Policy & Guidelines for Physical Security

Definitions

Designated Record Set: Medical, clinical research and billing records about an individual maintained or used to make decisions about the individual and the individual’s treatment. and subject to an individual’s right to request access and amendment.

Medical Record [from Exhibit 5002A]: for the purposes of these guidelines the ‘medical record’ is considered to include Identification Sheet/Face Sheet; Advance Directives; Problem List; History and Physical; Progress Notes (including documentation); Consultations; Diagnostic Imaging Reports; Laboratory Reports; EKG Reports; EEG Reports; Pathology Reports; Reports of Operations/Procedures; Therapy Reports; Graphic Sheets; Medication Records; Nursing Documentation; Immunization Records; Discharge Instructions; Consents and Authorizations; Home Health Documentation; Photographs (if included in the medical record); Medical Release Forms; Life Time Insurance Authorization (LTIA) (scanned image); Explanation of Benefits (EOB) (scanned image); Patient Checks (scanned image)

Protected Health Information (PHI): individually identifiable health information that is held by a covered component and transmitted or maintained in any form or medium. PHI excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (FERPA) (records described in 20 USC 1232g(a)(4)(B)(iv)) and employment records held by a covered entity in its role as employer. (see HIPAA glossary)

General Information

You must secure paper records that include protected health information. You must immediately report all incidents that may involve the loss or theft of any such paper records.

Call: (203) 432-3262 to report potential breaches

Medical records and PHI must be located and used so as to minimize incidental disclosure of PHI
Individual documents should not be separated from the medical record and PHI.
Exception: Pages can briefly be removed for administrative purposes, such as making copies
We recommend having a process for tracking/logging the location of medical records and PHI while in use, transit or storage
YSM, YSN & YNHH primary source medical records and PHI should not leave the worksite
Exception: medical records and PHI in transit between worksites
Exception: inactive records and PHI stored in off–site archives

In Use

If the medical record and PHI is in use, but not actively being viewed, it should be closed, covered or placed in a position to minimize incidental disclosure. This is especially important in patient or research subject areas.

In Transit (including YNHH medical records)

Medical records and PHI should be covered, so that no personal identifiers are visible when moving medical records and PHI in volume use procedures that minimize exposure.

Storage

Medical records and PHI must be stored where there is controlled access
- We recommend that medical records and PHI stored in hallways that are accessible by unauthorized individuals should be in locked cabinets.
- No open shelves in a patient or research subject area.
- No open shelves in a hallway that allows access to individuals not authorized to access those medical records and PHI.
Medical Records and PHI should be stored out of sight of unauthorized individuals, and should be locked in a cabinet, room or building when not supervised or in use.
Provide physical access control for offices/labs/classrooms through the following:
- Locked file cabinets, desks, closets or offices
- Mechanical Keys
- ID swipes (can be designed to accept YU/YNHH IDs)
- Alarm keypad systems (mechanical or electronic)
- Change keypad access codes on a regular basis
Assign someone to manage and document access issues (keys, card swipe, keypad access):
Identify individual(s) with the authority to grant access to an area
Use the HR Oracle Move and Gone report to remove access ASAP when an individual’s status changes or if the individual leaves the University.

Yale University