Policy & Guidelines for Physical Security
Designated Record Set: Medical, clinical research and billing
records about an individual maintained or used to make decisions about the
individual and the individual’s treatment. and subject to an individual’s
right to request access and amendment.
Medical Record [from Exhibit 5002A]: for the purposes of
these guidelines the ‘medical record’ is considered to include Identification
Sheet/Face Sheet; Advance Directives; Problem List; History and Physical; Progress
Notes (including documentation); Consultations; Diagnostic Imaging Reports;
Laboratory Reports; EKG Reports; EEG Reports; Pathology Reports; Reports of
Operations/Procedures; Therapy Reports; Graphic Sheets; Medication Records;
Nursing Documentation; Immunization Records; Discharge Instructions; Consents
and Authorizations; Home Health Documentation; Photographs (if included in
the medical record); Medical Release Forms; Life Time Insurance Authorization
(LTIA) (scanned image); Explanation of Benefits (EOB) (scanned image); Patient
Checks (scanned image)
Protected Health Information (PHI): individually identifiable
health information that is held by a covered component and transmitted or maintained
in any form or medium. PHI excludes individually identifiable health information
in education records covered by the Family Educational Right and Privacy Act
(FERPA) (records described in 20 USC 1232g(a)(4)(B)(iv)) and employment records
held by a covered entity in its role as employer. (see HIPAA
- You must secure paper records that include protected health information.
You must immediately report all incidents that may involve the loss or theft of any such paper records.
Call: (203) 432-3262 to report potential breaches
- Medical records and PHI must be located and used so as to minimize incidental
disclosure of PHI
- Individual documents should not be separated from the medical record and
Exception: Pages can briefly be removed for administrative purposes,
such as making copies
- We recommend having a process for tracking/logging the location of medical
records and PHI while in use, transit or storage
- YSM, YSN & YNHH primary source medical records and PHI should not
leave the worksite
Exception: medical records and PHI in transit between worksites
Exception: inactive records and PHI stored in off–site archives
If the medical record and PHI is in use, but not actively being viewed,
it should be closed, covered or placed in a position to minimize incidental
disclosure. This is especially important in patient or research subject areas.
In Transit (including YNHH medical records)
Medical records and PHI should be covered, so that no personal identifiers
are visible when moving medical records and PHI in volume use procedures that minimize
- Medical records and PHI must be stored where there is controlled access
- We recommend that medical records and PHI stored in hallways that are
accessible by unauthorized individuals should be in locked cabinets.
- No open shelves in a patient or research subject area.
- No open shelves in a hallway that allows access to individuals not authorized
to access those medical records and PHI.
- Medical Records and PHI should be stored out of sight of unauthorized
individuals, and should be locked in a cabinet, room or building when not
supervised or in use.
- Provide physical access control for offices/labs/classrooms through the following:
- Locked file cabinets, desks, closets or offices
- Mechanical Keys
- ID swipes (can be designed to accept YU/YNHH IDs)
- Alarm keypad systems (mechanical or electronic)
- Change keypad access codes on a regular basis
- Assign someone to manage and document access issues (keys,
card swipe, keypad access):
- Identify individual(s) with the authority to grant access to an area
- Use the HR Oracle Move
and Gone report to remove access ASAP when an individual’s status
changes or if the individual leaves the University.