Piedmont Community Services

Transcription

1 Piedmont Community Services Medical Records Policy Effective: September 1, 2012 Revisions: November 28, 2012 August 1, 2014

2 TABLE OF CONTENTS PURPOSE:... 4 DEFINITIONS:... 4 SECURITY OF THE Electronic Health Record... 5 Security... 5 Electronic Signatures... 6 Information Technology Policies... 7 USE OF THE ELECTRONIC HEALTH RECORD... 8 Adding Individuals to the EHR... 8 Team Assignments... 8 Emergency Access to Individual Records... 8 Case Load Assignments... 9 Discharging Individuals From Services... 9 Transferring Within the Same Program (no discharge)... 9 Completion, Timeliness and Authentication Case Review Process Corrections and Ammendments CONFIDENTIALITY AND DISCLOSURE OF INFORMATION Disclosure with Written Consent: Minor Consumers (individuals under the age of 18) Deceased Consumers: Revocation of Consent: Disclosure without Consent: Medical Emergencies: Disclosure to Courts: Subpoenas for Substance Abuse Records: Court Orders: Third Party Payers: Disclosure to State Hospitals: Disclosure to Accrediting and Licensing Agencies: Child Abuse and Neglect Reporting: Adult Abuse Reporting: Medical Examiner: Re-disclosure of Health Information: Revised: November 28, 2012 Page 2

3 Faxing Information: Copying Fees: Disclosure Process: Business Associate Agreements: RIGHT TO ACCESS PROTECTED HEALTH INFORMATION REQUEST FOR AMMENDMENT OF MEDICAL RECORD MINIMUM NECESSARY POLICY & PROCEDURES Exceptions to the Minimum Necessary Standard Use and Disclosure of PHI Internal to the Agency Use and Disclosure of PHI External to the Agency RETENTION AND DISPOSITION OF RECORDS EMERGENCY ACCESS AND DISASTER RECOVERY Emergency Access Software Escrow Revised: November 28, 2012 Page 3

4 PURPOSE: Piedmont Community Services [PCS] is responsible for collecting health information on the individuals it serves in a timely and service-oriented manner for the purposes of treatment and billing as well as internal and external reviews. This policy establishes guidelines for the contents, maintenance and confidentiality of individual Medical Records that meet the requirements set forth by Federal and State laws and regulations. This policy defines requirements for those components of information that comprise an individual s Legal Medical Record. The Director of Information and Technology is designated as the official records management officer. DEFINITIONS: Authentication: The process that ensures that users are who they say they are. Authentication prevents unauthorized people from accessing data or using another person s identity to sign documents. Covered Entity: A covered entity is any provider who transmits health information in an electronic format. PCS is a covered entity. Designated Record Set ( DRS ): Under the HIPAA Privacy Rule, an individual has the right to access and/or amend his or her protected health (medical record) information that is contained in a designated record set. The term designated record set is defined within the Privacy Rule to include medical and billing records, and any other records used by the provider to make decisions about an individual. In accordance with the HIPAA Privacy Rule, PCS has defined a designated record set to include: A. All Signed/Final Approved provider documentation to include Assessments, Treatment Plans, Plan Reviews, Progress Notes, Crisis Pre-Screenings, MD Orders, MD Notes and Psychiatric Evaluations. B. Billing records including claim information C. The designated record set generally excludes records from non PCS providers. However, if information from another provider or healthcare facility is used in providing patient care or making service decisions, it may be considered part of the PCS Designated Record Set. HIPAA: In 1996 the Health Insurance Portability and Accountability Act (HIPAA) became law. Its purpose is to improve the portability and continuity of health insurance coverage. It requires agencies ( covered entities ) to adopt standards for Code Sets and Transactions, assure privacy and security of confidential protected health care information (PHI), increase provider accountability, and increased consumer rights. It is the intent of PCS to comply with all the requirements set forth by HIPAA. Medical Record: The collection of information (paper or electronic), concerning an individual and his or her health care that is created and/or maintained in the regular course of PCS business in accordance with PCS policies and procedures. Medical records shall contain sufficient, accurate information to identify the individual, support the diagnosis, justify the treatment, document the Revised: November 28, 2012 Page 4

5 treatment and services provided and promote continuity of care among all services provided by PCS. Protected Health Information ( PHI ): PHI is any individually identifiable health information that is created, transmitted or maintained by PCS. If the information is individually identifiable and is health information, then it is protected by HIPAA. Signature: A signature identifies the author or the responsible party who takes ownership of and attests to the information contained in a record entry or document. SECURITY OF THE ELECTRONIC HEALTH RECORD In July 2009, Piedmont Community Services implemented a completely integrated Electronic Health Record [EHR]. This EHR is the official medical record for all consumers receiving services provided by PCS. This section outlines security aspects of the EHR. For detailed usage information, refer to the online help system within the EHR by clicking the help [ ]icon in the upper right hand corner of the home page. The Credible Behavioral Health Electronic Health Record [EHR] is certified as a Complete EHR by the Certification Commission for Health Information Technology (CCHIT ), an ONC-ATCB in accordance with the applicable Eligible Provider certification criteria adopted by the Secretary of Health and Human Services. The EHR supports Stage 1 meaningful use measures required to qualify for funding under the American Recovery and Reinvestment Act (ARRA). SECURITY 1. System Administration: The Information Technology department is responsible for system administration, user setup, security settings and system configuration. An internal task request system has been developed for staff to submit issues that need attention and resolution. 2. User Accounts & Passwords: All EHR user names and passwords will be issued by the IT Department. User accounts will be created and assigned to the appropriate Security Matrix. EHR passwords will expire every 90 days. Passwords must be 8 characters long, consist of upper and lower case letters, contain at least one special character and cannot be any word in the English dictionary. Forgotten passwords may be reset by selecting the Forgot Password link on the login page or contacting the IT Department for assistance. Because some programs prompt you to save user id s and passwords, this could cause a breach in security. If prompted to save user id s and passwords, DO NOT save them on your computer. 3. Termination of Access: The Human Resources department will notify the IT Department upon termination or dismissal of an employee. Access to the EHR will be disabled as soon as the IT Department is notified. 4. Security Matrix: Permissions to allow or restrict access to functions within the EHR are controlled by the security matrix. Multiple profiles are created that group users in different Revised: November 28, 2012 Page 5

6 categories with varying levels of access. Assignment to a security matrix is maintained by the IT Department in consultation with QA and the Supervisor of each user. 5. HIPAA Logs: All access to the EHR is logged with Login Date, User Name and IP Address. In addition to logins, access to all consumer records is recorded in a HIPAA log. The HIPAA log records Date, User Name, Action Taken, Record Accessed and description of changes made. Only System Administrators will have access to the HIPAA Logs. 6. Location and Use: HIPAA and confidentiality laws require that Protected Health Information remain protected. Using computers, tablets, smart phones, etc. and failing to log off properly opens up our database to unauthorized access. Since our EHR is a webbased application, it can be accessed anywhere internet access is available. Staff members are strongly encouraged to only use computers that are secure and to make sure you log off properly. To minimize the risk of a data breach, all PCS laptop computers have been equipped with encryption software. Tampering with or disabling the encryption software is prohibited. 7. Access to Individual Records: Access to an individual s EHR is controlled by team assignments. Direct Care Staff will only have access to records in which the individual and staff member are both assigned. Medical records shall only be accessed in the provision of services or for operational reasons such as billing and system administration. In all instances, each access is recorded in the HIPAA log. 8. Data Breach and Reporting: In the event that confidential protected health information is lost, disclosed to unauthorized parties or suspected of being lost or disclosed, staff must immediately complete a Critical Incident Report and notify the Director of Information Technology. The Director of Information Technology will be responsible for investigating the disclosure and if necessary, notifying the appropriate authorities as outlined in the HIPAA regulations. ELECTRONIC SIGNATURES Electronic signatures are the digital attributes affixed to an electronic document that connect it to a particular person (author) and ensures the integrity of the signed document. Electronic signatures are stored in PCS Electronic Health Record and are protected against unauthorized access by unique user id and password. PCS will utilize electronic signatures to identify and affirm the author of the medical record entries and confirm that the contents are what the author intended. Policy: 1. All consumer health information which requires authentication in the EHR shall be authenticated by electronic signature. 2. The electronic signature shall be the deemed signature of the author and suffice as the written signature of the individual making the entry in the EHR. 3. Staff members shall not share user id s or login information to other users or allow other users to electronically sign documents in which he/she did not author. Revised: November 28, 2012 Page 6

7 Procedures: 1. Upon hire, the IT department will assign a unique user id and password which grants access to PCS s Electronic Health Record. 2. Staff will be assigned to the appropriate Security Matrix in the EHR depending on job duties and responsibilities. 3. Once staff is logged in, they must go to their Employee Profile and record their electronic signature(s) along with appropriate credentials. The EHR only allows staff members access to their digital signature(s). 4. The staff member is required to complete the Electronic Signature Attestation Form indicating that they have recorded their electronic signature(s) and will not share their login credentials with anyone else. This form is then routed to Human Resources and stored in their personnel file. 5. When a staff member resigns or is terminated, the Human Resources Department will immediately notify the IT Department and the user s login and employee profiles will be deactivated. INFORMATION TECHNOLOGY POLICIES In addition to this Medical Record Policy, PCS also has an Information Technology Policy that outlines: Access Control Facility Access Controls Electronic Mail Policy Internet Use Policy Cell Phone / Electronic Device Policy Virus Protection Policy Device and Media Controls Disaster Recovery Plan Fax Policy Password Policy Laptop Security Policy Online Social Networking Policy This Medical Records Policy is not intended to address the areas above that are already outlined in the Information Technology Policy. Revised: November 28, 2012 Page 7

8 USE OF THE ELECTRONIC HEALTH RECORD All individuals receiving any direct or contracted services shall be entered into PCS s Electronic Health Record. Each program or department is responsible for developing protocols that outline the process for admitting (creating) individuals into the EHR as well as discharging (closing) the record when services are completed. The data collected on individuals is a compilation of demographic, clinical and descriptive data about the individual. ADDING INDIVIDUALS TO THE EHR A. To add a new record. a. Click INDIVIDUAL -> ADD INDIVIDUAL b. Choose the TEAM Assignment c. Complete fields on the profile screen d. Required fields are marked with an asterisk ( * ) e. Once fields are complete client CHECK FOR DUPLICATE f. SAVE INDIVIDUAL & COMPLETE B. If a duplicate is found the record will be listed. C. Once the individual record is created: a. Select TEAM and assign to any additional teams as necessary. b. If necessary, update the admission date on the episode record. Once an individual s record is created and appropriate assignments are completed, services may then be entered. TEAM ASSIGNMENTS Team Assignment is the process that assigns individuals to specific teams (programs). Team assignments also determine what type of access providers have to individual records. Once an individual has been opened in the EHR, they should then be assigned to the appropriate Team(s). Services cannot be entered into the EHR until the assignment has been made. Assigning an individual to a team also creates an Episode of Care record. By default, the admission date on the Episode record will be the date the team assignment was made. Service dates cannot be outside of the date range on the episode record. To change the admission or discharge date, providers will have to edit the Episode Record and enter a corrected admission or discharge date. EMERGENCY ACCESS TO INDIVIDUAL RECORDS To protect individuals PHI, direct care providers will only have access to records in which they are providing services. Providers will be able to search for individuals but unless they are assigned to a team that the provider is also assigned, they will not be able to see the detailed service records or add visits. When staff activates the emergency access, it is recorded in the HIPAA Log. Program managers and team leaders will continue to have access to all individual records. Staff can only take emergency access for themselves. You cannot assign access to other employees. Once you Revised: November 28, 2012 Page 8

9 activate emergency access, the individual must still be assigned to the appropriate team(s) in order to enter services. CASE LOAD ASSIGNMENTS Case Load Assignment is the process that assigns individuals to provider caseloads. Assignments are made on the Individual Extended Page in the EHR. Once assignments are made, caseloads may by run utilizing the Individual Advanced Search function. DISCHARGING INDIVIDUALS FROM SERVICES An individual is discharged from a service if any of the following conditions exist; A. It has been determined that no further services in that program are needed, B. The individual has completed receiving services from all CSB services in that program, C. The individual has received no services in 90 days from the date of last face to face, D. The individual is being transferred to another program within the CSB, or E. The individual has relocated or died. Once determined that the individual meets discharge criteria, they must be discharged (unassigned) from the service. To discharge an individual the following must be completed; A. Assure all documentation ( including a Discharge Summary* ) has been completed. B. If transferring to another program, complete TRANSFER INFORMATION section on the Discharge Summary. C. Select appropriate Team and Click UNASSIGN. D. Select appropriate Discharge Status and client SAVE. E. If necessary, update the discharge date on the episode record. * The discharge summary shall include medication and dosages, names, phone numbers and addresses of referrals, current medical issues or conditions and the identity of the treating health care providers. This information should be included in the discharge summary and a printed copy should be given to the individual upon discharge. TRANSFERRING WITHIN THE SAME PROGRAM (NO DISCHARGE) When an individual is being transferred within a service (provider to provider or locality to locality), it is the responsibility of the referring provider to complete a Transfer Summary. This summary record is completed in the EHR and should be reviewed by the receiving provider. The receiving provider shall document in the individual s record that the transfer summary has been reviewed. Revised: November 28, 2012 Page 9

10 COMPLETION, TIMELINESS AND AUTHENTICATION A. Adding Visits: All visits are to be entered on the day of service. Visits must be entered by the employee providing the service. There are two methods for entering visits. Scheduled and unscheduled. Once the form has been completed, verify all fields on the Sign and Submit page are correct and press the [Sign and Submit] button. This will save the visit in the visit list. B. Editing Visits: Visits may be edited for 48 hours from the date of service. All visits should be approved within 48 hours. Only the staff member that created the visit will have rights to edit the visit. To edit the visit, click on the visit ID number in the visit list and click the [Edit Full Visit] button. Once the visit is approved, this button will no longer be available. NOTE: For those services that require same day of service approval, the 48 hour edit window does not apply and must be approved on the day of service. a. Supervisory Review: Supervisors will not have the security right to edit their staff s visits. Supervisors may make supervisory (non-clinical) notes by pressing the [UPDATE] button and entering notes in the header of the visit. Clinically relevant documentation must be documented on a Visit Addendum Form. b. Late Entry: Visits that exceed the 48 hours (excluding weekends and holidays) between the visit date and the sign and submit date will be marked as Late Entry. A report will be available for supervisors to run that list visits by staff member that are marked late. C. Approving Visits: All visits should be approved within 48 hours of the date of service. Once a visit is approved, no further edits will be allowed. A Visit Addendum note must be added for any further edits or comments. D. Signatures: Signatures will not be applied to visits until the visit is approved. Once the visit is approved, signatures will only be visible on the PRINT VIEW. To see signatures attached to the visit you will need to click the [PRINT] button at the top of the visit view. When requests for information are processed, staff should use the Print View to assure that only approved documents with signatures are released. E. Multi-Stage Approvals: Multi-Stage Approval Roles establish a chain of approvals (approvals from multiple providers with different roles). Employees with multi-stage approval roles will not be able to approve visits until the author of the visit has signed and submitted the visit for approval. CASE REVIEW PROCESS A case review process shall exist for each unit of Piedmont Community Services. At a minimum, each department shall develop a case review checklist that addresses issues such as completeness, accuracy, timeliness of entries and quality assurance. At a minimum case reviews shall be Revised: November 28, 2012 Page 10

11 completed on all open records every ninety days. Programs may choose to have case reviews completed in shorter time periods (such as programs that are time limited). CORRECTIONS AND AMMENDMENTS When an error is made in an electronic medical record, the original entry must not be obliterated, and the inaccurate information must still be accessible. Once a visit has been approved, further edits to the electronic form in the EHR will not be allowed. In order to make changes or corrections, staff must complete the Visit Addendum form. This form is in PDF format and is available under the LINKS section on the EHR Home Page. A. Click the link PCS_Visit Addendum Form on the home page. B. Print the completed form and sign the document. Addendums MUST be signed by the provider and when required, the supervisor and consumer signatures should also be obtained. C. Forward the completed form the medical records to be attached to the visit. D. For Treatment Plans Only, you must end the goals you are changing on the treatment plan tab and then do a treatment plan addendum visit in the EHR to assure the correct goals inject into your progress notes. In is not necessary to do a Visit Addendum form for treatment plan updates. Revised: November 28, 2012 Page 11

12 CONFIDENTIALITY AND DISCLOSURE OF INFORMATION Electronic Health Records contain private and confidential information about consumers who receive services from PCS. In order to receive the most effective care, consumers must be able to trust that information shared will be held in confidence. Lack of trust could result in the failure to share information that would improve service planning. All information contained in the Electronic Health Record is confidential and can be disclosed only with proper consent or as required by state and federal laws and regulations. DISCLOSURE WITH WRITTEN CONSENT: In most cases, when confidential information is disclosed, it is disclosed with the written consent of the consumer, the consumer s guardian, or the consumer s legally authorized representative. CSB service providers sometimes need to exchange information with other service providers in order to follow best practice guidelines for treatment planning and coordination. There are also times when consumers request disclosure of information to other parties. Any request for the disclosure of information from the health record will be processed through the medical records department. Medical records staff will review the request to determine the existence of a valid authorization to release confidential information. Required elements of an acceptable written consent are: Name of the program or person permitted to make the disclosure. Name of the program or person to whom the disclosure is to be made. Name of the consumer. Confirmation of consumer identity (Date of Birth or Social Security Number). Purpose of the disclosure. Information to be disclosed. A statement that the consent may be revoked at any time, except to the extent that disclosure has already been made in accordance with the consent. The date, event or condition upon which the consent will expire. The date the consent becomes effective. Signature of the consumer, guardian, or legally authorized representative. A statement prohibiting re-disclosure without written consent. A statement advising the consumer of the risk that the recipient might re-disclose the information despite the prohibition. If a written consent does not meet minimum requirements, medical records staff will send a letter to the requester, outlining the information that must be supplied in order for PCS to release the requested records. Upon receipt of a valid request, medical records staff will assemble the requested information and submit it to the CSB service provider/program Manager for review. After review, the requested information will be released. Revised: November 28, 2012 Page 12

13 MINOR CONSUMERS (INDIVIDUALS UNDER THE AGE OF 18) Disclosure of information from the record of a minor consumer requires the written consent of a parent, guardian, or legal representative, except: When the minor has presented for treatment as an adult. When the minor has been emancipated. When the minor is or has been married. When the minor has presented for Substance Abuse Services. Note: In the event that the parent of a minor consumer is also a minor, written parental consent is sufficient for the release of information concerning the child. DECEASED CONSUMERS: In the case of a deceased consumer, written consent to release information should be obtained in the following order or priority: 1. Executor/Administrator of the Estate 2. Spouse 3. Adult Son or Daughter 4. Either Parent 5. Adult Brother or Sister 6. Other relative in descending order of blood relationship REVOCATION OF CONSENT: Consent to release information may be revoked at any time, except to the extent that disclosure has already been made in accordance with the consent. DISCLOSURE WITHOUT CONSENT: Under certain circumstances, information from the health record may be disclosed without the consumer s consent. Any such disclosure must be limited to that information which is necessary to carry out the purpose of the disclosure. MEDICAL EMERGENCIES: Information from the health record may be disclosed to any treating provider or official who has a need for the information about the consumer in order to treat a condition which poses an immediate threat to the health of the consumer or any other individual. A medical emergency exists when a physical or mental health condition affects any individual and requires immediate Revised: November 28, 2012 Page 13

14 medical intervention. The disclosure should only include information necessary to treat the medical emergency. The disclosure should be documented in the consumer record, and documentation should include the nature of the emergency, the content of the disclosure, the person to whom the disclosure is made, the date and time of the disclosure, and the name of the individual disclosing the information. DISCLOSURE TO COURTS: Properly executed subpoenas will be responded to within the time-frame specified by the subpoena. Any PCS staff member can accept service of a subpoena and direct it to the attention of the appropriate service provider or Program Manager. If the service provider or Program Manager questions the merits of the subpoena, PCS legal counsel will be consulted. Legal counsel can move to have the subpoena quashed so that the court may rule on its merits. In civil matters, psychotherapy notes documenting or analyzing the content of conversation during a counseling session with licensed counselors, psychologists, social workers and physicians are privileged. This does not include medication and prescription monitoring, counseling session start and stop times, treatment modalities and frequencies, clinical test results, or any summary of symptoms, diagnosis, prognosis, functional status, treatment plan, or assessment of the consumer s progress to date. Exceptions to privilege include: When the physical or mental condition of the consumer is at issue in the action. In matters related to child abuse and neglect. When the court deems disclosure to be necessary for the proper administration of justice. SUBPOENAS FOR SUBSTANCE ABUSE RECORDS: When a consumer s record contains information regarding substance use disorder diagnosis, treatment, or referral for treatment, the information can only be released when a subpoena is accompanied by a Subpart E Court Order (Ref. 42 CFR, Part 2, Subpart E). Upon receipt of a subpoena that is not accompanied by a Subpart E Court Order, the health care provider must move to have the subpoena quashed. Upon receipt of a subpoena issued by the consumer s attorney, the requested information can be released with the written consent of the consumer, eliminating the need to have the subpoena quashed. A copy of the subpoena should be scanned and maintained in the individual s record. COURT ORDERS: Upon receipt of a properly executed court order, the requested information should be released in accordance with the order. The disclosure should be documented in the consumer record, and documentation should include the content of the disclosure, the person to whom the disclosure is made, the date and time of the disclosure, and the name of the individual disclosing the information. A copy of the court order should be scanned and maintained in the individual s record. Revised: November 28, 2012 Page 14

15 THIRD PARTY PAYERS: When a consumer requests that a claim be submitted to a third party payer for reimbursement, information released should be limited to the following: Consumer name and policy/contract number Date of Birth, Address, Phone Number(s), Date of admission to services Date(s) of service Date of onset of symptoms Date of discharge or termination from services Diagnosis with brief, substantiating information Brief description of services provided, including treatment modalities, medications ordered and administered, and number of hours spent in therapeutic activities Identification of consumer status (inpatient or outpatient) Consumer relationship to the policyholder or contract subscriber Polycy holder name, DOB, address phone number & employer information In the event that the third party payer is unable to settle the claim based on the information provided above, a physician employed by the third party payer may request additional information stating the reasons for the request. The additional information may then be forwarded to the third party payer. DISCLOSURE TO STATE HOSPITALS: When a consumer who is deemed suitable for discharge or his guardian or conservator refuses to authorize the release of information that is required to formulate and implement a discharge plan as specified in subsection A of , then PCS may release without authorization to those service providers and human service agencies identified in the discharge plan only the information needed to secure those services specified in the plan. DISCLOSURE TO ACCREDITING AND LICENSING AGENCIES: CSB accreditation, federal and state licensure surveyors may have access to health information to the extent necessary to enable the surveyors to conduct reviews for the purpose of licensure or accreditation. Authorization of the consumer or his/her legal representative is not required in such cases, provided the survey reports do not identify any individual. A confidentiality statement shall be signed by the surveyor s to attest to the above agreement. CHILD ABUSE AND NEGLECT REPORTING: All staff who has reason to suspect that a child is abused or neglected shall immediately report the matter to the local department of Social Services. The person making the report is required, upon request, to make available to the child protective services coordinator and the local department of Revised: November 28, 2012 Page 15

16 social services any records or reports which document the basis for the report of suspected child abuse. ADULT ABUSE REPORTING: All staff who has reason to suspect than an adult is abused, neglected or exploited shall report the matter immediately to the local department of Social Services. The reporting requirement is intended to protect the elderly and those who are under mental or physical disability. The person making the report is required to disclose any records or reports that document the basis for the report of suspected abuse, neglect or exploitation. MEDICAL EXAMINER: The medical examiner s office is expressly authorized to investigate the cause and manner of the death of any person from trauma, injury, violence, poisoning, accident or homicide, or sudden death when in good apparent health RE-DISCLOSURE OF HEALTH INFORMATION: Any information received from another service provider used in the consumer s diagnosis and treatment shall be maintained permanently in the consumer s record. Even though information from another service provider is maintained in the EHR, staff shall not re-disclose or otherwise reveal health records of an individual from an another service provider, beyond the purpose for which such disclosure was made, without first obtaining the individual s specific written authorization to such re-disclosure. FAXING INFORMATION: Faxing of protected health information shall only occur when the printed copies from the EHR or mail delivered copies cannot meet the needs of immediate emergency care. 1. Fax machines must be located in a secure area with limited access. 2. Accompany each disclosure with a cover letter including the following: a. Date and time of transmission. b. Sending facility s name, address, phone #, fax #, senders name. c. Receiving facility s name, address, phone #, fax #, and authorized receiver s name. d. Number of pages including cover memo. e. Statement regarding re-disclosure. f. Statement of destruction. g. Instructions for authorized receiver to verify receipt. Revised: November 28, 2012 Page 16

17 3. INTERNAL USE: If possible, use the original record for exchanging information within the CSB. If information must be faxed, once the information has been used, destroy the fax copy or return copies to the medical records department. 4. EXTERNAL USE: The fax machine should not be used for routine release of information to insurance companies, attorneys or other non-health care providers. 5. MIS-DIRECTED FAX: If a fax does not reach the intended recipient, fax a request to the incorrect fax number. Explain the misdirected fax and ask for destruction of all documents received from PCS. Complete an incident report and forward it to the Director of Information Technology. COPYING FEES: A reasonable charge, not to exceed fifty cents per page for up to fifty pages and twenty-five cents a page for the remainder and a fee for searching and handling not to exceed ten dollars, may be made for such copies. These charges may be waived if PCS deems the case exceptional. DISCLOSURE PROCESS: All requests for information shall be processed through the medical records department. Medical records staff will review the request to determine whether or not it meets the minimum requirements for release. If the request meets the requirements, the appropriate information is gathered and routed to the appropriate service provider(s) for approval. Approval of the service provider(s) is required prior to releasing any information. Once provider approvals have been completed, the information may be released to the requestor. All disclosures of information (PHI) must be documented. To document the disclosure the staff member releasing the information must complete the Info Disclosure form in the EHR. If the individual is closed (not assigned to a team), assign him/her to the Administration Team and enter the information. Once the Info Disclosure is created, scan and attach the original request for information document to the visit along with the approval form signed by the provider. BUSINESS ASSOCIATE AGREEMENTS: A Business Associate Agreement (BAA) governs the relationship between two parties who are exchanging protected health information and services. The agreement serves as a guideline for how the information may be used so that both parties are properly protected in case of legal problems. It is the policy of PCS to execute a Business Associate Agreement with any agency in which routine exchange of PHI will occur. The HIPAA Security Officer will be responsible for completing and maintaining the BAA s. Revised: November 28, 2012 Page 17

18 RIGHT TO ACCESS PROTECTED HEALTH INFORMATION It is the policy of Piedmont Community Services (PCS) that each individual served has a right to inspect and/or obtain a copy of their protected health information (PHI) maintained in his/her own service record. An individual s legally authorized representative has the same right as the consumer. PCS will supply protected health information to individuals served upon request EXCEPT FOR: PROCEDURES: 1. Any information compiled in reasonable anticipation of, or use in a civil, criminal, or administrative action or proceeding. 2. The individual served is an inmate of a correctional facility and if the information could jeopardize the health, safety, security, custody or rehabilitation of the individual served or other inmates, or the safety of any officer, employee or other person at the facility or responsible for the transportation of the inmate. 3. The individual served is involved in research that includes treatment and he/she has consented to not have access to his/her health information while the research is in progress. Access to the protected health information will resume upon completion of the research. 4. The individual s attending psychiatrist or psychologist has determined that the information could be injurious to the individual s physical or mental health, well being, or the life and safety of another person. (Reference: Code of Virginia ; ; :03) 1. The individual served may request to inspect and/or obtain a copy of his/her protected health information; the request for access must be made in writing to the consumer s primary service coordinator. 2. The individual served may request to inspect and/or obtain a copy of his/her protected health information for as long as it is maintained in a designated record set. 3. If a individual served requests to inspect and/or obtain a copy of his/her protected health information the PCS shall: a. Determine if there are any grounds for the request to be denied. b. The attending psychiatrist or psychologist determines that the individual s life or physical safety might be in jeopardy if he/she has access to his/her protected health information, and, the attending psychiatrist or psychologist has made a part of the individual s medical record a written statement that, in his/her opinion, the furnishing to or review by the individual served of his/her protected health information would be injurious to the individual s health or well-being. c. Another person s life or physical safety might be in jeopardy if the individual served has access to his/her protected health information. Revised: November 28, 2012 Page 18

19 d. The information contains reference to another person and the information could cause harm to that person. e. The individual s legally authorized representative makes the request and the attending psychiatrist or psychologist has determined that access by the individual s legally authorized representative could result in harm to the individual served or another person. 4. If PCS denies the individual served access to the requested information, PCS shall: a. Provide the individual served with a written explanation of why access was denied within 15 days of the request (Reference Code of Virginia ). This explanation is to include the reason for the denial and information on how to file an appeal/ complaint with PCS. (Include the name, title, telephone number and address of the contact person(s) or office). b. Honor the right of the individual served to request that a denial for access be reviewed by another psychiatrist, psychologist or attorney (designated by the individual served) who did not participate in the original decision to deny access. c. Give the individual served access to any other health information requested that is not covered by the denial. 5. If accepted, provide the individual served with the requested health information within 15 days of the request. 6. If the information is in duplicate or at more than one location, PCS only has to provide one copy of the information to the individual served. 7. PCS will provide the individual served with the requested healthcare information in the format requested by the individual served -- either hard copy or electronic. 8. PCS may provide the individual served with a summary of the requested healthcare information instead of the actual information providing the individual served agrees in advance. 9. PCS will arrange with the individual served a convenient time and place to review the requested health information in the presence of the Program Manager or to mail a copy of the information at the individual s request. 10. PCS may charge the individual served a fee for providing the information. The fee includes the costs of copying the material, labor, supplies, postage, and preparing a summary (if the individual served desires a summary). The Code of Virginia provides that copying charges shall not exceed $0.50 per page for each page up to 50 pages and $0.25 a page thereafter. All postage and shipping costs may be charged. Pre-payment of copying charges is preferred. 11. If PCS does not possess the information the individual served requests, but knows where it is maintained, PCS shall inform the individual served where to direct his/her request for access. Revised: November 28, 2012 Page 19

20 REQUEST FOR AMMENDMENT OF MEDICAL RECORD It is the policy of Piedmont Community Services (PCS) to respond to the request of an individual served to amend the medical record of that individual if the individual believes information in his/her service record is incomplete or incorrect. PROCEDURES: 1. After reviewing his/her health information, the individual served may request an amendment to the information in the record. a. The individual served requests in writing an amendment to his/her primary service coordinator, including the reasons why he/she wants an amendment to the information. b. The agency has 60 days to act on the request to amend the information. If the agency cannot act on the request within 60 days, the agency may extend the time period once for an additional 30 days. The agency will write a letter to the individual served explaining the need and reasons for an additional 30 days and the expected date the decision about the request will be made. 2. In response to a request to amend health information, the agency: a. May deny the request if the information was not created by the agency; b. May deny the request if the individual who created the information that the individual served wants amended is no longer an employee of the agency; c. May deny the request if the information in the record is currently accurate and complete. 3. If the agency denies the request to amend the information, the agency shall: a. Write the individual served a letter explaining the reason(s) for the denial. b. Explain in the denial letter steps the individual served may take to appeal the agency s decision. c. Explain in the denial letter that if the individual served does not appeal the agency s decision, he/she may request the agency to include the request for amendment by the individual served and the denial with any future releases of the disputed health information. d. Explain how the individual served may file an appeal to the agency by giving the individual the name, address, and telephone number of the Privacy Officer. Revised: November 28, 2012 Page 20

21 e. Review a written appeal statement from the individual served disagreeing with the denial of all or part of the requested amendment. f. Prepare a written response to the statement of disagreement of the individual served and provide a copy to the client. i. Identify the information that the individual served wanted amended and attach the client s request for amendment, the agency s denial of the request, the client s statement of disagreement and the agency s written rebuttal. ii. Include the request for amendment by the individual served and the denial to make the amendment with any future releases of the information if the client has not submitted a written statement of disagreement. 4. If at any point the agency honors the request for amendment: a. The agency shall make the amendment. The minimum amendment accepted is identifying the information to be amended then providing a link to the amended information. b. Inform the individual served that the amendment(s) is accepted. c. Obtain from the individual served the names and addresses of individuals who need to have the amended information. d. Attempt to reach those individuals who need to have the amended information. e. Attempt to contact other persons or business associates regarding the amended information if the information was detrimental to the client. 5. Document in the progress notes of the individual served medical record the names and titles of the employees responsible for receiving and processing the request for amendment. Revised: November 28, 2012 Page 21

22 MINIMUM NECESSARY POLICY & PROCEDURES The Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to take reasonable steps to limit the use or disclosure of protected health information (PHI) to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Piedmont Community Service Board will adhere to the standards set by HIPAA and the ethical principles of the agency to insure that only information that is required to fulfill the stated purpose of the services, and that required by law, will be disclosed. EXCEPTIONS TO THE MINIMUM NECESSARY STANDARD The minimum necessary standard does not apply in the following circumstances: Disclosures to or requests by healthcare providers for treatment purposes Disclosures to the individual who is the subject of the information Uses or disclosures made pursuant to an authorization requested by the individual Uses or disclosures required for compliance with the standardized HIPAA transactions Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes Uses or disclosures that are required by other law USE AND DISCLOSURE OF PHI INTERNAL TO THE AGENCY Piedmont Community Service Board will insure the Minimum Necessary Standard is met by: Identifying the persons or classes of persons in the workforce who need access to PHI. Identifying the categories of PHI to which access is needed. Developing and implementing procedures to insure that disclosure of PHI is limited to the amount reasonably necessary to achieve the purpose of the disclosure Maintaining standards of good practice to assure reasonable precautions are taken to prevent inadvertent and unnecessary disclosure, such as limiting discussion in public areas Developing and implementing procedures for review of requests for access Utilizing security features of the EHR to restrict access to records in which there is no service need. Persons or Class of Persons Who Need Access to PHI and Categories of PHI to Which Access is Needed In order to appropriately comply with Minimum Necessary Standards and effectively maintain healthcare operations, access will be determined by a role-based assessment and context-based assessment: Complete access to a client's PHI will be available to the direct service provider, his/her immediate supervisor, and other providers on the same service unit/team Revised: November 28, 2012 Page 22

23 Emergency Services/ Crisis Intervention staff will have access to all clients' PHI Medical Records staff will have complete access to all clients' PHI Reimbursement staff will have access to all clients' PHI, as needed, to handle transactions Information Technology staff will have complete access to all clients' PHI Data Entry staff will have access to all client's PHI, as needed, to complete data entry Procedures to Insure Disclosure of PHI is Limited to the Amount Reasonably Necessary to Achieve the Purpose of the Disclosure Internal to the agency, there are numerous and varied ways in which PHI is used and disclosed for treatment and healthcare operations. To insure adherence to the standards, the following questions will be considered to determine appropriate safeguards are in place: a. What PHI is necessary to complete the task? b. What PHI can be omitted and healthcare operations continue unimpeded c. Who will have access to the information disclosed in the healthcare operation under review? Procedures are also to be in place to ensure that the minimum necessary is disclosed: a. Staff will be trained in HIPAA standards. b. Supervisors will be available for consultation. c. The agency s Privacy Officer will be available for consultation and will be responsible for handling any complaints. d. Periodic audits by the Quality Assurance Department 2. Precautions to Prevent Inadvertent and Unnecessary Disclosure Staff will be trained about the need to take reasonable precautions to prevent inadvertent and unnecessary disclosure, such as disclosure that can occur if discussions were held in areas with public access. 3. Procedures for Review of Request for Access Medical Records Staff will periodically audit procedures to assure compliance with all confidentiality and Minimum Necessary standards. Corrective action will be taken as needed and appropriate. Revised: November 28, 2012 Page 23

24 USE AND DISCLOSURE OF PHI EXTERNAL TO THE AGENCY 1. Authorization to Release Information The Authorization form indicates the specific information to be disclosed or requested. Only the minimum necessary information needed to accomplish the intended purpose will be disclosed or requested. The form contains an explanation of confidentiality and Privacy Rule standards for the client's information. Client's must give informed, voluntary consent to any disclosure of PHI, and may revoke the authorization at any time. 2. Routine and Non-routine Requests and Disclosures For routine and recurring requests and disclosure, individual review of each request is not necessary. Agency staff will limit information that is disclosed or requested to the minimum necessary to achieve the purpose of the disclosure. If a covered entity is requesting information, staff may rely on the judgment of the party requesting the disclosure as to the minimum necessary amount of information that is needed. However, if the agency staff member has concerns that more than the minimum necessary is requested to be disclosed, the staff member may, in consultation with his/her supervisor, make his/her own minimum necessary determination for disclosure. For non-routine requests or disclosure, agency staff, with the guidance of their direct supervisor, shall determine the minimum necessary that is needed to achieve the purpose of the disclosure. Some guidelines are: The medical record in its entirety will not routinely be copied Portions of the medical record will not routinely be copied If a request or disclosure is for treatment information, a summary of client contact may be prepared which includes: the client's name, date of birth, service dates, purpose for seeking services, diagnosis and assessment information, type and duration of services received, outcomes of services received, and discharge summary information and referral, if appropriate. Substance abuse information will only be shared if the Authorization for Release of Information specifically states that information is to be disclosed or in accordance with 42 CFR. Medical information such as diagnosis of TB, AIDS, HIV or other infectious disease will only be shared if the Authorization for Release of Information specifically states that information is to be disclosed. Agency staff will not routinely list all options on the Authorization for Release of Information, for information to be disclosed or requested. Agency staff must be very specific as to what is being requested or disclosed, applying the minimum necessary standard. Third party information is to be considered part of the Designated Record Set, and may be disclosed in accordance with this policy and applicable law. Revised: November 28, 2012 Page 24