Patient Care Report Access, Security & Disclosure

Section 2 - EMERGENCY OPERATIONS

220.10 Patient Care Report Access, Security & Disclosure

PURPOSE:

To outline levels of access to Protected Health Information (PHI) for various staff members of Maitland Fire Rescue and to provide a policy and procedure on limiting access, disclosure, and use of PHI. To provide policies outlining patient rights and Maitland Fire Rescue’s responsibilities in fulfilling patient requests. Security of PHI is everyone’s responsibility.

GENERAL STATEMENTS:

Maitland Fire Rescue retains strict requirements on the security, access, disclosure and use of PHI. Access, disclosure and use of PHI will be based on the role of the individual staff member in the organization, and should be only to the extent that the person needs access to PHI to complete necessary job functions.

When PHI is accessed, disclosed and used, the individuals involved will make every effort, except in patient care situations, to only access, disclose and use PHI to the extent that only the minimum necessary information is used to accomplish the intended purpose.

Patients may exercise their rights to access, amend, restrict, and request an accounting, as well as lodge a complaint with either Maitland Fire Rescue or the Secretary of the Department of Health and Human Services.

PROCEDURE:

Role Based Access

• Access to PHI will be limited to those who need access to PHI to carry out their duties. The following describes the specific categories or types of PHI to which such persons need access is defined and the conditions, as appropriate, that would apply to such access.

Job Title

• Access to PHI is limited to the above-identified persons only, and to the identified PHI only, based on the Company’s reasonable determination of the persons or classes of persons who require PHI, and the nature of the health information they require, consistent with their job responsibilities.
• Access to a patient’s entire file will not be allowed except when expressly permitted by company policy or approved by the Privacy Officer.

Disclosures To and Authorizations From The Patient

• You are not required to limit your disclosure to the minimum amount of information necessary when disclosing PHI to other health care providers for treatment of the patient. This includes doctors, nurses, etc. at the receiving hospital, any mutual aid provider, your fellow crew members involved in the call, and any other person involved in the treatment of the patient who has a need to know that patient’s PHI. In addition, disclosures authorized by the patient are exempt from the minimum necessary requirements unless the authorization to disclose PHI is requested by the Company.
• Authorizations received directly from third parties, such as Medicare, or other insurance companies, which direct you to release PHI to those entities, are not subject to the minimum necessary standards. For example, if we have a patient’s authorization to disclose PHI to Medicare, Medicaid or another health insurance plan for claim determination purposes, the Company is permitted to disclose the PHI requested without making any minimum necessary determination.
• For all other uses and disclosures of PHI, the minimum necessary rule is likely to apply. A good example of when the minimum necessary rule applies is when your Company conducts quality assurance activities. In most situations it is not necessary to disclose certain patient information such as the patient’s name, address, social security number, all PHI of the treated patient, in order to conduct a call review. This sensitive information should be redacted or blacked out from the PCR being used as a Q/A example.

Company Requests for PHI

• If the Company needs to request PHI from another health care provider on a routine or recurring basis, we must limit our requests to only the reasonably necessary information needed for the intended purpose, as described below. For requests not covered below, you must make this determination individually for each request and you should consult your supervisor for guidance. For example, if the request in non-recurring or non-routine, like making a request for documents via a subpoena, we must review the request to make sure it covers only the minimum necessary PHI to accomplish the purpose of the request.