PARTNERSHIP HEALTHPLAN OF CALIFORNIA
POLICY/ PROCEDURE
Policy/Procedure Number: CMP-10 (Formerly ADM-2)
Policy/Procedure Title: Confidentiality
Lead Department: Administration
☒External Policy
☐ Internal Policy
Next Review Date: 03/26/2015
Last Review Date: 03/26/2013
Original Date: 04/24/1994
Applies to:
☒ Medi-Cal
☒ Healthy Kids
☐ Employees
Reviewing
Entities:
☐ IQI
☐P&T
☐ QUAC
☐ OPERATIONS
☐ EXECUTIVE
☐ COMPLIANCE
☐ DEPARTMENT
☐ BOARD
☒ COMPLIANCE
☐ FINANCE
☐ PAC
☐ CREDENTIALING
☐ DEPT. DIRECTOR/OFFICER
Approving
Entities:
☐ CEO
☐ COO
Approval Signature: Elizabeth Gibboney, COO
Approval Date: 03/26/2013
I.
RELATED POLICIES:
II.
IMPACTED DEPTS:
III.
DEFINITIONS:
IV.
ATTACHMENTS:
A. Confidentiality Agreement
B. Declaration of Confidentiality
C. Member Services Department “Video Check Out List” form
V.
PURPOSE:
To ensure members' medical and/or other protected health information is handled in a confidential manner to
avoid unauthorized or inadvertent disclosure of such information.
VI.
POLICY / PROCEDURE:
Confidentiality is vital to the free and candid discussions necessary to efficiently service PHC's members'
needs. Members' protected health information is safeguarded from unauthorized disclosure by limiting
access to such information to appropriate HealthPlan employees, agents, contractors and other persons or
organizations with a legitimate insurance or health-related need to know; to regulators of the insurance
business and/or healthcare oversight agencies; and to others as required by law (including subpoena or other
legal process) or when necessary to prevent or prosecute fraud or other illegal activity. In accordance with
HIPAA requirements, members may authorize use and disclosure of protected health information. Members
may file a written complaint regarding PHC’s privacy policies. PHC will respond in writing to those
complaints.
A. Oversight
1. The Compliance Committee is designated as the internal body charged with: reviewing this policy
and related initiatives on confidentiality, reviewing external requests for using members' personally
identifiable health information, identifying opportunities where such member-specific information is
not absolutely necessary, determining which staff need what level of access, and determining
operational mechanisms for abiding by specific member requests to limit access to data.
a. The HealthPlan shall appoint a Privacy Officer who sits on the Compliance Committee.
Document1
Page 1 of 5
Policy/Procedure Number: CMP-10 (Formerly ADM-2)
Policy/Procedure Title: Confidentiality
Original Date: 04/24/1994
Applies to:
☒ Medi-Cal
Lead Department: Administration
☒ External Policy
☐ Internal Policy
Next Review Date: 03/26/2015
Last Review Date: 03/26/2013
☒ Healthy Kids
☐ Employees
B. Definitions
1. Protected health information referred to herein includes, but is not necessarily limited to:
a. Information received or otherwise collected on claim forms and their attachments, referral
forms, medical records, utilization management review notes, logs, reports, treatment plans,
committee records, and eligibility files and other administrative data that are personally
identifiable.
b. Information received and/or collected by any individual is limited to that essential in the
performance of his/her specific job function. PHC conducts research and measures quality
using aggregated or non-personally identifiable protected health information to the extent
possible.
C. Routine Member Consent
1. All PHC members sign a consent form at the time of enrollment in the Medi-Cal program. This
consent allows the County and the HealthPlan to utilize protected health information in order to verify
eligibility.
2. Members who obtain Medi-Cal benefits through the Social Security Administration are made aware
that their protected health information may be used in order to provide medical care.
3. Members who enroll in the PartnershipAdvantage program are made aware that
a. their protected health information may be released to Medicare and other plans as necessary for
treatment, payment and health care operations; and
b. that their protected health information, including their prescription drug event data may be
released to Medicare, who may release it for research and other purposes which follow all
applicable Federal statutes and regulations.
4. As a contractor with County Children’s Health Initiatives (CHIs), DHCS, CMS, and MRMIB, PHC
utilizes this consent to allow PHC the ability to share necessary protected health information with
subcontractors, such as medical providers, in order to fulfill the requirements of PHC's contracts
with these agencies or to provide additional services and benefits. Special authorization may be
requested of the member by PHC or its subcontracted providers before protected health information
can be shared with an outside organization.
a. Examples of situations that may require authorization include, but are not limited to:
1) Research projects where a member is personally identifiable, release of health information
pertaining to a sensitive diagnosis (release of information from a behavioral health specialist
to the PCP is required by the behavioral health organization). In such instances, PHC or its
subcontracted providers notify members of their right to limit the scope, or decline release,
of their protected health information. Members are made aware of PHC's confidentiality
policies in the Member Handbook/EOC and other member communications.
a) For release of information guidelines or authorization form, contact the PHC
Compliance Department.
D. Access to Medical Records
1. All PHC members may access their medical records by contacting their primary care provider, or the
treating provider in instances where a member is not assigned to a primary care provider.
a. Members are not charged for copies of their medical records, and providers are made aware of
this prohibition in the Provider Manual. Members are made aware of this process in the Member
Handbook, via the PHC website and in other member communications.
Document1
Page 2 of 5
Policy/Procedure Number: CMP-10 (Formerly ADM-2)
Policy/Procedure Title: Confidentiality
Original Date: 04/24/1994
Applies to:
☒ Medi-Cal
Lead Department: Administration
☒ External Policy
☐ Internal Policy
Next Review Date: 03/26/2015
Last Review Date: 03/26/2013
☒ Healthy Kids
☐ Employees
b. Members may file a request to amend protected health information, other than medical records
that are retained by the HealthPlan (e.g. care coordination database), although this request may
not be granted by PHC. If a request to amend is denied, members are notified of the denial in
writing.
E. Safeguarding Protected Health Information (PHI)
1. Internal
a. All PHC employees are apprised of PHC's prohibition against inappropriate disclosure of
confidential information and sign confidentiality agreements at date of hire (during orientation)
and annually thereafter.
1) This confidentiality statement includes a written attestation that the employee has read and
understands this policy.
2) This signed Agreement is maintained by Human Resources in each employee’s file.
3) Immediate action will be taken in the event of a breach of confidentiality in accordance with
current policies and procedures.
b. All PHC employees are directed to dispose of paper files containing PHI in confidential and secure
shred bins located throughout the building. Paper files containing PHI are not to be disposed of
through regular trash or recycle bins.
F. Clinical or Administrative Services Subcontractors
1. All subcontractor Business Associate agreements, including those with providers, explicitly state
PHC's expectations about maintenance of confidentiality of member information and records.
2. Primary care provider practices are assessed as to their ability to safeguard confidentiality of
members' protected health information in accordance with the facility review process.
G. Research and Quality Measurement
1. To the extent possible, PHC utilizes aggregate or other non-personally identifiable health
information when conducting research, quality studies, or other measurements. When this is not
possible, PHC ensures that any subcontractors and committee members sign confidentiality
agreements annually or their contracts contain confidentiality protection clauses.
H. Peer Review Records
1. Proceedings and records obtained for the quality/peer review process are protected by California
Evidence Code § 1157 and are not subject to discovery when confidentiality has been maintained.
To maintain confidentiality, peer review records are retained by the Quality Monitoring and
Improvement department and are not released to anyone for purposes other than peer review.
a. Records are maintained in a locked file cabinet with access restricted to the Chief Medical Officer,
Director of Quality and Performance Improvement, QI Coordinators, the QI Assistant, and peer
reviewers.
b. While records are being reviewed, or during transport to peer review meetings, a QI staff person
accompanies them at all times.
I.
Procedure
1. All departments are to maintain sensitive files in locked cabinets or secured file rooms. Sensitive
files include, but are not limited to those department files which involve PHC member or provider
specific information, i.e. documents with member names, diagnosis, procedures, complaints,
grievances, authorizations, medical records, claims, or member/provider call logs with
member/provider information, and provider credentialing information.
Document1
Page 3 of 5
Policy/Procedure Number: CMP-10 (Formerly ADM-2)
Policy/Procedure Title: Confidentiality
Original Date: 04/24/1994
☒ Medi-Cal
Applies to:
Lead Department: Administration
☒ External Policy
☐ Internal Policy
Next Review Date: 03/26/2015
Last Review Date: 03/26/2013
☒ Healthy Kids
☐ Employees
a.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Files not being used are to be returned to secured cabinets.
1) No sensitive files are to be left in work stations when unattended.
2) At the end of the day, all sensitive files are to be returned to the locked file cabinet.
b. Files taken offsite must be secured and not left unattended at any time.
1) Sensitive files may not be checked in baggage on commercial planes, or be left unattended
in vehicles or on planes.
c. Files containing PHI are not to be removed from PHC’s offices except for routine business
purposes or with the express written permission of the health oversight authority.
d. Computer reports and listings with sensitive member and provider data are to be stored in locked
file cabinets or secure file rooms when not being used.
1) Old computer reports and listings are to be shredded when they are no longer needed.
e. Faxes and emails containing PHI must contain a confidentiality statement notifying persons who
receive these documents in error to destroy them. Staff shall verify email addresses and/or fax
numbers prior to sending documents.
PHI may be mailed using secure methods only.
a. Paper documents must be sent via certified mail (USPS), or via FedEx.
b. CDs, or other transportable media must be sent through the same means, and the contents of
CDs or other transportable media must be encrypted using PGP.
1) Passwords for encrypted media must be sent separately (via email) to the recipient of the
PHI.
Inactive/dead files and medical records are to be shredded.
Working documents and notes relating to member/provider specific information are to be stored in
locked work station drawers at the end of each day and when away from the work area.
PHC staff are to log out of the computer database during breaks, lunch, meetings and when leaving
for the day.
When at their work station, but not actively working in the system, PHC staff are to return the
computer screen to the main menu of the subsystem they generally access.
Member or provider information may not be left displayed on the computer screen when visitors are
present at the PHC office.
Non-PHC staff are asked to sign in and wear a visitor’s badge.
a. Non-PHC staff are not left unattended while visiting PHC, unless using common space such as
the employee lounge and conference rooms
b. CD’s are to be stored in locked file cabinets
All work stations are to be cleared of member and provider sensitive information/documentation at
the end of each day, and notes and papers on members locked in desk drawers.
Member Focus Groups
a. Tapes can be viewed by PHC staff on site at PHC only.
b. Departmental Director approval is required for any staff to view the tape.
1) If the tape is shown to any individuals other than PHC staff or Board members, Departmental
Director approval is required-complete with an explanation of which PHC staff member will
be present with those who view the tape
2) For any non-employee to view the tape while here at PHC, the Member Services Department
is responsible to provide the confidentiality page for signature and to make sure these are
received back when the tape is returned
3) Designated staff within the Member Services Department will maintain the tapes in a locked
drawer.
4) PHC staff requesting the tapes for viewing must have approval from their department director
prior to requesting the tapes from Member Services Department.
Document1
Page 4 of 5
Policy/Procedure Number: CMP-10 (Formerly ADM-2)
Policy/Procedure Title: Confidentiality
Original Date: 04/24/1994
Applies to:
☒ Medi-Cal
Lead Department: Administration
☒ External Policy
☐ Internal Policy
Next Review Date: 03/26/2015
Last Review Date: 03/26/2013
☒ Healthy Kids
☐ Employees
5) On a case-by-case basis, a Departmental Director may have special circumstances that are
outside of these guidelines. In those instances, approval from the CEO and/or PHC Privacy
Officer must be obtained.
VII.
REFERENCES:
A. Policy CMP-13: Minimum Use Necessary or Disclosure of Member Information
VIII.
DISTRIBUTION:
A. HRWEB
B. Directors
C. Provider Manual
D. Practitioner Manual
IX.
POSITION RESPONSIBLE FOR IMPLEMENTING PROCEDURE:
X.
REVISION DATES:
Medi-Cal
01/27/95, 10/10/97 (name only), 12/98, 02/13/01, 10/30/02, 12/11/02; 01/26/04, 10/13/06, 05/01/09,
06/18/10, 12/06/11, 12/04/12, 03/26/13
Healthy Kids
10/13/06, 05/01/09, 06/18/10, 12/06/11, 12/04/12, 03/26/13
PREVIOUSLY APPLIED TO:
PartnershipAdvantage:
CMP-10 – 06/01/2006 to 01/01/2015
Healthy Families:
CMP-10 – 10/01/2010 to 03/01/2013
Document1
Page 5 of 5