Question

Two of the most significant developments in the relationship between law and medicine during the twentieth century are the doctrines of Confidentiality & Informed Consent.

CASE STUDY

You are the Director of Health Information Services at a medium-size health care facility providing general, emergency, and pediatric care. Because of downsizing and consolidation of managerial functions, you are also responsible for staff education in your facility.

Discuss how you would structure and present an inservice program to staff members of various departments that addresses confidentiality policies and procedures of your facility and the legal bases underlying these policies and procedures.  

Answer 1

Hospital confidentiality policy and procedures

Policy:

It is the policy to respect and protect the right to confidentiality and privacy of all patients and Staff concerning their healthcare, personal, or employment information. All Staff are responsible to maintain the confidentiality of this information protecting it against loss,
defacement, tampering, access, or use by unauthorized individuals.

Confidential Information: Verbal communications, written records, computer-based information, other
electronic, visual or digital media, photographs and films, observations, including but not limited to:
Individually Identifiable Health Information: Information, including demographic
information, that is created or received by a healthcare provider and relates to the past, present, or future physical or mental health or condition of an individual. The information either identifies the individual or there is a reasonable basis to believe the information could be used to identify the individual.

Health Care Information: All information and records, in any form, related to the
physical or mental health of a patient prepared by or under the supervision of a healthcare provider, e.g., diagnosis, treatment, prognosis, condition, or other information contained in medical records, photographs, video tapes, or verbal reports.

Personal Information: Patient birth date, social security number, address, phone number, admission and discharge dates, appointment or visit dates, doctor’s name, family or social information, financial information.

Employment Information: Employee address, birth date, telephone number, personnel file, job application, performance appraisal, discipline, termination, investigations, compensation and benefits.

Business Information: Confidential business information is information of a proprietary nature related to the operations, finances, marketing or strategic plans.

Designated Record Set: A group of records maintained by or for a covered entity that
includes the medical records and billing records about individuals maintained by or for a covered health provider, used in whole or in part, by or for the covered entity to make decisions about individuals. For purpose of the Privacy Rule, the term record means any item, collection, or grouping of information that includes protected health information

Procedure:
Authorized Users of Confidential Information:
1. Authorized users of healthcare and personal information include those Staff who have a job-related need-to-know and are:

a. Providing direct care and treatment to the patient, or
b. Required to use healthcare or personal information to perform their assigned job

c. Specifically authorized by the patient to have access to their confidential
information.
2. Authorized users of employment information include those Staff who have a job-related
need-to-know and are:
a. Specifically authorized by an Employee to have access to his/her employment
information, or performance

b. Responsible for hiring, discipline, evaluation, or termination of an Employee

c. Responsible for responding to employment-related complaints, e.g., grievances, discrimination, harassment, etc.

d. Required to use employment information to accomplish their job responsibilities or meet legal or regulatory obligations.

3. patient health care record encompasses all records related to the health and treatment of the patient prepared by or under the supervision of a healthcare provider. It includes paper and computer-based information and other electronic, visual or digital media from inpatient, outpatient, and emergency care.

4. Access is provided to hospital employees meeting the definition of

Authorized Users and based on their job related need-to-know as defined.


5. All information generated or handled, whether paper-based or computer-based
information and other electronic, visual or digital media is considered the property of hospital.

6. Contact the Legal Department

7.Employees are afforded the same confidentiality as all other
patients. Access to healthcare and personal information is limited to authorized users,based on their job related need-to-know.


8. While the healthcare record is the property of hospital, the patient generally has control over the disclosure of information from the record.

9. Employees may be asked to provide information about a patient's healthcare to others.
Patient healthcare information is confidential. You may respond only when providing this information is part of your assigned job responsibility and you have:

a. the patient's authorization to disclose the information, or
b. you are allowed or required to disclose the information by state law, federal law,

10. When it is not part of your job to disclose confidential information, refer the requester .

11. If the request is from the news media, refer the requester to the Trauma & Emergency

12. Telephone inquiries are to be handled with discretion. Verify the identity of the caller. Information is disclosed only when the conditions outlined above are met.

13. All inquiries and requests for employment information related to job applicants, current and former Employees, should be referred to the Human Resource Service Center for response.

14. Employees may be asked to provide employment information. Employment information is confidential. You may respond only when providing this information is part of your assigned job responsibility.

15. When disclosure of confidential employment information is not part of your job, refer the requester to the Human Resource Service Center.

16. Original medical records may not be destroyed.

17. All paper materials containing protected health information or employee identification or other confidential information shall be placed in designated confidential collection containers that are picked up for shredding on a regular basis. If a confidential collection container is not available, the patient or employee identification must be destroyed by tearing into quarters or using a personal shredder.

18. All non-paper items containing patient or employee identification shall be sent off site for incineration in the regular waste stream. Before placing these items into the regular waste container, obliterate the person's identification.

19. Applicant and employment information shall be destroyed based on relevant legal
guidelines. Such information shall be destroyed by tearing into quarters or depositing in designated containers for disposal.

20. Employees who become aware of unauthorized access or inappropriate handling, use, sharing, or disclosure of confidential information shall contact the Legal Department

21. Patients who believe that their confidential information has been accessed, reviewed, disclosed or handled inappropriately shall be referred to the Legal Department.

22. The Legal Department and Human Resources shall investigate each alleged breach of confidentiality.

23. Violations of this policy may result in disciplinary action up to and including termination of employment.

24. Healthcare information is protected by state and federal law. Employees who
inappropriately access, use, or disclose confidential healthcare information may be
personally subject to civil and/or criminal punishment.