Volume 6 Student Services
Chapter 17 Medical Record Security, Confidentiality, & Retention Policy
Responsible Office: Student Health
Originally issued: 8/2009
It is the policy of Georgia Health Sciences University to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations to ensure that all healthcare information is protected from physical loss, administrative loss, theft, fire and unauthorized personnel who can inadvertently alter, release, or lose data. Medical records of students and their spouses are originated and maintained in an electronic medical record (EMR) and practice management software system. They are in a secured electronic format that only select staff with appropriate authorization can access. Paper records will be stored in physically secure areas. Retention of medical records is in accordance with the Georgia Composite Medical Board and Georgia regulations Official Code of Georgia Annotated (O.C.G.A.) 31-33-2.
Reason For Policy
The purpose of this policy is to ensure that proper security, access, confidentiality and retention of all medical records is practiced at Georgia Health Sciences University Student Health Service Clinical Services.
Entities Affected By This Policy
All students and spouses of students receiving clinical services from Georgia Health Sciences University Student Health Service are affected by this policy.
Who Should Read This Policy
All students/spouses receiving services from Georgia Health Sciences University Student Health Service, faculty, and the Georgia Health Sciences University Registrar and support staff must be aware of this policy.
|Director, Student Health Service||706-721-3448||http://www.georgiahealth.edu/shs/mailto:email@example.com|
HIPAA Public Law 104-191: http://aspe.hhs.gov/admnsimp/pL104191.htm
45 C.F.R. 160 & 164: http://www.wedi.org/snip/public/articles/45CFR160&164.pdf
Georgia Composite Medical Board and Georgia regulations O.C.G.A 31-33-2: www.lexis-nexis.com/hottopics/gacode/default.asp
MCG Privacy of Health Information Policy:
HIPAA information: www.hipaa.org
Health Information Privacy: www.hhs.gov/ocr/privacy/index.html
These definitions apply to these terms as they are used in this policy.
|HIPAA||Health Insurance Portability and Accountability Act of 1996, and the regulations issued pursuant to that law.|
|Medical Record||A patient’s total health record, including, but not limited to, evaluations, diagnoses, prognoses, laboratory reports, X-rays, prescriptions, and other technical information used in assessing the patient’s condition, or the pertinent portion of the record relating to a specific condition or a summary of the record. The total record may be in electronic or non-electronic formats.|
This policy is designed to protect students and their spouses who receive clinical services from Georgia Health Sciences University Student Health Service. These efforts help to fulfill major aspects of the mission of Student Health Service.
- The medical record is originated on the date of the patient’s first visit to Georgia Health Sciences University Student Health Service or when a student submits health information related to medical or immunization history.
- Non-electronic documents are scanned and incorporated into the electronic medical record.
- Student Health Service will retain medical records on paper or in electronic format for ten years past the last visit. For minors, records will be kept 10 years past the age of majority (18 years old for the State of Georgia). All records older than ten years will be purged from the computer system and from backup storage. Paper records are picked up by a data destruction company under contract with Georgia Health Sciences University Student Health Service.
- Servers are backed up nightly through the Georgia Health Sciences University Information Technology Support and Services.
- All paper medical records shall be housed in physically secure areas.
- Access to and use of health information shall be restricted to authorized personnel with a need to know in the performance of their work at Georgia Health Sciences University Student Health Service.
- Medical records will not be left visible or unattended in areas accessible by unauthorized individuals.
- Health information of a secondary means (indexes, hard-copy reports, or archived and deactivated records) shall be protected with the same diligence as the original health record. Computerized patient/provider care information shall be protected with the same diligence as the original paper health record.
- Only authorized personnel will be permitted access to the Student Health Serive computers. Access to computer files shall be controlled through security codes and passwords. Passwords will be changed frequently to ensure security.
10. Previous passwords cannot be reused within the Student Health Service computer system. Users are restricted to log-ins only at certain workstations.
11. All paper medical records are returned to the Georgia Health Sciences University Student Health Service locked medical record room after use during patient encounters.
12. Student workers have specific tasks and are under supervision when handling a record. Student workers do not review or open the medical record unless specific permissions are requested by the Nurse Manager and approved by the Director of Student Health Service.
13. All losses, tampering, and unauthorized use of health information are reported to the HIPAA Privacy/Security Officer (do you mean Compliance Officer at Georgia Health Sciences University, or is this MCGHI??–) followed by an incident report. Resolution will involve thorough analysis and development and implementation of working solutions.
14. Release of any medical records to the student/spouse or outside entity will be in accordance of the current “Notice of Privacy Practices” listed in Related Documents above.
The responsibilities each party has in connection with Academic, Research, and Student Affairs Policy 6.17, Medical Record Security, Confidentiality, and Retention Policy, are:
|Registrar (Registrar is never mentioned in procedures above……)||Electronic notification via demographic upload of eligible students|
|Student Health Service||Ensure proper medical record maintenance and security per procedure|