Off-Site: A location that is not within the confines of a participating provider’s work location. Off-site includes a home office, automobile, or any other location that is not under physical control of the provider.
On-Site: A location within the confines of a participating provider’s work location.
Protected Health Information (PHI): Individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in any medium
- Transmitted or maintained in any other form or medium.
Participating providers agree to maintain the medical and claims-related data concerning services provided to members that they would maintain in the normal course of business. Upon reasonable notice and during a facility’s regular business hours, VBH-PA, its authorized representatives and duly authorized third parties (such as governments and payors) have the right to inspect and/or be given copies of medical records directly related to services rendered to HealthChoices members. Participating providers must ensure that each member’s medical record is treated as confidential so as to comply with all state and federal laws and regulations regarding the confidentiality of patient records.
Participating providers must cooperate with VBH-PA and payor to ensure that all consents or authorizations to release member records are in conformity with applicable state and federal laws and regulations governing the release of records maintained in connection with mental health and/or substance abuse treatment.
Participating providers must also maintain the security of hard copy paper files containing PHI off-site in accordance with these minimum rules:
- Only staff that are authorized to do so remove paper files from on-site locations.
- It is suggested that on-site locations maintain a log of PHI taken off-site. The log specifies when PHI is removed and when it is returned to the work location.
- PHI is kept out of sight of unauthorized persons while it is off site:
- PHI is not handled in close proximity to unauthorized individuals, who may be able to read the PHI.
- PHI is not left unattended in an unsecured area or containers.
- Paper files should be transported in containers that are not easily opened by unauthorized personnel, such as locked briefcases, or sealed boxes or envelopes.
- Documents are stored off-site at a facility that should have:
- Facility-wide security
- Fire protection such as water sprinklers, fire extinguishers, and alarms
- Disaster recovery plan
- Climate control to keep paper free from moisture
- Access security which uses ID badges, personnel log-in protocols, automatic log-off, and passwords/personal identification numbers
- Process to prevent the alteration, destruction, or inappropriate use of information
- Process for reporting and responding to security incidents
Participating providers must also ensure that any records meet all applicable federal and state laws and regulations related to the storage, transmission and maintenance of such records, including without limitation the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191) and the rules and regulations promulgated thereunder, as well as guidance issued by the United States Department of Health and Human Services (HIPAA).