12-14 HIPAA: Maintenance of PHI

About CMU's "HIPAA PHI maintenance policy"

This policy establishes procedures for the transmission and maintenance of protected medical information as required by the Health Insurance Portability and Accountability Act of 1996.

NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.

BACKGROUND

Central Michigan University is a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 law and regulations. According to this law, CMU officers, employees, and agents must preserve the confidentiality, integrity, and availability of Individually Identifiable Health Information (IIHI) pertaining to each patient, client, or individual covered under a CMU self-insured health plan. This IIHI is Protected Health Information (PHI) and shall be safeguarded in compliance with the requirements of the Security and Privacy rules and standards established under HIPAA law and regulations.

PURPOSE

To ensure there is a standard approach to the maintenance of PHI across CMU’s Hybrid Entity and preserve the confidentiality, integrity, and availability of PHI. Maintenance of PHI may include the transmission, transfer, duplication, or conversion of the medical record in paper or digital format. For example, maintenance may include scanning, faxing, sweeping, and storing information. In the event of errant maintenance of information, response and mitigation steps must be followed in accordance with this policy as well as any other applicable CMU Policy.

DEFINITIONS

The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.

Individually Identifiable Health Information: information, including demographic data that relates to: (1) the individual’s past, present or future physical or mental health or condition, (2) the provision of health care to the individual, or (3) the past, present, or future payment for the provision of health care to the individual, (4) and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Protected Health Information (PHI): Individually Identifiable Health Information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

Workforce Member: A “Workforce Member” includes employees (and student employees), volunteers, trainees, and other persons whose conduct, in the performance of work for a unit in the CMU Hybrid Entity, is under the direct control of such entity, whether or not they are paid by the entity. This includes students at a CMU work-site who have access to PHI in order to satisfy a clinical experience requirement for a program of study.

POLICY

1. All workforce members involved in the process of maintaining documents containing PHI must be fully trained on procedures specific to the systems and software they are using to complete the job function.

2. A quality assurance process must be used when converting digital and paper documents containing PHI. Refer to Attachment A for Quality Assurance Standards.

a. Standard Operating Procedures must be maintained by CMU’s Hybrid Entity units, with language specific to the unit, and retained within the HIPAA Council.

3. Workforce members must apply reasonable safeguards when working with any form of PHI, in accordance with CMU policies and procedures.

4. Failure to comply with this policy may result in sanctions up to and including termination pursuant to HIPAA Policy 12-10: Sanctions for Breach of Privacy and Security of PHI.

PROCEDURE

1. If transferring a document into an Electronic Medical Record System, trained workforce members will identify and select the correct patient chart by using a minimum of two (2) unique Protected Health Information identifiers that appear both in the patient chart and on the document to be transferred. Examples of acceptable identifiers include date of birth, full legal name, social security number, medical record number, or maiden name. If document identifiers cannot be matched between the patient’s chart and the document to be transferred, the workforce member may not transfer the document until the proper identifiers can be verified.

2. If transferring a document to be stored in a system approved by Healthcare Information Technology to retain electronic PHI, trained workforce members will identify and select the correct destination to file the record and will assure the document is titled and filed appropriately.

3. In the event of a minor transfer error (document filed under the wrong heading, document labeled incorrectly) the workforce member will notify their direct supervisor or Healthcare Information Technology so that a correction can be made.

4. In the event of a serious transfer error (e.g. document transferred under the wrong patient chart) the workforce member will notify their direct supervisor immediately. The supervisor will immediately contact Healthcare Information Technology who will initiate the investigation/corrective action process and will contact the Office of HIPAA Compliance and Business Associates as applicable.

5. In the event that a patient identifies an error in their medical record’s content and alerts a workforce member, the workforce member will notify the HIPAA Privacy Officer who will provide direction to the staff on the necessary corrective action steps and complete an investigation pursuant to CMU HIPAA policies.

Central Michigan University reserves the right to make exceptions to, modify, or eliminate this policy and/or its content. This document supersedes all previous policies, procedures, or guidelines relative to this subject.