2.5. NORMA OHSAS 18001
2.2.16. IDENTIFICACIÓN DE NO-CONFORMIDADES
We have provided these responses to address common privacy issues encountered in a variety of clinical settings. Some answers may depend upon your facility’s policies and procedures and should be modified to meet your operational needs.
1. Yes, you may leave a limited message. Be sure to be discreet when doing so, as others may be present when the individual replays the message—or another person may pick up the message.
For an appointment involving highly sensitive PHI (e.g., pregnancy, mental health, STDs, or substance abuse, an appropriate message might be limited to:
“Hello, this is Lynne calling for Susan. Please have her call me at 206-111-2222.”
Never leave information about a diagnosis, medical condition, or laboratory or test result on an answering machine—even if the result is good news—unless the patient has requested you to do so. Be sure to document the patient’s request in the medical record.
2. a. Protected Health Information
3. The privacy concern in this scenario is that Jane is considering an unauthorized disclosure of PHI. In general, disclosures of PHI for any purpose other than treatment, payment, or health care operations require the patient to sign an authorization. Releasing such information violates state and federal laws and may also subject the individual and facility to criminal or civil fines and penalties. Further, it would violate the organization’s privacy policies and subject Jane to disciplinary action that may include termination from her job.
How to handle this situation: Advise Jane that Gary’s health information is protected by law. Jane could share her concerns with the doctor. The doctor may then take whatever action is clinically appropriate. Jane should not share information with anyone else unless the disclosure is in the performance of her job-related duties to facilitate treatment, payment, or health care operations.
4. True, if the request is for purposes of treating the student/patient.
The Washington State Department of Health has advised that sharing immunization records with the nurse or a designee—regardless of purpose—is acceptable. However, we are not aware of any provision in the HIPAA Privacy Rule or Washington State laws that would allow sharing this information for any purposes other than treatment. Therefore, we recommend that if the request is for school administrative purposes, the parent’s permission be obtained prior to sending the records to the school. A signed authorization is preferred (though a facsimile is acceptable). However, authorization could be obtained over the phone from the parent. The oral permission should be documented, dated, timed, and signed by the staff.
Be sure to use reasonable precautions to protect the privacy of information sent via facsimile (e.g., double-check the number before sending and use a facsimile cover sheet with a disclaimer).
5. The patient has a right to request a correction or amendment to her PHI. Initially, you may wish to discuss her request with her. If this was a note that you authored, then you could review the note and approve or deny the request. If the note was made by someone else, refer Sally to the appropriate individual according to your organization’s Request to Correct or Amend Protected Health Information (Policy & Procedures).
6. State and federal privacy laws permit access to PHI by those involved in treatment, payment, or health care operations without a patient authorization. In this case it does not appear that Dr. Rota has a legitimate need to know the information—as he is not directly involved in the
patient’s care (i.e., he is not the attending or a consulting physician for this patient). Unless Dr. Rota was performing some other health care operation for the organization, such as a quality improvement review, access to this patient’s information is not appropriate. In such a case you might inquire about the reason for Dr. Rota’s need for the information. If the reason given does not coincide with patient privacy laws, you might: 1) ask for the patient’s chart and indicate that due to patient privacy laws he is not permitted to access this patient’s information or 2) go up the chain of command.
7. Patients have a right to obtain a list of the individuals that have received copies of their PHI in certain circumstances when the disclosure has not been made for treatment, payment, or health care operations and the patient has not authorized the disclosure. This should be referred to an appropriately trained and authorized individual to handle according to the
organization’s Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures). The trained and authorized individual should be able to provide details about how to handle the request—as outlined in your policy.
8. True—if the disclosure is necessary for continuity of care. Discretion (e.g., reasonable and appropriate safeguards) should be used as appropriate.
9. Provide the current Notice of Privacy Practices (NPP) to the visitor or direct the visitor to the appropriate individual or department to obtain a copy of the current NPP. Patients must be given a copy of the NPP at their first contact with the facility. Reasonable attempts must be made to obtain a signed acknowledgment of receipt of the NPP. The regulations also require the facility to provide a copy to ANY individual upon his or her request - and this does not need to be documented.
10. Appropriate responses may be a, c, or d, depending upon the job position, circumstances, or the organization’s policies and procedures. HIPAA requires that organizations have a policy in place to address complaints pertaining to the handling of PHI—which must be followed. 11. False---unless it is an emergency, the stepparent has adopted the child, the stepparent is
representing himself or herself to be a relative responsible for the health care of this minor patient, or the stepparent has obtained permission from one of the birth parents. From a risk management perspective, it is suggested that the stepparent complete a Kinship Caregivers Informed Consent Declaration for Minors form if he or she is representing himself or herself to be a relative responsible for the health care of this minor patient. If the stepparent obtains permission from the birth parent, it should be in writing and a copy should be filed in the medical record. Authorization from the birth parent can also be obtained over the phone. The oral permission should be documented, along with the date and time, and signed by the staff. 12. As a general rule, the right to consent for care is a companion right to release of information.
• Minors may consent independently at any age for treatment related to pregnancy and reproductive care—provided the provider determines the minor has the capacity to understand the nature of the treatment and the risks associated with the treatment. • Minors may consent independently at age 14 for treatment related to sexually transmitted
diseases (STDs) provided they have the capacity to understand the nature of the treatment and the risks associated with the treatment. Since the minor is 12 in this scenario, this would not apply.
• Emancipated minors may consent for treatment of any condition independently.
Emancipation may be determined by the courts or for medical treatment purposes by the physician.
• The health care information may be released to the mother if the highly sensitive areas that require the minor’s permission for release are redacted from the copy of the record.
Consultation with the treating provider may be necessary to determine whether providing the mother with access is permissible. You might inform the mother that patient privacy laws
protect the information in the medical record. Urge the mother to discuss the reason for the visit with her daughter.
When in doubt, it is advisable to obtain the minor’s permission prior to releasing the information.