Legal and Ethical Considerations


A shadow chart is a useful document used by healthcare providers or departments as a decision-making tool. Although it is not an official part of a patient’s medical record, it helps facilitate communication among professionals or departments. Besides medical history, the shadow chart can include reminder systems, scheduling information, research activities, and other data that are not suitable for the permanent record.

Shadow charts are typically formed from paper records and hybrid record systems, which are a mix of both paper and digital files. Shadow charts pose various issues. Because they include sensitive patient data and are often left in insecure locations, they are prone to security breaches. Additionally, they may include original documents and data that should be incorporated into the permanent record but never actually are. Moreover, shadow charts lack the most up-to-date information.


Computer databases created independently for research purposes face the same challenges as shadow records. The release of information policy regarding shadow charts states that they are duplicate records for the medical provider’s convenience. When an authorized individual requests health information for a specific episode of care, the health information management staff will assess any shadow charts maintained by the medical providers for that patient to check for relevant information.

If the shadow chart contains information related to the episode of care and is not in the electronic record, the information from the shadow chart will be copied along with requested information found in the electronic record. Addendum: Patients have the right to access and copy protected health information within designated record sets (DRS) according to state and federal laws. Designated record sets include medical records, billing records, or any record used to make decisions about a person. The use of shadow charts should be restricted.

The patient’s permanent medical record must include documentation of all care related to the current episode of care. Shadow charts, which are not part of the permanent record, must be kept confidential. Limited staff at the providing facility may access the shadow charts, which are owned by the facility. When not in use, the shadow charts should be stored securely in designated locked areas. The patient’s full name, birth date, and medical record number must be clearly identified on the shadow charts and all documents within them.

Shadow charts are required to store ONLY certified copies of original documents. A copy is certified when it is signed and dated by the person responsible for the original. All original documents should be kept in the patient’s permanent medical record. Shadow charts are considered designated record sets (DRS) and contain protected health information, including data used in healthcare decision-making.

The privacy rule, also known as HIPAA Standards for Privacy of Individually Identifiable Health Information, mandates that individuals possess the right to access information in any designated record set (DRS), including shadow charts. If an authorized individual submits a written request for health information access, all requested information will be copied, including any data present in the shadow chart that is not part of the permanent medical record, regardless of whether it exists in electronic or paper format.

Consent for healthcare can be granted by the patient or legal representative. Shadow charts have specific retention and destruction schedules. The Information Security Workstation Policy mandates employees to secure their personal workstations when not in use. Confidential health information may only be visible on computer screens if actively accessed for work tasks.

The policy prohibits employees from accessing or using another employee’s computer or password. Violating this policy can result in disciplinary action, such as termination, based on the severity of the violation. The HIPAA Security Standards aim to safeguard electronic personal health information and establish national standards for covered entities.

The security rule mandates the establishment and implementation of specific standards in three categories: administrative, physical, and technical. Compliance with one category may also cover requirements in another category. Administrative standards encompass policies and procedures that aim to prevent, detect, contain, and correct violations of the HIPAA security regulations. These administrative actions are necessary to meet the security requirements set by federal and state laws.

Administrative standards encompass various components, such as:

  • Workforce Security – grant ePHI access to employees only on a necessary basis; establish procedures for workforce clearance
  • Security Awareness Training – mandatory training for all workforce members
  • Security Incident Procedures – address security breaches
  • Contingency Plan – establish emergency response procedures for threats to electronic health records’ security
  • Business Associate Contracts – include provisions in the business associate’s contract to ensure compliance with Security Rule

The security rule mandates the implementation of certain standards in specific ways. Implementation Specifications offer additional guidance and direction. Some Implementation Specifications are required, while others are addressable. An example of a required Implementation Specification is the Business Associate Contract Standard, which stipulates that a covered entity must procure a contract or agreement from a business associate to ensure compliance with the security rule’s requirements.

One specific Implementation Specification of the Workforce Security Standard states that employees must obtain the necessary clearance in order to access electronic Protected Health Information (ePHI). The covered entity has the flexibility to determine the most suitable ways to achieve this requirement. While certain standards do not have any related implementation specifications, they are nonetheless obligatory. Physical standards consist of policies and procedures that restrict access by employing physical barriers for electronic health records, computer systems, and their respective facilities.

Door locks are the most obvious barriers for securing computer workstations. These workstations must be physically secured at their locations, and the monitors at the workstations should only be viewed by authorized personnel. The screens of the monitors should also be obstructed from public view. The Implementation Specification (required) attached to Media Reuse states that all removable storage devices with ePHI should have all data cleared before being relocated or transferred by a user. Facility Access Controls ensure that only authorized personnel can enter offices to remove computer systems and their components that contain ePHI.

Technical standards are policies and procedures that establish barriers, such as passwords and encryption, to limit access to ePHI. Data encryption is a process of scrambling electronic data, making it readable only by those with the correct decryption key. To protect the integrity of electronic health records, policies and procedures are implemented, including the installation of firewalls and regular virus scanning. Person or Entity Authentication guarantees the verification of an individual or entity through regularly updated passwords.

The attached Implementation Specification (required) mandates that each individual must have their own unique password in order to access the computer system. It is strictly prohibited to share passwords under any circumstances. The Transmission Security aspect focuses on safeguarding electronic data while being transmitted over a network. An Implementation Specification (addressable) recommends the utilization of encryption software and the creation of policies regarding the sharing of encryption keys. Regarding Criminal liability/Clinical Staff Impact, Subsection 2c of MT Code § 41-1-402 (2013) establishes the legality of consent by minors for health services.

A minor who is pregnant or has a reportable communicable disease, such as a sexually transmitted disease, or drug and substance abuse, including alcohol, can give their own consent for prevention, diagnosis, and treatment of these conditions. This self-consent obligation also applies to health professionals who accept the responsibility for treatment. The health professional must provide counseling to the minor or refer them to another professional for counseling.

According to MT Code § 41-1-402 (2013), regardless of whether a minor is emancipated or not, they have the authority to give consent for health care services and access ePHI. Health care providers and facilities are required to offer this care. However, MT Code § 41-1-407 (2013) specifies that physicians, surgeons, dentists, or health or mental care facilities are still liable for negligence in diagnosing and treating minors despite this exemption.

In addition, the physician has a duty to provide guidance or refer another counselor for matters involving minors such as pregnancy, substance abuse, or sexually transmitted diseases. It is crucial to acknowledge that both the organization and healthcare provider can be held responsible for denying aid to a minor with legal consent, as stated in subsection 2c of MT Code § 41-1-402. Moreover, these entities could potentially face criminal charges if they disclose information to the minor’s parents or guardians.

As stated in section 41-1-402 of the MT Code, unemancipated minors have the right to receive healthcare for female reproductive rights and substance abuse without needing parental consent. To share any information with family members, a valid release of information must be obtained from the minor as mandated by state law. The minor who gives legal consent should be treated on par with consenting adults. Providers are expected to offer counseling to young patients instead of solely providing treatment and sending them off.

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), individuals who intentionally violate the HIPAA privacy rule by using a unique health identifier, accessing personally identifiable health information about someone, or sharing such information with others will be subject to criminal penalties (Nutter McClennen & Fish LLP, and Sethi, 2009).

The HIPAA statute lacks a precise definition of criminal behavior, but it specifies the consequences for violations. The privacy rule, referred to as the Standards for Privacy of Individually Identifiable Health Information, establishes national standards for identifying misconduct. It clarifies that these standards solely pertain to “covered entities,” implying that only such entities would face criminal penalties.

The Department of Justice mandates that health plans, health care clearinghouses, and most health care providers must uphold the confidentiality of any health care information they handle. Additionally, directors, officers, and employees of these entities may be held liable in certain circumstances (Nutter McClennen & Fish LLP, and Sethi, 2009). Montana Code 50-16-603 declares it illegal to knowingly reveal identifiable health information to another person.

It is essential to maintain the confidentiality of information that can disclose an individual’s identity, such as age, sex, account numbers, photographs, and health data (past, present, future), along with any other identifiable particulars. Although health statistics and data have broader applications beyond this paper’s focus, they generally aid in analyzing and assessing the overall well-being of different populations – be it within a school, community, region, state or country.

Statistics play a crucial role in various areas such as analyzing clinical studies, evaluating health and treatment programs, assessing healthcare expenses, and identifying needs within the healthcare ecosystem. It is important to mention that statistics focus on studying individuals rather than health records. The Montana Code 50-16-603 acknowledges the advantages of collecting statistical data and prohibits covered entities from disclosing healthcare information unless it is utilized for statistical purposes while protecting personally identifiable information.

The HIPAA privacy rule endorses this reasoning. According to the rule, a covered entity can reveal protected health information based on the de-identification standard and implementation specifications. The standard requires that de-identification techniques be determined by a qualified expert or through the removal of individual identifiers and the absence of knowledge that the released information can be used to identify the individual, both alone or when combined with other information. The covered entity is accountable for implementing the De-identification Standard or else may face criminal liability.

The Confidentiality Policy Statement, outlined in MT Code § 15-16-603, prohibits the divulgence of protected health information unless specific criteria are fulfilled. These criteria entail utilizing health data for statistical purposes without revealing any identifiable details, obtaining written consent from the individual and a written request for disclosure, sharing information with emergency medical personnel in critical situations that may result in substantial harm or life-altering consequences, and providing essential health information to state and local public health agencies to protect public welfare.

The Centers for Disease Control and Prevention website provides a complete list of infectious conditions that require nationwide reporting. Reporting is also required for any accidental or intentional release of chemical, biological, or radiological agents. Additionally, cases involving child abuse, fetal death, and injuries or deaths caused by lethal weapons must be reported. However, in the event of conflict between Montana Codes and the HIPAA Privacy Rule, federal HIPAA laws take precedence over state laws unless the latter offer greater protection for personal health information.

Furthermore, if state legislation offers individuals greater opportunities or authority regarding their health data, it will be given priority. In accordance with the HIPAA privacy rule, patients are empowered to examine and replicate their medical records. To access this information, patients must submit a written request. Covered entities have an obligation to respond within a 30-day timeframe. The data that patients can acquire is known as the designated record set, encompassing medical, billing, payment, claims, and medical management records or any pertinent information.

When making a decision about an individual, it is important to consider their rights regarding their health information. In Montana, patients have the option to request a copy of their designated record set in electronic or paper format. This is governed by the Montana code 50-16-541, which grants patients faster access and more control over their protected health information. To obtain this information, a written request is necessary, but the state must respond within 10 days instead of the usual 30 days. The patient has the right to examine and copy any part of their health record, without any limitations on access. It is important to note that fees may apply.

According to the Montana code 50-16-540, reasonable fees are allowed. The covered entity can charge handling and searching fees up to $15. However, the HIPAA privacy rule prohibits these search and handling fees. This is probably because the HIPAA privacy rule does not require the covered entity to obtain multiple record sets from different locations simultaneously. Additional record sets would only be necessary if there are additional written requests. The provisions that permit the lawful denial of access to requested health information are very similar in both state and federal mandates. Confidentiality is also a key aspect.

According to the Montana code 50-16-603, covered entities are prohibited from disclosing protected health information, except for certain purposes. These purposes include sharing information with public health agencies to prevent the spread of infectious disease and to prevent injury or death. Additionally, any incidents involving exposure to chemical, biological, or radiologic substances, whether intentional or accidental, must be reported to public health authorities in accordance with International Health Regulations (IHR). It is also mandatory to report cases of child abuse, infant death, and injuries or deaths caused by deadly weapons.

Recognizing the importance of safeguarding the well-being of the public, the HIPAA privacy rule has established the “public health exception”. This exception upholds the state’s responsibility to ensure public protection. It should be emphasized that state law governs the reporting, investigation, and monitoring of public health matters, despite the privacy rule. The Montana code 50-16-603 grants “covered entities” the authority to disclose health information for public health purposes. However, it is important to note that public health officials who are authorized are not considered “covered entities”.

Entities are not subject to privacy rule requirements, although the HIPAA privacy rule allows the disclosure of protected health information for public health purposes without authorization. However, it does not mandate it. On the other hand, state law mandates reporting public health threats to appropriate public health agencies. In compliance with state and federal laws, all patients have the right to access their own medical records. Patients can view and obtain copies of their medical records by submitting a written request.

Medical providers must respond to the request within 10 days. Only the named patient or authorized individuals, such as a spouse or legal power of attorney, can make written requests for medical records. It is important to note that without a legal power of attorney, the decision to release a spouse’s medical records is at the discretion of the medical provider. An administration fee of up to $15.00 may be charged, excluding a charge of up to 50 cents per page for photocopies.

Cite this page

Legal and Ethical Considerations. (2016, Jul 03). Retrieved from

https://graduateway.com/legal-and-ethical-considerations/
