Adams School of Dentistry: Access to Patient Information Policy

Introduction

Purpose and Scope of Applicability

This Policy outlines appropriate behaviors and expectations and applies to all Adams School of Dentistry (“ASOD”) Workforce Members who create, store, transmit, access or use any patient information in support of clinical or research purposes, whether maintained in audio, paper, or electronic format, and any individual granted electronic access (including remote access) to ASOD or UNC Health information systems containing patient health information. The University of North Carolina at Chapel Hill (UNC-Chapel Hill) Institutional Privacy Office and/or UNC Health Care System (“UNC Health”) Privacy Office may actively monitor and audit accesses of any electronic system, application, database, or Epic system to determine appropriate access.

Background

UNC-Chapel Hill has designated itself as a Hybrid Entity in accordance with the HIPAA Privacy, Security and Breach Notification Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 and all regulations promulgated thereunder (hereinafter collectively referred to as “HIPAA”).

By making this Hybrid Entity designation, only the parts of UNC-Chapel Hill performing covered functions ("Covered Component") are subject to HIPAA. Pursuant to UNC-Chapel Hill’s Hybrid Entity Designation, ASOD, except for the Student Health Action Coalition Medical Clinic, is a Covered Component and therefore subject to HIPAA.

ASOD is an Epic Community Connect partner of UNC Health. Community Connect helps improve the patient care experience by, for example, allowing ASOD to view a patient’s complete medical history at UNC Health, including the allergies and medical conditions relevant to the patient’s ASOD encounter.

Definitions

Business Need to Know: Information needed to provide and/or support:

  1. patient care treatment activities required by that individual's job or duties;
  2. the performance of health care operational activities, as defined by an individual's assigned job duties or at the instruction of an authorized supervisor or other official. Health care operational activities include by way of example, activities in support of compliance, accreditation, licensing, certification and all other administrative activities;
  3. the performance of approved educational activities in support of the education of medical residents, students or others or such other professional educational activities in support of formal educational programs of the ASOD or UNC Health; and
  4. the performance of clinical research activities in accordance with UNC-Chapel Hill policies, procedures, and an Institutional Review Board (“IRB”) review and approval.

Individually Identifiable Health Information (45 C.F.R. § 160.103): Information that is a subset of health information, including demographic information collected from an individual, and:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse;
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to the individual; and
  • That identifies the individual; or
  • With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (“PHI”) (45 C.F.R. § 160.103): Individually identifiable health information in any form or medium (paper, electronic, oral) that is created, transmitted, maintained, or stored by the ASOD or a business associate and related to past, present, or future health of an individual, the provision of health care, or the payment for health care linked to a patient.

PHI also includes identifying or personal information, as defined in Federal Trade Commission’s Red Flags Rules and the North Carolina Identity Theft Protection Act, including any name or number that may be used, alone, or in conjunction with any other information to identify an individual.

Workforce Member: ASOD faculty, staff, students, trainees, interns and volunteers whether they are full-time, part-time, paid or unpaid, whose conduct, in the performance of work for ASOD, is subject to the control of ASOD.

Policy Statement

A. Application

Protecting the privacy of patient information is an important consideration for everyone who uses Epic or any other electronic system containing patient information. ASOD and UNC Health have legal and ethical obligations to ensure the confidentiality and security of patient information, and individuals granted access to patient information are personally responsible for ensuring that the privacy of our patients is always protected.

B. Individual Responsibilities to Protect Patient Privacy When Accessing Patient Information in Electronic Systems

1. Authorized Users

Only authorized users with a Business Need to Know to perform an ASOD role or contract responsibility are permitted to access PHI. Workforce Members may access, use or disclose PHI for treatment, payment or health care operations purposes when they have a Business Need to Know in accordance with their ASOD role or contract responsibility.

Additionally, Workforce Members may access, use or disclose PHI for clinical research purposes when they have a Business Need to Know in accordance with UNC-Chapel Hill’s policy and an IRB review and approval. Access is not otherwise authorized without the written authorization of the patient, a subpoena, a court order, or authority under state or federal law and regulations. See Privacy of Protected Health Information Policy.

2. Duty to Safeguard Patient Information

Workforce Members who have been provisioned access to any electronic systems containing PHI must safeguard PHI in accordance with UNC-Chapel Hill, UNC Health, and ASOD policies and procedures. See Privacy of Protected Health Information Policy.

3. User Login

Workforce Members are responsible for any misuse or unauthorized use or disclosure of PHI performed using their login/access credentials. In accordance with applicable UNC-Chapel Hill Security Policies, Workforce Members should not write passwords down or share them with others, including administrative assistants or managers. See Passwords, Pass-phrases, and Other Authentication Methods Standard. Once a Workforce Member logs into an Epic session, the Workforce Member is responsible for exiting the Epic session before walking away from the workstation. Access to ASOD systems is logged and may be audited. Workforce Members will be held responsible for any information accessed inappropriately under their credentials.

C. Appropriate Accesses

Only authorized users with a Business Need to Know to perform an ASOD role or responsibility may access PHI. Access must be required for the Workforce Member’s role and performance of the Workforce Member’s function. See The "Minimum Necessary" Standard for Accessing, Disclosing and Requesting Protected Health Information. For example:

  • An ASOD clinical staff member may need to access a patient’s record for treatment of the patient.
  • A patient relations representative may need to access a patient’s account to update guarantor information.
  • A customer service representative may need to access a patient’s account to schedule an appointment.
  • A dental assistant may need to access a patient’s prescription list to assess allergies and current medications in advance of a dental treatment visit or proposed plan of care.
  • A clinical care coordinator may need to access a patient’s recent medical treatment at UNC Health that may directly impact or influence the dental treatment plan.

Authorized users who access PHI must follow applicable UNC-Chapel Hill, UNC Health, and ASOD policies and procedures regarding accurate and complete documentation within patient records.

1. MyUNCChart

Workforce Members who are patients of ASOD or are parents of minor children who are patients of ASOD are required to use MyUNCChart to access their own records or MyUNCChart proxy to access the ASOD records of their minor children.

2. Medical Record Requests

Workforce Members who are patients of ASOD and who do not have a MyUNCChart account and do not wish to set one up, or who want access to their own record documentation not otherwise released through MyUNCChart, may request their records from the ASOD patient records unit by completing an "Authorization to Release Patient Information" form located on the Carolina Dentistry website.

D. Inappropriate Access

Accessing PHI of any person, including co-workers, friends, or family without a Business Need to Know - regardless of intent, access duration, or number of screens accessed - is considered inappropriate access that will be subject to disciplinary action as described in Section (F) below.

Workforce Members who receive a request from family members, friends, neighbors, or co-workers to access their patient records for any reason (e.g., to make payments, update demographic information, schedule appointments, upload images, or release medical record information) may not access Epic to complete the request. Instead, Workforce Members must direct the requester to the appropriate business unit, which will follow its standard protocol for completing patient requests.

The following are examples of accesses that do not constitute Business Need to Know to perform ASOD job responsibilities or services at ASOD and are not permitted:

1. Access Outside Scope of Business Need to Know

Accessing PHI after a treatment episode has ended, or after a quality improvement project or training/education coursework has been completed, is not permitted, even if motivated by learning.

  1. An ASOD provider or dental assistant may access a patient’s medical record during his/her direct care of that patient. However, “follow up” reviews of the medical record to check on the patient’s recovery are prohibited once the Workforce Member is no longer involved in the care of the patient.
  2. A clinical care coordinator may access a medical record while working on an approved activity or project, but that access ends at the completion of the activity or project.
  3. A student/trainee is assigned access for educational purposes only to patients on the assigned team, and only for the duration of the project/educational activity.

2. Self-Access

Accessing one’s own ASOD or UNC Health medical records using one’s ASOD Epic user credentials is not permitted. To exercise your right of access to your own PHI, refer to Sections (C)(1) and (2) above.

3. Family/Friends/Neighbor

  1. Accessing the record of a family member or friend recently diagnosed with a condition in order to review the prognosis and offer support.
  2. Accessing a family friend’s scheduled appointment to review the reason for the clinic visit.
  3. Accessing an admission record to determine a room location.
  4. Reviewing a friend’s balance and applying a payment to the account.

4. Co-Workers

  1. Reviewing a co-worker’s treatment notes to learn the outcome.
  2. Reviewing the scheduling system to confirm that a co-worker is attending an appointment for his/her children.
  3. Reviewing a supervisor’s record relating to medical leave taken to care for a family member.
  4. Reviewing a staff member’s record to evaluate FMLA leave.
  5. Cancelling and rescheduling a co-worker’s appointment.

5. High Profile Patient/VIP

Accessing the Epic record of a high profile patient, including a celebrity, athlete, or individual reported on in the news, is not permitted unless the Workforce Member has a Business Need to Know for that patient.

E. Right to Perform User Access Audits

ASOD recognizes that auditing is an essential function of safeguarding confidential patient data from inappropriate access or use. Through the use of system tools and technical functionality, the UNC-Chapel Hill Institutional Privacy Office and/or UNC Health Privacy Office may perform, without prior notice, audits of any electronic system, including Epic, ASOD systems, databases and any other ASOD systems or applications containing PHI in electronic format, to ensure that any access to patient information was performed in accordance with UNC-Chapel Hill, UNC Health, and ASOD policies and procedures. If required, the UNC-Chapel Hill Institutional Privacy Office and/or UNC Health Privacy Office, with the assistance of ASOD, will assess the appropriateness of an individual’s access to and use of PHI against the Business Need to Know for that individual’s ASOD responsibilities. Instances of unexplained access will be monitored, audited and investigated by the UNC-Chapel Hill Institutional Privacy Office and/or UNC Health Privacy Office or their designees.

F. Sanctions for Violations

Individuals who have been determined to have accessed patient information without an appropriate Business Need to Know are subject to discipline in accordance with UNC-Chapel Hill’s Standard on HIPAA Sanctions and all other applicable policies and procedures. See Standard on HIPAA Sanctions.

Related Requirements

External Regulations and Consequences

Unit Policies, Standards, and Procedures

  • None

Contact Information

Topic | Title | Contact
General questions about this policy | Associate Dean for Strategy and Compliance | ASOD_ClinicalCompliance@unc.edu
Specific questions | Privacy Office | privacy@unc.edu

Details

Article ID: 139341
Created: Thu 4/28/22 7:59 AM
Modified: Tue 11/28/23 1:20 PM
Effective Date: 05/02/2022 12:00 AM
Issuing Officer Title: Director of Clinical Compliance
Last Review: 07/24/2023 1:23 PM
Next Review: 05/01/2025 12:00 AM
Origination: 04/28/2022 7:58 AM
Responsible Unit: Adams School of Dentistry - Compliance

Related Articles (1)

This Policy describes requirements and expectations for peer-to-peer encounters as a component of clinical training.