Health Insurance Portability and Accountability Act (HIPAA)
 

19.0 DOCUMENT SECURITY 
19.1 Purpose 
The HIPAA Privacy and Security regulations require that documents containing protected health information, in particular, documents pertaining to the Medical Assistance, GA, TANF, CHIP and Adult Basic programs, be kept confidential. 
19.2 Policy 
1. This policy must not impede service delivery or prevent efficient office practices (telephone messages, interview notes). The policy must protect information in the individual’s record and limit incidental disclosures. 
2. All documents (including paper and electronic documents) containing identifying information must be kept confidential and private at all times. 
3. Identifying information includes names, addresses, social security numbers, employee numbers, CIS/HCSIS numbers, account numbers, e-mail addresses, internet addresses, fax numbers, vehicle ID numbers, birth dates, discharge dates, employment dates, photographs and descriptions of persons that could identify a specific individual.
19.3 Procedure 
1. Neither interoffice nor outside mail may be out of sight at any time during pick-up or delivery. This applies to areas that are accessible to the public during the process of picking up and delivering mail. This does not apply to mail distribution areas/rooms or mail on someone’s desk. 
2. All documents containing identifying information must be shredded prior to disposal. Documents waiting to be shredded must be stored in a lidded shredding bin or in a confidential area. Documents must be shredded within 15 working days of designation to be shredded. 
3. All floppy diskettes that contain identifying information must be destroyed prior to disposal. Identifying information on diskettes must be deleted prior to disposal if possible. Diskettes to be disposed of (whether information is deleted or not deleted) must be sent to the DPW Office of Administration, Division of Support Services, DPW Warehouse, 905 Elmerton Avenue, Harrisburg, PA 17105, 717-783-8083, attention surplus officer, for proper disposal. The DPW Warehouse has a proper disposal box and procedures for disposal of diskettes.
4. An alternative to 19.3 (relating to document security procedure), #2 and #3, is to implement a contract, which includes business associate assurances, with an appropriate professional shredding service that is HIPAA compliant. A shredding service may be used for disposal of paper documents, floppy diskettes or both. If a shredding service is used, the time frame for shredding in 19.3-2 does not apply. 
5. All documents containing identifying information must be kept in a locked file cabinet or in a locked office when unattended. This does not apply to offices located in secure buildings or to areas of buildings where public access is not permitted (e.g. employee access only). 
6. All e-mail and facsimile (fax) communications containing identifying information must contain a confidential warning regarding unintended access to the information. 
7. Knowledge of a violation of this policy must be reported directly to the program office coordinator. 

20.0 GENERAL BUSINESS PRACTICES 
20.1 Purpose 
HIPAA Privacy and Security regulations require that protected health information be kept confidential in daily practice. 
20.2 Policy 
All staff must maintain the confidentiality of protected health information in daily practice.