A shadow chart is a partial copy of a patient’s medical history, kept by health care providers or departments for the sake of convenience. A shadow chart is not part of the official medical record. It is a working document where information can be added and removed as necessary to aid in the decision-making process. It may include reminder systems, scheduling information, research activities, and information not considered appropriate for the permanent record. It is frequently used to support inter-professional or inter-departmental communication.
Shadow charts are usually products of paper records, and hybrid record systems, which are combinations of both paper and digital files. There are inherent problems associated with shadow charts. Because they contain protected patient information, they are often subject to security breaches, as they are frequently left in unsecure locations. They may contain original documents and data that should be part of the permanent record, but never become part of the permanent record. Shadow charts do not contain the most current information.
Computer databases that have been independently created, usually for research purposes, have the same inherent problems as shadow records.
Release of Information: Shadow Chart Policy
A shadow chart is a duplicate health record kept for the convenience of the medical provider. In the event that an authorized individual requests health information pertaining to a specific episode of care, health information management staff will review any shadow charts kept by medical providers for that patient to determine if any such shadow charts contain information related to the episode of care.
If the shadow chart contains information that is related to the episode of care and is not found in the electronic record, the information from the shadow chart will also be copied, in addition to the requested information found in the electronic record.
Addendum: As per state and federal laws, patients have the right to access and copy protected health information within designated record sets (DRS). Designated record sets are medical records, billing records, or any record that is used to make a decision about a person. The use of shadow charts should be limited.
All aspects of care related to the current episode of care must be documented in the patient’s permanent medical record, as shadow charts are not part of that record. Confidentiality must be maintained at all times. Shadow charts are the property of the providing facility, and are to be accessed by limited staff. When not in use, they are to be secured in designated locked storage areas. Shadow charts and all documents contained within them must be properly identified with the patient’s full name, birth date, and medical record number.
Shadow charts are to contain CERTIFIED COPIES ONLY of original documentation. A copy is considered certified as an exact duplicate of the original when it has been signed and dated by the person responsible for issuing or maintaining the original. All original documentation must be maintained in the patient’s permanent medical record. Shadow charts are considered designated record sets (DRS), as they contain protected health information, including information that is used to make health care decisions.
The HIPAA Standards for Privacy of Individually Identifiable Health Information (the privacy rule) mandates an individual’s right to access information contained within any DRS, including shadow charts. Upon an authorized individual’s written request of access to health information, any information that is contained within the shadow chart that is not part of the permanent medical record, either in electronic form or paper form, will be copied along with all other requested information.
An authorized individual is defined as the patient, or any person who has legal authorization to consent to health care of the patient. Set retention and destruction schedules will be applied to all shadow charts.
Information Security: Workstation Policy
“Employees are required to secure their personal workstations when not in use. Confidential health information must not be displayed on computer screens unless the employee is performing work functions on the computer and using the information.
Employees may not access another employee’s computer while it is in use nor may employees use another’s password for any reason. Violation of this policy will result in disciplinary action, and depending upon nature of violation, termination may result.”
The HIPAA Security Standards for the Protection of Electronic Protected Health Information (the security rule) “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity” (U.S. Department of Health and Human Services, n.d.). The security rule requires that specific standards be established and implemented into three categories; compliance in one category may overlap into another:
Administrative
Physical
Technical
Administrative standards are policies and procedures established “to prevent, detect, contain, and correct HIPAA security violations” (The HIPAA Security Rule Primer, n.d.). They are administrative actions used to satisfy security requirements as mandated by federal and state laws.
Administrative standards include, but are not limited to:
Workforce Security – employee access to ePHI is on a need-to-know basis; establishes workforce clearing procedures.
Security Awareness Training – required training for all members of the workforce.
Security Incident Procedures – addresses security breaches.
Contingency Plan – establishes emergency response procedures for occurrences that pose threats to the security of electronic health records.
Business Associate Contracts – establishes provisions that become part of the business associate’s contract, ensuring Security Rule compliance.
The security rule requires that some standards be implemented in specific ways. These Implementation Specifications provide additional direction and guidance. Some Implementation Specifications are mandatory (required), and some are flexible (addressable). For example, a required Implementation Specification of the Business Associate Contract Standard states that the covered entity must obtain a contract or agreement from a business associate that assures the associate will comply with security rule mandates.
An addressable Implementation Specification of the Workforce Security Standard is that employees must have the appropriate clearance to access ePHI, which can be accomplished in ways that the covered entity deems the most suitable. Although some standards have no implementation specifications attached to them at all, all standards are still required. Physical standards are policies and procedures that limit access by creating physical barriers to electronic health records, computer systems, and the areas that house them.
Door locks are the most obvious of these barriers. Computer workstations must be physically secured at their locations. Monitors at the workstations are to be viewed by authorized personnel only, and their screens obstructed from public view.
Media Reuse – attached Implementation Specification (required) dictates that all removable storage devices containing ePHI be purged of all data prior to relocating, or user transfer.
Facility Access Controls – ensures that only authorized personnel can enter offices to remove computer systems and their components containing ePHI.
Technical standards are policies and procedures that limit access to ePHI by creating technical barriers, such as passwords and encryption. Encryption software scrambles electronic data, so that the data can only be read by the person who possesses the proper encryption key to unscramble it.
Integrity – implementing policies and procedures that protect the integrity of electronic health records, such as installing firewalls, and routine scanning for viruses.
Person or Entity Authentication – ensures the identification of an individual or entity, verified by assigned passwords that are changed regularly. Attached Implementation Specification (required) states that each person obtains a unique password to access the computer system. Passwords cannot be shared under any circumstances.
Transmission Security – ensures protection of electronic data during transmission over a network. An Implementation Specification (addressable) suggests the use of encryption software, and establishing policies for sharing encryption keys.
Criminal liability/Clinical Staff Impact
41-1-402. Validity of consent of minor for health services
Subsection 2c of MT Code § 41-1-402 (2013) states:
a minor who professes or is found to be pregnant or afflicted with any reportable communicable disease, including a sexually transmitted disease, or drug and substance abuse, including alcohol. This self-consent applies only to the prevention, diagnosis, and treatment of those conditions specified in this subsection. The self-consent in the case of pregnancy, a sexually transmitted disease, or drug and substance abuse also obligates the health professional, if the health professional accepts the responsibility for treatment, to counsel the minor or to refer the minor to another health professional for counseling.
Whether the minor is emancipated or not, the conditions specified in subsection 2c of MT Code § 41-1-402 (2013) afford the minor the right of self-consent to health care services, and the right of access to ePHI. Consent obligates health care providers and health care facilities to provide that care. As per MT Code § 41-1-407 (2013), “This section may not be construed to relieve any physician, surgeon, dentist, or health or mental care facility from liability for negligence in the diagnosis and treatment rendered to a minor”.
Furthermore, in cases of pregnancy, substance abuse, or sexually transmitted diseases, the physician is expected to offer counseling, or refer the minor to another counselor. In other words, the covered entity, to include the organization and the health care provider, is subject to criminal liability for refusing to render service to a legally consenting minor as it is specified in subsection 2c of MT Code § 41-1-402. The covered entities may also be held criminally liable should they disclose information to the parents/guardians of the minor.
The conditions specified in MT Code § 41-1-402 state that the unemancipated minor can legally obtain health care without parental consent, if the treatment involves female reproductive rights, and/or substance abuse. As per state law, a valid release of information must be obtained from the minor before any disclosures can be made to family members. The legally consenting minor is privy to the same considerations as a consenting adult. Upon the acceptance of treatment, the provider is expected to counsel young patients, and not simply treat and release.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a criminal statute, which broadly states that a criminal penalty will be applied to anyone “who knowingly and in violation of [the HIPAA privacy rule] uses or causes to be used a unique health identifier; obtains individually identifiable health information relating to an individual; or discloses individual identifiable health information to another person…” (Nutter McClennen & Fish LLP, and Sethi, 2009).
It’s important to note that the HIPAA statute defines the punishment for criminal violations, but it does not define the criminal conduct. It is the Standards for Privacy of Individually Identifiable Health Information, also known as the HIPAA privacy rule, which established the national standards (or rules) that measure misconduct. But according to the privacy rule, the standards apply only to “covered entities”, so one could assume that only covered entities would be subject to criminal liability.
Covered entities include all health plans, all health care clearinghouses, and most health care providers. The Department of Justice, however, has determined that “depending on the facts of a given case, certain directors, officers and employees of these entities may also be liable…” (as cited in Nutter McClennen & Fish LLP, and Sethi, 2009).
Montana Code 50-16-603: Confidentiality of health care information
To maintain the confidentiality of health care information, no individually identifiable health information can be knowingly disclosed to another person.
Any information that can be used to identify an individual must remain confidential, such as age, sex, account numbers, photographs, information related to past, present or future health provisions, or any information that one may reasonably believe can identify the individual. Health statistics and data are collected and analyzed for many reasons, most beyond the scope of this paper. But in general, health statistics are used to analyze and identify a population’s overall health, whether that population is comprised of a school, community, region, state, or country.
Statistics are used to analyze clinical studies, evaluate health and treatment programs, assess health care costs, and to identify needs. Data used in statistics come from all aspects of the health care ecosystem. Statistics are not used to study health records; they are used to study people. Recognizing the benefits of statistical data collection, a provision under the Montana Code 50-16-603 states that health care information may not be released by any covered entity except for statistical purposes, and if no individually identifiable information can be obtained from the released information.
The HIPAA privacy rule supports this rationale. A covered entity can disclose protected health information according to the privacy rule’s de-identification standard and implementation specifications. The standard mandates that de-identification methods be determined by a qualified expert, OR by removing individual identifiers AND by the absence of knowledge that any of the released information can be used to identify the individual, either alone or in combination with other information. It is the responsibility of the covered entity to implement the De-identification Standard, or face criminal liability.
Confidentiality Policy Statement
As specified in MT Code § 15-16-603, no protected health information may be disclosed, except:
for statistical purposes, if all individually identifiable information has been removed;
when written consent has been obtained by named person, and a written request made for the proper disclosure of requested health information;
to emergency medical personnel in the event of a life-threatening, or life-altering emergency;
to state and local public health agencies as necessary to protect the health of the public.
The Centers for Disease Control and Prevention website contains a list of nationally notifiable infectious conditions that must be reported. Any release of chemical, biological, or radiological agents, whether accidental or intentional, must be reported. Incidences of child abuse, fetal death, and injury and death caused by the use of deadly weapons, must be reported.
Montana Codes vs. HIPAA Privacy Rule
Federal HIPAA laws preempt state laws, but not always. For example, if state law is more stringent at protecting personal health information than HIPAA, the state law will apply.
Similarly, state law will apply if it allows an individual greater access, or greater control of his or her health information.
Right of access
The HIPAA privacy rule allows patients the right to inspect and copy their medical records. Patients must request the information in writing. Covered entities must respond to the request within 30 days. The information that patients can access is called the designated record set. The designated record set is a group of records that includes medical, billing, payment, claims, and medical management records, or any information that is used to make a decision about the individual. The patient may request a copy of the designated record set in either electronic or paper formats. The Montana code 50-16-541 offers the patient quicker access and more control of protected health information. A written request for the health information is required, but the state has no more than 10 days to respond to the request, rather than 30 days. The patient can examine and copy all or part of his or her health record. There is no designated records set that could limit access.
Fees
According to the Montana code 50-16-540, reasonable fees are permitted. The covered entity may charge handling and searching fees up to $15. The HIPAA privacy rule prohibits such search and handling fees, most likely because the HIPAA privacy rule does not require the covered entity to obtain more than one record set, and from more than one location at a time. Additional records sets would be required only upon additional written requests. Provisions that allow for the lawful denial of access to requested health information are virtually identical in both the state and federal mandates.
Confidentiality
According to the Montana code 50-16-603, no covered entity can disclose protected health information except to public health agencies, local and/or interstate, to initiate public health efforts to prevent or disrupt the transmission of infectious disease, and/or to prevent injury or death. In accordance with International Health Regulations (IHR), incidences that involve exposure to chemical, biological or radiologic substances, whether deliberate or accidental, must be reported to public health authorities. Cases of child abuse, infant death, and injury or death caused by deadly weapons must be reported.
Realizing the need of public health officials to protect the public, the HIPAA privacy rule implemented its “public health exception”. The public health exception to the privacy rule supports the state’s obligation to protect the public. To reiterate, the privacy rule does not preempt state law for the reporting, investigating and surveillance of public health issues. Whereas the Montana code 50-16-603 authorizes “covered entities” to disclose health data for the purposes of public health, please note that authorized public health officials are not covered
entities, and thus are not subject to privacy rule requirements. Although the HIPAA privacy rule permits the disclosure of protected health information without authorization for the purposes of public health, it does NOT require it. State law, however, requires that public health threats be reported to appropriate public health agencies.
Release of information policy statement to Montana Code 50-16-541
In accordance with state and federal laws, all patients have access to their own medical records. Upon written request, patients can view and receive copies of their medical records.
Medical providers have 10 days to respond to the request. All written requests to medical records must come from the named patient only, OR from those authorized to receive such records, such as spouse or legal power of attorney. Please note: In the absence of a legal power of attorney, the decision to release a spouse’s medical records is dependent upon the discretion of the medical provider. An administration fee not to exceed $15.00 may be charged, not including a charge of up to 50 cents per page of any photocopies provided.