Medical Record Security Plan

It is the policy of this company that all personnel must preserve the integrity and the confidentiality of medical and other sensitive information pertaining to our residents. The purpose of this policy is to ensure that all staff have the necessary information to provide the highest quality of care possible while protecting the confidentiality of that information to the highest degree possible so that residents do not fear to provide information to the facility for purposes of treatment. To that end, the facility will:

Collect and use individual medical information only for the purposes of providing services and for supporting the delivery, payment, integrity, and quality of those services.
The company will not use or supply individual medical information for non-health care uses,
such as direct marketing, employment, or credit evaluation purposes other than as
authorized by the Health and Human Services Privacy Regulations (“HHS”) (“privacy
regulations’).
To provide proper diagnosis and treatment.
With the individual’s knowledge and consent/authorization.
Recognize that medical information collected about residents must be accurate, timely,
complete, and available when needed. The company will:
o Use their best efforts to ensure the accuracy, timeliness, and completeness of data
and to ensure that authorized personnel can access it when needed.
o Complete and authenticate medical records in accordance with the law, ethics, and
accreditation standards.
o Maintain records for the retention periods required by law and professional
standards.
o Not alter or destroy an entry in a record, but rather designate it as an error while
leaving the original entry intact and create and maintain a new entry showing the
correct data.
o Implement reasonable measures to protect the integrity of all data maintained about
residents.
Recognize that residents have a right of privacy. The facility will respect residents’ individual
dignity at all times.
Act as responsible information stewards and treat all individual medical record data and
related financial, demographic, and lifestyle information as sensitive and confidential.
Consequently, the company will:
o Not divulge medical record data unless the resident (or his or her authorized
representative) has properly consented to the release or the release is otherwise
authorized by the privacy regulations and/or other law, such as communicable
disease reporting, and child abuse reporting.
o Remove resident identifiers when appropriate, such as in statistical reporting and in
evaluation studies.
MedicalRecordSecurityPlan.MEDICAL 2
o Not disclose financial or other resident information except as necessary for billing or
other authorized purposes as authorized by the privacy regulations, other laws, and
professional standards.
o Recognize that some medical information is particularly sensitive, such as:
§ HIV/AIDS information
§ Mental health and developmental disability information
§ Alcohol and drug abuse information;
§ and other information about sexually transmitted or communicable diseases.
The disclosure of such information could severely harm residents, such as by
causing loss of employment opportunities and insurance coverage, as well as the
pain of social stigma. Consequently, the company will treat such information with
additional confidentiality protections as required by law, professional ethics, and
accreditation requirements.
o Recognize that, although the company “owns” the medical record, the resident has a
right of access to information contained in the record. The company will:
Permit residents to access and copy their protected health information in
accordance with the requirements of the privacy regulations.
Provide resident an opportunity to request correction of inaccurate data in
their records in accordance with the requirements of the privacy regulations.
Provide residents an accounting of uses and disclosures other than those for
treatment, payment, and healthcare operations in accordance with the
requirements of the privacy regulations.
All employees will receive annual in-services/trainings on HIPPA regulations and general confidentiality standards.
Clients can request their medical records at any point and time.
Medical records are kept on file for a total of 3 years.

All employees must adhere to this policy. The company will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions.