Policies & Procedures


Policies & Procedures

P&P Home

Institutional Handbook of Operating Procedures (IHOP)

Table of Contents
Official Governance
General Administrative
Employee Related
Fiscal Related
Faculty Related
Compliance Related
Student Policies
Health, Safety and Security

About IHOP
Description of the IHOP Process
Committee Members
Goals of the IHOP Committee
Process Diagram

Policy Guidelines
Policy Definitions
Policy Template
Violation of Policy Paragraph
Understanding the CMS

Other Policies and Procedures

Departmental
• Healthcare Epidemiology Policies

UTMB HANDBOOK OF OPERATING PROCEDURES

Section 6 Compliance Policies

Subject 6.2 Privacy Related

Policy 6.2.24 Removal of Protected Health Information from UTMB Facilities

12/10/03 -Originated

10/08/07 -Reviewed w/ changes

-Reviewed w/o changes

Compliance Office -Author

Removal of Protected Health Information from UTMB Facilities

Definitions

Unit Medical Record (UMR): The UTMB medical record maintained by the Health Information Management (HIM) Department that is designed to contain a composite of all significant hospital and clinical information gathered on a given patient, whether as an inpatient, outpatient, or emergency care patient. Portions of the UMR may be housed at various locations throughout the UTMB system. The UMR has a permanent retention schedule.

Case Management File/Shadow Medical Record (CMR): The medical record maintained by a specific physician or department, other than HIM. This information often includes copies of medical record information also in the UMR. A CMR does not contain any pertinent patient care information that cannot be found in the UMR. A CMR is considered a convenience copy and has no record retention schedule.

Convenience Copy: a copy of an original medical record, case management record or source data that was printed for a one time use. Convenience copies may be items like lab reports or other information found in an electronic system that are used for convenience but not required to be maintained in storage or in files.

Designated Record Set: A group of records maintained by or for UTMB that are:

A. The medical records and billing records about patients maintained by or for UTMB

B. The enrollment, payments, claims adjudication, and case or medical management record systems maintained by or for a health plan

C. Used, in whole or in part, by or for UTMB to make decisions about patients

Medical Record Custodian: The person or department who is responsible for the maintenance, retention, access, data integrity, and data quality of PHI. The medical record custodian must ensure that the medical record(s) in their possession is maintained confidentially and only released with proper authority.

Definitions, (cont’d)

Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

Record: Any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for UTMB.

Source Data: Source Data includes health information stored in any original media. Examples of Source Data include, but are not limited to, paper diagnostic tests or tools, x-rays, videotapes, ultrasounds, fetal monitor strips, photographs (either conventional photos or digital images), EKG strips, and ancillary or supporting systems (e.g . pharmacy information systems and radiation oncology information systems). These forms of Source Data have unique retention schedules. The UMR must contain a written interpretation of all Source Data. Source Data is distinct from the written interpretations of significant clinical information that has been forwarded to the UMR.

Policy

UTMB prohibits the unauthorized disclosure of PHI while in use at UTMB or while in use at any off-site location. Whenever a hardcopy version of PHI (actual medical records, photocopies and extra printouts) or electronic PHI is removed from UTMB premises, it must be secured and protected at all times. The storage and security of PHI must follow IHOP Policy 6.2.11, Storing and securing PHI.

Unit Medical Records, Case Management Records, Source Data and any other information that contains PHI may not be removed from UTMB premises unless there has been prior approval from the custodian of the information. In some instances the removal of Case Management Records and other PHI may require documentation and tracking as provided for in IHOP Policy 9.2.13, UTMB Medical Record Policy. This policy applies to PHI in any form, including electronic PHI, held by a UTMB facility.

Policy, (cont’d)

When employees use PHI at home, the information should be stored in a secure manner so no other individuals in the home will have access to the PHI. For example the information should be locked in a file drawer or briefcase when not in use. If UTMB computers or individual home computers are used to store PHI, the PHI must be stored and protected from any and all unauthorized access.

With the exception of convenience copies, all PHI must be returned to UTMB. In all other instances, the PHI should be retuned to the custodian who granted the UTMB employee permission to remove the PHI.

In the case of convenience copies that are not required to be returned, the individual must dispose of the information in accordance with UTMB’s Disposal of PHI Policy (IHOP 6.2.12). This requirement applies to electronic PHI, as well.

Violation of this policy may result in disciplinary action up to and including termination for employees; a termination of employment relationship in the case of contractors or consultants; or suspension or expulsion in the case of a student. Additionally, individuals may be subject to loss of access privileges and civil and/or criminal prosecution.

References

IHOP Policy 6.2.10 Printing and Copying PHI