Handling PHI: Collection, Storage, Transmission, and Disposal
Category: Privacy
Date: March 2003
Reviewed/Revised: July 2014
Policy
The patient’s health record is the property of EVMS Medical Group and shall be appropriately collected, maintained, transmitted, stored, and disposed of by EVMS Medical Group in accordance with legal, accrediting, and regulatory requirements. Protected health information (“PHI”) may not be used or disclosed except when authorized by the patient or as otherwise permitted or required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Virginia Health Records Privacy Act, Va. Code Section 32.1-127:103, and other applicable state and federal laws and regulations. PHI is individually identifiable health information that is transmitted or maintained in electronic media or in any other form or medium, including, but not limited to, paper and oral forms. All health information, including PHI, shall be regarded as confidential and shall be made available only to authorized users in accordance with state and federal laws and regulations. For more information about the proper use and disclosure of PHI, review EVMS Medical Group’s Notice of Privacy Practices and HIPAA policies, including Authorization to Disclose or Use Protected Health Information and Confidentiality of Patient Information.
Procedure
I. Collection of Protected Health Information
- The types and amount of health information gathered and recorded about a patient shall be limited to that information needed for patient care.
- All individuals engaged in the collection, handling, or dissemination of patient health information shall be specifically informed of their responsibility to protect patient data and of the penalty for violation of this trust. Staff who feel they are inadequately trained or informed should raise this issue with their supervisor or manager. A proven intentional breach of the confidentiality of patient information may result in immediate termination of access to further data and immediate termination of any employer-employee relationship. For more information about the group’s disciplinary action procedure, please refer to EVMS Medical Group’s Disciplinary Action policy.
- The collection of any data related to a patient, whether by interview, observation, or review of documents, shall be conducted in a setting which provides reasonable privacy and protects the information from unauthorized disclosure. Protected health information should not leave the premises of EVMS Medical Group facilities or EVMS Medical Group’s business associates unless EVMS Medical Group or its business associate, as applicable, has received a valid patient authorization or such disclosure is otherwise required or permitted by law.
II. Storage of Health Records
- Access to the areas housing health information records in any form shall be limited to Health Information Management Department personnel and other individuals designated by the Department administrator to have a legitimate need to access the area.
- Health records should be kept in secure areas at all times. Health records should not be left unattended in areas accessible to unauthorized individuals. Information systems containing PHI should be secure and inaccessible to unauthorized individuals.
- If health records are stored off-site, then they must be stored in a secure off-site location. The off-site facility (or agent) maintaining protected health information must sign a business associate agreement and a confidentiality statement. Self-storage units are not acceptable off-site locations for protected health information, in any form.
- In accordance with applicable state and federal laws, physicians must maintain health records for adults for at least six (6) years from the last patient encounter. Health records of a minor child, including immunization records, must be maintained until the child reaches the age of 18 or becomes emancipated, with a minimum time for record retention of six (6) years from the last patient encounter regardless of the age of the child. 18 VAC 85-20-26.
- Pathology test reports must be retained for at least ten (10) years after the date of report. This information may be maintained as part of the patient’s chart or medical record and must be readily available to the lab and the Department of Health and Human Services. 42 CFR 493.1105.
- If EVMS Medical Group performs the mammogram, then it must retain the mammography films and reports in a permanent medical record of the patient for a period of not less than five (5) years, or not less than ten (10) years if no additional mammograms of the patient are performed by EVMS Medical Group. 42 U.S.C. § 263b(f)(1)(G); 21 CFR 900.12(c)(4)(i).
III. Transmission of Protected Health Information (PHI)
In the course of work it may become necessary to send internal communications containing protected health information. If it is necessary to transmit protected health information internally, the following guidelines should be followed:
- All communications containing protected health information should be sent using a secure method such as (a) inter-office mail marked “confidential”, (b) facsimile in accordance with the EVMS Medical Group Facsimile Confidentiality Policy, (c) the EVMS Medical Group EHR system, or (d) if necessary, email, but only over the encrypted EVMS network and only between email addresses ending in “evms.edu”. Protected health information should not be transmitted by text message or any other unsecured and unencrypted messaging system.
- All other HIPAA policies and procedures of EVMS Medical Group regarding the use and disclosure of PHI must be followed.
IV. Disposal of Protected Health Information (PHI)
Protected health information that is stored in any form (for example, as an abstract, index, photocopy, carbon copy, or computer media) is subject to the same maintenance and confidentiality requirements as described in the EVMS Medical Group policy on Confidentiality of Patient Information. Any records containing PHI may be destroyed or disposed of only by EVMS Medical Group and only in accordance with the HIPAA Privacy and Security Rules.
Any workforce member or volunteer who is involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal.
Health information must never be placed into a trash receptacle or other container that is accessible by the public or other unauthorized persons.
Protected health information is considered destroyed if:
- For PHI in paper records: it has been shredded, burned, pulped, or pulverized so that the PHI is rendered essentially unreadable and indecipherable and otherwise cannot be reconstructed.
- For PHI on electronic media: it has been cleared (using software or hardware products to overwrite the media with non-sensitive data), purged (degaussing, that is, exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroyed (disintegration, pulverization, melting, incineration, or shredding). Electronic media is appropriately destroyed if it has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88 such that the PHI cannot be retrieved.
If an outside vendor provides disposal services on behalf of EVMS Medical Group, then the vendor and EVMS Medical Group must enter into a business associate agreement that requires the business associate, among other things, to appropriately safeguard the PHI through disposal.