is not intended to provide direction regarding any other messaging application.

2 Policy Number: Page: Page 2 of 5 POLICY: The primary contact address for the patient will be maintained by the sending department. Secure will not be utilized for: Advertising and marketing Release of personal health information / medical records Recruiting of patients Dismissal of patients (1) Communication: a) A number of types of Secure communication are allowed, such as typical test results, appointment reminders, etc. (If results are abnormal but acceptable, this should be reflected in the communication.) b) Critical Results shall not be communicated electronically until the patient has already had contact via another form of communication or all other methods of communication have been exhausted. c) All patient/physician communications sent via Secure should be included in the patient medical record. The MS Exchange system is a transport system and not designed to be an EMR or to store Protected Health Information. d) Certain results should be communicated only in person and should not be communicated via Secure Message; i.e., new cancer diagnosis, new HIV diagnosis. e) Personnel with the need to send or receive PHI should request approval from their supervisor or the clinic medical director / clinic administrator. f) Providers should respond to a patient message within 5 days of receipt. A disclaimer must accompany secure messages advising the patient to contact the clinic by other means if concern is warranted. If a provider is unavailable to respond in a reasonable time, a designee must be identified. g) Grammar and content should reflect the professional clinic conversation that would be used with the patient in person. Grammar shortcuts are not acceptable. Only approved abbreviations should be used. Expletive or derogatory comments are not to be included.

3 Policy Number: Page: Page 3 of 5 h) No PHI may be included in the subject line of a message. i) The default setting must include the following language in all messages in accordance with OUHSC policy: Confidentiality Notice This , including any attachments, contains information from clinic name, which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution, or use of the contents of this is prohibited. If you have received this in error, please notify the sender immediately by a reply to sender only message and destroy all electronic and hard copies of the communication, including attachments. (2) Message Expiration: a) Secure Messages will expire in 14 days. Once expired: b) Notification will be given to the sender that the message has not been retrieved, with the option to manually resend. c) Documentation in the chart will be retained to show the message was not retrieved. (3) Attachments: An attachment may be sent via Secure , with the following guidelines: Records should not be attached as a mechanism for release of information (see Definition 6, Page 1) Only signed test results may be attached. For any abnormal result attached, the message must contain in narrative an explanation / interpretation of the abnormal results and any follow-up action needed. Attachments may originate only from the patient s chart.

4 Policy Number: Page: Page 4 of 5 (4) Referrals: Information on referral appointments may be sent via secure message if the appointment is greater than 14 days out. If the appointment is less than 14 days out, another form of notification must be used. (5) Inappropriate use of Secure Messaging: a) By Patients: Inappropriate use is to be identified by the clinic staff or provider and includes, but is not limited to: inappropriate language threatening language requesting release of information requesting medication / treatment without a recent visit i. Response to inappropriate use shall be via one or more of the following: Redirect to the appropriate entity, i.e. (release of information requests are referred to Medical Records) Notify the patient of inappropriate use Disable Secure Messaging Account Phone: Redirect to the appropriate entity, i.e. (release of information requests are referred to Medical Records) Notify the patient of inappropriate use Disable Secure Messaging Account

5 Policy Number: Page: Page 5 of 5 b) By OU Staff: Written Response: Necessary if the patient is going to be dismissed Inappropriate use is to be identified by the Clinic Management. The incident shall be reviewed by the Medical Records Committee. Recommended action shall be carried out by Clinic Management. Disciplinary action may include, but is not limited to: verbal warning written warning performance improvement plan suspension termination Depending upon the severity of the incident, immediate termination may be appropriate. (8) Patient Passwords: Patients who are unable to remember their secure messaging password and/or remember the two security questions to reset/change their password must complete a Secure Messaging Password Reset form. LEGAL/CONTRACT/OUHSC REFERENCE: Consent for Electronic Communication via 45 CFR Parts 160 & 164 Staff Handbook Section 3.22 OUHSC HIPAA Privacy-18, Safeguards