All employees, consultants, students, volunteers, and any other business affiliates working with Maine Veterans’ Homes Pharmacies (MVHP) will deal with each other, the residents, and families of residents in a professional, respectful, and courteous manner.
In the course of performing duties for MVHP, employees may have access to the protected health information (PHI) of our clients and residents. It is illegal for them to use or disclose PHI outside the scope of their duties for MVH. This includes oral, written, or electronic uses and disclosures.
HIPAA Protects Patient Privacy
The following are guidelines for using protected health information:
- Employees may use PHI when necessary to carry out their duties.
- They may share PHI with other health care providers for treatment purposes.
- They may NOT photocopy PHI unless authorized in writing by the resident/client and facility administrator.
- They must access only the minimum amount of PHI necessary to care for a resident/client or to carry out an assignment.
- They may only access the PHI of residents/clients for whom they are caring when there is a need for the PHI.
Further, our employees:
- Do not discuss the medical condition of any resident with family members without prior approval from the facility administrator or designee.
- Maintain a discreet and professional manner in the course of all interactions with residents, families, employees, consultants, students, and other business affiliates.
- Assure resident privacy by not using smartphones, cameras, or any other photographing or recording device in resident rooms or resident care areas without the specific written permission of the resident/responsible party and the specific permission of the administrator.
Information provided to the press, community organizations, or other entities may only be provided by the Chief Executive Officer, Chief Operations Officer, Director of Public Relations, or a designated MVH facility administrator.
All employees, consultants, volunteers, and students have an obligation to report promptly any activity which they believe, in good faith, may be a violation of law, regulation, MVH policy or the MVH Code of Conduct. Reporting shall be made to an immediate Supervisor or the MVH Compliance Officer. Further, the reporting party shall cooperate to the extent allowable by law with any investigation conducted or sponsored by MVH in connection with any alleged violation. Confidentiality related to reporting and investigation is essential and required.
HIPAA Privacy and Security Rule Overview
The Health Insurance Portability and Accountability Act (HIPAA) governs the security and privacy of residents’ protected health information (“PHI”). Maine law also provides separate additional protections to residents’ health information.
The HIPAA privacy and security standards preempt Maine law only when HIPAA provides more privacy or security protection for PHI, or affords a resident a greater right with respect to PHI, than Maine law. However, Maine law affords special protection (often more protective than HIPAA) to residents’ mental health information, substance abuse program information (should any such information be received by MVH from a substance abuse program provider), and HIV information.
PHI is any information, whether in oral, written or electronic form, (i) that is created by a health care provider or facility, a health plan, a public health authority, an employer, a life insurer, school or university, or health care clearinghouse, (ii) that relates to the past, present or future physical or mental health or condition of a person, the provision of health care to a person, or the past, present or future payment for the provision of health care to a person, and (iii) that either identifies a person or could reasonably be used to identify a person. PHI includes:
- A resident’s current or past health status, diagnosis, health care and services, medications, treatment plans, lab & diagnostic test results, and other treatment-related information.
- Financial and billing information concerning a resident, including the resident’s insurance status, enrollment in a government or third-party payor health plan, and eligibility for benefits.
- Health information containing resident identifiers such as name, date of birth, address (geographic & e-mail), social security number, phone number, fax number, medical record number, insurance number, photographs, etc.
Access to PHI is limited based on roles and responsibilities at MVH. If employees do not have a need to know PHI to perform a job-related function, they are not authorized to access the PHI. For example, looking at a friend’s or family member’s medical record to “see how they are doing” is prohibited unless specifically authorized by your friend or family member in a manner consistent with MVH policy.
“Reasonable Safeguards” must be followed to protect the privacy and security of PHI, including:
- Not discussing PHI in public areas
- Not leaving PHI (including lists of resident names) unattended
- Not leaving computer monitors with PHI visible to unauthorized persons
- Not leaving laptops containing PHI in unlocked cars
- Not posting identifying information (including photographs) concerning a resident on social media
- Using “confidential destruction” bins for the disposal of any paper records containing PHI
- Ensuring the correct destination when faxing or emailing PHI
A Notice of Privacy Practices must be provided to every MVH resident and MVH is required to retain a written acknowledgement of receipt of the Notice. The Notice describes residents’ rights with respect to their PHI, the uses and disclosures of PHI that MVH is permitted and required to make without a resident’s authorization, MVH’s legal duty to protect residents’ PHI, and the process for residents to file a complaint with respect to their PHI or privacy rights.
PHI may be disclosed for the following purposes without specific resident authorization (with the exception of certain mental health, HIV, and substance abuse program information):
- For treatment, payment, and healthcare operations purposes
- To public health agencies when reporting is required by law (e.g., for infectious disease reporting)
- To state adult and child protection agencies when adult or child abuse or neglect is required to be reported by law
PHI may be faxed only if a cover sheet with a confidentiality statement is used, and the person sending the fax has verified that the number to which the PHI is being faxed is accurate and not outdated. Faxing PHI to public fax machines is prohibited unless the intended recipient can confirm that he or she is physically present to receive the information as it is transmitted.
Every MVH resident has the right to privacy and to have their PHI kept confidential, and no resident’s PHI should be disclosed unless employees are sure that the disclosure meets an applicable exception to confidentiality under MVH policy and applicable law (e.g., pursuant to the resident’s written authorization, for treatment, payment or health care operations, pursuant to a court order, for mandatory reporting purposes).
Individuals who breach the HIPAA privacy and security standards or a resident’s privacy rights could be subject to significant civil fines and criminal penalties, as well as loss of employment or termination of their relationship with MVH.
- All members of the MVH workforce are required to immediately notify MVH’s Privacy Officer of any breaches of PHI that are known to or discovered by them.
- All members of the MVH workforce are expected to be familiar with MVH’s policies and procedures on the protection of PHI and other confidential information.