Yale University School of Medicine
Guidelines for Physical Security

Paper Medical Records and PHI


Definitions

Designated Record Set - Medical, clinical research and billing records about an individual maintained or used to make decisions about the individual and the individual’s treatment, and subject to an individual’s right to request access and amendment.

Medical Record [from Exhibit 5002A]: for the purposes of these guidelines the 'medical record' is considered to include Identification Sheet/Face Sheet; Advance Directives; Problem List; History and Physical; Progress Notes (including documentation); Consultations; Diagnostic Imaging Reports; Laboratory Reports; EKG Reports; EEG Reports; Pathology Reports; Reports of Operations/Procedures; Therapy Reports; Graphic Sheets; Medication Records; Nursing Documentation; Immunization Records; Discharge Instructions; Consents and Authorizations; Home Health Documentation; Photographs (if included in the medical record); Medical Release Forms; Life Time Insurance Authorization (LTIA) (scanned image); Explanation of Benefits (EOB) (scanned image); Patient Checks (scanned image)

Protected Health Information (PHI): individually identifiable health information that is held by a covered component and transmitted or maintained in any form or medium. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) (records described in 20 USC 1232g(a)(4)(B)(iv)) and employment records held by a covered entity in its role as employer. (see HIPAA glossary)

General Information

  • Medical records and PHI must be located and used so as to minimize incidental disclosure of PHI
  • Individual documents should not be separated from the medical record and PHI.
    Exception: Pages can briefly be removed for administrative purposes, such as making copies
  • We recommend having a process for tracking/logging the location of medical records and PHI while in use, transit or storage
  • YSM, YSN & YNHH primary source medical records and PHI should not leave the worksite
    Exception: medical records and PHI in transit between worksites
    Exception: inactive records and PHI stored in off-site archives

In Use

  • If the medical record and PHI are in use, but not actively being viewed, they should be closed, covered or placed in a position to minimize incidental disclosure. This is especially important in patient or research subject areas.

In Transit (including YNHH medical records)

  • Medical records and PHI should be covered, so that no personal identifiers are visible
    When moving medical records and PHI in volume use procedures that minimize exposure.

Storage

  • Medical records and PHI must be stored where there is controlled access
    • We recommend that medical records and PHI stored in hallways that are accessible by unauthorized individuals should be in locked cabinets.
    • No open shelves in a patient or research subject area.
    • No open shelves in a hallway that allows access to individuals not authorized to access those medical records and PHI.
  • Medical Records and PHI should be stored out of sight of unauthorized individuals, and should be locked in a cabinet, room or building when not supervised or in use.
  • Options for providing physical access control for offices/labs/classrooms include:
    • Locked file cabinets, desks, closets or offices
    • Mechanical Keys
    • ID swipes (can be designed to accept YU/YNHH IDs)
    • Alarm keypad systems (mechanical or electronic)
    • Change keypad access codes on a regular basis
  • We recommend you assign someone to manage and document access issues (keys, card swipe, keypad access):
    • Identify individual(s) with the authority to grant access to an area
    • If possible, use the HR Oracle Move and Gone report to remove access ASAP when an individual’s status changes or if the individual leaves the University.
 

Additional Recommendations for Computing Devices with PHI 

  • When possible use ITS Data Center centralized services, so that primary source electronic data resides where adequate environmental and physical safeguards are maintained.
  • If your department has primary source (electronic) PHI for patient care, approved research, pre-research, or billing or scheduling, an adequate backup system at an alternate location is recommended.
  • Avoid having the display monitor or keyboard in a location where they can be seen by unauthorized individuals.
  • Use reasonable safeguards to limit unauthorized physical access to computing devices. If someone can get physical access to a computing device they will probably be able to get administrative access to it.
  • Store portable/hand-held computing devices in locked cabinets/desks when not in use. Security includes preventing computing devices from being stolen. Use reasonable safeguards to secure the machines to non-movable furniture (such as a desk) if they are in an area where it is difficult to restrict access.

Last revision: 03/16/2004
