The Arc of Monroe County, NYSARC, Inc.
AGENCY POLICY: PRIVACY OF QUALITY ASSURANCE RECORDS
SCOPE OF POLICY This policy applies to all agency staff members engaged in quality assurance activities at the agency. Agency staff members include all employees, trainees, volunteers, consultants, contractors and subcontractors at the agency.
STATEMENT OF POLICY Agency staff are expected to use or disclose only the minimum amount of protected health information about people served when performing quality assurance activities. They are also expected to maintain quality assurance records separate from records in the agency’s designated record set unless such quality assurance records are used to make prospective decisions about treatment or benefits for people served. All quality assurance activities should be conducted in accordance with this policy and the procedures set forth below.
IMPLEMENTATION OF POLICY 1. Minimum Necessary Uses & Disclosures During Quality Assurance Activities Except in connection with treatment of a person served, the agency generally is required to limit its use and disclosure of, and its requests for, protected health information about people served to the minimum amount necessary to accomplish the purpose of the use, disclosure or request. With respect to quality assurance records, this means limiting uses and disclosures of, and requests for, protected health information to the minimum amount necessary to accomplish the purpose of the quality assurance review. Quality assurance committees at the agency are also expected to limit the use of unnecessary identifiers about people served in quality assurance reports. Members of any quality assurance committee should be careful not to disclose information about people served to others unless necessary to effectively engage in the quality assurance department activities or as required by regulation. 2. Differentiating Quality Assurance Records From Designated Record Sets People served have a right to access, and a right to request amendment of, protected health information contained in the “designated record set” maintained by the agency or its business associates. The agency’s designated record set includes medical records, billing records, and other records used to make prospective decisions about treatment or benefits for individuals. Quality assurance records are NOT considered part of the designated record set, even though they may contain protected health information, because ordinarily they are not used to make prospective decisions about treatment or benefits for individuals. For example: Records used to analyze whether the agency has provided quality care services and how those services may be improved for people served in general in the future (known as “quality control” records) typically are not part of the designated record set.
HIPAA QA records pnp
1
The Arc of Monroe County, NYSARC, Inc.
As a general rule, agency staff in each department are expected to maintain quality assurance records in a location or medium separate from the records maintained in their department or clinic that are part of the designated record set. For example, such quality assurance records should be kept in separate files or databases, or on a different form of electronic media (such as a separate diskette or compact disc). Separation of these records is important to ensure that people served are only given access to sensitive quality assurance records when they have a personal interest in knowing how the records were used to make decisions about them. Moreover, each department and clinic is expected to maintain these records in separate locations so that the agency’s staff responsible for records will be able to respond to requests by people served to access or amend protected health information in the designated record set promptly without spending significant amounts of time “culling out” quality assurance records that have been commingled with records are part of the designated record set. However, in the rare situations when quality assurance records are used to make prospective decisions about treatment or benefits for individuals (as explained above in this policy), copies of these specific quality assurance records should be maintained with and as a part of the agency’s designated record sets for those people. The original quality assurance records should be maintained with other quality assurance records in a location separate from the individual’s designated record sets.
VIOLATIONS The agency’s Privacy Officer has general responsibility for implementation of this policy. Members of our medical staff and agency staff who violate this policy will be subject to disciplinary action up to and including termination of employment or contract with The Arc of Monroe County. Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to his or her supervisor or the agency’s Privacy Officer. All reported matters will be investigated, and, where appropriate, steps will be taken to remedy the situation. Where possible, The Arc of Monroe County will make every effort to handle the reported matter confidentially. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment or contract with The Arc of Monroe County. QUESTIONS If you have questions about this policy, please contact your department supervisor or the agency’s Privacy Officer. It is important that all questions be resolved as soon as possible to ensure protected health information is used and disclosed appropriately.
Effective Date: 4/1/03 Revised: 9/17/08
HIPAA QA records pnp
2