HIPAA

  • 1.  PHI?

    Posted 7 days ago

    Hello everyone,

     

    Looking for feedback:

     

    A call is taken by the receptionist at an outpatient rehabilitation center. The prospective new patient (or family/caregiver) gives the receptionist some basic demographic information (which is written down)... name, phone number, address, DOB, and answers some questions as to: what rehab needs they have, guardianship, insurance information, referring physician name. The prospective new patient is never heard from again, is never treated or billed for any service. Does this information need to be retained for 6 years from the date of its creation or can it be shredded?

     

    Thanks!

     


    Michael Scudillo, OTR, CHC, CBIS 
    Chief Compliance Officer/Privacy Officer


    This email and any attachments may contain information that is confidential, proprietary and/or privileged. It is intended only for the use of the person(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing or use of this information is strictly prohibited and possibly a violation of the health insurance portability and accountability act (HIPAA) and other federal and state laws and regulations. If you have received this information in error please contact Universal Institute at 973-992-8181 ext. 7018 or via email at michael.scudillo@uirehab.com and delete the material from all computers.


  • 2.  RE: PHI?

    Posted 7 days ago
    If the six years is the six-year retention requirement in HIPAA, then I'd say the information you have isn't the information required to be retained for HIPAA.  I'd consider the information pre-registration/admit information.  I'd look at your record retention requirements for registration records.

     

    David Garrison 

    Compliance/Privacy Officer 

    SEARHC Executive Offices

    P: 907.364.4466 F: 907.463.4075
    3100 Channel Drive, Suite 300 | Juneau, AK 99801


    -- This e-mail and any files transmitted with it are confidential, may be protected by state and federal privacy laws, and intended solely for the use of the individual or entity to whom it is addressed. If you are not the named addressee, do not disseminate, distribute or copy this e-mail or any attachments. Please notify the sender immediately by e-mail if you have received this e-mail in error, and delete this e-mail and any attachments from your system.





  • 3.  RE: PHI?

    Posted 7 days ago
    There's no retention requirement in HIPAA. State laws apply.  





  • 4.  RE: PHI?

    Posted 7 days ago
    An interesting question. Here is my take for what it is worth: 

    The idea that PHI needs to be retained for 6 years comes from OCR having a 6-year look-back period for enforcement. I do not recall off the top of my head if this is statutory or by custom. That's answer number 1.

    Answer number 2 is that no one at OCR is likely to say: "With all the real compliance issues of consequence I have to deal with, I'm going to initiate enforcement action on the receptionist who incorrectly discarded the While You Were Out slip." Although admittedly,  not getting caught is not a good reason to do something known to be noncompliant, it's just that this is not in that category.  

    Answer number 3 goes the other way: If your policy and procedures document initial contact information be retained for X amount of time or that it becomes part of your designated record set then you need to follow policy and retain it like any other part of your designated record set. 

    Alexander I Slosman, MHA, CHC, CHPC





  • 5.  RE: PHI?

    Posted 6 days ago
    My view is that if the information was written down on paper and not an electronic registration, then we are not talking about HIPAA and information can be shredded.  HIPAA was established for electronic transaction. Refer to CMS.Gov under HIPAA.

    ------------------------------
    Barbara Naimark
    Severna Park,MD
    ------------------------------



  • 6.  RE: PHI?

    Posted 6 days ago

    Barbara,

    Regarding your response below, my understanding is that the HIPAA Security rule applies to only electronic information, however the HIPAA Privacy rule applies to all other forms including paper and oral information. A covered entity is subject to both rules. For example, if a doctor's office submits bills electronically for payment but keeps paper patient files, those files are protected under the HIPAA Privacy rule.

     

     

     

    My view is that if the information was written down on paper and not an electronic registration, then we are not talking about HIPAA and information can be shredded.  HIPAA was established for electronic transaction. Refer to CMS.Gov under HIPAA.



     


    Michael Scudillo, OTR, CHC, CBIS 
    Chief Compliance Officer/Privacy Officer


    15 Microlab Road
    Suite 101 • Livingston, New Jersey 07039

    P: 1-973-992-8181 X7108 • F: 1-973-992-9797 • C: 1-973-699-4964
    www.uirehab.com



  • 7.  RE: PHI?

    Posted 6 days ago

    Perhaps this article will help answer your question...

     

    https://www.hipaajournal.com/hipaa-retention-requirements/

     

    Cinda

    ******************************************* This message and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.





  • 8.  RE: PHI?

    Posted 6 days ago

    Thank you Cinda...that was helpful!

     


    Michael Scudillo, OTR, CHC, CBIS 
    Chief Compliance Officer/Privacy Officer


    15 Microlab Road
    Suite 101 • Livingston, New Jersey 07039

    P: 1-973-992-8181 X7108 • F: 1-973-992-9797 • C: 1-973-699-4964
    www.uirehab.com



  • 9.  RE: PHI?

    Posted 5 days ago
    Michael - I knew you would probably call me out on that viewpoint. I am also a medical record professional, so not creating an EHR or file I have little use for the paper information. If the prospective patient ever comes back, I would have them fill the information over again. The information given is just a small timeframe where everything can change. In keeping it, you have to give it a location, mark it, remember status, etc. If you are not keeping the info for treatment or billing, I agree with Alex that it is a small entity in a big world of compliance. Cinda's reference is a good one.

    ------------------------------
    Barbara Naimark
    Severna Park,MD
    ------------------------------



  • 10.  RE: PHI?

    Posted 4 days ago
    I agree with Barbara and that was my train of thought as well. I couldn't imagine an organization creating a patient record for someone who simply calls to ask a question and never establishes care as a patient. I welcome other viewpoints.

    ------------------------------
    Brenda Manning JD, CHC, CHPC
    Privacy Counsel
    Maximus, Inc.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 11.  RE: PHI?

    Posted 4 days ago

    Thank you for all the input. We have decided that if the patient simply calls and gives some information but never begins treatment, the information will be shredded.

     

    Thanks again.

     


    Michael Scudillo, OTR, CHC, CBIS 
    Chief Compliance Officer/Privacy Officer

