HIPAA

It shall be the policy of Hurley Medical Center to protect the confidentiality of each patient’s medical information, and to that end, no medical information may be released without proper authorization of the patient or as may be required by State and/or Federal law.

It shall be the responsibility of all employees of Hurley Medical Center having access to/or information about patients, their admission, diagnosis or treatment, to protect the confidentiality of such information. All information about patients, their admission, diagnosis and treatment is absolutely confidential and is never to be used or disclosed to anyone with the exception of: the patient, persons authorized by the patient, persons having a treatment-related need to know the information, or as authorized or required by law. Any collection, maintenance, access, or disclosure relating to information in the medical records or computer files is legally and ethically considered privileged information and protected by Federal and State law.

It is the responsibility of all employees to adhere to HIPPA requirements for the protection of patient health information. All employees shall be instructed and advised, by their supervisor, regarding procedures relating to patient information, confidentiality, and proper procedure to follow relative to minimum necessary disclosure of medical information.

Use or disclosure of protected health information (PHI) without proper authorization except as provided by State and/or Federal law may result in discipline, including discharge and/or prosecution in the event that such disclosure violates State and/or Federal law.

PROCEDURE:

1. Except as indicated in this policy, and the policy pertaining to the Health Information Services which applies to its employees, no department of the Medical Center may release medical information from the patient’s record unless a valid authorization for release has been obtained. To be considered valid, a general authorization for release of medical information must contain, at a minimum:
   • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. The name or other specific identification of the person(s) or class of persons, authorized to make the requested use or disclosure.
   • A name or other specific identification of the person(s), or class of persons, to whom HMC may make the requested use or disclosure.
   • A description of each purpose of the requested use or disclosure. The statement “at the request of the patient” is sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose.
   • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
   • Signature of the individual and date. If the authorization is signed by a personal representative of the patient, a description of such representative’s authority to act for the patient must also be provided.

2. No employee may discuss patient information with persons not involved in the care and treatment of the patient without express authorization, preferably written, from the patient or authorized patient representative, if applicable. The competent patient should determine those persons who may receive information. If the patient is present for, or otherwise available prior to, a use or disclosure, and has the capacity to make health care decisions, Hurley may use or disclose the protected health information of it: (1) obtains the patient’s agreement; (2) Provides the patient with the opportunity to object to the disclosure, and the individual does not express an objection; or (3) Reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure. Hurley may use or disclose PHI to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the patient, or another person responsible for the care of the patient of the patient’s location, general condition, or death. Any such use or disclosure of PHI for such notification purposes must be in compliance with (1), (2) or (3) above, as applicable. If the patient is not competent, the authorized representative may make these decisions. Any questions concerning whether an individual is authorized to receive patient information should be referred to the employee’s supervisor; however, the general policy is that the patient must authorize the release of patient information. If the matter remains unresolved, the chain of command should be utilized to resolve the question. Risk Management should be contacted for any unresolved questions beyond that point.

3. Inquiries to Information Desk, nursing staff, and other involved Medical Center staff about patients should be handled by first explaining the confidentiality policy and then processing in the following manner:

   • Psychiatric patients, substance abuse patients and patients opting out of the hospital directory:
     Telephone inquiries:
     A. Persons inquiring about psychiatric patients, substance abuse patients and patients opting out of the hospital directory will be informed that there is no information on that person.
     B. If persistent, persons inquiring about psychiatric patients, substance abuse patients, and patients opting out of the hospital directory shall be communicated this message: “I can take your name and number and if that person is here, I’ll see that that person gets it.”
     C. If the person remains adamant, instruct the person that a supervisor will discuss the situation with them and contact the Public Safety supervisor or House Director.
     D. If unresolved at that point, contact Administration on call.
     Visitor’s inquiries: Information Desk, nursing personnel and other involved Medical Center staff will ask for visitor’s name and the patient’s name.
     A. If a visitor appears at the Information Desk or nursing unit to visit a psychiatric patient, substance abuse patient, or patient opting out of the hospital directory, the visitor’s name will be checked with the patient and against the physician’s orders and the treatment plan. If approved, the visitor may be allowed to visit and written permission from the patient is advised. If not approved, the visitor should be told, “I’m sorry, there is no information on that person” and an explanation of the confidentiality policy provided.
     B. If the visitor remains adamant, ask them to have a seat and tell them that the supervisor will be with them in a moment.
     C. Contact the Public Safety Supervisor or House Director.
     D. Public Safety Supervisor/House Director should inform the visitor that “I’m sorry, but there is no information on that person,” and attempt to defuse the situation.
     E. If at all possible, discreetly try and contact the patient or patient family member, unless the visitor has been specifically restricted.
     F. If unable to defuse and the visitor has no other valid reason to be on the premises, ask visitor to leave. Proceed in accordance with the Public Safety policy on trespassers if visitor refuses to leave.

   • BED and critical care patients: if the opportunity to agree or object to the use or disclosure of protected health information (PHI) cannot practicably be provided because of the patient’s incapacity or an emergency situation, HMC, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient. If so, disclose only the PHI that is directly relevant to the person’s involvement with the patient’s health care. When the bona fide medical emergency requires information release without patient authorization, the following should be documented:
     A. Name of individual making the disclosure;
     B. Nature of the emergency;
     C. What the disclosure was;
     D. Name of individual to whom disclosure made;
     E. Date and time of the disclosure;
     F. Why authorization was unable to be obtained.

   • All other patients:
     Telephone/Visitor inquiries:
     A. Persons inquiring about all other patients, unless directed otherwise by the patient or hospital administration, should be provided with the condition (fair, good, serious, critical) and location of the patient.
     B. If further information is sought by a caller or visitor:
     • The caller/visitor may be referred directly to the patient’s telephone/room in keeping with telephone/visiting guidelines.
     • The caller/visitor may be referred to the patient’s family if the patient is not able to respond.
     • When indicated, the patient/appropriate spokesperson may be solicited by staff for direction regarding information to specific individuals. If the patient/appropriate spokesperson directs that information to specific individuals be provided, this direction shall be documented.

4. All employees will be instructed and advised, at orientation and at their annual evaluation, of the existence and content of the policy on patient confidentiality and, at orientation, requested to sign the attached Notice of Confidentiality Requirements form. An employee’s refusal to sign shall be indicated on the Notice of Confidentiality Requirements form. The original form shall be placed in the employee’s personnel file and a copy forwarded to Risk Management.

5. It shall be the policy of Hurley Medical Center that facsimile transmission of health information is to be considered sensitive and should be conducted only within the procedure specified herein. The information contained in health records should be transmitted via facsimile only when: (1) urgently needed for patient care, (2) required by a third party payer for ongoing certification of payment for hospitalized patient, or (3) required by the pertinent physicians of record to ensure prompt care through office follow-up. Sensitive health information dealing with mental health, chemical dependency, sexually transmitted diseases and HIV should be made through regular mail or messenger service, unless the need to fax meets one of the noted exceptions. The information transmitted should be limited to that necessary to meet the requester’s needs.  Routine disclosure of information to insurance companies, attorney’s, or other legitimate users should be made through regular mail or messenger service.

6. Except as required by law, a properly completed and signed authorization should be obtained prior to the release of patient information. An authorization transmitted via facsimile is acceptable. If authorization cannot be obtained in cases of explained medical emergency, information may be released for patient care without authorization from the patient or legal representative. (See Section 3B).
   The cover page accompanying the facsimile transmission should include the following:
   • Date of the fax.
   • Sender’s name, address, telephone and fax numbers.
   • The authorized recipient’s name, telephone and fax numbers.
   • Number of pages submitted.
   • Confidentiality notice that indicates the information is confidential and limits its use:

   “The information contained in this facsimile message may be privileged and confidential information intended only for the use of the individual or entity named above.  If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying is strictly prohibited.  The authorized recipient of this information is prohibited from disclosing this information to any other party and is required to destroy the information after its stated need has been fulfilled.

   If you have received this communication in error, please immediately notify us by telephone, and return the original message to us at the above address via the U.S. Postal Service.”

   Faxes with PHI should be deposited in a secure/confidential place when they are delivered and not, for example, left in an area that passersby can see.

   Reasonable efforts should be made to assure the facsimile transmission is sent to the appropriate destination. Destination numbers should be pre-programmed into facsimile machines, if possible, to eliminate errors in transmission from incorrect dialing. Cover sheets should be placed on the bottom of the batch transmission so that it ends up on top of the confidential information at the receiving end. See the attachment to this Standard Practice for the appropriate cover sheet to use during facsimile transmission of any confidential information at Hurley Medical Center.

   All patient records and charts maintained in a department should be secured as much as possible from inappropriate access. When possible, such records should be stored in locked cabinets or areas. When confidential paper records are to be discarded or destroyed, they will be shredded, taken to a secured recycling area or disposed of in other ways so as to protect confidentiality.

   Hurley Medical Center is committed to safeguarding PHI. Staff should immediately report to the Privacy Officer any incidents where incoming or outgoing faxes have compromised a patient’s right to privacy.

   Management staff members considering disciplinary action against any employee for violation of this Standard Practice should consult with the Labor Relations Department to ensure fair and even handed actions. Any disciplinary action related to breaches of confidentiality should not include patient names.

   All information about patients, their admission, diagnosis and treatment is absolutely confidential and is never to be disclosed or repeated to other than authorized persons having a need to know the information. All collection, maintenance, access, or disclosure relating to information in the medical records or computer files is legally and ethically considered privileged information and protected by Federal and State law. UNAUTHORIZED ACCESS, USE OR DISCLOSURE of this personal, confidential information, MAY SUBJECT YOU TO CIVIL ACTION by the individual to whom the information pertains AND BE CAUSE FOR LEGAL ACTION. I understand that the system keeps track of every access by user, date, time and terminal. Individuals with questions regarding confidentiality should refer those questions to Hurley Medical Center Administration.