Policy/Procedure Number: CMP-10 (Formerly ADM-2) / Lead Department: Administration
Policy/Procedure Title: Confidentiality / ☒ External Policy
☒ Internal Policy
Original Date: 04/24/1994 / Next Review Date: 11/15/2018
Last Review Date: 11/15/2017
Applies to: / ☒ Medi-Cal / ☐ Healthy Kids / ☒ Employees
Reviewing Entities: / ☐ IQI / ☐ P & T / ☐ QUAC
☐ Operations / ☐ Executive / ☒ Compliance / ☐ Department
Approving Entities: / ☐ BOARD / ☒ COMPLIANCE / ☐ FINANCE / ☐ PAC
☒ CEO / ☐ COO / ☐ Credentialing / ☐ DEPT. DIRECTOR/OFFICER
Approval Signature: Elizabeth Gibboney, CEO / Approval Date: 11/15/2017
  1. RELATED POLICIES:

Policy CMP-13: Minimum Use Necessary or Disclosure of Member Information

  1. IMPACTED DEPTS:

All

  1. DEFINITIONS:
  A. Protected health information (PHI) referred to herein includes, but is not explicitly limited to:
    a. Information received or otherwise collected on claim forms and their attachments, referral forms, medical records, utilization management review notes, logs, reports, treatment plans, committee records, and eligibility files and other administrative data that are personally identifiable. PHI includes any such information whether in oral or recorded form, both electronic and written, that may be used to identify a patient.

b. Information received and/or collected by any individual is limited to that essential in the performance of his/her specific job function. PHC conducts research and measures quality using aggregated or non-personally identifiable protected health information to the extent possible.

B. Prolonged time: any duration of time greater than 15 minutes

  1. ATTACHMENTS:
  2. Confidentiality Agreement
  3. PHI Evacuation Process
  1. PURPOSE:
  1. POLICY / PROCEDURE:

1. Oversight:

  1. The Compliance Committee is designated as the internal body charged with reviewing and approving all compliance policies and procedures as well as any related initiatives on confidentiality or privacy
  2. PHC’s appointed Privacy Officer will sit on the Compliance Committee
  3. The Regulatory Affairs and Compliance Unit (RAC) under the direction of the Privacy Officer is responsible for the review of external requests for using members' PHI and identifying opportunities where such member-specific information is not absolutely necessary
  4. The Physical, Technical, Administrative Safeguard (PTAS) workgroup reviews the processes for how to determine which staff need what level of access and determining operational mechanisms for abiding by specific member requests to limit access to data.

2. Routine Member Consent

  1. All PHC members sign a consent form at the time of enrollment in the Medi-Cal program. This consent allows the County and PHC to utilize PHI in order to verify their eligibility.
  2. Members who obtain Medi-Cal benefits through the Social Security Administration are made aware that their PHI may be used in order to provide medical care.
  3. As a contractor with County Children’s Health Initiatives (CHIs), DHCS, and MRMIB, PHC utilizes this consent to allow PHC the ability to share necessary PHI with subcontractors, such as medical providers, in order to fulfill the requirements of PHC's contracts with these agencies or to provide additional services and benefits. Special authorization may be requested of the member by PHC or its subcontracted providers before PHI can be shared with an outside organization.
  4. Examples of situations that may require authorization include, but are not limited to:

1) Research projects where a member is personally identifiable, release of health information pertaining to a sensitive diagnosis (release of information from a behavioral health specialist to the PCP is required by the behavioral health organization). In such instances, PHC or its subcontracted providers notify members of their right to limit the scope, or decline release, of their PHI. Members are made aware of PHC's confidentiality policies in the Member Handbook/EOC and other member communications.

a) For release of information guidelines or authorization form, contact the PHC Regulatory Affairs & Compliance Unit.

3. Access to Medical Records

  1. All PHC members may access their medical records by contacting their primary care provider, or the treating provider in instances where a member is not assigned to a primary care provider.

1) Members are not charged for copies of their medical records, and providers are made aware of this prohibition in the Provider Manual. Members are made aware of this process in the Member Handbook, via the PHC website and in other member communications.

  1. Members may file a request to amend PHI, other than medical records that are retained by PHC (e.g. care coordination database), although this request may or may not be granted by PHC. If a request to amend is denied, members are notified of the denial in writing.

4. Safeguarding PHI

  1. Internal

1) All PHC employees are apprised of PHC's prohibition against inappropriate disclosure of confidential information and are required to sign PHC’s Confidentiality Agreement found in Attachment A on their date of hire as part of their orientation to PHC.

a) This confidentiality statement includes a written attestation that the employee has read and understands this policy.

b) This signed Agreement is maintained by Human Resources in each employee’s file.

c) Immediate action will be taken in the event of a breach of confidentiality in accordance with current policies and procedures.

2) All PHC employees are directed to shred or otherwise properly dispose of paper data containing PHI in confidential and secure shred bins located throughout the building. Paper data containing PHI are not to be disposed of through regular trash or recycle bins.

5. Clinical or Administrative Services Subcontractors

  1. All subcontractor Business Associate agreements, including those with providers, explicitly state PHC's expectations about maintenance of confidentiality of member information and records.
  2. Primary care provider practices are assessed as to their ability to safeguard confidentiality of members' PHI in accordance with the facility review process.

6. Research and Quality Measurement

  1. To the extent possible, PHC utilizes aggregate or other non-personally identifiable health information when conducting research, quality studies, or other measurements. When this is not possible, PHC ensures that any subcontractors and committee members sign confidentiality agreements annually or their contracts contain confidentiality protection clauses.

7. Peer Review Records

  1. Proceedings and records obtained for the quality/peer review process are protected by California Evidence Code § 1157 and are not subject to discovery when confidentiality has been maintained. To maintain confidentiality, peer review records are retained by the Quality Monitoring and Improvement department and are not released to anyone for purposes other than peer review.

1) Records are maintained in a locked file cabinet with access restricted to the Chief Medical Officer, Director of Quality and Performance Improvement, QI Coordinators, the QI Assistant, and peer reviewers.

2) While records are being reviewed, or during transport to peer review meetings, a QI staff person accompanies them at all times.

B. Procedure

1. All departments are to maintain paper data containing PHI in locked cabinets or secured file rooms. Sensitive files include, but are not limited to, those department files which involve PHC member or provider specific information, i.e. documents with member names, diagnosis, procedures, complaints, grievances, authorizations, medical records, claims, or member/provider call logs with member/provider information, and provider credentialing information.

  1. Files not being used are to be returned to secured cabinets.

1) No sensitive files are to be left in work stations when unattended.

2) At the end of the day, all sensitive files are to be returned to the locked file cabinet.

  1. Files taken offsite must be secured and not left unattended at any time.

1) Sensitive files may not be checked in baggage on commercial planes, or be left unattended in vehicles or on planes.

  1. Files containing PHI are not to be removed from PHC’s offices except for routine business purposes or with the express written permission of the health oversight authority.
  2. Computer reports and listings with sensitive member and provider data are to be stored in locked file cabinets or secure file rooms when not being used.

1) Old computer reports and listings are to be shredded when they are no longer needed.

  1. Faxes and emails containing PHI must contain a confidentiality statement notifying persons who receive these documents in error to destroy them. Staff shall verify email addresses and/or fax numbers prior to sending documents.

2. PHI may be mailed using secure methods only.

  1. Paper documents must be sent via certified mail (USPS), or via FedEx.
  2. CDs, or other transportable media must be sent through the same means, and the contents of CDs or other transportable media must be encrypted using PGP.

1) Passwords for encrypted media must be sent separately (via email) to the recipient of the PHI.

3. Inactive/dead files and medical records are to be shredded.

4. Working documents and notes relating to member/provider specific information are to be stored in locked work station drawers at the end of each day and when away from the work area.

5. PHC staff are to lock their computers during breaks, lunch, meetings and when leaving for the day.

6. When at their work station, but not actively working in the system, PHC staff are to return the computer screen to the main menu of the subsystem they generally access.

7. Member or provider information may not be left displayed on the computer screen when visitors are present at the PHC office.

8. Non-PHC staff are asked to sign in and wear a visitor’s badge.

  1. Non-PHC staff are not left unattended while visiting PHC, unless using common space such as the employee lounge and conference rooms
  2. CDs are to be stored in locked file cabinets

9. All work stations are to be cleared of member and provider sensitive information/documentation at the end of each day. PHI or any sensitive information/documentation must be locked in desk drawers.

  1. Prolonged time away from workstations:

1) Must lock away all PHI

2) PHI kept in a locked office is considered secure

10. Member Focus Groups

  1. Tapes can be viewed by PHC staff on site at PHC only.
  2. Departmental Director approval is required for any staff to view the tape.

1) If the tape is shown to any individuals other than PHC staff or Board members, Departmental Director approval is required, complete with an explanation of which PHC staff member will be present with those who view the tape.

2) For any non-employee to view the tape while here at PHC, the Member Services Department is responsible to provide the confidentiality page for signature and to make sure these are received back when the tape is returned.

3) Designated staff within the Member Services Department will maintain the tapes in a locked drawer.

4) PHC staff requesting the tapes for viewing must have approval from their department director prior to requesting the tapes from Member Services Department.

5) On a case-by-case basis, a Departmental Director may have special circumstances that are outside of these guidelines. In those instances, approval from the CEO and/or PHC Privacy Officer must be obtained.

  1. REFERENCES:
  2. Employee Handbook Declaration of Confidentiality Section
  1. DISTRIBUTION:
  2. SharePoint
  3. Directors
  1. POSITION RESPONSIBLE FOR IMPLEMENTING PROCEDURE:

N/A

  1. REVISION DATES:

Medi-Cal
01/27/95, 10/10/97 (name only), 12/98, 02/13/01, 10/30/02, 12/11/02; 01/26/04, 10/13/06, 05/01/09, 06/18/10, 12/06/11, 12/04/12, 03/26/13, 09/07/16, 11/15/2017

PREVIOUSLY APPLIED TO:

PartnershipAdvantage:
CMP-10 – 06/01/2006 to 01/01/2015
Healthy Families:
CMP-10 – 10/01/2010 to 03/01/2013

Healthy Kids:

CMP-10 – 01/01/2006 to 12/06/2016
