Confidentiality, Privacy, and Security of Patient Information

Original Effective Date 2008 (Policy 45)
ACHC Standards DRX2-5A; DRX2-5C; DRX5-1C
Related Documents Data Breach Investigation and Mitigation Checklist; 700749 Notice of Privacy Practices; 700915 Patient Bill of Rights and Responsibilities; 700585 Record Retention Policy; 700122 Complaint Handling Procedure; 700888 Information Security Program

It is the policy of Tactile Medical, the “Company”, that all personal and Protected Health Information (PHI) concerning patient service or care shall be treated confidentially and appropriately secured to minimize risk of breach or unauthorized access. This includes patient information in any format (i.e. electronic, paper, telephonic, fax, etc.). PHI includes electronic PHI (EPHI). PHI is information about the patient including demographic information that may identify the patient and that relates to the patient’s past, present or future physical or mental health or condition and related health care services. PHI may be used and disclosed by the Company, the office staff, and others outside of the Company that are involved in the patient’s service/care and treatment for the purpose of providing health care services to the patient, to pay the patient’s healthcare bills, to support the operation of the Company, and any other use required by law.

Each patient will receive, at or before the start of service, a HIPAA Notice of Privacy Practices, which describes how the Company may use and disclose PHI. Typically, PHI will be used for treatment and payment purposes. For example, obtaining approval for equipment or supplies may require the relevant PHI be disclosed to the health plan.  On occasion, PHI may be used for appropriate healthcare operations. These activities include, but are not limited to, performance improvement activities, employee improvement activities, accreditation activities, and conducting or arranging for other business activities. For example, the Company may disclose a patient’s PHI to accrediting agencies as part of an accreditation survey.  Any other use must be appropriately authorized by the patient or his/her representative. The Company will exercise sound business judgment to determine the minimum PHI necessary to fulfill treatment and payment needs.

Staff will provide written information to patients, and answer questions related to confidentiality and privacy of information as included in the Client Bill of Rights and Responsibilities and Notice of Privacy Practices, during or prior to initial set-up. 

Staff will discuss patient-related information with Company personnel only on a need-to-know basis. Accessibility to a patient’s records is to be limited to Company staff and appropriately contracted individuals or organizations. At or prior to time of set-up, each patient or that patient’s legal representative will sign a Patient Consent form which includes a consent for the use and disclosure of PHI. PHI may be released to family members and others who were involved with the care of the individual prior to death, unless the disclosure would be inconsistent with the individual’s expressed wishes. 

All Company staff will receive training in confidentiality and security of patient information at  orientation and annually. These trainings will be documented. and will be maintained in the employee’s personnel training record. The employee will acknowledge that all confidential information, including passwords and any information received or transmitted by computer, will remain confidential. All FAX including PHI require a cover sheet or other similar notice stating the confidentiality of the information to be transmitted. E-mail transmissions of PHI will be sent via secure, encrypted transmission and contain a statement concerning the confidentiality of the information to be transmitted.  Phone and verbal transmissions of PHI may only occur if the employee is assured of the identity of the person the PHI is discussed with and the employee may only provide the information required for treatment, payment, or healthcare operations 

Reasonable measures will be taken to ensure the security of records against loss, defacement, tampering, and unauthorized use. Records will be stored in a manner that minimizes the possibility of damage from fire and water. Staff will be instructed to secure papers, files, records, and devices that may contain PHI/EPHI (iPads, smart phones, laptops) to reduce the risk of unauthorized access and theft.

Personal identifying information will be eliminated from Performance Management and other reports generated by the Company unless otherwise required.

Patient information will not be displayed in areas accessible to the public or unauthorized personnel. Tactile has adopted a Clean Desk Policy which requires that no patient information be left out in the open on top of desks, on computer screens, or publicly visible at the end of the day.  For corporate employees, patient information should be stored in a closed file cabinet or drawer, computers should be restarted or locked and any documents containing PHI that need to be disposed of should be placed in the “Shred It” bins for proper disposal or removed from plain view (i.e. put in a drawer or file cabinet for placement later in a “Shred It” bin).  Employees should lock their computer before leaving their desk during the work day using CTRL-ALT-DELETE or Windows Key + L. Violation of this Clean Desk Policy could result in PHI being misappropriated or accidentally exposed resulting in a possible breach.  

Any non-employee having access to records (e.g., contracted individuals, billing services, etc.) are required to sign a  Business Associate Agreement which will be kept as part of their contract. The agreement requires the associate keep confidential any patient information they may receive or be privileged to know. The business associate is required to have a business associate agreement with any downstream subcontractors they have that may have access to PHI. 

Original records should not be removed from the office unless authorized by senior management, the Compliance Officer, or by court order. The Compliance Officer or senior manager is responsible for determining what portion of the record may be copied for client/patient care purposes, holding staff members accountable for copies in their possession, and ensuring that copies are returned to the office for destruction.

Records will be available for review by licensing, regulatory, and accrediting bodies as appropriate.

All Company staff and contractors (Business Associates) have an affirmative duty to promptly report any breach or suspected breach of PHI/EPHI. Civil and criminal sanctions may be imposed, as permitted by law, upon any staff and/or contractors in the event of a violation. Patients shall be promptly notified as required by law in the event of a breach. To the extent required by law, privacy breaches shall be reported to the media and/or regulatory authorities. Retention

PHI will be retained consistent with state and federal law and regulations in accordance to Tactile Medical’s Record Retention Policy and Record Retention Schedule.

Destruction of PHI

PHI maintained in paper format will be destroyed at the end of the retention period.  All paper documents that contain PHI will be destroyed using an acceptable method of destruction. Acceptable methods of destruction include shredding, incineration, pulverization, and use of a bonded recycling company. Documentation will be retained verifying the appropriate destruction. Record destruction is completed by a third-party business data record services company. Validation of off-site record destruction will be confirmed with a Certificate of Destruction which will attest to destruction of the records and include: 

  1. Date of destruction (date(s), records are destroyed).
  2. Destroyed by (name(s) of the individual responsible for destroying the records).
  3. Witness (name(s) of the person witnessing the destruction).
  4. Method of destruction (method used to destroy records), and
  5. Description of what was destroyed

Prior to destruction of boxed items, the Company will verify the retention period has expired.

The Company will maintain evidence of destruction documents in accordance with the Records Retention policy. 

Complaints

It is the policy of the Company to ensure the privacy of PHI as well as to ensure that such information is used and disclosed in accordance with all applicable laws and regulations.  Any concerned individual has the right to file a complaint concerning privacy issues without fear of reprisal. All patients or their personal representatives are notified of their right to complain to the Company or the Department of Health and Human Services as outlined in the Company’s Notice of Privacy Practices. All concerns may be communicated by telephone, mail, email, or in person.  Complaints regarding PHI can include, but are not limited to, allegations that:

  • PHI that was used/disclosed improperly;
  • Access or amendment rights were wrongfully denied; or
  • The Company’s Notice of Privacy Practices does not reflect current practices accurately.

Upon receipt of a complaint regarding privacy or PHI, the complaint will be documented in accordance with Complaint Handling Procedures . The Privacy officer shall review and investigate to determine if a violation of the law or company policy has occurred. The Privacy Officer shall maintain documentation of all complaints received and their disposition for a period defined in the company Record Retention PolicyBreaches to confidentiality of client/patient PHI must be investigated and if the incident is determined to constitute a reportable breach,  the affected individual(s) will be notified. All required state and federal reports will be completed as required. 

PROTECTED HEALTH INFORMATION

BREACH INVESTIGATION and MITIGATION CHECKLIST

In the event your laptop, iPad, iPhone or any other portable electronic device that may contain patient Protected Health Information is lost or stolen, please review the following checklist and take immediate action:

If the loss is of a company-owned OR personal smartphone or tablet containing EPHI: IMMEDIATELY contact Presidio (local: 612-213-2600; toll free: 1-855-264-4696, available 24x7x365). Report the situation and ask for an immediate “wipe” of all information from the affected electronic device(s). In the event a Presidio support agent isn’t available to immediately take your call, leave a message on the Presidio support voicemail system with the best number for an on-call representative to reach you for the purposes of reporting the loss.

If the loss is of a personal smartphone or tablet containing EPHI through a connection to your company email account, you must call Presidio to request a remote wipe of the device. Only after confirming the device has been wiped can you contact your wireless service provider (e.g. Verizon, AT&T; Sprint; etc.). to report the situation and request suspension of service to the device. If service is suspended before the device is wiped there is no way to remotely access the device to perform the wipe.  

Service provider numbers for major providers:  

  • Verizon: 1-800-922-0204
  • T-mobile: 1-800-937-8997
  • AT&T: 1-800-331-0500
  • Sprint: 1-888-211-4727

If you have a different provider, please ensure you know what number to call.

If the loss is of a company-owned laptop: Because our laptops are fully encrypted, the risk of data breach in the event of a lost or stolen laptop is minimal, as long as your password is known only to you. We can track the location of stolen laptops using our CompuTrace system, and in some cases we have been able to recover stolen laptops using this system. Email your manager, Carl Skildum, and Sunday Hoy with the following information: 

  • Date and time of theft (include time zone)
  • Address of theft
  • Was power cord stolen
  • Details of theft (last known location of the device and how it was stolen)
  • Police Agency (name of police agency to which the loss was reported)
  • District/Division/Precinct Number
  • Police File Number
  • Investigating Officer
  • Police Agency Phone

You do NOT need to contact Presidio regarding lost or stolen laptops unless you suspect that the thief may know your passwords – in that case, request password changes for your email and network accounts from Presidio as soon as possible.

Notify the following individuals regarding any lost or stolen laptops, iPads, iPhones, or smartphones: Tactile Medical Security Officer (Carl Skildum, 612-355-5206 or cell 612-205-2333), Tactile Medical Compliance Officer (Sunday Hoy, 612-355-5121 or cell 612-867-9748), and your direct manager.

Notify Tactile Medical Compliance Officer (Sunday Hoy, 612-355-5121 or cell 612-867-9748) in the event of any lost or stolen paper documents containing PHI.

File police report regarding stolen electronic device(s), if appropriate.

Compile/collect notes regarding last known whereabouts; last known use; last known list of patients referenced on electronic device(s).

REMINDERS

Remove/delete/secure Protected Health Information from your portable electronic device(s) on a DAILY basis. This will greatly reduce the risk of a data breach. Do not create unnecessary risk by saving e-mails longer than needed. iPhones and iPads will store mail for three (3) days by default. Make sure that if you change this setting that you know how long you are retaining mail on your device. The maximum is one (1) month.

Your iPhone or iPad are set to auto-lock after five (5) minutes of inactivity. When you are done using your device, you should manually lock it to reduce the likelihood of unauthorized access to your device. Use a password that is not easily guessed (do not use passwords such as 123456, 654321, 111111, 222222, etc.).

Do not leave patient documents, laptops, iPads, iPhones, or smartphones unattended in your vehicle. If you must store them in your car, lock them in your trunk where they are not visible to anyone looking inside your windows. Visible electronic equipment, briefcases, purses, backpacks, and bags in vehicles are common targets for theft, regardless of location, time of day, alarm systems, security cameras, or pedestrian activity levels near your vehicle. 

Do not write down your company passwords on any documents stored on or with your laptop, iPhone or any other smartphone (Post-It Notes, business cards taped to your device).

If you establish company email on a personal mobile device using either the built-in mail client or an app such as Outlook Mobile, you must completely remove these connections before leaving the company or risk having your device erased at time of termination. Tactile Medical IT performs a remote wipe of any devices connected to your mail account at the specified termination time. Installing a connection to Tactile Medical email on a personal device indicates acceptance of this risk.