Patient Privacy

DRX 2-5ABC Patient Confidentiality/Privacy and Patient Rights/Responsibilities

It is the policy of Roger Mills Memorial Hospital to treat client/patient protected health information confidentially and enforce secure safeguards.

Protected health information (PHI) is defined as health information, meaning any information, whether oral or recorded in any form or medium (including verbal, faxed, electronic, computerized, telephonic, cellular, hard copy, etc.), that:

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

The HIPAA Notice of Privacy Practices, which describes how Roger Mills Memorial Hospital may use and disclose Protected Health Information (PHI), is included in the “New Patient Packet” sent to each patient in his/her initial order shipment. The Patient Rights and Responsibilities form, which defines the client/patient rights and supplier responsibilities, will also be included in this shipment.

Staff members will discuss client/patient-related information with Company personnel only on a need-to-know basis. Access to a client/patient’s records is limited to Roger Mills Memorial Hospital staff and authorized payers, governmental entities and physicians.

At time of set-up, each client/patient or that client/patient’s legal representative will sign HIPAA authorization forms, allowing Roger Mills Memorial Hospital to obtain PHI from and release PHI to other involved physician(s) excluding the referring physician, and other organizations or individuals involved in that client/patient’s care. In order to release a client/patient’s PHI to any other entity, a Protected Health Information Privacy Agreement signed by the client/patient or that client/patient’s legal representative must first be obtained. This agreement must specify:

  • Description of the PHI to be disclosed
  • Where the PHI is to be forwarded
  • Which entity/individual is permitted to receive the PHI
  • Expiration date of the authorization (if applicable)

The patient has the right to request a restriction on certain uses and disclosures of PHI. The patient also has the right to inspect and obtain a copy of PHI.

Roger Mills Memorial Hospital staff members will receive HIPAA privacy training during orientation. Proof of training will be placed in the employee’s personnel record. Each employee will be required to sign an Employment Conduct Agreement requiring that all confidential information, including passwords and any information received or transmitted by computer, remain confidential. All fax transmissions of PHI require a cover sheet stating the confidentiality of the information being transmitted.

These are some of the topics that are discussed in the HIPAA privacy training during orientation:

  • Definitions
    • HIPAA
    • Covered Entity
    • Protected Health Information
    • Individually Identifiable Health Information
  • Treatment, Payment and Healthcare Operations
  • Notice of Privacy Practices
  • Patient Rights and Responsibilities
  • How We Can Protect Our Patients’ Privacy
  • Employee Responsibilities
  • Leaving a Voicemail
  • HIPAA Violations and Penalties
  • Company Privacy Officer

Reasonable measures will be taken to ensure the security of records against loss, defacement, tampering, and unauthorized use. Records will be stored in a manner that minimizes the possibility of damage from fire and water.

Personal identifying information will be eliminated from Quality Improvement documentation and other reports generated by Roger Mills Memorial Hospital.

Client/patient information will not be displayed in areas accessible to the public or unauthorized personnel. Any non-employee having access to records (e.g., contracted individuals, billing services, etc.) is required to sign a Protected Health Information Privacy Agreement, which will be kept as part of their contract (business associate agreement).

Roger Mills Memorial Hospital will ensure that Business Associate Agreements are HIPAA and HITECH compliant.

Original records may only be removed from the Location with the Compliance Officer’s permission or by court order. The Compliance Officer is responsible for determining what portion of the record may be copied for client/patient care purposes, holding staff members accountable for copies in their possession, and ensuring that copies are returned to the Location for destruction. Records will be available for review by licensing, regulatory, and accrediting bodies.

Breach Handling

Example steps to be taken to document and remedy the situation:

When a potential violation has occurred, the Compliance Officer/Privacy Officer or President shall take corrective action as soon as possible by investigating the complaint. The results of the investigation should be documented in writing and might include:

  • The nature of the complaint or potential violation.
  • The steps taken to investigate the complaint.
  • The facts revealed by the investigation.
  • The internal HIPAA policies or procedures related to the facts.
  • The appropriate remedial action to resolve the issue.

In this regard, the report might include sanctions against any employees who violated the policies, in addition to any actions required to mitigate the harmful effects of the violation. The report might also include steps that should be followed in the future to minimize the possibility of recurrence.

HIPAA Privacy and Security Breaches will be reported and handled according to local, state and federal guidelines. Roger Mills Memorial Hospital will abide by state, local and federal law, whichever is more stringent. Factors to be considered include but are not limited to:

  • Type of PHI at risk
  • Count of records exposed
  • Method of exposure
  • Foreseeable risks resulting from the breach

Patient Rights Requests

PATIENT RIGHT | PROCESSING METHOD | DEFINITION
CONFIDENTIAL COMMUNICATIONS | HIPAA Privacy Patient Rights Request Form | Patients have the right to request that we communicate about all or part of their protected health information by alternative means or to an alternative location.
RESTRICTION REQUEST | HIPAA Privacy Patient Rights Request Form | Patients have the right to request that Roger Mills Memorial Hospital restrict the use or disclosure of their protected health information, including for treatment, payment or our health care operations.
ACCOUNTING OF DISCLOSURES | HIPAA Privacy Patient Rights Request Form | Patients have the right to an accounting of the disclosures Roger Mills Memorial Hospital or its business associates have made of their protected health information. They are entitled to one free disclosure accounting every 12 months.
AMENDMENT REQUEST | HIPAA Privacy Patient Rights Request Form | Patients have the right to request that Roger Mills Memorial Hospital change or amend their protected health information in the medical record that Roger Mills Memorial Hospital maintains. Roger Mills Memorial Hospital may approve or deny the request under certain circumstances.
RECORD REQUEST | HIPAA Privacy Patient Rights Request Form | Patients have the right to request that Roger Mills Memorial Hospital provide a copy of their medical record and other health information we have about them. We will provide a copy or a summary of their health information, usually within 30 days of the request.
FILE A COMPLAINT | Any acceptable form (mail, phone, fax, email) | If patients feel their rights have been violated or have questions regarding this form, they may contact the Roger Mills Memorial Hospital Privacy Officer by mail at 501 South L.L. Males Avenue, Cheyenne, Oklahoma 73628; by phone at 580-497-3336; by fax at 580-497-2124; or by email at [email protected]