It is the policy of Missouri State to identify those records maintained by or for the department and its facilities that meet the definition of a designated record set covered by the HIPAA Privacy Rule, specifically 45 CFR Section 164.501.
The University’s HCC
- Designated Record Set: A group of records maintained by or for a covered entity that is: (a) the medical records and billing records about individuals maintained by or for a covered health care provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (c) used, in whole or in part, by or for the covered entity to make decisions about individuals.
- Record: any item, collection, or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a HCC.
- Sentinel Event: a term used by the Joint Commission on Accreditation of Health Care Organizations (accreditation held by CPS facilities). A sentinel event is an unexpected occurrence involving death or serious physical or psychological injury, or the risk thereof.
- Protected Health Information (PHI): See HIPAA Procedure 1.005, 1.b. and c.
- All Missouri State HCC shall identify all information systems (defined as an organized collection of information) that contain Protected Health Information, including the location, unique system identifier, the form of the data (electronic or paper), the data maintainer, and a description of the type of PHI contained.
- That inventory shall be maintained by the Unit Privacy Officer or designee, or the University Privacy Officer, if applicable. Assistance may be requested from the Information Services staff. Any new or modified systems shall be added to the inventory by the appropriate Privacy Officer.
- In order to maintain an accurate inventory of record systems, when new systems are created, the staff responsible for developing and maintaining the information shall notify the Unit Privacy Officer that the system is in production and it contains PHI. When a current system that contains PHI is no longer used or needed, the staff responsible for maintaining the information shall notify the HCC Privacy Officer so that the inventory system can be amended and the information retained or destroyed according to retention policies.
- For the purpose of the implementation of this policy, the term designated record set includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the Missouri State HCC for covered care or payment decision making including but not limited to:
  - Medical records and billing records about covered patients maintained by or for Missouri State HCC;
  - Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for Missouri State HCC; and
  - Any records or information used, in whole or in part, by or for Missouri State HCC to make decisions about patients.
- Information that is not part of the Designated Record Set is defined as follows: any documents that are used for census information, quality assurance or quality improvement, peer review, sentinel event, Centers for Medicare and Medicaid purposes, utilization review, abuse/neglect investigations, incident/injury reports, state auditors, or various electronic databases, etc., which are not used to make decisions regarding an individual consumer, shall not be considered as part of the Designated Record Set. FERPA education and treatment records may or may not be included, based on unit determinations. See HIPAA Procedure 1.005, 2.
However, please note that these types of information may be accessible by parents or guardians upon presentation of appropriate documentation. In addition, for forensic cases (defined as Chapter 552 or 557, RSMo, evaluations), the pretrial commitment order, the pretrial evaluation, or any correspondence relating to the pretrial is not part of the designated records set.
- Working files, either paper or electronic, are also not considered part of the designated records set, and are defined in Appendix A.
- Psychotherapy notes are not included in the designated records set (psychotherapy notes are defined in 45 CFR Section 164.501, and are to be kept separate from the medical record).
- When an individual or department has been given sanctioned, exclusive possession and control of PHI as part of their assigned duties, they shall be responsible for all administrative duties of a data trustee in terms of security, data access, privacy, data backup, disaster recovery and accountability. When the HCC does not have the technical expertise or equipment to adequately protect the PHI, they must arrange for technical assistance through the Information Systems to assure the confidentiality of the PHI.
- The designated record set shall be created, stored, released, transported, copied and destroyed based on policy 8.110, Record Retention and Destruction.
- Sanctions. Failure to comply or assure compliance with the policy may result in disciplinary action, up to and including dismissal.
- Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
HISTORY: Effective March 21, 2003.
Working files, either paper or electronic, are not included as part of the designated records set. Working files are typically held by staff working or meeting with patients away from a facility-based setting. Working files may consist of copies of records that are included in the designated records set.