SOP: Patient Confidentiality and Security Program

By Beatrice Jackson, 2014-04-11 02:49
20 Apr 2005. Comply with internal corporate and general industry requirements regarding patient confidentiality and security.

    Standard Operating Procedures: Dosimetry & Patient Planning
    Revision: 3    Date: 3/6/03

    Patient Privacy and Security Program

Author: Operations (Mit Shattuck)

    Scope: Procedures for handling confidential material (Patient Confidentiality)

    Keywords: patient confidentiality, security procedures
    See Also: HIPAA

Revision History

    Date    | Revisions               | Rev. # | Author/Editor
    11/8/02 | Document First Created  | 1      | OPS
    03/8/03 | Revised admin & POCs    | 3      | OPS
    4/20/05 | Revised PSO information | 5      | Admin

Purpose: The intent of this SOP is to provide guidance to employees and clients on the management of confidential patient information and material in accordance with (IAW) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


    CPRS manages an effective security management program that ensures Patient Privacy while also ensuring corporate security. The CPRS program complies with the administrative requirements of HIPAA that affect every aspect of operations. CPRS will continue to improve processes and expects that all participants will provide ongoing feedback in an effort to maintain the high levels of patient confidentiality and corporate security. Areas affected by this program are Administration, Management, Operations, and Information Technology.


    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation covering 3 areas:

    2.1 AREA 1 - Privacy and Security

    Under HIPAA, healthcare providers must use methods to ensure a patient's medical information remains private and secure. Information that is considered protected under HIPAA is:

    2.1.1 General Information:

    - Patient's Name
    - Medical Record Number
    - Social Security Number
    - Address
    - Date of Birth

    4/11/10 CPRS, Ltd. Proprietary & Confidential Page


    SOP: Patient Privacy and Security Program

    2.1.2 Health Information:

    - Diagnosis
    - Medical History
    - Medications

    2.2 AREA 2 - Insurance Portability

    This section of HIPAA gives individuals the ability to maintain health insurance coverage when they switch from one health plan to another. In addition, it prevents health plans from denying coverage to an individual who has a pre-existing health condition.

    2.3 AREA 3 - Administrative Simplification

    This requires healthcare providers and insurance plans to standardize the processes used to electronically transfer patient-related information.

    3 RESPONSIBILITIES

    3.1 Corporate Privacy & Security Officer (PSO)

    The PSO is overall responsible for the conduct of the program. The PSO's specific duties are (for contact information, please see para 8):

    - Monitor HIPAA and industry changes to Patient Confidentiality regulations.
    - Inform CPRS Employees and Clients of program changes.
    - Update and implement this SOP IAW State and Federal Guidelines (HIPAA).
    - Conduct periodic Audits to ensure compliance and report to Management.
    - Provide employee training in Patient Confidentiality and Security.

    3.2 Employees, Clients and 3rd Party Support

    Employees and Clients should adhere to the procedures within this SOP. Employee responsibilities include:

    - Provide ongoing feedback for program improvement.
    - Comply with internal corporate and general industry requirements regarding patient confidentiality and security.
    - Attend scheduled Confidentiality & Security Training (optional for Clients).
    - Immediately report any violations of the program, whether perceived or confirmed, to the PSO and management.


    Most monitoring will be conducted via our Reporting Checklists (daily/monthly) and/or no-notice Audits (semi-annual). The following areas and business/medical functions must be monitored to ensure program compliance:

    4.1 Administration and Management (A&M)

    - Contracting
    - Human Resources
    - Billing and Collections
    - Training
    - Compliance
    - Marketing Material

    4.2 Operations (OPS)

    - Patient Scheduling and Processing Procedures (Treatment Planning)
    - Operational Forms, distribution thereof and access to…
    - Visitor Registration and Escort Procedures
    - Physical Site Security
    - Patient File Storage (archiving) and Destruction Procedures
    - Third Party Guidance for Contractors, Consultants, couriers, etc…

    4.3 Information Technology Management (IT)

    - Printers, Copiers and Facsimile
    - Computer Network
    - Internet Security and Access Mgmt of ID/PW
    - Work Station Security Time-out Intervals (lock-out)


    Focus Area | Item | Requirements | Frequency | Date | Yes or No
    Admin & Contracting (A&M) | Contracting | All service contracts should have patient privacy and security Statements and/or Terms | Per Contract Mgmt | |
    Admin & Contracting (A&M) | Contracting | Documented history of contract starts, changes or | Per Change | |
    Admin & Contracting (A&M) | Human Resources | New Personnel Training | On arrival | |
    Admin & Contracting (A&M) | Training | Annual Training | Annual | |
    Admin & Contracting (A&M) | Compliance | Management Program Audit by PSO | Quarterly | |
    Admin & Contracting (A&M) | Marketing Material | Must have written approval from patient to publish Protected Healthcare Information | Per Publication | |
    Operations | Treatment Planning | Maintain limited distribution of Patient Plans and Associated | Daily | |
    Operations | Forms & File Management | Limited Distribution. All documentation locked in Archive Cabinets when finished for day or leaving work area for more than 1 | Daily | |
    Operations | Office Visitors | Register in Visitor Log and escorted at all times when on CPRS premises. | Per Visit | |
    Operations | Physical Site Security | See Office Close-Out Procedures Checklist for Pitt Office. Last and First Employee in/out of office should follow Close-Out | Daily | |
    Operations | File Storage (archiving) and Destruction | All files not in active use (no more than 30 minutes) must be stored in locked filing cabinets. All patient material to be discarded must be shredded. | Daily | |
    Operations | 3rd Party Participation | They should be informed of the regulatory requirements and provided a copy of this SOP. | Per Situation | |
    IT | Use of Photocopiers and Printers | When finished copying or printing, be sure to collect all material (original and | Per Use | |
    IT | Use of Facsimile | When finished sending or receiving, be sure to collect all material. | | |
    IT | Computer Network | See Technology Audit Checklist | Quarterly | |
    IT | Internet Security and | See Technology Audit Checklist | Quarterly | |
    IT | Server & Work Station Security | Server ID/PW issuance & change-over. Desktop time-out Intervals (lock-out after 10 minutes). | Quarterly/Daily | |
    IT | Computer Virus Protection | Maintain & update current anti-virus software. | Per Network, PC and upgrade | |



    This SOP requires documentation to validate the success of the Patient Confidentiality and Security Program. There are two types of documents that require periodic use and

    6.1 Reporting Inappropriate Use of Patient Information

    If you feel that a patient's privacy or confidentiality has been violated, immediately report the incident to your manager. If your manager is not available, then report to CPRS Operations at (301) 874-4790.

    6.2 Annual and Quarterly Report(s)

    Reports are the responsibility of the PSO. The PSO will conduct announced and un-announced audits (using the available checklists). The results should be summarized in the Annual or Quarterly Reports, when applicable. The report(s) will be submitted to CPRS Operations within 24 hours of completion of the audit.

    6.3 Checklists

    Audit Checklists will be used when conducting Quarterly and Annual inspections (please refer to paragraph #4 for the initial checklist). Since this is a new program, the PSO will update the checklist(s) per the situational requirements while also accounting for new HIPAA regulation changes.


    7.1 Training Objectives

    CPRS Privacy and Security Training will enhance our ability to maintain the highest standards and safeguards for any and all activity related to patient treatment. CPRS will focus on the following Training Objectives:

    - How to Protect Patient Privacy
    - Patient Privacy as related to HIPAA
    - Patient Privacy as related to Corporate Security

    7.2 Training Requirements

    All employees are required to read this SOP and attend the annual training (via conference call). The Annual training class will be conducted by the PSO or OPS

    All new employees will be provided a copy of this SOP and receive an in-brief by the PSO on the details of this SOP (within the first 30 days of employment). OPS will publish the Training dates for the year in January.


    The Patient Confidentiality and Security Program SOP is the governing document for all activities related to patient privacy and related internal procedures. Any changes or recommendations should be submitted to the PSO (Kristine Goewey). The PSO can be contacted at tel (301) 874-4790 or email
