It is the policy of the Missouri State University (University) and its Health Care Components (HCC) to protect the privacy of individually identifiable health information in compliance with federal law. To assist in assuring that protection, it is the practice of the HCC to assure that its workforce recognize the importance of such confidentiality provisions, and affirmatively acknowledge those guidelines. See 45 CFR Sections 160 and 164, et seq.
The University’s HCC
- Staff Access
- Training on Access
- Required Confidentiality Agreement
- Local Policies
- Review Process
- Protected Health Information (PHI): Individually identifiable PHI is any information, including demographic information collected from an individual, that:
- Is created or received by a healthcare provider, health plan, employer, pharmacy, prescription, or healthcare clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual, and
- Identifies the individual, or
- With respect to which, there is reasonable basis to believe that the information can be used to identify the individual.
- Workforce: Includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity (facility or Department). This shall include any client workers employed by the HCC (45 CFR Section 160.103).
- Any Person with Access to PHI
- HCC workforce members shall be granted access to protected health information (PHI), whether written, electronic or verbal in nature, in accordance with state and federal law (HIPAA, P.L. 104-191); (42 CFR Part 2 et seq.; Privacy 45 CFR Parts 160 and 164); and other relevant regulations. Such access shall be limited to the minimum necessary amount of PHI to accomplish the purpose of any requested use or disclosure of PHI, e.g., to the amount of PHI the employee or workforce member needs to know in order to accomplish their job or task. In addition, communications between workforce members, which involve PHI, shall also be considered confidential and should not take place in public areas. If it is absolutely necessary to conduct such conversations in public areas, reasonable steps shall be taken to assure the confidentiality of the PHI.
- Patient PHI should never be removed from this facility without specific authorization from the Unit Privacy Officer, pursuant to a signed Business Associate Agreement, or the appropriate medical records personnel. Each HCC shall establish a procedure for how workforce members are to physically access PHI in medical records (i.e., how to sign records in and out and under what conditions, etc.).
- If PHI in any form is lost or stolen, the Unit Privacy Officer should be notified as soon as practical, but no later than two (2) business days after the loss is discovered, in order for the Privacy Officer or designee to initiate the mitigation process.
- Training. The HCC workforce members shall be informed of their obligations with respect to PHI by mandatory participation in HIPAA Privacy Training.
- Required Confidentiality Agreement. The HCC workforce members that receive or maintain PHI shall be required to agree to the protection of such PHI in accordance with the state and federal laws as set forth above. These workforce members shall sign a confidentiality statement. The model statement is attached as HIPAA Regulation 8.040, Form 1. A copy of the signed confidentiality statement shall be maintained in the personnel file of the HCC staff.
- Visitors. Visitors to all facilities are required to sign the confidentiality agreement if they are going to have access to PHI. A copy of the confidentiality agreement shall be located in each facility.
- Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
- Sanctions. Any person found to have violated the requirements of this policy shall be subject to disciplinary action up to and including dismissal.
HISTORY: Effective March 21, 2003