Policy 1109: Medical Records Access
YAKIMA COUNTY FIRE DISTRICT 12
10000 ZIER ROAD
YAKIMA, WA 98908
POLICY # 1109
COMMISSION CHAIR SIGNATURE: s/b Ken Eakin, Chair
EFFECTIVE DATE: 03/01/05
REVISED DATE: 06/10/08
POLICY TITLE: ACCESS, ACCOUNTING, SECURITY, DISCLOSURE AND COMPLAINTS
1.0 PURPOSE
To outline levels of access to Protected Health information (PHI) for various members of Yakima County Fire District 12, and to provide a policy and procedure on limiting access, disclosure, and use of PHI. To provide policies outlining patient rights and the District’s responsibilities in fulfilling patient requests. Security of PHI is everyone’s responsibility.
2.0 DIVISIONS AFFECTED
All divisions.
3.0 REFERENCES
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
4.0 ACCESS
4.1 Yakima County Fire District 12 retains strict requirements on the security, access, disclosure and use of PHI. Access, disclosure and use of PHI will be based on the role of the individual member in the organization, and should be only to the extent that the person needs access to PHI to complete necessary job functions.
4.2 When PHI is accessed, disclosed and used, the individuals involved will make every effort, except in patient care situations, to only access, disclose and use PHI to the extent that only the minimum necessary information is used to accomplish the intended purpose.
4.3 Patients may exercise their rights to access, amend, restrict, and request an accounting, as well as lodge a complaint, with either Yakima County Fire District 12 or the Secretary of the Department of Health and Human Services.
4.4 The Privacy Officer for Yakima County Fire District 12 is the appointed District Secretary.
4.4.1 Privacy Officer will oversee District policies on patient privacy and to monitor compliance.
4.4.2 The District will not retaliate against any member who expresses concern or complaint about any policy or practice related to the safeguarding of patient information.
5.0 ACCOUNTING
5.1 All patient records will be kept and maintained at the District’s Administrative Office.
5.2 All patient accounting requests should be received directly from a patient or a legal personal representative.
5.3 All uses and disclosures of a patient’s PHI, made by the District, must be documented for accounting purposes except:
5.3.1 Disclosures to carry out treatment, payment and health care operations.
5.3.2 For national security or intelligence purposes.
5.3.3 Uses and disclosures incident to an unaccountable use or disclosure.
5.3.4 A common use or disclosure that must be accounted for and information provided upon a request for accounting is the disclosure of PHI in response to a subpoena, summons or warrant.
6.0 SECURITY
6.1 Verbal Security
6.1.1 If patients are in waiting areas to discuss the service provided to them or request copies of PHI, security and privacy is crucial. Take patients to a private area before engaging in discussion if necessary.
6.1.2 Personnel should exercise due regard when discussing potential PHI. Conversations about patients and their health care should not take place in areas where those without a need to know are present.
6.1.3 Members should ONLY discuss patient care information with those who are involved in the care of that patient, regardless of your physical location. Members should be sensitive to their level of voice and to the fact that others may be in the area when you are speaking. This approach is not meant to impede anyone’s ability to speak with other health care providers freely when engaged in the care of the patient. When it comes to treatment of the patient, members should be free to discuss all aspects of the patient’s medical condition, treatment provided, and any of their health information you may have in your possession with others involved in the care of the patient.
6.2 Physical Security
6.2.1 Patient care records, including MIR’s are to be stored in safe and secure areas. When any paper records concerning a patient are completed, they must be secured in the lock box provided at each station. Only those with a need to have the information for the completion of their job duties should have access to any paper records.
6.3 Computers
6.3.1 Computer access terminals and other remote entry devices should be kept secure at all times. Access to any computer device should be by password only. Members should be sensitive to who may be in viewing range of the monitor screen and take simple steps to shield viewing of the screen by unauthorized persons.
7.0 DISCLOSURE
Any disclosure of PHI for law enforcement purposes must meet the following conditions:
7.1 Disclosure pursuant to laws that require the reporting of certain types of conditions, like firearm injuries, burns, child or elder abuse and / or neglect and other disclosures required of pre-hospital providers by Washington State law.
7.2 Disclosures pursuant to a court-ordered warrant or a subpoena or summons issues by a judicial officer. (Note: this is different than a subpoena issued by an attorney or a party in litigation).
7.3 Disclosures as ordered by a grand jury subpoena.
7.4 Disclosures as ordered by an administrative subpoena or summons by an authorized agency if the information sought is relevant and material to a legitimate law enforcement inquiry, and provided that the request is specific and limited in scope.
7.5 Disclosure to a law enforcement official for purposes of identifying or locating a suspect, fugitive, material witness or missing person. However, the only PHI that maybe released for such purpose includes name, address, date and place of birth, blood type, type of injury, date and time of treatment, date and time of death, if applicable, and description of distinguishing physical characteristics such as weight, hair color, eye color, gender, presence or absence of facial hair, scars and tattoos. (Note: absent a subpoena or other legal process, HIPAA Privacy Rule does not permit disclosure of PHI to law enforcement officers for purpose of assisting generally in their investigation or building a case against the suspect.)
7.6 Disclosures regarding victims of a crime. Pre-hospital EMS providers may disclose PHI about a crime victim to a law enforcement official if the affected individual agrees to the disclosure. However, the PHI may be disclosed to law enforcement without the individual’s agreement if the agreement cannot be obtained due to the individual’s incapacity or other emergency, and if the law enforcement official needs the information to determine whether a violation of the law has occurred. Law enforcement must assure the pre-hospital provider that the information will not be used against the victim. Law enforcement also must represent that waiting until the patient is capable of agreeing to the disclosure would compromise an immediate law-enforcement activity.
7.7 Pre-hospital providers and other covered entities may disclose PHI to a coroner or medical examiner for the purpose of identifying the deceased person, det