A shadow chart is a form of protected health information that is difficult to manage. HIPAA’s privacy and security standards help increase the safety of this information. Shadow charts are created and used for various reasons. When primary records are not accessible, physicians tend to make copies of them for easy access and reference. Physicians also use them for billing. Shadow charts are not as complete and accurate as the primary record. There is no proper procedure, tracking or accounting for the release of information from shadow charts.
There are no strict HIPAA rules for the security of patient information in shadow charts, but these charts are subject to the covered entity’s policies and procedures. In most cases, shadow charts become records completely separate from the primary record. Where a shadow chart holds patient information associated with an episode of patient care that is not included in the electronic record, that documented information should be scanned into the electronic record and added to the original permanent legal record.
A2. Ways to reduce incidents of breach of security of patient health information:
Information technology staff can help decrease incidents of security breaches in the following ways:
a) Staff who handle patient information should be given restricted access. Employees should have access only to the information that they deal with.
b) Usage of access to patient information should be monitored continuously. Audit trails should be run to find out whether there have been any breaches. Strict policies should be implemented to prevent password sharing.
c) Passwords created by users should be restricted with regard to complexity, maximum and minimum duration of the password, password history, etc. Login information should be changed once every three months to keep it secure.
d) Each time a user accesses patient information, a popup warning/alert should ask the user to confirm that he or she is accessing information that he or she is supposed to work on.
e) If a user doesn’t use a computer for a few minutes, the monitor should lock so that patient data is not accessible to unauthorized personnel.
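An added example (not part of the original essay) of the audit-trail review described in items a) and b): it flags access to records outside a user's assignment and one account appearing on two workstations within a short window, which suggests a shared password. The log format, user names, assignment table and 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: the patient records each user is assigned to work on.
ASSIGNMENTS = {
    "nurse_a": {"P100", "P101"},
    "biller_b": {"P200"},
}

# Constructed audit-trail lines: timestamp, user, workstation, patient record.
AUDIT_LOG = """\
2024-03-01T09:00:00 nurse_a WS-01 P100
2024-03-01T09:05:00 nurse_a WS-01 P200
2024-03-01T09:07:00 biller_b WS-07 P200
2024-03-01T09:09:00 biller_b WS-12 P200
2024-03-01T13:30:00 nurse_a WS-03 P101
"""

SHARING_WINDOW = timedelta(minutes=10)  # assumed threshold, tune per site


def parse(log_text):
    """Turn audit-trail text into sorted (time, user, workstation, patient) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ws, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, ws, patient))
    return sorted(events)


def review(events, assignments):
    """Return findings as (kind, user, detail) tuples."""
    findings = []
    last_seen = {}  # user -> (time, workstation) of that user's previous event
    for ts, user, ws, patient in events:
        # Item a): access outside the records the user is assigned to.
        if patient not in assignments.get(user, set()):
            findings.append(("unassigned_access", user, patient))
        # Item b): one account on two workstations within the window
        # suggests a shared password.
        prev = last_seen.get(user)
        if prev and prev[1] != ws and ts - prev[0] <= SHARING_WINDOW:
            findings.append(("possible_shared_login", user, f"{prev[1]}->{ws}"))
        last_seen[user] = (ts, ws)
    return findings


if __name__ == "__main__":
    for finding in review(parse(AUDIT_LOG), ASSIGNMENTS):
        print(finding)
```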
B. Situation from Montana Code 41-1-402 that can lead to criminal charges against an organization when it is not followed:
A situation from Montana Code 41-1-402 that directly influences the clinical staff and can lead to criminal charges against an organization is 2d. This code states that a minor can give consent to a health care provider for treatment, or control access to his/her confidential health information, in emergency situations where he/she needs emergency treatment without which his/her life or health would be in danger. If a health care provider takes responsibility for managing a minor in an emergency situation but denies treatment due to the absence of consent from parents or a legal guardian, the health care provider/organization would be held liable for criminal charges according to Montana Code 41-1-402. Also, if a minor comes to a physician/healthcare provider and requests management of her pregnancy, and the physician refuses to manage her pregnancy, the healthcare provider would be held criminally liable.
1. HIPAA’s definition of criminal liability:
Criminal Charges: In June 2005, the U.S. Department of Justice (DOJ) gave the definition of criminal liability under HIPAA. Individuals and entities who intentionally acquire and release personal health information in breach of the Administrative Simplification Regulations face a fine of up to fifty thousand dollars and imprisonment of up to one year. Penalties increase to a fine of up to one hundred thousand dollars and 5 years of imprisonment if the wrongdoing is committed under false pretenses. If the offenses are committed with the intention to sell, transfer, or use personal health information for profit, personal gain or malicious harm, there would be fines of up to two hundred and fifty thousand dollars and imprisonment of up to 10 years.
2. Part of Montana Code 41-1-402 (2a through 2d) that directly affects the actions of clinical staff.
A situation from Montana Code 41-1-402 that directly influences the clinical staff and can lead to criminal charges against an organization is 2d. This code states that a minor can give consent to a health care provider for treatment, or control access to his/her confidential health information, in emergency situations where he/she needs emergency treatment without which his/her life or health would be in danger. If a health care provider takes responsibility for managing a minor in an emergency situation but denies treatment due to the absence of consent from parents or a legal guardian, the health care provider/organization would be held liable for criminal charges according to Montana Code 41-1-402.
(c) Montana code 41-1-401 2C directly influences the actions of the clinical workforce. According to this code, a minor who is pregnant, who has acquired any reportable communicable disease, including an STD (sexually transmitted disease), or who is affected by drug and substance abuse can give consent to the health care provider for the provision of health services and can manage access to the patient health information. Self-consent in the above-mentioned conditions obligates the healthcare provider to take responsibility for the treatment and counseling of the patient.
C. Situation from Montana Code 50-16-603x related to medical record identification that results in a legal charge against the healthcare provider if not followed.
According to Montana Code 50-16-603x, health care information should not be released without proper written consent from the patient. Also, the information should be released only when the type of information to be released and the person to whom it may be released are specified. Releasing healthcare information to a person without proper written consent to the release, and without properly specifying the person to whom it is to be released, can lead to a legal claim against an entity or an organization.
C1. Confidentiality policy statement:
The main purpose of the confidentiality policy statement is to make the employees of any organization aware of their responsibilities when dealing with confidential information. All employees of a department or an organization should follow the policy during their period of work. “It is a requirement that any individual, company and firm to which this policy applies shall not at any time during the period they work for any organization or at any time after its termination, disclose confidential Information that is held or processed by the organization.” (NHS Yorkshire and the Humber – Confidentiality Policy Statement and Guidance)
Confidentiality should only be breached under special circumstances and with appropriate justification, and the breach should be fully documented. The following principles should be followed by all the employees of an organization as part of the confidentiality policy:
• When an employee is responsible for confidential information, he/she should make sure that the information is well protected against improper disclosure at the time of receiving, storing, transmitting and disposing.
• Access to the confidential information should be provided only on a need-to-know basis.
• Patients/individuals should be informed about how their information would be used or disclosed.
• When an individual gives consent for disclosure of confidential information, he/she should be given complete information about what information would be disclosed, the reason for disclosure and the consequences of disclosure.
• Disclosures without consent can be made only under certain circumstances like:
a. In case of public interest
b. When required by law
• Only the necessary information should be disclosed.
• The disclosure of information should always be documented and justified.
Patient information can also be released under the following circumstances. It can be released for statistical purposes if the person’s identification is protected; to medical personnel in case of a life-threatening emergency, to save the life of the concerned person; and to a local health officer or board, or a district court, to prevent the spread of reportable communicable diseases. Healthcare information should be provided to a court for use as evidence in a case of child abuse.
It can also be released to prevent injuries caused by the release of biological, chemical or radiological agents.
D. Comparison of Montana codes with HIPAA laws with reference to the release of information.
1) According to HIPAA, medical providers must honor the consumer’s requests to view and obtain a copy of his/her medical records, to make corrections to the records, and to know how the records have been used. Montana codes also state that the provider has to provide the requested health information when the patient gives written consent.
2) According to HIPAA, patient information cannot be disclosed unless he/she signs an authorization form, which must be written in understandable language and should clearly mention the circumstances under which the information can be released as well as the entities to which it can be released. The authorization should also contain the expiration date. Montana codes also stress the importance of a proper authorization form filled in and signed by the patient for the release of his/her information.
3) According to HIPAA, providers should not release the information under the following conditions:
a) Patients can “opt out” of providing information: It is the provider’s responsibility to inform patients, either verbally or in writing, what kind of information will be saved in the hospital directory and to whom that information will be revealed. The patient has the option to state that he or she does not want information released, including information confirming his or her presence in the facility.
b) In situations that could embarrass or endanger patients.
Montana codes also state that a health provider may deny access to the patient’s health information if the provider thinks that:
(a) Knowledge of the health care information would be injurious to the health of the patient;
(b) Knowledge of the health care information could become dangerous to the life or safety of any individual.
1. Release of information policy statement:
When a patient submits a written request to examine or copy his/her healthcare information, it is the provider’s responsibility to provide the required information within 10 days after receiving the request.
The provider can provide the requested information to the patient for examination during regular business hours. The patient should be notified if the requested information does not exist or cannot be located, if the provider does not maintain the record of the requested information, or if the information is in use or unusual circumstances have delayed processing of the request. A patient’s request can be denied with proper information. The provider can charge a fee to provide copies of the health information. Also, the provider shall provide an explanation of any code or abbreviation used in the healthcare information.