Fluent Essays

The instructions for the paper are attached, as well as the documents you will need to read and reference in writing the paper. health_record_paper_instructions.docx cedar_bend_record_policy.pdf hipaa_security_rule_overview.pdf retention_and_destruction_of_health_information.pdf Unformatted Attachment Preview Paper Instructions Background The health record is a form of communication between internal and external stakeholders in the healthcare environment. Health information management professionals are responsible for managing health records whether in paper, electronic, or hybrid format. Guidelines must be followed in maintaining records, including their storage and destruction, and policies must be evaluated for their compliance with state and federal regulations. Goals of the Paper A. Compare and contrast the characteristics of paper, hybrid, and fully electronic health records. 1. Discuss legal issues that may arise when using hybrid records. B. Evaluate the attached “Cedar Bend Record Policy” to determine if the policy protects health information for record storage and destruction of paper and electronic health records, by doing the following: 1. Describe whether the Cedar Bend record policy would comply with the State of Iowa’s regulations. Be sure to include the state in which you reside and justify your decision. Note: Refer to the attached “State Retention Guidelines” to identify your state’s regulations. (Iowa) 2. Describe whether the Cedar Bend record policy would comply with the Medicare Conditions of Participation. Note: Refer to the attached “Retention and Destruction of Health Information” for a summary of the Medicare Conditions of Participation. 3. Describe whether the Cedar Bend record policy would comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Note: Refer to the attached “HIPAA Security Rule Overview” for a summary of the relevant HIPAA regulations related to records storage and destruction. Requirements C. Acknowledge sources, using APA-formatted in-text citations and references, for content that is quoted, paraphrased, or summarized. 4 full double-spaced pages. No plagiarism. Cedar Bend Hospital Policy and Procedures SUBJECT: Retention of Health Information DEPARTMENT/SERVICE: Health Information Management APPROVED BY: Virginia Welch, RHIA HIM Director MEDICAL STAFF COMMITTEE James Harkness, MD CHIEF FINANCIAL OFFICER Richard Louis, MBA CHIEF EXECUTIVE OFFICER Hudson Taveggia, MBA POLICY NO. HIM 19.44 EFFECTIVE DATE: 04/2011 REVIEWED/REVISED: 4/01; 4/05; 4/08; 4/09; 4/10 PURPOSE To establish guidelines for the retention, storage, and destruction of health information that meet the requirements of federal and state laws and regulations. POLICY Health information will be retained, stored, and destroyed in paper copy or electronic media format according to state and federal guidelines and Cedar Bend Hospital retention guidelines. PROCEDURE: I. Maintenance of Health Information a) Health information (for definition, refer to Policy 19.50: Legal Medical Record) within the medical record is considered a hybrid record, consisting of both paper and electronic documentation. All paper medical records are converted to an electronic format within 24 hours of patient discharge. b) Electronic portions of the medical record are fed via computer output to laser disc into the electronic health information repository system, Apex Patient Folder (APF), without manual intervention. All electronic documents from all sources should be integrated into the permanent repository system, Apex Patient Folder. II. Retention Guidelines a) All paper records converted to electronic format will be maintained in a safe and secure area in the Health Information and Informatics Management department. Safeguards to prevent loss, destruction, and tampering will be maintained as appropriate. Paper records scanned into the APF shall be retained for a period of six months, at which time they will be shredded. Those records remaining in paper format shall be retained in accordance with Cedar Bend Hospital guidelines. Health Information Diagnostic images Disease Index Fetal heart monitor records Master Patient Index Operative Index Adult medical records Retention Period 5 years 10 years 10 years after the infant reaches the age of majority Permanently 10 years 10 years after last encounter Minors medical records Physician Index Birth Registry Death Registry Surgical Procedure Registry Age of majority plus statute of limitations 10 years Permanently Permanently Permanently b) Health information will be maintained with Apex Patient Folder repository. All health information unable to be scanned will be kept in accordance with section II.a, of this policy. When paper records have reached the designated destruction date, they will be shredded. When electronic information reaches the designated limit of the retention period, it will be destroyed. III. Destruction Guidelines a) Health information maintained in paper format will be shredded after reaching the designated destruction date. A list of stored records and their retention deadlines is kept by the Health Information Management department. The Health Information Management department director will review the list of records. Once approved, designated staff will destroy the records. A destruction log will be maintained to identify the destroyed records, and will include date of destruction, names of individuals responsible for destroying the records, names of persons witnessing the destruction, method of destruction, and patient information (full name, medical record number, date of admission, and date of discharge). b) Prior to a computer’s being redeployed internally or disposed, the information technology (IT) department is responsible for overwriting the entire disk drive (refer to Policy 20.202 HIT). The IT department will follow its policies to ensure all health information is removed and the hard drive is reformatted. In the event the computer is damaged and it is not possible to overwrite the data, the hard drive will be removed from the computer and physically destroyed. Oversight of destruction of compact disks used in the Apex Patient folder (health information repository) is the responsibility of the Health Information Management department director. Compact disks used in the Apex Patient Folder (health information repository) must be shredded or pulverized before disposal. Cedar Bend Hospital contracts this service with an outside vendor. The vendor will provide a certificate indicating the following: 1. Computers and media that were decommissioned have been disposed of in accordance with environmental regulations. 2. Data stored on the decommissioned computer or media was destroyed per the previously stated method(s) prior to disposal. 3. The destruction form will be signed and filed in the Health Information Management department. c) Methods of destruction and disposal will be reassessed annually based on current technology, accepted practices, and the availability of timely and costeffective destruction/disposal services. HIPAA Security Rule Overview (2013 update) Editor’s note: This update replaces the April 2004 and the November 2010 practice briefs titled “A HIPAA Security Overview.” The HIPAA security rule has remained unchanged since its implementation more than a decade ago. However, the Health Information Technology for Economic and Clinical Health (HITECH) Act, amended by the Omnibus Rule on January 25, 2013, includes provisions that change several important aspects of the rule. The Omnibus Rule requires the compliance of business associates (BAs) and their subcontractors. It also requires the Office for Civil Rights (OCR) to perform audits that include stiffer penalties for non-compliance. Achieving compliance requires organizations to maintain and implement effective written policies and procedures as well as implement safeguards and controls. The HIPAA Security Rule describes safeguards as the administrative, physical, and technical considerations that an organization must incorporate into its HIPAA security compliance plan. Safeguards include technology, policies and procedures, and sanctions for noncompliance. This practice brief provides a succinct overview of the security rule, along with some of the background and basic concepts necessary to understand the security rule. In addition, it highlights the skills that health information management (HIM) professionals possess to maintain HIPAA security compliance within their organizations. Background The Department of Health and Human Services (HHS) published the HIPAA security rule on February 20, 2003. Except for small health plans that had until April 21, 2006 to comply, Covered entities (CEs) should have been in compliance no later than April 21, 2005—two years from the original date of publication. However, even today, CEs have difficulty maintaining and documenting compliance with the security rule’s requirements. Although the HIPAA privacy rule covers all protected health information (PHI) in an organization, the HIPAA security rule is narrower in scope and focuses solely on electronic PHI (ePHI). Section 164.530 of the HIPAA privacy rule requires “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” The security rule complements the privacy rule by establishing the baseline for securing ePHI both in transit and at rest. The HIPAA security rule is based on three principles: comprehensiveness, scalability, and technology neutrality. It addresses all aspects of security, does not require specific technology to achieve effective implementation, and can be implemented effectively by organizations of any type and size. Basic Concepts CEs include healthcare plans, healthcare clearinghouses, and healthcare providers that electronically maintain or transmit PHI. As previously stated, the HITECH Act, which is part of the American Recovery and Reinvestment Act (ARRA), and amended by the Omnibus Rule, requires BAs to comply with the HIPAA security rule. This means that BAs are now subject to the same criminal and civil penalties as CEs. The HITECH regulations, which required compliance by September 23, 2013, also include enhanced penalties and a national breach notification requirement. This requirement specifies that in the event of a breach of PHI, organizations must notify the individual(s) to which the PHI is applicable as well as HHS. If the breach affects more than 500 individuals, the organization must also notify the local media. ePHI includes PHI that is simply maintained (i.e., at rest) or PHI that is transmitted (i.e., in transit). Examples of ePHI at rest include patient information stored on magnetic tapes, optical discs, internal and external hard drives, DVDs, USB thumb drives, smartphones, and storage area networks. ePHI in transit includes patient information sent between computer systems (internal and external). The security risks are generally greater when ePHI is being transmitted outside of an organization’s internal network. This includes sending information via the Internet and extranet technology, leased lines, and private networks. However, security breaches of ePHI in transit can also occur internally by authorized users. HIPAA security implementation specifications are either required (i.e., must be implemented as stated in the rule) or are addressable (i.e., must be implemented as stated in the rule or in an alternate manner that better meets the organization’s needs while still meeting the intent of the implementation specification). Although addressable specifications offer some flexibility to organizations these specifications are still required. Organizations choosing an alternate method of implementation for addressable specifications must maintain formal documentation regarding why and how the specification is implemented. Information security is the preservation of confidentiality, integrity, and availability of information. In a healthcare setting, this security includes ePHI used for clinical decision making or healthcare operations. Scalability allows organizations to identify security measures appropriate for its own unique operational risks and other factors. These factors include the organization’s size and complexity, hardware and software, costs of implementing additional security, and the threats and vulnerabilities identified during a risk analysis. The Security Rule at a Glance The HIPAA security rule standards are grouped into five categories: administrative safeguards; physical safeguards; technical safeguards; organizational standards; and policies, procedures, and documentation requirements. One of the most important steps in preparing to implement these standards is to review the HIPAA security rule itself. The most important elements of the rule are summarized below. Administrative safeguards (section 164.308) include nine standards: 1. Security management functions. This standard requires organizations to analyze their security risks and implement policies and procedures that prevent, detect, and correct security violations. It also requires organizations to define appropriate sanctions for security violations. Security management is the foundation of the HIPAA security rule. Performing a thorough risk analysis and developing a corresponding risk management plan are an integral first step toward compliance with this standard. o Tip: One of the keys to this section is to use risk analysis to prioritize the security management process. Identify the specific controls (i.e. stronger passwords, 2. 3. 4. 5. 6. 7. 8. 9. email encryption, intrusion prevention software, locking down USB ports) that the organization will implement. Ensure enforcement of policies and procedures by applying sanctions and reviewing system activity regularly. Assigning security responsibility (no implementation specifications) requires organizations to identify the individual responsible for overseeing development of the organization’s security policies and procedures. o Tip: This role must include a job description. Everyone in the organization should be able to identify this individual and his or her role. Workforce security (three implementation specifications) requires organizations to develop and implement policies and procedures to ensure that members of the workforce have access to information appropriate for their job. It also requires organizations to have clear termination procedures. o Tip: Workforce extends beyond employees (review HR policies for further clarification) to physicians (Credentialing Office) and contract workers, so a process must be in place to validate, add, and remove users. Information access management (three implementation specifications) requires organizations to implement procedures authorizing access to ePHI. o Tip: Document clearly who can authorize the access to PHI for the organization’s workforce (i.e., employees, vendors, contractors). Security awareness and training (four implementation specifications) require a security awareness and training program for all members of the workforce, including management. o Tip: Although only four areas (security reminders, protection from malicious software, log-in monitoring, and password management) of specific training are mentioned, organizations should train staff on their overall policies and practices to protect the security of ePHI. Security incident procedures (one implementation specification) require that there be policies and procedures for reporting and responding to security incidents. o Tip: Refer to the Omnibus Rule to meet compliance with this standard. Contingency planning (five implementation specifications) requires organizations to develop and implement policies and procedures for responding to an emergency or an unusual occurrence (i.e., a fire, vandalism, or natural disaster) that damages equipment or systems containing ePHI, making the information unavailable to caregivers. o Tip: Ensure that critical information is available at patients’ bedsides. . Evaluation (no implementation specifications) requires a technical and a nontechnical review, including periodic monitoring of adherence to security policies and procedures, documentation of the results of those monitoring activities, and implementation of appropriate improvements in policies and procedures. o Tip: The OCR issued the HIPAA Audit Program Protocol that can assist organizations in conducting an evaluation. However, the protocol does not address each standard. Organizations must ensure that their evaluation includes all HIPAA, HITECH, and Breach Notification requirements. BA contracts and other arrangements (one implementation specification) requires contracts between CEs and BAs to provide satisfactory assurance that appropriate safeguards will be applied to protect the ePHI that is created, received, maintained, or transmitted on behalf of the CE. o Tip: Identify all data that is shared with organization and reconcile this with all business associate agreements (BAAs). Physical safeguards (section 164.310) include four standards: 1. Facility access controls (four implementation specifications) requires limitations on physical access to equipment and locations that contain or use ePHI. o Tip: Ensure physical security over equipment that transmits information, such as wireless and wired networks. 2. Workstation use (no implementation specifications) requires organizations to document the specific tasks that employees can perform at each workstation. It also requires documentation of the manner in which these tasks can be performed as well as the physical attributes of the areas in which workstations with access to ePHI are located. o Tip: Some language considerations to consider include only allowing terminals business purpose use only, restricting users from downloading or implementing software (i.e., games, music, movies) and not leaving terminals unattended without logging out of workstation or locking it. 3. Workstation security (no implementation specifications) requires a description of how workstations permitting access to ePHI are protected from unauthorized use. Workstations include mobile devices, such as laptops, tablets, and smart phones. o Tip: Workstation security might require encryption for mobile devices, screen savers, automatic logoff and locking down laptops on workstations on wheels (WOWs). 4. Device and media controls (four implementation specifications) require organizations to address the receipt and removal of hardware and electronic media containing ePHI. Organizations must adhere to this standard when using, reusing, and disposing of electronic media containing ePHI both within and outside the organization. o Tip: Often times organizations focus on desktop computers and laptops, but electronic media includes CDs, DVDs, computer hard drives, external or portable hard drives, backup tapes, and USB memory devices (i.e., flash drives, thumb drives, jump drives, copier and printer hard drives, bio-medical devices). Technical safeguards (section 164.312) include five standards: 1. Access control (four implementation specifications) requires controls for limiting access to ePHI to only those persons or software programs requiring the information to do their jobs. o Tip: One of the implementation specifications is for the use of encryption and decryption of data at rest. The need for encryption of data at rest (e.g., data on laptops, thumb drives, mobile devices, and databases) is increasingly common and necessary due to the breach notification requirements when unencrypted data is lost or stolen. 2. Audit controls (no implementation specifications) requires installation of hardware, software, or manual mechanisms to examine activity in systems containing ePHI. o Tip: This regulation, which requires audit controls, works in collaboration with the information system activity review implementation specification under the security management process standard. The technical capabilities of audit controls must be available in order to rev ... Purchase answer to see full attachment