It is critical for HIM professionals to assist in the safety, qual-
ity of care, and positive customer satisfaction. As the custodians
of patient information, HIM professionals have the knowledge
and understanding to provide leadership for the organization
in meeting these challenges. Some questions HIM professionals
must now consider include:
x Is the minimum necessary rule being met? When does it
have to be met?
x When disclosing medication information, is a patient’s
psychiatric condition included in the disclosure? Is that
permissible? What safeguards should be in place to en-
sure patient safety and prevent inappropriate disclosure
of sensitive PHI?
x Are health information professionals requesting an au-
thorization or is this information being freely provided
under continuity of patient care?
x Is the patient informed of this disclosure and is he or she
aware it is being disclosed? Who is responsible for inform-
ing the patient?
HIM professionals must also ensure that their organization’s
vendors, HIEs, business associates, and physician office practices have safeguards in place to ensure sensitive PHI is not disclosed when access is granted to an electronic record.
Some healthcare entities, like HIEs, have not fully embraced
how mental health and substance abuse records should be
managed and disclosed. When an individual is part of an HIE,
his or her mental health or substance abuse records would also
be contained within it. It is important for patients to know their
rights in regards to how their PHI is exchanged within an HIE.
Tips and Guidance
There is no one right answer or best practice to ensure the protection of sensitive PHI. Furthermore, every EHR and HIE are
unique in their processes, functions, and capabilities. Each difference must be strongly considered and planned for when developing and implementing privacy and security protections.
At a minimum, the following should be taken into account:
x The use and disclosure of sensitive PHI must be stated in
a clear and concise manner within the notice of privacy
x Policies and procedures for disclosure of mental health
and substance abuse records must be reviewed and up-
dated regularly to reflect any changes in regulations and
requirements and changes in organizational processes.
For example, updates should be completed when new up-
grades or revisions to the EHR occur.
x Regular employee education and training is impera-
tive for staff disclosing this information. Staff should be
educated on how to restrict sensitive PHI disclosure if the
EHR system has the capability to block or limit access to
this information. Staff must receive ongoing training on
current and up-to-date regulations, requirements, and
organizational systems and processes.
x Organizations should regularly track and audit informa-
tion that is released to ensure:
x Policies and procedures are followed
x The request meets appropriate guidelines for releas-
ing sensitive data
x Only information requested was released
x Organizations should audit access in the EHR if and when
auditors are granted access to review sensitive informa-
HIM professionals must ensure that mental health and substance abuse records are maintained at the highest level of
confidentiality without impeding patient safety or obstructing
a valid authorization to disclose information. As the healthcare
industry advances electronically, HIM professionals need to
campaign for regulations and statutes governing mental health
and substance abuse records to be reviewed and updated to reflect current practices in the management and storage of sensitive health information.
Regulations must be augmented to meet the expectations of
confidentiality, privacy, and security of these records in electronic systems. ¢
Elisa R. Gorton ( email@example.com) is assistant director, medical records at St. Vincent’s Medical Center.
e You In The C ros
shair CommandHealth Find out how Narrative Notes can mitigate audit risk in your practice
877-255-8811 | www.commandhealth.com