Vicki, I have not taken the time to read the Final Security rule yet so please note that my anwer is strictly limited to the context of the Privacy Rule.
The only requirement of the Privacy rule that could be construed to require a covered entity to lock up charts is section 164.530(c) which basically says that a covered entity must have in place "appropriate administrative, technical, and physical safeguards to protect the privacy of" PHI. In the preamble to the original rule (December 2000, pg. 82562) HHS does cite shredding records prior to disposal and "requiring that doors to medical records departments (or to file cabinets housing such records) remain locked and limiting which personnel are authorized to have the key or pass code" as examples of appropriate safeguards. However, these are examples and they come from the preamble, not the rule itself. So the rule does not require locking up charts but that is offered as an example of what might be appropriate. Furthermore, I would note that immediately following these two examples of safeguards, the preamble goes on to say that "We intend this to be a common sense, scalable, standard." I work primarily with solo-practitioners and small group practices. Many of these providers do not have a "medical records department", nor do they have their charts in file cabinets. Their charts are on shelves, located somewhere in the office, and these shelves may or may not be in discrete rooms that can be locked up. Here is the approach I have taken with such clients: We have put in place a basic Security policy that specifies what are the normal business hours of the practice, what doors remain locked even durring business hours (such as back entrances to the practice) and what doors are unlocked durring business hours (the front entrance). Obviously the policy says all doors are locked after business hours. My contention is that if the perimeter of the facility is secure after normal business hours, then there is no need to lock up the charts in their own room or in cabinets after business hours. If someone is going to break into the facility after hours, why shoiuld we think a locked room or locked cabinet would protect records if they have already breached the perimeter? During business hours we have had to look at where are the charts relative to where patients need to have access to get to exam rooms and restrooms, and where are employees of the practice normally stationed. For example, if all of the charts are on a shelf behind the check in counter, and the practice normally staffs the check in counter continuously during normal business hours, then our approach has been to address safeguards administratively by once again using a policy. Through policy we put all employees on notice, and especially the front desk staff, that they are responsible for monitoring access to the charts and other PHI and ensuring only authorized employees of the practice are allowed behind the counter to pull charts. If the charts are not in an area that we can reasonably expect the employees will be able to monitor and control access, then we have looked at relocating the charts to where they can be monitored, or locking them up. For small providers I think this is reasonable and appropriate. I would further defend this approach by looking at what OCR has said about enforcement. Everything I have read from OCR indicates that if they audit someone and don't agree with what you are doing, you will not be fined or imprisoned but told to fix it (assuming you have been found to have violated the rule intentionally). As long as you document that you analyzed the situation, can explain the reasoning of how you came up with the system of safeguards you employed (be they physical or administrative) I think you will be able to demonstrate good faith. If they don't agree, you will told to fix it. Personally, I'd rather buy a bunch of locking cabinets or build "medical records rooms" if they tell me I have to do it, but not before if I reasonably believe the records can be safeguarded without them. Noel Chang -- Open WebMail Project (http://openwebmail.org) ---------- Original Message ----------- From: [EMAIL PROTECTED] To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Thu, 6 Mar 2003 22:06:22 EST Subject: Unlocked charts > This has probably been covered before, but for those of us still not > clear: > > Do charts have to locked up if they are within the area of the > practice to which no one but employees who may need them have > access? The cleaning crew would be in the same area at night. > > Thanks very much. > > Vicki Saunders > Pain Clinic Associates, PC > [EMAIL PROTECTED] > > Pain Clinic Associates, PC Confidentiality Notice: The information > contained in this e-mail transmission is confidential information, > proprietary to the sender and legally protected. Its purpose is > intended for the sole use of the individual(s) or entity named in > the message header. If you are not the intended recipient, you are > hereby notified that any dissemination, copying or taking any action > in reliance on the contents of this information is strictly > prohibited. If you received this message in error, please notify the > sender of the error and delete this message, any attachments and all > copies. Thank you. > > --- > The WEDI SNIP listserv to which you are subscribed is not moderated. > The discussions on this listserv therefore represent the views of > the individual participants, and do not necessarily represent the > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to > receive an official opinion, post your question to the WEDI SNIP > Issues Database at http://snip.wedi.org/tracking/. These listservs > should not be used for commercial marketing purposes or discussion > of specific vendor products and services. They also are not > intended to be used as a forum for personal disagreements or > unprofessional communication at any time. > > You are currently subscribed to wedi-privacy as: > [EMAIL PROTECTED] To unsubscribe from this list, go to the > Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a > blank email to [EMAIL PROTECTED] If you > need to unsubscribe but your current email address is not the same > as the address subscribed to the list, please use the > Subscribe/Unsubscribe form at http://subscribe.wedi.org ------- End of Original Message ------- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
