
12-14 HIPAA: Maintenance of PHI

About CMU's "HIPAA PHI maintenance policy"

This policy establishes procedures for the transmission and maintenance of protected medical information as required by the Health Insurance Portability and Accountability Act of 1996.

NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.

BACKGROUND

Central Michigan University (CMU) is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) law and regulations. CMU has designated itself as a hybrid entity as its business activities include both covered and non-covered functions. HIPAA requires that all CMU officers, employees and agents of units within the hybrid entity must preserve the confidentiality, integrity, and availability of Individually Identifiable Health Information (IIHI) pertaining to each patient, client, or participant in CMU’s self-funded health plan. This IIHI is considered Protected Health Information (PHI) and shall be safeguarded in compliance with the rules and standards established under HIPAA.

For additional information on the measures Central Michigan University has implemented to comply with this legislation, visit CMU’s official HIPAA website at HIPAA.cmich.edu.

PURPOSE

To ensure there is a standard approach to the maintenance of PHI across CMU’s Hybrid Entity and preserve the confidentiality, integrity, and availability of PHI. Maintenance of PHI may include the transmission, transfer, duplication, or conversion of the medical record in paper or digital format. For example, maintenance may include scanning, faxing, sweeping, and storing information. In the event of errant maintenance of information, response and mitigation steps must be followed in accordance with this policy as well as any other applicable CMU Policy.

DEFINITIONS

Individually Identifiable Health Information: Information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI): Individually identifiable health information (IIHI) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral unless otherwise excluded from this definition under the Privacy Rule.

Workforce Member: includes employees, volunteers, students, trainees, and other persons whose conduct, in the performance of work for a unit in the CMU Hybrid Entity is under the direct control of such entity, whether or not they are paid by the entity. This includes students at a CMU work-site who have access to PHI in order to satisfy a clinical experience requirement for a program of study.

All other terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.

POLICY

  1. All workforce members involved in the process of maintaining documents containing PHI must be fully trained on procedures specific to the systems and software they are using to complete the job function.
  2. A quality assurance process must be used when converting digital and paper documents containing PHI. Refer to Attachment A for Quality Assurance Standards.
    1. Standard Operating Procedures must be maintained by CMU’s Hybrid Entity units, with language specific to the unit, and retained within the HIPAA Council.
  3. Workforce members must apply reasonable safeguards when working with any form of PHI, in accordance with CMU policies and procedures.
  4. Failure to comply with this policy may result in sanctions up to and including termination pursuant to HIPAA Policy 12-10: Sanctions for Breach of Privacy and Security of PHI.

PROCEDURE

  1. If transferring a document into an Electronic Medical Record System, trained workforce members will identify and select the correct patient chart by using a minimum of two (2) unique Protected Health Information identifiers that appear both in the patient chart and on the document to be transferred. Examples of acceptable identifiers include date of birth, full legal name, social security number, medical record number, or maiden name. If document identifiers cannot be matched between the patient’s chart and the document to be transferred, the workforce member may not transfer the document until the proper identifiers can be verified.
  2. If transferring a document to be stored in a system approved by Healthcare Information Technology to retain electronic PHI, trained workforce members will identify and select the correct destination to file the record and will ensure the document is titled and filed appropriately.
  3. In the event of a minor transfer error (document filed under the wrong heading, document labeled incorrectly) the workforce member will notify their direct supervisor or Healthcare Information Technology so that a correction can be made.
  4. In the event of a serious transfer error (e.g. document transferred under the wrong patient chart) the workforce member will notify their direct supervisor immediately. The supervisor will immediately contact Healthcare Information Technology who will initiate the investigation/corrective action process and will contact the Office of HIPAA Compliance and Business Associates as applicable.
  5. In the event that a patient identifies an error in their medical record’s content and alerts a workforce member, the workforce member will notify the HIPAA Privacy Officer who will provide direction to the staff on the necessary corrective action steps and complete an investigation pursuant to CMU HIPAA policies.

Central Michigan University reserves the right to make exceptions to, modify, or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines related to this subject.