TITLE: Internal Use of Protected Health Information
Originating Dept/Committee: HIPAA Implementation Team
Original Date: 7/31/03
Revised: 11/02, 11/03; 09/15
This policy issues instructions regarding Workforce Members’¹ internal use of identifiable client information. Obligations relating to the HIPAA² Privacy Regulations are addressed in this policy as they apply to the requirements on The Crossroads Center’s internal use of Protected Health Information³.
This policy applies to all Crossroads Center programs and, as applicable, to all Crossroads workforce members.
In compliance with HIPAA Privacy Regulations, The Crossroads Center will make reasonable efforts to ensure that only the minimum necessary⁴ amount of protected health information (only information that is required to accomplish the intended function) is disclosed, used, or requested by its employees.
1 Workforce Members - employees, volunteers, trainees, contract workers and other persons whose conduct, in the performance of work for Crossroads Center, its offices, programs or facilities, is under the direct control of Crossroads Center, office, program or facility, regardless of whether they are paid by Crossroads Center.
2 HIPAA – The Health Insurance Portability and Accountability Act of 1996 established standards and requirements for health care providers to protect confidential patient information.
3 Protected Health Information (PHI) - individually identifiable health information relating to past, present or future physical or mental health or condition of a client, provision of health care to a client, or the past, present or future payment for health care provided to a client. PHI includes information that is transmitted or maintained in any form or medium, except educational and other records covered by the Family Educational Rights and Privacy Act; and employment records held by Crossroads Center in its capacity as employer.
4 Minimum Necessary Use – limiting use to only the PHI that is required to carry out the duties of the workforce member when acting as an agent of Crossroads Center.
5 ICR – acronym for Individual Client Record; refers to the client’s chart within the agency.
Exceptions to the Minimum Necessary requirement are explained below:
- PHI may be disclosed to the client to whom the PHI pertains (the individual who is the subject of the information);
- PHI may be disclosed in accordance with an Authorization of Release requested by the individual;
- PHI may be disclosed to healthcare providers for treatment purposes, for disclosures required to comply with the standardized HIPAA transactions or otherwise required by the HIPAA regulations or other law;
- PHI may be disclosed to the Secretary of the U.S. Department of Health and Human Services when requested to investigate or determine The Crossroads Center’s compliance with Privacy Regulations.
Procedures: For all situations excluding those listed in the above exceptions, the following procedures will be implemented to ensure that this Minimum Necessary policy is enforced effectively across all parts of the organization.
- Access to PHI – All Crossroads Center staff who are involved in the exchange of a Crossroads Center client’s PHI between Crossroads Center staff will make reasonable efforts to limit each PHI user’s access to only the PHI that is needed to carry out his/her job-related duties. Reasonable efforts will include, but are not limited to, the following procedures.
- Internal staff may access client’s PHI only if their job position is listed in the Authorized Users Chart in this document.
- Before a Crossroads Center employee makes a request for information, s/he will verify that access is authorized according to the Authorized Users Chart. If uncertainties arise, the matter should be taken to the Privacy Officer for a decision.
- Discussions, as well as other forms of communication, in which a client’s identity or other PHI (e.g., SSN, address) may be disclosed should be limited to settings and methods that restrict employees who are not Authorized Users from accessing this information.
- Visitor is defined as any spouse, significant other, sibling, child[ren], extended family member or personal friend of a Crossroads employee. Visitors are permitted to visit a Crossroads employee during business hours only. Visitors must first stop at the reception desk in the lobby to obtain [and wear] a visitor badge, and also sign in and sign out on the daily Visitor Sheet. In the event the visitor is a minor, the Crossroads employee/parent will sign in for the minor on the daily Visitor Sheet.
When a Crossroads employee receives a visitor, that Crossroads employee accepts full responsibility for protecting any client PHI that is located in his/her personal work space.
- Access to PHI – High Profile Cases –
- For certain high profile situations, the Crossroads Center Executive Team may determine that additional privacy and security requirements are necessary. Under these circumstances, the CEO and/or Executive Team will generate and administer specific guidelines, on a case-by-case basis.
- These guidelines may put additional restrictions on accessing and using a client’s information. However, all Crossroads Center’s requirements for HIPAA, including the Minimum Necessary Use requirements specified in this document, shall be observed first and foremost.
- Authorized Users of PHI – Please refer to the attachment, Crossroads Center’s Users Authorized to Access PHI, which identifies each user of PHI, the category or categories of PHI to which access is needed, and any conditions appropriate to access of PHI. Only users identified in this chart may access PHI. Authorized users of High Profile cases must first have authorization from the CEO or Executive Team as discussed in the above section.
- Training – All Crossroads Center staff will be trained on the policies and procedures developed to apply the principles concerning the use, disclosure of, or requests for PHI. The Crossroads Center staff will be trained on a regular basis regarding this policy. Newly hired employees will be provided with an overview of confidentiality/HIPAA policies and procedures by the Vice President of Clinical Operations. Refresher training will be held for all employees, annually, and whenever changes/additions are implemented.
- Responsibility - Each employee shares the responsibility of the Crossroads Center to adhere to this policy. It is the employee’s responsibility to only access/use the minimum necessary client information required to carry out his/her job duties within the Crossroads Center. Similarly, it is each employee’s responsibility to take reasonable precautions so that a client’s PHI is not accessed/used in violation of the restrictions established within this policy. For example, using an alias name instead of the client’s actual name is a good precaution during case presentations because it de-identifies the client and therefore PHI is not being shared. A rule of thumb is to apply careful consideration in situations where protected information about a client may be inadvertently exposed (e.g., do not leave client PHI on the copy machine; do not discuss a client’s PHI in hallways).
- Violations - When there is concern that access to or use of PHI is being handled in ways that violate this policy, this PHI incident should be reported to the Quality Assurance Office. The following information should be provided: Date, Time, Staff Involved, Description of Inappropriate Access/Use of PHI.