Category: Privacy

Date: March 2003

Reviewed/Revised: April 2013

Policy

It shall be the policy of EVMS Medical Group et al. that all information regarding care of the individual patient be maintained as confidential information. Patient care information is the property of the patient; EVMS Medical Group is the steward or caretaker of that information and the owner of the medium of storage.

Purpose

To protect the patient, the clinical team, and the EVMS Medical Group et al., from inappropriate dissemination of information regarding care of individual and collective patients. This policy applies to all clinical staff, employees, vendors, volunteers, students and others who are members of the EVMS Medical Group et al., and refers to all information resources, whether verbal, printed, or electronic, and whether individually controlled, shared, stand alone or networked. Proper handling of external requests for patient information is addressed in the Uses and Disclosure of PHI policies. This policy also provides guidelines and examples on employee access to patient identifiable information to ensure confidentiality and integrity of patient information.

Definitions

Aggregate Data: A collection of patient care or clinical information which does not reveal the identity of individual patients.

Central Repository of Patient Information: A physical archive or storage area where one or more of the several components of patient information are permanently maintained.

Clinical Staff: Attending, courtesy, honorary, and visiting physicians, house officers and fellows, special purpose trainee staff members and nurses having practice privileges for the diagnosis and treatment of patients at the EVMS Medical Group et al.

Confidential Information: All of the following are considered confidential.

  • Patient information collected by EVMS Medical Group et al. (e.g. transferred medical records, correspondence, telephone calls, etc.); or
  • Patient information generated by the EVMS Medical Group et al..; or
  • Information entrusted by the patient to an employee, trainee, student, volunteer or member of the clinical staff; or
  • Any knowledge the employee, trainee, student, volunteer or clinical staff member has regarding the patient.

Data Steward: Individual or department having access to patient information and having capability of providing for storage or transfer of patient information subject to this policy.

Due Care: That degree of care which other prudent, competent persons providing patient services would exercise in similar circumstances.

Employee: For the purposes of this policy, any individual who receives compensation from EVMS Medical Group.

Inappropriate Dissemination: Seeking access to and/or disclosing confidential information, regardless of intent, in verbal, written or electronic form:

  • To individuals not involved in the care and treatment of the patient; or
  • To individuals who are involved with or know the patient but have no need to know the information; or
  • In a setting where that information could be overheard by individuals who have no need to know (e.g., in elevators, lobbies, waiting rooms, hallways, dining rooms, etc.); or
  • In a setting where information can be read or transferred from an unattended computer monitor; or
  • Through sharing another person’s electronic password.

Need to Know: Necessary to fulfill the mission or charge of EVMS Medical Group and its clinical staff, employees, trainees, students, volunteers, or vendors to provide quality patient care, education and research. See Exhibit – “Need to Know” for further discussion and examples of this definition.

Patient Information: All information, data and/or knowledge relating to the care of an EVMS Medical Group patient, including but not limited to:

  • The medical record, including data recorded on paper, on microfilm, or in a computer data base; or Pictorial, graphic, or multimedia representations (e.g. photographs, x-ray films ECG tracings, videotape); or Tissue specimens obtained for histological examination; or
  • Administrative data, such as the data included in the EVMS Medical Group census system, registration system, clinic scheduling system, laboratory system and the billing system; or
  • Business or financial records.

Trainee: Any individual involved, directly or indirectly, in the provision of patient care, one aspect of which is to further that individual’s knowledge. Includes house officers, medical students, nursing students, and other health care professions students. A trainee may or may not receive financial compensation from EVMS Medical Group.

Vendor: Any individual or organization that sells or otherwise provides goods or services to EVMS Medical Group.

Volunteer: Any individual providing a service to EVMS Medical Group coordinated through the Director of Volunteers in each corporate area, who receives no financial compensation from EVMS Medical Group for that service.

Policy Standards 

  1. In order to ensure confidentiality, patient information collected and/or generated within EVMS Medical Group shall be maintained in such a manner that access to it is restricted to those with a need to know, and release of it is restricted to those with a legal right to know, as mandated by state and federal laws.
  2. It shall be the responsibility of management in each department to determine what information its members need access to in order to complete their job functions. Viewing or obtaining information not needed for job completion, regardless of the medium of storage, constitutes use of that information. It shall be the responsibility of department management to monitor and discipline members in all matters of information security.
  3. It shall be the responsibility of management staff in each department to inform their employees of this policy and to develop and maintain, if appropriate, data confidentiality policies specific to their department which are consistent with this policy. To ensure knowledge of these policies, it shall be the responsibility of the department supervisors to ensure that current policies are addressed at departmental staff meetings periodically. In addition, these policies shall be referred to and addressed in each orientation program and shall be included in any orientation “information packet” provided for new employees, trainees, volunteers, vendors, and clinical staff.
  4. It shall be the responsibility of respective data steward to maintain secure access to their electronic data and to provide such information in response to questions regarding potential breach of confidentiality. To the extent technologically possible, audit trails shall be maintained of access to both aggregate and patient-identifiable electronic data.
  5. It shall be the responsibility of respective data stewards to maintain a list of all people granted access to electronic databases under their stewardship. Access shall not be granted to employees who do not have an up-to-date, signed confidentiality statement on file. (See Confidentiality Statement)
  6. In order to help ensure that only those employees with a need to know patient identifiable information are granted access to such information, data stewards will, on an annual basis, review who has access to patient identifiable information in central repositories of patient information under their control.
  7. Hard copy printouts of aggregate and patient-identifiable electronic data will be stored in a secure area and maintained in a confidential manner as is currently required of paper medical records.
  8. Every clinical staff member, employee, trainee, student, vendor and volunteer at EVMS shall be responsible for maintaining confidentiality of all information entrusted to them.
  9. Every employee is expected to exercise due care in any discussion or use of patient information.
  10. Confidentiality statements attesting that the employee is aware of and understands the confidentiality policy, shall be signed at the beginning of employment and shall be reviewed and signed by all employees and clinical staff of EVMS Medical Group who have access to patient identifiable information.
  11. EVMS Medical Group characterizes as unethical and unacceptable any activity through which an individual:
    1. Voluntarily allows or participates in inappropriate dissemination of confidential patient information; or
    2. Interferes with the intended use of the information resources; or
    3. Without authorization, destroys, alters, dismantles, disfigures, prevents rightful access to or otherwise interferes with the integrity of patient information and/or information resources; or
    4. Without authorization invades the privacy of individuals or entities that are creators, authors, users, or subjects of the information resources.
  12. Infractions of this confidentiality policy shall be subject to the disciplinary action of EVMS Medical Group, up to and including dismissal and/or loss of privileges. Invasion of another person’s right to privacy can have legal consequences in addition to disciplinary action from EVMS Medical Group.
  13. Requests for access to patient identifiable data needed for research purposes must be accompanied by IRB approval.
  14. Communication regarding confidentiality policies and monitoring of these policies for medical staff shall be channeled through EVMS Medical Group Clinical Auditors.

NEED TO KNOW: The definition of “Need to Know” is information necessary to fulfill the mission or charge of EVMS Medical Group and its clinical staff, employees, trainees, students, volunteers or vendors to provide quality patient care, education, and research.

Following are examples where employees have a need to know patient identifiable information to complete their assigned job functions, as well as examples where employees do not have a need to know such information. These lists are intended to be examples only and are not intended to be complete representations of situations where employees have a need to know patient identifiable information. Per EVMS Medical Group policy, specific access to patient identifiable information is under the discretion of departmental management.

Examples of appropriate uses of patient identifiable information where employees have a need to know:

  1. Rendering care to specific patients.
  2. Billing and collecting for services rendered to specific patients.
  3. Financial analysis to assess the business impact of patient care, including but not limited to analysis of specific cases to assess impact of clinical practice redesign or in response to research requests, and analysis of situations where it is necessary to join records from more than one system (i.e., Vendor 1 and Vendor 2) together in order to analyze the full impact of care.
  4. Performing reimbursement analysis on specific patients.
  5. Provision of educational materials for patients, given at the direction of their treating physician.
  6. Fund raising activities done at the request of a physician who has knowledge of the patient’s or family’s desire to donate to the Medical School.

Examples of inappropriate use of patient identifiable information:

  1. Mass mailing fund raising solicitations to patients with specific medical conditions, without the express approval of the Provost and Dean of the Medical School.
  2. Informing others that employees, relatives, famous people, etc., are patients in the hospital.
  3. Use of personal medical information in making employment decision.
  4. Use of employee’s personal medical information to see if the employee was really out sick, had a doctor’s appointment, had a worker’s compensation injury, etc.
  5. Employee access to or request for patient information of a relative or another EVMS Medical Group employee, unless:
    1. The request or access is made on behalf of an inpatient unit or an outpatient clinic and the information is needed to provide patient care during a verified clinic appointment or inpatient hospitalization;
    2. The request of access is made for the purpose of carrying out medical research and the need for the patient information is verified as consistent with the goals of that research;
    3. The request or access made by EVMS Medical Group for billing and collection purposes.