Emergency Medical Services Division Policies Procedures Protocols


Patient Medical Record Security and Privacy Policies and Procedures (1003.00)

I. GENERAL PROVISIONS:

A. The intent of these policies and procedures is to define internal requirements for patient medical record security and privacy in accordance with the Health Insurance Portability and Accountability Act (HIPAA), enacted by the U.S. Congress in 1996, whose Protected Health Information (PHI) requirements are defined through the Privacy Rule and the Security Rule.

B. The Kern County EMS Department, as a local government regulatory agency in accordance with State law, is exempt from chain of custody agreements and other HIPAA requirements applied to private organizations. However, internal medical record security requirements and medical record privacy requirements under the Privacy Rule and Security Rule are applicable.

C. These policies and procedures shall apply to any and all records or data containing patient identification information. They shall apply to all patient medical records managed by the Department, including but not limited to completed or partially completed PCR-Transport forms, EMT-I First Responder forms, MICN forms, Defibrillation or Combitube forms, physician and hospital claims for EMS Fund reimbursement, PCR-Transport data reports, and patient record images with patient identification information (hereinafter referred to as "patient record(s)").

D. Kern County EMS Department staff shall continuously comply with these policies and procedures.

II. MEDICAL RECORD SECURITY:
(Security - Ensure the security of patient information and associated transactions from both a physical and an electronic point of view)

A. All patient records shall be kept secure by the Department.

B. Patient records shall either be attended by Department staff or stored in a secure or locked area of the Department. Patient records may only be removed from the Department by EMS staff if approved by the Department Privacy Officer (DPO).

C. Patient records shall remain in a secure area or locked storage after office hours. This includes staff offices containing patient records. No patient record will be left unattended in an open office area.

Patient Medical Record Security and Privacy (1003.00) 1

D. The data entry office shall remain closed and locked when unoccupied, during and after normal office hours.

E. During office hours, any office that contains patient records shall be closed and locked when left unattended by Department staff. EMS staff will continuously monitor secure office areas for unauthorized access. An office is unattended when staff are physically outside the specific office area and unable to maintain record security. This includes breaks, lunch, or meetings outside the specific office space.

F. The Computer Server Room must remain locked after normal business hours, unless occupied by Department staff.

G. All entrance and exit doors must remain locked after normal business hours, unless the building is occupied by Department staff.

H. Electronic Patient Record Security:

1. All computer workstations and servers within the Department require a user identification and password for login access to electronic documents, including electronically stored patient records, in accordance with the following requirements:
   a. File access is controlled by login identification;
   b. Unique passwords, changed at least annually, shall be kept secure by each EMS staff member; and
   c. Login identification and passwords will be removed when an employee is no longer employed by the Department.

2. EMS staff shall comply with one of the following when an office area with a computer workstation is left unoccupied with the intent that it remain unoccupied (i.e. lunch, a break, a meeting, or an appointment):
   a. The office door(s) must be locked; or
   b. Log off the workstation; or
   c. Shut down the workstation.

3. Upon leaving the office for the day, Department staff must shut down their computer workstation, except VPN users as per H.6.

4. Department Computer Servers are to remain "locked" at the system console, requiring a password login to access the system and data.

5. Patient record data may be referred electronically provided the referral is through a secure process that allows end-to-end authentication. Electronic referral consists of e-mail, file transfer protocol, Internet web posting, and any configurable data stream. End-to-end authentication is met when the electronic referral does not leave a secure network environment and the recipient is known, such as the Kern County Wide Area Network e-mail client, or when encryption and authentication measures are used between sender and recipient, thus verifying full receipt by the recipient. Any e-mail traveling outside a secure network environment into the Internet requires encryption and authentication measures.

6. Remote access to Department workstations, and thus to the Department Local Area Network and Kern County Wide Area Network, requires of the remote user:
   a. An account with a reputable Internet Service Provider.
   b. Install and configure VPN software per County specifications. Users cannot share their VPN password with others.
   c. Install ICSA Labs approved anti-virus software (McAfee or Norton). Anti-virus files must be updated, at minimum, every three months.
   d. Log out once the current remote session is complete - do not allow the session to remain open and idle with the intent to return at a later time - by logging off the Department workstation and then properly exiting all remote access and VPN software. The County reserves the right to terminate idle connections exceeding ten (10) minutes.
   e. Take reasonable steps to safeguard data from tampering and unauthorized disclosure at remote locations.

III. INTERNAL PATIENT RECORD MANAGEMENT PROCEDURES:

A. Upon receipt, patient records shall immediately be delivered to the Data Entry office or appropriate EMS staff, or must be attended by EMS staff until the patient records can be appropriately secured.

B. Patient records cannot remain in office areas open to the public (i.e. staff boxes, routing trays, training rooms, break rooms, cabinet tops located in passageways) or in plain sight of the public (i.e. copier rooms, fax machines, desktops, and counter tops).

C. Stored patient records shall be maintained in a locked storage area.

D. Upon DPO authorization to release a patient record, an assigned staff member is to retain the requested patient record until pick-up, or place the patient record into a sealed envelope for pick-up, so that the patient record is not in plain sight of the public. A requested patient record cannot be placed in plain sight on a counter top or in an out-box awaiting pick-up by the requestor.

IV. MEDICAL RECORD PRIVACY:
(Privacy - Ensure the confidentiality of the patient record through management of access)

A. Any patient record request received by Department staff from any other organization or individual shall be referred to the DPO for review and consideration.

B. Patient records may be reviewed by Department staff in group quality improvement activities. However, all patient identification information shall be removed or rendered unreadable for group quality improvement activities involving other organizations or individuals. Such patient records will still not be released unless approved by the DPO.

V. MEDICAL RECORD RELEASE:

A. All patient record release requests shall be referred to the DPO for review, authorization or denial.

B. Patient records are confidential, limited to the possession of the Department, authorized EMS providers involved with response to the patient location or direct patient care who completed the record, authorized medical facilities that receive the patient if transported, and validated service payor sources.

C. Patient record copies can be provided by the DPO to legal sources in accordance with a legal and valid subpoena or an appropriate medical record release from the patient or legal patient responsible party.

D. The DPO may release a copy of a patient record directly to the patient or patient responsible party in accordance with the following:
   1. Completion of the form "Authorization to Release Records";
   2. Verification that the person completing the form is the patient or the legal patient responsible party, with appropriate identification and documentation.

E. In each case of patient record release to a legal source, patient or legal patient responsible party, a full copy of the subpoena, medical record release or completed Authorization to Release Records, in addition to the patient record copy, will be maintained on file. Authorization to Release Records forms are also patient records in accordance with these policies and procedures.

VI. TRAINING:
(To ensure protection of health information, a self-certified training program must be created and implemented for employees and vendors)

A. All Department staff shall review these policies and procedures and shall sign a verification form that validates competency and compliance. The signed verification form shall be retained in each Department staff member's personnel file at the Department.

B. Any newly employed Department staff person shall review these policies and procedures and shall sign a verification form that validates competency and compliance. The signed verification form shall be retained in each Department staff member's personnel file at the Department.

C. These policies and procedures, as a public record, will be referred to providers or organizations upon request and will be posted on the Department's web site.

Kern County EMS Department
Patient Medical Record Security and Privacy Policies & Procedures
EMS Staff Competency & Compliance Verification Form

With my signature below, I verify that I have reviewed the Kern County EMS Department - Patient Medical Record Security and Privacy Policies & Procedures, that I am competent in the content, and I will comply with the requirements.

(print name) ________________ (signature) ________________ (date signed) ________

KERN COUNTY EMS DEPARTMENT
AUTHORIZATION TO RELEASE RECORDS

TO: ________________________

I, ________________, D.O.B. ________, hereby authorize and consent to the release of any medical, psychiatric, drug and/or alcohol abuse records to myself or to the representative of the patient as signed above.

PATIENT NAME: ________________ PATIENT AGE: ____ D.O.B.: ________ PATIENT SEX: ____
CALL DATE: ________ CALL LOCATION: ________________
TYPE OF INCIDENT/MEDICAL PROBLEM: ________________
HOSPITAL: ________________ AMBULANCE SERVICE: ________________

EXECUTED THIS ____ DAY OF ________, 20__.

Signature of Person Requesting Records: ________________ Date of Request for Records: ________

For Office Use Only:
Records Released By: ________________ Identification Verified: Yes / No