General Guidelines

It is office policy that all information contained in the medical record is private and will remain strictly confidential. A patient’s medical record information cannot be released without the express consent of the patient. The office maintains a standard Consent to Release Medical Records Form, which must be reviewed, understood, and signed by patients before the release of any part of the patient’s medical records.

The following guidelines govern office data security:

1.  The medical record belongs to the physician/practice and will not be made public.

2.  Only the physician and those clinical and administrative staff members who have a specific need will have access to and handle medical records.

3.  All records are maintained in the office in a secure medical record storage facility. The facility is to be locked after hours. During normal business hours, only designated office staff members monitor the facility.

4.  Information contained in the medical record is not to be discussed by or among employees or with visitors unless there is a specific reason to do so. Such conversations are considered confidential.

5.  The office maintains a stated policy for releasing HIV/AIDS and STD information contained in medical records. That policy should reflect state law.

6.  All employees, consultants, and contractors who may have access to confidential information are advised of their responsibility to maintain the confidentiality of all data and information, including but not limited to the private medical information of patients, as well as any information deemed proprietary.

7.  All employees, consultants, and contractors are informed, prior to employment or contract execution, of the confidentiality of private medical information and of the rules and regulations governing its use. All employees receive instruction on the appropriate handling and safeguarding of confidential information and are apprised of their responsibility for maintaining strict confidentiality of practice and patient data.

8.  Only designated managers, staff, consultants, and contractors are authorized to review the medical records of patients seen by the practice. All such personnel are to be trained in the proper handling of medical records and are to continue receiving such training as necessary.

9.  Electronic information systems that maintain electronic protected health information must be secured so that only authorized users can access the information. This includes the following requirements:

      Assign each user a unique user name or number so that the identity of the person accessing the information can be tracked.

      Establish procedures for accessing electronic protected health information during an emergency.

      (Optional) Ensure electronic sessions are terminated after a predetermined time of inactivity.

      (Optional) Encrypt all electronic health information.