Confidential Records and Information (Security, Storage and Destruction) - CAM 368

Description:
Medical records are any documents or files containing medical information.  All personal information, solicited or non-solicited, regarding a member.  This includes, but not limited to, diagnoses, or other medical information filed on a claim form and such information stored within our internal information systems.

Policy Statement:
All protected health information (PHI) regarding a member is strictly confidential.  Protected health information is defined as any individually identifiable health information that is transmitted or stored in any form including electronic, paper or oral communications.

BCBSSC complies with all State and Federal Laws and Regulations pertaining to the security and confidentiality of member specific medical information.

BCBSSC will not disclose member personal health information (PHI) without consent from the individual and only for purposes of payment and health care operations and as permitted by law, unless otherwise requested by the individual and agreed to by the appropriate privacy officer.

Member identified personal health information will be used solely for the purpose of conducting medical management activities (example: Utilization Management, Case Management, Disease Management, Post Pay Appeals).

The use of non-digital cell phone is prohibited in connection with any medical management activity.

The use of INTERNET is prohibited for transfer of protected health information except as allowed through secure INTERNET sites approved for corporate use or when corporately approved encryption software is utilized.

The transfer of personal health information by fax will only be permitted by the use of secured fax machines.  Fax machines will be located in a secure area and accessability to the fax machines will be limited to authorized staff/personnel only.  All information transmitted by fax will be sent with a "confidential disclaimer" on the cover sheet.

BCBSSC staff and any consultant/contracting entities are required not to disclose any information learned in the performance of their job to anyone, either inside or outside of the Plan, with regard to personal information about a subscriber/member/patient, except as necessary in handling of a claim, authorization or appeal.  BCBSSC staff must also exercise extreme care not to access confidential information unless authorized to do so as a necessary part of their job duties. Improper handling of medical records or claims or unauthorized accessing of a member's claims/history or discussion of such information is just cause for immediate disciplinary action up to and including termination of employment.

If there is any doubt regarding the validity of requests for medical and other information, staff should bring it to the attention of their supervisor or manager.  Management will refer to the legal department for direction prior to release of any member specific health information.

BCBSSC requires all contracted providers to have a confidentiality policy in place that guard against unauthorized or inadvertent disclosure of confidential information.
Member information is not released for any purpose that could result in the member being contacted by another organization for marketing purposes.

Definition:
Personal health information includes medical records, claims, benefits, and other administrative data that are personally identifiable.  This includes explicit and implicit information.

Explicit information is clearly identifiable, with member names or identification numbers.

Implicit information does not include specific member names, but includes information that could be used to identify members, such as dates of service.

Procedural Guidelines:
This corporation takes steps to protect the privacy of members' personal health information. The following outlines how this information is protected.

Internal Confidentiality:

Maintenance of Medical Record/Personal Health Information
All protected health information which is used for customer service, utilization management, case management, disease management or quality improvement and claims processing activities are maintained in a secured area.  Only authorized employees have access to this information as necessary to complete their job responsibilities.

After any paper copy of protected health information is used for medical management, the information is imaged and/or stored electronically.  Please see "Electronic Storage and Destruction of Member Specific Medical Information" for disposal methods of paper documentation. 

Any employee transporting protected health information outside of the corporation will do so in a locked case whenever traveling by vehicle or a sealed envelope when walking between buildings.

If disposal of copies of protected health information is necessary, the employee will place the information in designated locked receptacles for shredding and destruction.
While working with protected health information, staff will abide by the following rules:

  1. When leaving their designated work area, all protected health information will be secured in a folder so that information is covered and cannot be viewed
  2. When leaving for the day, all protected health information is secured in folders and placed in a locked drawer.
  3. When leaving the work area for short periods of time, all computer screens, which pertain to personal health information, are to be minimized so that the screen is not viewable.
  4. When leaving the work area for lunch, breaks or the end of the day, all computer screens are closed and system is secured by password protection.
  5. All PHI data stored on a portable USB drive or removable file like a CD Rom musst be encrypted with the corporate encryption software.

Data System Security
All data maintained on the Plan's computer system have built in security measures to restrict access to data in accordance with corporate policy.

Disclosure in Connection with the Review or Adjudication of Claims/Authorization
Protected health and other identifying information pertaining to a subscriber or patient may be disclosed only to those persons within the Plan, including contracting entities, who, in the regular course of their business, need such information in order to process or review an authorization, precertification, etc.  All employees must sign an annual confidentiality agreement.  In addition, contracts with organizations that conduct administrative services for this corporation, such as the pharmacy benefit manager, include requirements that the organization follow BCBSSC confidentiality policies.

Corporate Audit
The Corporate Audit Department monitors the clinical quality of care through the analysis of medical information.  Due to the nature of performance measurement, member identifiable information is at times collected.  This information may be collected via the medical record or through claims submission.  This information is stored in a secure area, and is used only to analyze the quality of care provided to members by providers.  Any employee with access to this information must sign confidentiality agreements, and are made aware of the sensitive nature of the data.  Aggregated results based on these reviews may be released for quality improvement; member-identifiable information is not released.

External Confidentiality:
Disclosure Required by Order of a Court, Government Agency, or as Otherwise Required by Law.
The Plan may release medical or other information without a member's written consent to the extent required by the terms of a valid court order or subpoena issued by any criminal or civil action or by the terms of an enforceable order of government agency, such as a summons issued by the Internal Revenue Service, or as may otherwise be required by local, state, or federal law.

The legal department shall handle all disclosures in this category.  All court orders or subpoenas should go directly to the legal department who will then collect the information required.  All requests will be handled promptly with complete cooperation for any request from the legal department.  Court orders or subpoenas should be sent immediately to the legal department.

Disclosure of Information Which Does Not Identify Subscribers
If disclosed information does not reveal the identity of subscribers or patients, or could not be reasonably be used to identify subscribers or patients, and if otherwise permitted by law, requests for personal health information in the Plan's possession may be released to responsible individuals, organizations and government agencies, who in the Plan's judgement, have a legitimate interest in such information.  For example, data may be requested related to a particular class of claims for the purpose of conducting a statistical study.  Disclosure in such cases is permissible if the following identifying information is deleted.

Identifying Information

  • Names
  • All geographic codes smaller than the state including street, city, precinct or zip code (some exception for zip code)
  • All elements for dates (except can use year unless age indicator for individuals is over age 89)
  • Telephone numbers
  • Fax numbers
  • E-mail addresses
  • SSN numbers
  • Medical records numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificates/license numbers
  • Any vehicle numbers
  • Device identifier numbers
  • Serial numbers
  • URLs
  • IP Addresses
  • Biometric identifiers (including fingerprints and voice prints
  • Full face photographic or comparable images
  • Any other unique identifying number (s), characteristic or code

Disclosure of Information for Quality Purposes
If Blue Cross Blue Shield of South Carolina contracts with a vendor or other entity to assist in evaluating personal health information for the purposes of quality measurement, this information will be encrypted or redacted to ensure that member information is not identifiable.

Disclosure to Employer Groups
No patient/member identifiable personal health information is provided to employer groups.  No member specific health information will be provided to an employer without a written consent from the member, unless such release is required by legal obligations.

Administrative Service Only (ASO) accounts may require access to member identifiable personal health information.  In these situations, a signed indemnification agreement that specifically outlines the individuals who will have access to the information, for what purposes they may access the information is required and maintained by the marketing service representative for each employer group.  The indemnification agreement requires the employer to agree to only use the information to legitimately administer the group health plan, and not to use the information to identify any individual group member for any improper, unlawful or otherwise unauthorized purpose.  In addition, security measures are implemented to prevent unauthorized access.  Member identifiable mental health and substance abuse information is not released to any employer, including employers, under any circumstances, unless the member specifically signs a consent to release this information.

Disclosure Under Other Circumstances
Requests for disclosure of medical or other information which do not fall within the above guidelines should be referred, as appropriate, to the person or institutions having possession of the information requested, such as a hospital or physician, or the subscriber or patient, or his/her duly authorized representative.  Under no circumstances is personal health information released (other than in the above guidelines) without a written release from the member and verification from a supervisor or manager.

Release of Member Identifiable Information
If a situation is identified where there is a need to release member identifiable information other than for purposes outlined above; the person who wished to release the information will obtain a written consent form from the member.  The form will outline what information the member authorizes for release, and for what purpose.  The following are examples of such request to release information:

  • Release of information to a non-custodial parent
  • Discussion of out of contract coverage with an ASO account group leader when member identifiable information is requested
  • Requests from members to release medical record information we have in our files to a provider

In the event that the member is unable to provide consent, information will be released only when a third party who has one of the following signs consents:
      (1) durable power of attorney
      (2) is the court appointed guardian
      (3)a court order (not just a subpoena), or
      (4)in the case of a minor, the legal guardian

In any other circumstance, the party must obtain information directly from the provider (s).  In addition, the above four circumstances outline the only situations where it would be allowed for someone (other than the member) to have access to information on a member.

Member Confidentiality:
Member Consent
Subscribing members sign a medical release statement at the time of enrollment.  The signature of the subscriber provides consent for all members covered under the policy.  This statement allow the following use of health information:

  • Release of medical records from practitioners and providers to BCBSSC for the purpose of administering the contract, such as claims processing, determining medical appropriateness of care, investigation of complaints, appeals and quality of care concerns.

Except for this consent received at the time of enrollment, we will not seek consent for use of PHI for treatment, payment or operations as allowed by law.  Any other use of member identifiable information will require an authorization signed by the member, or in the case of a minor, his or her legal guardian.  If the subscribing member is a minor (under the age of 17), the parent or guardian who enrolled the member is required to sign the routine consent on behalf of the minor.

Member Access to Medical Records
An individual has a right of access to inspect, amend and obtain a copy of PHI about themselves in designated record set for as long as the PHI is maintained except psychotherapy notes, information gathered in reasonable anticipation of a legal proceeding and certain laboratory information protected by the CLIA law of 1988.  Any member request for access to medical records should be forwarded to the customer service unit for the member’s contract.  Customer Service representatives will hand the process of all such requests.

Member Right to Request Confidential Communications
All members have the right to receive any protected health information about themselves by alternative means or at an alternative location from the subscriber address on the member’s policy.  Any requests received from members to designate a different location or means of communication of their protected health information should be sent to the customer service unit responsible for the member’s contract.  Customer service representatives will handle the processing of these requests.

Right to Appeal
If a member disagrees with anything related to this confidentiality policy; he/she may file a complaint and/or appeal through the complaint and appeal process.

Oversight of Confidentiality:
The Corporate Security Officer or its designee is assigned to the oversight responsibility of corporate confidentiality policies and to review practices regarding the collection, use and disclosure of personal health information.

Electronic Storage and Destruction of Member Specific Medical Information:
Electronic storage and destruction ensures that the confidentiality of member specific information is protected and provides a well documented process to address the electronic storage of member specific medical information and destruction of paper documents.  This process, through the use of image technology, allows for archiving and storage of documents in a confidential and secure environment.  Blue Cross Blue Shield of South Carolina will abide by all applicable State and Federal laws/regulations governing confidentiality and storage of member specific medical information.

All documents shall be prepared, indexed, and imaged into either the subscriber's identification number or provider's identification number as appropriate.  These documents will be available for viewing and printing through the retrieval process.

Blue Cross Blue Shield of South Carolina has contracted with paper disposal vendors who place locked paper receptacles within each department.  The paper shredding receptacles are changed periodically and replaced with empty locked receptacles.  BCBSSC contracts with paper disposal companies as the method of document destruction.  Each vendor signs a confidentiality statement and attests that they are in compliance with all State and Federal laws that govern destruction of records.

Complementary Content
${loading}