Privacy and Security of Protected Health,  Confidential and Sensitive Information Guidelines

NKY Health, in each of its divisions and units, and by each of its divisions and units, and by each of its agents or individuals, will act as a responsible steward of all information. NKY Health will take reasonable and prudent measures to insure the privacy and security of protected health, confidential and sensitive information. All medical information will be handled in accordance with applicable law.  This includes but is not limited to “The Health Insurance Portability and Accountability Act of 1996,” “The HIPAA Final Omnibus Rule,” and other applicable Federal Laws, the “Kentucky Revised Statutes” and the regulations promulgated therein. Medical information will only be collected, used, distributed or disclosed for the betterment of public or individual health and in support of the payment, integrity, accountability, reliability, quality and delivery of health services.

In accordance with the Kentucky Administrative Reference for Local Health Departments, Personnel section, “Health Insurance Portability and Accountability Act of 1996 (HIPAA),” which states:

“The employee shall be familiar with the HIPAA statute and protect protected health information (PHI) and other personal or sensitive information within their trust in the course of health department business by applying appropriate safeguards.  You will share only the information required to deliver health department services.  Personal or sensitive information overheard or seen by the employees will be kept confidential by not sharing it with others, on or off the work-site grounds.”

At all times, every employee/student/volunteer/supplemental staff will strive to protect the confidentiality, integrity and accuracy of all information maintained by NKY Health in any form. It is the responsibility of every non-employee (student, volunteer, intern, co-op) and employee (non-merit system employee, merit system employee, contract employee), and contractual entity or its Individuals of NKY Health, to diligently safeguard protected health, confidential and sensitive information. Each person engaged in the duties of NKY Health shall be deemed charged with the obligation to comply fully with their assigned tasks but to do so while limiting their access to, and knowledge of, protected health, confidential and sensitive information to the minimum necessary for the accurate and timely completion of her/his duties.

Under HIPAA, an individual’s health care information must be used by the District and its employees and agents only for legitimate health purposes like treatment and payment. 45 C.F.R. § 160.101 et seq. and specifically §§ 164.500, 164.501, 164.514 established standards for privacy of health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Final Omnibus rule. Health information, including genetic information, that must be kept private and secure is called Protected Health Information (PHI). HIPAA establishes in Federal Laws the basic principle that an individual’s medical records belong to that individual and, with certain exceptions, cannot be used, released or disclosed without the explicit permission of that individual or their legal guardian. This includes disclosing PHI in even casual or informal conversation not related to a legitimate health purpose (like treatment or payment) at any time whether at work or not. HIPAA gives patients/clients of the District programs and services the right to an explanation of their privacy rights, the right to see their medical records (with some exceptions) in the format they request provided it is readily producible in such form or format as agreed by NKY Health and the individual, the right to request corrections to these records, the right to control the release of information from their records and the right to documented explanations of disclosures by the Cabinet and by others who may have access to this information. Those who violate the rules laid down by HIPAA are subject to federal penalties. For non-criminal violations of the privacy standards, including disclosures made in error, there are civil monetary penalties of $100 per violation up to $50,000 per year, per standard. The revised penalty scheme differs significantly from its predecessor by establishing several categories of violations that reflect increasing levels of culpability: “Did Not Know” can cost $100 - $50,000 for each violation; “Reasonable Cause” can cost $1,000 - $50,000 per violation; “Willful Neglect-Corrected” can cost $10,000-$50,000 for each violation; and “Willful Neglect-Not Corrected” can cost $50,000 for each violation.  Identical violations in a calendar year can cost $1,500,000.00 each. Criminal penalties are imposed for violations of the statute that are done knowingly (on purpose) – up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining or disclosing protected health information under “false pretenses;” and up to $250,000 and up to 10 years in prison for obtaining protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

Under KRS 214.420, all information in the possession of local health departments concerning persons tested for, having, or suspected of having sexually transmitted diseases, or identified in an epidemiologic investigation for sexually transmitted diseases, is strictly confidential. A general authorization for the release of medical or other information is not sufficient to authorize release of this information. Breach of this confidentiality is considered a violation under KRS 214.990.

Under KRS 214.181, no test results relating to human immunodeficiency virus are to be disclosed to unauthorized persons.

Information collected from patients pertaining to mental health, alcohol and drug abuse and domestic violence is protected and not to be released without specific written permission from the patient as cited in KRS 304.17A-555 Patient’s Right to Privacy Regarding Mental Health and Chemical Dependency, and 42 CFR Part 2 Confidentiality of Alcohol and Drug Abuse Patient Records. KRS 403.160 allows only the court to determine if domestic violence or child abuse information may be disclosed.

I may have access to information, records, or reports concerning persons provided services for Sexually Transmitted Diseases (STDs). I understand that data concerning these clients is not to be shared with anyone who is not assigned to STD activities.

Confidentiality of family planning services is required by 42 C.F.R. 59. Section 59.11 states: “All information as to personal facts and circumstances obtained by the project staff about individuals receiving services must be held confidential and may not be disclosed without the individual’s consent, except as may be necessary to provide services to the patient or as required by law, with appropriate safeguards for confidentiality. Otherwise, information may be disclosed only in summary, statistical, or other form which does not identify particular individuals.” The confidentiality rules applicable to all programs or projects supported in whole or in part by federal financial assistance, whether by grant or by contract, are found at 42 C.F.R. § 50.310, which states: “Information in the records or in the possession of programs or projects which is acquired in connection with the requirements of this subpart may not be disclosed in a form which permits the identification of an individual without the individual’s consent except as may be necessary for the health of the individual or as may be necessary for the Secretary [of Health and Human Services] to monitor the activities of those programs or projects. In any event, any disclosure shall be subject to appropriate safeguards which minimize the likelihood of disclosures of personal information in an identifiable form.”

There is information not covered specifically by these laws, which is also sensitive and must be safeguarded because of the potential for its misuse. Examples include, but are not limited to the following: social security number, home address, home telephone number, date of birth, height, weight, race, gender, political affiliation, employment history, genetic information, and any other information of a purely personal nature.

Protected health, confidential and sensitive information is information that is either protected by law or is of such personal or private nature that it is normally not treated as public record. Neither NKY Health, nor any of its agents or Individuals will obtain, maintain, release, use, disclose or distribute any information in any form in contravention of currently applicable State or Federal law and the regulations promulgated therein. Individuals who violate these standards may be subject to disciplinary action up to and including termination of employment.

An individual’s responsibility extends to all situations where the individual is accessing, using, circulating, maintaining, disclosing and disposing of reports or documents, or has access to information through conversations or observations that contain protected confidential or sensitive information.

Specifically:

• Individuals shall not release protected health, confidential and sensitive information to themselves or to other persons, entities or Individuals outside the scope of their duties. Such information may be in any form, e.g. verbal (discussions/conversations), paper or electronic.

• Individuals shall not seek access to, or inquire about protected health, confidential and sensitive information in excess of the minimum necessary to efficiently discharge the documented responsibilities within the scope of their duties.

• At no time will Individuals allow the use of their User ID and Password by another person to access computer data. Allowing access includes, but it is not limited to leaving a written notation of a User ID or Password on or near a computer terminal.

• Individuals shall familiarize themselves with the laws pertaining to confidential information.

• Individuals shall familiarize themselves with what types of information are considered protected health, confidential, personal or sensitive information and do their utmost to protect it. For example, when documents or reports are circulated that contain such information, the sender will alert the receiver(s) to insure the confidentiality of the data.

• Individuals are not to include protected health, confidential, personal or sensitive information on site visit or other administrative reports/records or documents. If there is a need to address specific patient records, these records are to be addressed by code with specific identification provided separately via phone or via a separate key/listing, which is to be destroyed upon completion of the investigation.

• Individuals, when sending mail or other correspondence containing protected health, confidential, personal or sensitive information to any person, the sender will indicate “Personal and Confidential” on the envelope to insure that only the addressee opens it. Extreme caution shall be taken when mailing identifying information to assure that the envelopes or other mailing containers are securely closed and that the information is mailed to the correct location/address and addressed to the appropriate individual.

• In cases when it is necessary to fax protected health, confidential, personal or sensitive information, Individuals are to take extreme caution to assure:

  • The correct fax number is entered;

  • The message or cover memo includes a confidentiality notice indicating the faxed material is for the sole use of the intended recipient and may contain confidential information; and

  • That only an authorized person is available to receive the information.

• Interviews with patients or family members where information of a personal and confidential nature such as medical histories, medical treatments, genetic information, family income, etc. is discussed must be conducted in areas where patient privacy can be expected and maintained.

• Computer screens with person specific data are not to be visible to unauthorized personnel or public areas.

• When it is necessary to leave the computer/computer monitor for a short period of time during the workday, the computer shall be locked.

• The computer shall be locked or logged off before leaving at the close of the workday.

• Printouts or any hard copy records with person specific information shall be covered to prevent the identifying information from being exposed and accessible to unauthorized personnel.

• Originals, copies, or excerpts from patient medical records shall be maintained in locked cabinets or locked storage areas when unattended.

• Person-specific data shall be discussed only with authorized personnel and then only within the context of providing patient care/services, assisting with a reporting, billing, record keeping, or specific health care management problem and should be discussed in a private location.

• Person specific/patient information obtained through conversation or observation by Individuals of NKY Health is confidential and such info shall not be disclosed without the individual’s written consent, except as required by law.

• Permission shall be obtained from the patient as to how and/or if the patient may be notified or reminded regarding appointments, billings or any other message regarding health department services.

• Individuals will take reasonable and appropriate measures to protect identifying numbers. Of particular concern is the social security number and date of birth. Because it appears on a myriad of documents and reports, it is one of the most difficult pieces of data to protect, but all Individuals should do their utmost to safeguard it.

• When no specific guidance is provided regarding responding to requests for information and a written request for information is received, only release the information with the written authorization of the affected party.

• When no specific guidance is provided regarding responding to an oral or unwritten request for information – where no written request for information is received – only release the information after verifying and documenting the authorization of the affected party.

• Unless using encryption software approved by COT; whenever reasonable and practical, protected health, confidential, personal or sensitive information may not be included in e-mails.

• All Individuals shall dispose of documents that contain protected, health, confidential, personal or sensitive information. Paper documents or reports shall be placed in a ―shred box that is removed from the work site and destroyed prior to disposal or recycling, rather than placing the documents in a regular solid waste or recycling receptacle. All protected, health, confidential, personal or sensitive information in electronic form must be erased or destroyed in a manner that prevents reconstruction prior to disposal.

• All electronic or paper records with protected health, confidential or sensitive data shall be accessible only to authorized personnel; indexed; maintained in a secure location, and retained for only the period of time deemed necessary by the Records Retention Schedule. The retention period shall not be permanent unless authorized by Federal or State Law.

• Individuals must understand there may be other information that must be protected that is not specifically listed in this procedure. When in doubt, the Individuals should consult with their supervisor or chain-of-command.

• Individuals shall not disclose protected health, confidential, personal or sensitive information even after their employment with NKY Health ceases. State and Federal law regarding protected health, confidential, personal or sensitive information also applies OUTSIDE the employment relationship and criminal or civil penalties including fines and imprisonment could apply.

• Individuals shall be informed that disregard of the privacy and security of protected health, confidential, personal or sensitive information might result in disciplinary action, up to and including dismissal. Additionally, Individuals may subject themselves to civil and criminal liability for the disclosure of confidential information to unauthorized persons.

• Individuals shall complete annual privacy training.

• Individuals shall report suspected violations of a business associates' contractual obligation to safeguard protected information.

• Individuals shall report suspected violations of the policies and procedures established in this manual by staff members.

Kentucky Administrative Reference for Local Health Departments, Personnel section, “Privacy and Protected Health Guidelines.”

6/20/2023

• Added Revision Log

11/13/2023

• Policy Revised with language required by Kentucky Administrative Reference for Local Health Departments