Confidentiality, Privacy, and Security of Patient Information
It is the policy of Tactile Medical (the “Company”) that all personal information and Protected Health Information (PHI) concerning patient service or care shall be treated confidentially and appropriately secured to minimize the risk of breach or unauthorized access. This applies to patient information in any format (e.g. electronic, paper, telephonic, fax). PHI includes electronic PHI (EPHI). PHI is information about the patient, including demographic information, that may identify the patient and that relates to the patient’s past, present or future physical or mental health or condition and related health care services. PHI may be used and disclosed by the Company, its office staff, and others outside of the Company who are involved in the patient’s service, care and treatment for the purpose of providing health care services to the patient, obtaining payment for the patient’s healthcare bills, supporting the operations of the Company, and any other use required by law.
Each patient will receive, at or before the start of service, a HIPAA Notice of Privacy Practices, which describes how the Company may use and disclose PHI. Typically, PHI will be used for treatment and payment purposes. For example, obtaining approval for equipment or supplies may require the relevant PHI be disclosed to the health plan. On occasion, PHI may be used for appropriate healthcare operations. These activities include, but are not limited to, performance improvement activities, employee improvement activities, accreditation activities, and conducting or arranging for other business activities. For example, the Company may disclose a patient’s PHI to accrediting agencies as part of an accreditation survey. Any other use must be appropriately authorized by the patient or his/her representative. The Company will exercise sound business judgment to determine the minimum PHI necessary to fulfill treatment and payment needs.
Staff will provide written information to patients, and answer questions related to confidentiality and privacy of information as included in the Client Bill of Rights and Responsibilities and Notice of Privacy Practices, during or prior to initial set-up.
Staff will discuss patient-related information with Company personnel only on a need-to-know basis. Access to a patient’s records is limited to Company staff and appropriately contracted individuals or organizations. At or prior to the time of set-up, each patient or that patient’s legal representative will sign a Patient Consent form, which includes consent for the use and disclosure of PHI. After a patient’s death, PHI may be released to family members and others who were involved in the patient’s care prior to death, unless the disclosure would be inconsistent with the patient’s expressed wishes.
All Company staff will receive training in the confidentiality and security of patient information at orientation and annually. These trainings will be documented, and the documentation will be maintained in the employee’s personnel training record. The employee will acknowledge that all confidential information, including passwords and any information received or transmitted by computer, will remain confidential. All faxes containing PHI require a cover sheet or similar notice stating the confidentiality of the information being transmitted. E-mail transmissions of PHI will be sent via secure, encrypted transmission and will contain a statement concerning the confidentiality of the information being transmitted. Phone and verbal disclosures of PHI may only occur after the employee has verified the identity of the person with whom the PHI is being discussed, and the employee may only provide the information required for treatment, payment, or healthcare operations.
Reasonable measures will be taken to ensure the security of records against loss, defacement, tampering, and unauthorized use. Records will be stored in a manner that minimizes the possibility of damage from fire and water. Staff will be instructed to secure papers, files, records, and devices that may contain PHI/EPHI (iPads, smart phones, laptops) to reduce the risk of unauthorized access and theft.
Personal identifying information will be eliminated from Performance Management and other reports generated by the Company unless otherwise required.
Patient information will not be displayed in areas accessible to the public or unauthorized personnel. Tactile has adopted a Clean Desk Policy which requires that no patient information be left out in the open on top of desks, on computer screens, or otherwise publicly visible at the end of the day. For corporate employees, patient information should be stored in a closed file cabinet or drawer, computers should be restarted or locked, and any documents containing PHI that need to be disposed of should be placed in the “Shred It” bins for proper disposal or removed from plain view (i.e. put in a drawer or file cabinet for later placement in a “Shred It” bin). Employees should lock their computer before leaving their desk during the work day, using Windows Key + L or CTRL-ALT-DELETE followed by “Lock”. Violation of this Clean Desk Policy could result in PHI being misappropriated or accidentally exposed, resulting in a possible breach.
Any non-employee having access to records (e.g., contracted individuals, billing services, etc.) is required to sign a Business Associate Agreement, which will be kept as part of their contract. The agreement requires that the associate keep confidential any patient information they may receive or be privileged to know. The business associate is required to have a business associate agreement with any downstream subcontractors that may have access to PHI.
Original records should not be removed from the office unless authorized by senior management or the Compliance Officer, or required by court order. The Compliance Officer or senior manager is responsible for determining what portion of the record may be copied for client/patient care purposes, holding staff members accountable for copies in their possession, and ensuring that copies are returned to the office for destruction.
Records will be available for review by licensing, regulatory, and accrediting bodies as appropriate.
All Company staff and contractors (Business Associates) have an affirmative duty to promptly report any breach or suspected breach of PHI/EPHI. Civil and criminal sanctions may be imposed, as permitted by law, upon any staff and/or contractors in the event of a violation. Patients shall be promptly notified as required by law in the event of a breach. To the extent required by law, privacy breaches shall be reported to the media and/or regulatory authorities.
Retention
PHI will be retained consistent with state and federal law and regulations, in accordance with Tactile Medical’s Record Retention Policy and Record Retention Schedule.
Destruction of PHI
PHI maintained in paper format will be destroyed at the end of the retention period. All paper documents that contain PHI will be destroyed using an acceptable method of destruction. Acceptable methods of destruction include shredding, incineration, pulverization, and use of a bonded recycling company. Documentation will be retained verifying the appropriate destruction. Record destruction is completed by a third-party business data record services company. Validation of off-site record destruction will be confirmed with a Certificate of Destruction which will attest to destruction of the records and include:
- Date of destruction (the date(s) the records were destroyed).
- Destroyed by (name(s) of the individual(s) responsible for destroying the records).
- Witness (name(s) of the person(s) witnessing the destruction).
- Method of destruction (the method used to destroy the records).
- Description of what was destroyed.
Prior to destruction of boxed items, the Company will verify the retention period has expired.
The Company will maintain evidence of destruction documents in accordance with the Records Retention policy.
It is the policy of the Company to ensure the privacy of PHI as well as to ensure that such information is used and disclosed in accordance with all applicable laws and regulations. Any concerned individual has the right to file a complaint concerning privacy issues without fear of reprisal. All patients or their personal representatives are notified of their right to complain to the Company or the Department of Health and Human Services as outlined in the Company’s Notice of Privacy Practices. All concerns may be communicated by telephone, mail, email, or in person. Complaints regarding PHI can include, but are not limited to, allegations that:
- PHI was used or disclosed improperly;
- Access or amendment rights were wrongfully denied; or
- The Company’s Notice of Privacy Practices does not reflect current practices accurately.
Upon receipt of a complaint regarding privacy or PHI, the complaint will be documented in accordance with the Complaint Handling Procedures. The Privacy Officer shall review and investigate the complaint to determine whether a violation of the law or Company policy has occurred. The Privacy Officer shall maintain documentation of all complaints received and their disposition for the period defined in the Company Record Retention Policy.
Breaches of the confidentiality of client/patient PHI must be investigated, and if the incident is determined to constitute a reportable breach, the affected individual(s) will be notified. All required state and federal reports will be completed as required.