HIPAA

1.  42 CFR Part 2

Posted 6 days ago

For those of you who fall under 42 CFR Part 2 and HIPAA: In acute care facilities that may also have a substance use program, how do you control access to those records by staff on other units in the facility? Is there a process electronically to segregate those records to eliminate access (besides education of staff re: "need to know")?

 

Susan Amrose, MA, CPHQ, CHPC

Privacy Officer

Sheppard Pratt Health System




2.  RE: 42 CFR Part 2

Posted 6 days ago
I am going to guess that in such facilities, there are challenges in segregating access as you described. The kicker is that in such settings...there continues to be a lack of auditing and monitoring (relax for some folks...I am speaking in generalities) which would be a nice way to evaluate if people are adhering to role-based and need-to-know use of ePHI within the EHR.

Something to think about.

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------



3.  RE: 42 CFR Part 2

Posted 6 days ago
Susan,

It also depends on your EHR. Most EHRs that are designed for behavioral health use make role-based settings pretty easy and can be set up to give access to users either individually or based on role (Staff Joe can be assigned access to inpt detox and inpt rehab, but not inpt psych, or it can be set up so that every Doctor has access to specific units/programs).

Some EHRs have the capability to assign specific patients to specific individuals.

It's probably best to speak with your in-house EHR experts or speak with your EHR vendor.

Carly Borenkind, LCSW
Compliance Officer- JASA
247 W. 37th Street 9th Floor
New York, NY 10018
Ph: 212.273.5296
eFax: 929.299.1132






4.  RE: 42 CFR Part 2

Posted 5 days ago
Susan - as Carly pointed out, it depends on your EHR. We are on Epic. When we went live in 2013, we developed a whole opt in/out system (flags placed on charts) that helped block our behavioral health records (that includes substance abuse). Then when the 42 CFR part 2 regulations changed earlier this year, we regrouped and the opt in/out went away. Now there are only certain people in certain areas on the acute side that can access or even see that a pt had a behavioral health visit. Lots of work by our Epic analysts!

------------------------------
Terri Pierce CHPC
Privacy Officer
Hattiesburg, MS
------------------------------



5.  RE: 42 CFR Part 2

Posted 5 days ago
We are also on Epic and can restrict access in certain instances. I also run reports on Break the Glass events and then analyze the user's access for appropriateness.

------------------------------
Diane Pringle MSN, CHC
Compliance/Privacy Officer
Conemaugh Health System
Johnstown, PA
------------------------------
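
The access patterns described in posts 3 and 5 (individual grants, role grants, patient-specific assignment, and Break the Glass review), sketched as an added example that is not from any poster or any EHR vendor. All user names, unit names, patient IDs and function names are hypothetical, and the policy data is constructed.

```python
from collections import defaultdict

# Constructed sample policy; every name here is hypothetical, not from any EHR.
USER_ROLES = {"joe": "counselor", "dr_lee": "doctor",
              "nurse_kim": "nurse", "rn_acute": "nurse"}
USER_UNITS = {"joe": {"inpt_detox", "inpt_rehab"}}       # individual grants
ROLE_UNITS = {"doctor": {"inpt_detox", "inpt_rehab", "inpt_psych"}}  # role grants
PATIENT_ASSIGNMENTS = {"pt-100": {"nurse_kim"}}          # per-patient grants


def decide(user, patient, unit, audit_log, break_glass_reason=None):
    """Return 'allow', 'break_glass' or 'deny'; every decision is logged."""
    role = USER_ROLES.get(user)
    reason = (break_glass_reason or "").strip()
    if (unit in USER_UNITS.get(user, set())
            or unit in ROLE_UNITS.get(role, set())
            or user in PATIENT_ASSIGNMENTS.get(patient, set())):
        outcome = "allow"
    elif user in USER_ROLES and reason:
        outcome = "break_glass"   # override permitted, but queued for review
    else:
        outcome = "deny"          # default: no grant and no stated reason
    audit_log.append({"user": user, "patient": patient, "unit": unit,
                      "outcome": outcome, "reason": reason or None})
    return outcome


def break_glass_review(audit_log):
    """Group break-the-glass events by user for the privacy officer's review."""
    by_user = defaultdict(list)
    for event in audit_log:
        if event["outcome"] == "break_glass":
            by_user[event["user"]].append(
                (event["patient"], event["unit"], event["reason"]))
    return dict(by_user)


if __name__ == "__main__":
    log = []
    print(decide("joe", "pt-1", "inpt_detox", log))
    print(decide("joe", "pt-1", "inpt_psych", log))
    print(decide("rn_acute", "pt-100", "inpt_detox", log, "ED overdose"))
    print(break_glass_review(log))
```

Denied and allowed decisions are logged alongside overrides, so the same log supports the broader auditing and monitoring raised in post 2.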