BACKCOUNTRY THERAPEUTICS, LLC
HIPAA POLICY AND PROCEDURE MANUAL
The purpose of this policy is to provide guidelines for the safeguarding of Protected Health Information (“PHI”) in the Backcountry Therapeutics, LLC (BCT) Facility and to limit unauthorized disclosures of PHI that is contained in a client/patient’s Medical Record, while at the same time ensuring that such PHI is easily accessible to those involved in the treatment of the client.
The policy of BCT is to ensure, to the extent possible, that PHI is not intentionally or unintentionally used or disclosed in a manner that would violate the HIPAA Privacy Rule or any other federal or state regulation governing confidentiality and privacy of health information. The following procedure is designed to prevent improper uses and disclosures of PHI and limit incidental uses and disclosures of PHI that is, or will be, contained in a Medical Record. At the same time, BCT recognizes that easy access to all or part of a client/patient Medical Record by health care practitioners involved in a client/patient’s care (nurses, attending and consulting physicians, therapists, and others) is essential to ensure the efficient, quality delivery of health care.
The Administrator and all staff members are responsible for the security of all Medical Records.
BCT owner Andrea Rapson and the Practice Administrator shall periodically monitor the Facility’s compliance regarding its reasonable efforts to safeguard PHI.
Safeguards for Verbal Uses
BCT shall follow these procedures, where reasonable, for any meeting or conversation where PHI is discussed.
Meetings during which PHI is discussed:
- Specific types of meetings where PHI may be discussed include, but are not limited to:
  - Daily Standup or Department Head meetings
  - Interdisciplinary Plan of Care meeting
  - Bill review meetings
  - Family Care Conference
- Meetings will be conducted in an area that is not easily accessible to unauthorized persons.
- Meetings will be conducted in a room with a door that closes, if possible.
- Voices will be kept to a moderate level to prevent unauthorized persons from overhearing.
- Only staff members who have a “need to know” the information will be present at the meeting. (See the Policy “Minimum Necessary Uses and Disclosures.”)
- The PHI that is shared or discussed at the meeting will be limited to the minimum amount necessary to accomplish the purpose of sharing the PHI.
- Telephones used for discussing PHI are located in as private an area as possible.
- Staff members will take reasonable measures to assure that unauthorized persons do not overhear telephone conversations involving PHI. Reasonable measures may include:
  - Lowering the voice
  - Requesting that unauthorized persons step away from the telephone area
  - Moving to a telephone in a more private area before continuing the conversation
- PHI shared over the phone will be limited to the minimum amount necessary to accomplish the purpose of the use or disclosure.
- In treatment rooms
- With client/patient/family in public areas
- With authorized staff in public areas
Reasonable measures will be taken to assure that unauthorized persons do not overhear conversations involving PHI. Such measures may include:
- Lowering the voice
- Moving to a private area within the Facility
- If in a treatment room, closing the door
Safeguards for Written PHI
All documents containing PHI should be stored in a locked cabinet in a locked room to reduce the potential for incidental use or disclosure. Documents should not be accessible to any unauthorized staff or visitors.
- Active Medical Records shall be stored in an area that allows staff providing care to clients/patients to access the records quickly and easily as needed.
- Authorized staff shall review the Medical Record in the office.
- Active Medical Records shall not be left unattended in any area where clients/patients/visitors and unauthorized individuals could easily view the records.
- Medication Administration Records, Treatment Administration Records, report sheets and other documents containing PHI shall not be left open and/or unattended.
- Only authorized staff shall review the Medical Records. All authorized staff reviewing Medical Records shall do so in accordance with the minimum necessary standards.
- Medical Records shall be protected from loss, damage and destruction.
Active Business Office Files:
Active Business Office Files shall be stored in a secure area that allows authorized staff access as needed.
Thinned Records, Inactive Medical Records:
- Thinned and inactive Medical Records will be filed in a systematic manner in a location that ensures the privacy and security of the information. The Owner and Practice Manager shall monitor storage and security of such Medical Records. When records are left unattended, records will be in a locked room, in a locked file cabinet or closet.
- The Owner and Practice Manager will identify and document those staff members with keys to stored Medical Records. The minimum number of staff necessary to assure that records are secure yet accessible shall have keys allowing access to stored Medical Records. Staff members with keys shall assure that the keys are not accessible to unauthorized individuals.
- Inactive Medical Records must be signed out if removed from their designated storage area. Only authorized persons shall be allowed to sign out such records.
- Records must be returned to storage promptly.
- In the event that the confidentiality or security of PHI stored in an active or inactive Medical Record has been breached, the BCT Owner and Practice Manager shall be notified immediately.
- BCT procedure will be followed if Medical Records are missing.
- In the event of a change in ownership of BCT, the Medical Records shall be maintained as specified in the Purchase and Sale Agreement.
Inactive Business Office Files:
Inactive Business Office Files shall be stored in a systematic manner in a location that ensures privacy and security of the information.
PHI Not a Part of the Designated Record Set:
- Use of “shadow” charts or files is prohibited.
- Any documentation of PHI shall be stored in a location that ensures, to the extent possible, that such PHI is accessible only to authorized individuals.
Office Equipment Safeguards
- Only staff members who need to use computers to accomplish work-related tasks shall have access to computer workstations or terminals.
- All users of computer equipment must have a unique login and password.
- Passwords shall be changed every 90 days.
- Posting, sharing and any other disclosure of passwords and/or access codes is strongly discouraged.
- Access to computer-based PHI shall be limited to staff members who need the information for treatment, payment or health care operations.
- BCT staff members shall log off their computers/workstations when leaving the work area.
- Computer monitors shall be positioned so that unauthorized persons cannot easily view information on the screen.
- Employee access privileges will be removed promptly following their departure from employment.
- Employees will immediately report any violations of this Policy to the Owner or Practice Manager.
Printers, copiers and fax machines:
- Printers will be located in areas not easily accessible to unauthorized persons.
- Documents containing PHI will be promptly removed from the printer, copier or fax machine and placed in an appropriate and secure location.
- Documents containing PHI that must be disposed of due to error in printing will be destroyed by shredding, then incineration.
Documentation that is not part of the Medical Record and will not become part of the Medical Record (e.g., report sheets, shadow charts or files, notes, lists of vital signs, weights, etc.) shall be destroyed promptly by shredding and incineration when it is no longer needed.
Prior to the disposal of any computer equipment, including donation, sale or destruction, BCT must determine whether PHI has been stored on this equipment and will delete all PHI prior to the disposal of the equipment.