United fundamental values including personal autonomy, individuality, respect, dignity

United General Hospital Policy Manual

Part I: Policy Manual Introduction



As the use of electronic medical records and electronic health records grows,
so does the importance of the privacy of personal information, in particular
health information. It continues to be a great focus. As health information
technology develops, more health information becomes computerized, and the
public has general concerns about how private that information is. To address
these concerns, federal rules govern the use and disclosure of health
information. These fall under the Health Insurance Portability and
Accountability Act (HIPAA). HIPAA restricts the manner in which health care
providers may use and disclose health information. United General Hospital and
its providers are required to safeguard the confidentiality and accuracy of
member records that identify a particular patient, including both medical
documents and enrollment information. Specific personal patient information
will not be disclosed outside the organization without specific authorization
from the patient.

What is privacy and why is it so important?
Privacy is valuable because it promotes other fundamental values including
personal autonomy, individuality, respect, dignity and worth as human beings.
Privacy allows patients to make their own decisions, to totally be oneself and
potentially engage in behavior that might deviate from social norms. It allows
for the time and space for self-evaluation. Informational privacy is seen as
enhancing individual autonomy by allowing individuals control over who may
access different parts of their personal information. It also allows people to
maintain their dignity, to keep some aspect of their life or behavior to
themselves. Privacy also allows people to protect their assets or to avoid
sharing information with others who would use it against them, such as
discrimination by employers, educators, or insurers. Protecting the
confidentiality of health information also protects against the perceived and
real potential for economic harm resulting from discrimination in health
insurance and employment.


Part II: Risk Assessment


There are risks with both electronic patient records and paper patient records.
These risks include unauthorized access to patient information, inaccurate
patient information if records are not updated in real time, unavailability of
the EHR system due to technical problems (downtime), potential malpractice
liability (data loss or destruction, inappropriate corrections to the medical
record, inaccurate data entry, errors related to problems that arise during the
transition to EHRs), overreliance by staff on the EHR system resulting in health
care professionals spending less time with the patient, patient access to
information about conditions that they may not understand which may frighten

United General Hospital can remedy these risks by protecting the privacy and
security of data for everyone who has access to the record, using a secure
sign-in and a tracker of who is accessing the records; by having a continuous
on-site health information technology team who can access the EHR system at any
time if there are technical difficulties; and by offering a patient portal for
patients to access, where the hospital approves which documents are viewable so
that patients do not see documents before the provider has had time to go over
them.

United General Hospital has established a policy and member-specific
information regarding members’ rights and responsibilities/roles that are
consistent with United General’s policies and that meet state and federal
regulatory requirements such as HIPAA. This information is shared with patients
and providers so that they may be aware of their accountabilities as well as
commitment. Patients have a right to be protected against unauthorized
disclosure and use of information pertaining to them. This right shall be
protected by a presumption against disclosure and applies to all settings. The
procedure for the handling and flow of medical records, reports, and other
written materials throughout the facility shall ensure that these records,
reports, and materials are at no time accessible to unauthorized persons or
entities. A patient’s explicitly or implicitly identifiable health and
enrollment information shall not be released unless written consent, either
routine or special, has been obtained from the patient, release of information
is authorized by law, or there is a valid insurance-related, plan-related,
or health-related need to know by a person whose job description or position in
United General has the authority to request and evaluate any patient-specific
United General staff should be trained on the following topics: identifying
PHI, the minimum necessary rule, the rules about when and how PHI may be
disclosed, the importance of confidentiality, avoiding snooping (even when one
has access to PHI), the need to keep an accounting of disclosures, patient
rights and authorization, basic information about business associate
obligations, and the consequences of failing to follow the HIPAA Privacy Rule,
such as how people can be victimized by medical identity theft, how people can
lose trust, how organizations can be penalized by HHS and other regulators for
violations, and how employees can be penalized by their organizations, by civil
and criminal penalties under HIPAA, and by state law.


Part III: Alignment with Regulatory Requirements



United General Hospital will follow HIPAA regulations that address patient
health care record handling and disposal. In doing so, a copy of the consent
form must be kept in the patient’s medical record or case file for a minimum of
six years. An authorization and/or special consent is required for use and
release of such patient records. Other categories of records that may require
an authorization/special consent for use and release include medical records
related to the treatment of a mental illness, results of genetic testing and
blood tests for HIV.

When patients are unable to give consent, the individual who legally can give
consent on behalf of the patient may authorize the release of information,
authorize the member’s care and treatment, and have access to information about
the member.

Providing access to confidential patient health information
Patients may access their confidential patient health information, including
medical records, at any time by contacting United General Hospital. Patients
must be given the opportunity to review their medical records in a timely
fashion. The provider has a right under certain circumstances to deny access to
medical records if the provider believes release of the records will cause
substantial harm to the member or another
patient health information is not to be sent or received by fax equipment that
is shared by parties not authorized to have access to the information or is not
dedicated for use by authorized parties, unless arrangements have been made to
verify that the intended party receives the information and removes it from the
fax equipment immediately.

Use of measurement data
United General Hospital will inform participants in peer review and/or quality
improvement activities of the immunities available to them under the Federal
Health Care Quality Improvement Act and related state laws and that such
immunities may be compromised, thereby exposing participants to liability, if
participants improperly disclose confidential peer review and/or quality
improvement information outside of the professional review proceeds. Quality
improvement information containing specific patient information will not be
circulated outside the organization without the specific authorization from the
patient. Release of
information will be in accordance with state and federal laws such as HIPAA

One of the best ways of learning is through practice, and hands-on training of
small groups of personnel should be considered where appropriate. This practice
should include testing: testing of the participants at the end of the course is
required to ensure retention of material. Testing can be completed using
true/false or multiple-choice questions. Everyone is more attuned to the
material knowing they will be tested on it; testing often provides an incentive
for learning and allows the course organizers to assess the knowledge acquired
by participants. Topics include information that is lost, stolen or improperly
disposed of (the paper or device upon which the information is recorded cannot
be accounted for), hacked into by people or mechanized programs that are not
authorized to have access (the system in which the information is located is
compromised through a “worm”), or communicated or sent to others who have no
official need to receive it, such as gossip about information learned from a
medical record. Sensitive information exists in many forms, such as printed,
spoken, and electronic. This sensitive information includes Social Security
numbers, credit card numbers, driver’s license numbers, personnel information,
computer passwords, and PHI. There are a number of state and federal laws that
impose privacy and security requirements.

There are two primary HIPAA regulations: the Privacy Rule and the Security
Rule. HIPAA identifiers are items of information that can identify a patient;
when they are combined with health information, they create PHI. An employee
must have a patient’s written authorization or a job-related reason for
accessing or disclosing patient information. Breaches of information privacy
and security may result in both civil and criminal penalties; employees must
report all breaches.


Part IV: Managerial Oversight


Management oversight in
the area of handling and accessing patient records is very important. Effective management oversight is much more
than countersigning. It also includes elements of quality assurance, staff
supervision, dealing with developing areas of concern in individual cases and
facilitating improvements in practice. It is particularly focused on ensuring
that actual or potential victims in individual cases are sufficiently protected
from harm. Management oversight of risk for harm and vulnerability is additional
to regular staff supervision and the general oversight of practice, although it
may sometimes be undertaken at the same time, and discussions in supervision
may support identification of the need for management oversight.

management oversight takes into account the unique demands of the individual
case, and the skills, knowledge and experience of the case manager or
responsible officer. A skilled manager, taking a fresh look at a case, can help
practitioners take a more balanced and informed view of a case, and identify
more appropriate interventions and responses than through working in isolation.
Managers are responsible for ensuring that cases are allocated to staff with
appropriate skills and experience, according to the circumstances of the case. Managers
should then normally be accountable for ensuring the quality of work where they
were, or should reasonably have been, aware of the raised risk of harm or

results in managers ensuring there are specific systems in place for management
to identify cases with raised risk of harm and vulnerability. These systems are
required to ensure all staff are aware and clear about their responsibility
to raise these cases with their manager. If information systems could
reasonably have identified to the manager the need to provide. The outcomes of
oversight in individual cases should be clearly recorded in the case record, so
that they are available as appropriate to all who may be involved in the case.

oversight will ensure that actions taken are defensible and clearly recorded.
This includes ensuring that an explanation is recorded as to why a particular
action has been agreed and followed, and if not why not, along with reasons for
any variance from national or local procedures where they exist. Evidence of
where effective oversight has taken place should include assessments and plans
being rolled back and improved, case discussions, direct observation of work
and communications between the manager and other agencies involved in the case.

In order to support this policy, methods to set security levels for
accessing patient records are required. These methods include conducting a
security risk analysis, and a reassessment if the initial risk analysis was
already conducted. These methods compare current security measures against
what is legally required to keep patient health information safe and
confidential. The risk analysis also identifies high-priority threats and
vulnerabilities. Written and up-to-date policies and procedures about how
United General Hospital protects EMR/EHR are required; outdated policies and
procedures should also be retained to look back on. Patient education is key,
and patients should be made aware of the confidentiality and security of health
information in an EHR, with emphasis on the benefits of EHRs to patients and
use of patient education material.