Children's Behavioral Health

Privacy Policy # 03-AP-17

Issued: 8/21/03

A. Introduction: Policy, Background, and Scope

Policy

BH is responsible for the maintenance of confidentiality concerning private information, whether consumer, employee, or administrative in nature. This information shall be specifically and formally protected and managed through the design, development, implementation, and administration of policies and procedures, technical controls, and education. All systems and staff, whether in fiscal, quality improvement, administrative, direct service, or other roles, must adhere to this policy and to the laws and regulations regarding access to and use of information.

This policy addresses the collection, use and maintenance of identifying information about DHHS clients.

BH recognizes and protects the rights of the individuals it serves, including their right to control the use and dissemination of their personal and confidential information. DHHS prohibits access to and collection, use, or disclosure of identifiable information except with the documented informed consent and/or authorization of the consumer or guardian, or as explicitly permitted by State or Federal legislation or regulation. Such use of information will be limited to the minimum necessary to accomplish the stated purpose. It is based on the following premises:

  • Clients will be treated with dignity and respect, and their rights will be safeguarded by all who provide services to them. Privacy and confidentiality procedures will control the use and dissemination of personal and confidential information.
  • A client or guardian (as applicable) has control over disclosures of personal and confidential information except as otherwise permitted by law or regulation.
  • Authorization and consent for release of personal and confidential information may be withdrawn by a client or guardian at any time for any reason.
  • The client or guardian has the right to access all of the client’s personal and confidential information except as otherwise specified by law or regulation

Background

This policy addresses the privacy, availability, and integrity of information and is based on State and Federal laws and regulations, DHHS policies and practices, professional ethical codes of conduct, and exemplary policies used by other states and organizations. It does not supersede State and Federal laws and regulations that are more protective of individual confidentiality. Nor does a familiarity with this policy substitute for a knowledge of these relevant laws and regulations.

Scope

The following policy and procedures are intended to serve both as a policy statement and as a guide to DHHS staff and others involved in its work. It applies to all Departmental staff and other individuals, such as interns, volunteers, consultants, and other contractors involved in departmental work, who might gain access to confidential information. It covers all DHHS service populations and services and all information regardless of format (oral, signed, electronic, or written) unless otherwise specified. Exceptions occur most frequently with confidentiality requirements in substance abuse programs and are specifically noted in this policy.

This policy assures the ongoing development, implementation, monitoring, and evaluation of these and related policies and procedures, systems, and practices, as well as an information training/education program for both existing and new employees.

B. Definitions

As used in this policy, the following terms are defined as below:

  • Anonymous.
    Information from a source who is unknown or has asked to be not identified.
  • Availability of Information.
    Assures that information is accessible by authorized users whenever needed. This assurance of access can be as important as the restriction of access.
  • Authorization.
    Document, with approval by the individual, required for any use of specific protected health information for specified purposes other than for treatment, payment, or health care operations of the health care provider or for any disclosure of specified health information to a third-party specified by the individual except as otherwise cited in law or rule. An authorization is more detailed and specific than a “consent.” Both an authorization and a consent from the same person need not be obtained for a single/same use or disclosure. Treatment, payment, or enrollment cannot be conditioned on whether or not the individual signs an authorization.
  • C.A.B. v. Duby.
    Refers to the class action lawsuit brought against BDS by adult MR clients in 1991 and the resulting consent decree signed in 1994. References in this policy are to various numbered paragraphs in the consent decree.
  • Capacity (to consent).
    The ability to understand information and to make and communicate informed decisions.
  • Certified copy.
    A copy of a record including a notarized statement of accuracy and completeness.
  • CFR.
    Code of Federal Regulations.
  • Client.
    For the purposes of this policy only, “client” means any individual who is requesting, is receiving, or has received services funded in part or in whole by the Department.
  • Confidential information.
    Private, identifiable information that is based, for example, on examination, treatment, observation, data collection, or conversation. This applies to client, employee, and administrative information.
  • Consent.
    A general document that gives health care providers, if they have a direct treatment relationship with an individual, permission to use and disclose all protected health information for treatment, payment, or other health care operations (TPO) purposes. It gives permission only to that provider, not to any other person. Health care providers may condition the provision of treatment on the individual providing this consent. One consent may cover all uses and disclosures for TPO by that provider, indefinitely and must be retained for at least six years after the last effective date. A consent need not specify the particular information to be used or disclosed, not the recipients of disclosed information. In indirect treatment relationships, obtaining consent is optional. Generally indirect treatment providers such as laboratories, health plans, and health care clearing houses need not obtain consent.
  • Confidentiality.
    The protection of private, identifying information. If information is accorded a confidential status, that status mandates specific controls, including strict limitations on access and disclosure, so that unauthorized persons cannot access it. These controls must be adhered to by those handling the information.1 Confidentiality is an inclusive concept that is designed to assure that information will be used responsibly. It is an integral part of professional codes of ethics that regulate the disclosure of information obtained in the course of professional interactions.
  • Correspondent:
    A volunteer (not a family member or a paid staff) who is matched with an MR class member who has no active family involvement. Correspondents are recruited and coordinated through the Consumer Advisory Board. It is an official designation that is recorded in DHHS files together with information about next of kin, guardian, and other relationships.
  • De-identified information.
    That information from which all elements that can identify a specific individual has been removed.
  • Disclosure.
    The release, transfer, or provision of access to health care information in any manner to a person or entity other than the originating individual or entity, whether accidental or deliberate. Includes the ability to review and/or obtain previously collected and stored information.
  • Emancipated minor.
    A person 16 – 18 years of age who is not living with or under the control of a parent or legal guardian and who has been declared to have the rights of an adult (emancipated) by a District Court.
  • Emergency.
    A situation where there is clear imminent threat or danger to a person. In an emergency or when there is suspected abuse or neglect, necessary information may be released without the person’s consent. This is limited only to that information necessary to accomplish the purpose of disclosure.
  • Individually Identifiable Information.
    Information, which makes it possible to identify an individual. This may be direct (name, SS#, etc.) or indirect (information from which one can reasonably figure out the identity of an individual).
  • Incapacitated person.
    A person found by the court to lack sufficient understanding or capacity to make or communicate responsible decisions concerning him/herself.
  • Informed consent for disclosure.
    Consent that is freely given and based on explanation and understanding of what is to be released, to whom, and the purpose, as well as the right to revoke the consent.
  • Information sharing.
    Information that may be shared within an organization among those persons involved in the service and treatment.
  • Integrity of information.
    Protection of information from intentional or accidental unauthorized changes or other harm (such as fire and water damage).
  • MRSA.
    Refers to Maine Revised Statutes Annotated, the official compilation of all laws enacted by the Maine Legislature. Title 34-B contains most of the laws controlling the operations of BH.
  • Next of kin.
    A person having the following relationship to the subject, in order of priority: a spouse; an adult son or daughter; a parent; an adult brother or sister; an adult grandchild; an adult niece or nephew who is the child of a brother or sister; a maternal grandparent; a paternal grandparent; an adult uncle or aunt; an adult first cousin; any other adult relative in order of blood relation.
  • Non-confidential information.
    Information that is generally common knowledge and about which there is no specific request or entitlement by the subject to restrict disclosure, (information in the public realm about OUIs, divorces, courts, and news).
  • Notice of Privacy Practices.
    A plain language document (or other means as needed by the individual), describing how protected health information is used and disclosed by the health care provider/plan and individuals’ rights regarding that information. This notice must be provided to each individual.
  • Personal Information.
    Information having to do with an individual. Not all personal information is confidential.
  • Personal Representative.
    One who has legal authority to give consent on behalf of an incapacitated or deceased person--for example, a guardian, a conservator, or a holder of a power of attorney. However, note that the person’s authority may be limited in scope or in duration by a written document or court order, so that the document or court order must be read in order to determine what kind of authority has been granted.
  • Privacy.
    The ability of the individual to control the use and dissemination of information that relates to him or herself.
  • Privileged communications.
    These are confidential communications made for the purpose of diagnosis or treatment of a person’s physical, mental or emotional condition, including drug or alcohol addiction, between the patient, his physician or psychotherapist, and/or other persons who are participating in treatment under the direction of the physician or psychotherapist. Note that the privilege exists only for communications with certain types of professionals.
  • Protected health information.
    Individually identifiable health information transmitted or maintained, regardless of form, excluding that found in education records.
  • Release of information.
    Release or authorization document signed by the client or legal representative authorizing disclosure of confidential personal information in accordance with state and federal regulations. In limited circumstances this may also be oral.
  • Rights of Recipients.
    These are rights of recipients of mental health services that BH has adopted as part of its regulations. The references are to various sub-sections of Part A, containing rules of general applicability to recipients of mental health services.
  • Security.
    For purposes of this policy, measures to safeguard the availability, integrity, and confidentiality of information. Security includes physical, electronic, and administrative safeguards: access, training, policies and procedures, physical environment, and behaviors (e.g.: a locked room, or cabinet; computerized records protected by passwords; policies, statutes and procedures that restrict access or disclosure). It includes all the safeguards in a computer-based information system. Security protects both the system and the information contained within it from unauthorized access, misuse, and accidental damage.
  • Substance Abuse Program.
    A person or entity that in whole or in part holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment. For example, “for a general medical facility or any part thereof to be a [substance abuse] program, it must have: (a) An identified unit which provides alcohol or drug abuse diagnosis, treatment, or referral for treatment or (b) Medical personnel or other staff whose primary function is the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment and who are identified as such providers.” [42 CFR Ch.1] Note: “program” is by self-definition. A physician or mental health practitioner may diagnose substance abuse or refer for substance abuse treatment in the general course of a practice, but not specialize in this area or identify the practice as such a program.

C. Policy/Guidelines

1 General

a) All DHHS employees are responsible for the maintenance of confidentiality about private information, whether consumer, employee, or administrative in nature. All staff, whether in fiscal, quality improvement, administrative, direct service, or other roles, must understand the specific guidelines governing confidentiality.

b) When DHHS standards and guidelines do not clearly specify appropriate action or when there is doubt regarding confidentiality or disclosure of information, DHHS employees must consult their supervisors or designees before disclosing information.

c) DHHS employees shall not solicit private and confidential information from a client or collateral contact unless it is essential for the provision or administration of services, conducting client and program evaluations, quality improvement activities, or research, as applicable given the employee’s specific job responsibilities at the time of solicitation.

d) DHHS employees must discuss with clients and other interested parties the nature of confidentiality, client rights, and system limitations regarding confidentiality, as well as the circumstances when such information could be requested or required. [Rights of Recipients IX; 34-B MRSA §5607]

e) The requirement to maintain the confidentiality of client information extends beyond the length of the employment of BH employees and beyond the life of the service recipients. [42 CFR §2.2]

f) If a client is deceased, that client’s information may be released to their personal representative or, upon authorization, to the next of kin. [34-B MRSA §1207(1)(D); 42 CFR §2.15(2)(b)(1)]

g) DHHS employees shall treat secondary confidential information (information shared by colleagues or other providers in the course of their professional interactions) with the same responsibility, ethics, and under the same guidelines as primary confidential information.

h) DHHS employees shall protect client privacy to the best of their ability and shall include only information directly relevant to the delivery of services and treatment in their documentation and data collection.

i) In a substance abuse program, when substance abuse treatment or referral is offered in conjunction with mental health treatment or mental retardation services, the entire record will be treated as a substance abuse record unless the substance abuse portion is separated from the rest of the record. [42 CFR §2.12(e)(1)]

j) DHHS employees shall not acknowledge any knowledge of clients, their presence, or any service provision to them unless there is a signed release giving permission to do so. [34-B MRSA §1207]

  • Note: there is no current regulation restricting an employee from saying that an individual is not receiving services and that he/she has never been a client. However, this practice could lead to the inference that, when this statement is not made and information is not given out, the person is a client. Therefore, it is best to respond to any inquiry regarding client status by saying that information about any individual cannot be provided without a release of information from that person.

2 Informed Consent

a) DHHS employees must respect, promote, and assist all clients with the informed consent process regarding releases of confidential information.

b) Clients must be informed about the laws, rights, and regulations that protect client records and be given a written summary of this information. [Rights of Recipients IX; 34-B MRSA §5607; 42 CFR §2.22]

c) DHHS employees shall use clear and understandable communication regarding the limitations, risks, and benefits associated with requests for and releases of information. This applies to information in all formats, such as written and oral information, audiotapes, videotapes, and photographs. This communication shall include the following:

  • purpose of the release of information,
  • risks and benefits related to the release,
  • limits of the release,
  • alternatives to the release,
  • consequences of not releasing confidential information (e.g., payment for services not being made if information is not released to the insurance company.), and
  • right to revoke the release.

d) If the client has any difficulty understanding this information, reasonable steps shall be taken to assist the client’s comprehension, which may include the use of interpreters, translators, or other written, oral, symbolic, or gesture-based explanations. [Americans with Disabilities Act; Maine Human Rights Act; Rehabilitation Act of 1973; 45 CFR Part 84]

e) If a client lacks the capacity to decide whether to release confidential information, a guardian or appropriate third-party who appropriately represents the client’s desires and interests must be consulted. Even in these circumstances continuous attempts must be made to engage and explain these decisions to the client. [34-B MRSA §5607; 42 CFR §2.15(a)(1)]

3 Release of Information

a) DHHS employees may disclose confidential information when an emancipated minor, competent adult client, or person legally authorized to consent for a client has signed a release of information form. If unable to sign, individuals may specify approval by using their initial or stamp. [34-B MRSA §1207(1)(A)]

  • In substance abuse programs, confidential information may be released when a minor, competent adult client, or guardian has signed a release of information form. The minor does not have to be emancipated. When the client has been found by the court to be incapacitated, the “person legally authorized” may be a guardian or, in those instances where it survives the court finding of the client’s incapacity, a durable power of attorney. Parents who have not been court appointed to be guardians are not included. [42 CFR §2.33

b) The original copy of the release used to secure the information shall be kept in the client record. If a release must be faxed due to an emergency, the faxed copy should be followed promptly by mailing a copy of the original.

c) Whenever a release of information is authorized by the client’s guardian or holder of a durable medical power of attorney, a photocopy of the guardianship order or the power of attorney document shall be kept in the client’s record.

  • In substance abuse programs, this applies primarily to a guardian, for the client must be found by the court to be incapacitated. A durable power of attorney is also included but only if it survives the court finding of client incapacity

d) Information being released shall be stamped or marked to indicate that it may not be re-released by the person receiving it without permission from DHHS. [42 CFR §2.32]

  • Substance abuse records must be marked with a warning that informs the recipient of the confidential nature of the information, as well as the prohibition against further disclosure of the information. [42 CFR §2.32]

e) If a release is not correctly filled out, has blanks, or is on an invalid form, it is unacceptable. The incorrect release shall be returned to the sender with a correct form (if needed) along with directions as to what areas must be corrected to have the release honored and the information released.

f) Information released must be limited to that of which the staff has direct knowledge or which is within their area of expertise and training as a professional. For example, it would be inappropriate for a caseworker who has a signed release to talk with a client’s family member to interpret what the doctor meant by a note he wrote in the client’s chart.

g) A provider may refuse to release a mental health record to legally responsible parents, guardians, or providers when access to the records could cause danger to the physical or mental well-being of the client. [Rights of Recipients IX(K)(3)(a)]

h) In the event of divorce, both parents have an equal right to access the child’s record unless the court has ordered otherwise in the divorce decree or subsequent order. A stepparent does not have the power to access or release information for a stepchild unless the stepparent is the adoptive parent of that child. A copy of the adoption order shall be kept in the child’s record.

i) When a minor is incarcerated, the correctional facility professional responsible for the child can authorize the release of information for services received in a mental health program but not in a substance abuse program.

j) Releases must note if the release is a partial release of confidentiality.

k) Releases must not exceed a 12-month period. If no time frame is specified on the release, the release’s duration will automatically be limited to a 3-month period.

l) Where a request for release of confidential information involves a combined record of more than one individual, such as in the case of a family therapy record, the information released shall be specific to the individual who signed the release. It must not include information about the other family members mentioned in the record. This can be done by a written summary of that specific client’s information or by getting releases signed by all the individuals who have the capacity and are part of the record. [Rights of Recipients IX(I)]

  • For children, capacity is determined by their ability to understand the reason for the release. If the child is unable to understand, the person legally authorized to consent on their behalf should be consulted.

m) Disclosure of confidential information shall be limited to the minimum information needed to achieve the desired purpose. It shall be limited to information that is directly relevant to the purpose for which the disclosure is made. In no instance, shall the information released exceed what has been authorized for release.

n) In a substance abuse program, minors who have requested substance abuse treatment for themselves have a right to confidentiality. Federal law requires that their records be withheld from their parents unless the minor consents to the disclosure. Substance abuse information may be released if the minor lacks capacity to make a rational decision, as determined by the program director, and if the disclosure would prevent a life-threatening situation jeopardizing the health of the minor or anyone else. [42 CFR §2.14]

  • This applies only if the minor is applying for services or treatment, but not if the minor is already in treatment or receiving substance abuse services in a substance abuse program.

o) State law allows a minor to request mental health or substance abuse treatment for themselves without their parents’ permission. The minors are considered financially responsible for the cost of this treatment. The use of a parent's insurance to pay the minor’s bill is not allowed unless the minor has signed a release. [42 CFR §2.14]

p) In circumstances where a minor’s consent to treatment is accepted as permission to treat, the minor must also be the one to authorize the release of information.

q) Requests of information regarding test results for HIV, tuberculosis, or sexually transmitted disease must have a clear and specific release in writing explicitly requesting this type of information before the information can be released, except when release is required by law. [22 MRSA §§815, 822, 824]

r) Information likely to result in employee disciplinary action may not be released to the Office of Advocacy until that action has been resolved, including all appeals, and only when the result is disciplinary action imposed on the employee. [5 MRSA §7070]

s) A record of all disclosures shall be maintained in the record for the life of the record and be available to the client upon request. This includes disclosures authorized and not authorized by the client.

4 Revocation/Change of Release

a) Clients must be informed of their right to withdraw or modify consent for release of confidential information and to change time frames covered by the release or the nature of the information being released.

b) Oral withdrawal of a written consent must be dated and documented on the release form(s) and the original kept in the client’s record.

5 Release Exceptions

a) While continuing to support the well-being of their clients, DHHS employees have certain responsibilities to the client and society that supersede the responsibility of maintaining client confidentiality. These include mandated legal obligations, including State and Federal laws and regulations, and the need to respond in emergency circumstances, which may require some information disclosure without a client’s consent.

  • In these circumstances there are specific requirements to be followed, including providing to clients information about their rights concerning disclosure of their private and confidential information when they first begin to get services and prior to the disclosure.

b) A release without consent may occur in the following circumstances:

  1. In the process of an involuntary commitment of a client to a psychiatric facility, when it has been determined by an appropriately clinically licensed individual that the client’s actions or potential actions pose a serious and imminent risk to themselves or others. [Note: this rule is not applicable in substance abuse programs].
    (a) This determination shall be documented and explained in the client’s record.
    (b) The information released shall be limited to what is relevant and necessary to address the specific situation.
  2. When there is clear and substantial reason to believe that there is imminent danger of serious physical harm being inflicted by the client upon him/herself or another person. Information regarding such danger or harm shall be immediately given to supervisory personnel or clinical mental health professionals who, if they concur in the assessment of imminent danger, shall notify civil authorities and any specific person threatened with direct harm. [Rights of Recipients, Sec.IX(J)(3)] [Note: this rule is not applicable in substance abuse programs.]
    (a) This determination must be documented and explained in the client’s record.
    (b) The information released shall be limited to what is relevant and necessary to address the specific situation.
  3. To report abuse and/or neglect to adult or child protective services, to the State-designated protection and advocacy agency, or to a DHHS Advocate. [34-B MRSA §1207; 5 MRSA §19506]
    1. In substance abuse programs, substance abuse staff may report/refer the child to the protective service office but may not afterward provide any information to the protective services office. There is no substance abuse program provision regarding adult protective service referrals.
  4. In response to a written inquiry from DHS about a client whose behavior DHS suspects is relevant to a determination of the level of harm to a child in a DHS child protection investigation. The inquiry must be in a format specified by rule and include the nature of the harm or threat to the child. [34-B MRSA §1207(1)(B)]
  5. As part of a request to DHHS to act as public guardian or conservator. [34-B MRSA §1207(1)(A)]
  6. For reimbursement and payment of services, including release to insurance companies for billing purposes. [34-B MRSA §1207(1)(E)] [Note: this rule is not applicable to substance abuse programs.]
  7. For limited information, to a spouse, or to next of kin regarding the individual’s physical and mental status. [34-B MRSA §1207(1)(D)] [Note: this rule is not applicable to substance abuse programs.]
  8. For more extensive information, such as diagnosis, medications, and treatment plan needs of an adult, to someone with whom the person lives or who provides direct care. [34-B MRSA §1207(5)] [Note: this rule is not applicable to substance abuse programs.]
    1. This is conditioned upon the caregiver’s written request and proof of the facts that, without the information, there would be significant deterioration in the client’s daily functioning and that disclosure is in the client’s best interest.
    2. This disclosure also requires that the client first be given advance written notice and an opportunity to consent. If the client refuses disclosure, the requesting person can appeal to the Commissioner of BH, and, with the Commissioner’s permission, a release without the client’s consent may occur
  9. In response to a unique court order (not a subpoena) that is specifically addressed to the program and describes the nature of the information to be disclosed. [34-B MRSA §1207(1)(C)]
  10. Within a DHHS Local Service Network to members of the treatment team for the individual to ensure continuity and coordination of mental health services. [Note: this rule is not applicable to substance abuse programs.]
  11. Internally within DHHS for administrative planning and management related to the provision of health care, quality assurance/improvement, and regulatory functions.
  12. Disclosures as required by law (e.g. blood-borne pathogen test results, suspected lead poisoning, reports of HIV).
  13. Court Masters or others may be designated by consent decrees to have access to identifying client information.
  14. For mental retardation services, correspondents have access to the records of the person for whom they are correspondent. [C.A.B. v. Duby, paragraph XVI-5]
  15. For mental retardation services, members of the Consumer Advisory Board have access to records of Pineland class members. [34-B MRSA §1216; C.A.B. v Duby, paragraph XIII-4]
  16. In substance abuse programs, confidential information may be released in medical emergency situations to medical personnel/staff.

6 Court Proceedings

a) DHHS employees must protect the confidentiality of clients during legal proceedings to the extent permitted by law.

b) If a subpoena for confidential client information is received, the sender should be informed that information is not available without a court order or a signed release.

c) If a court order is received to appear and testify with documents, the BH employee will appear and inform the judge of the relevant statutes and regulations regarding confidentiality and let the judge decide what information will be produced and how it will be handled.

d) The court may also be asked to examine the records “in camera” to avoid disclosure of sensitive information.

e) If the release of confidential information could cause injury to a client, this fact shall be made known to the court so that appropriate limits to the order can be imposed by the court, up to and including keeping the records sealed and unavailable for public inspection.

f) Information from substance abuse program records cannot be used to initiate a charge or substantiate a criminal act unless the court has ordered that it may.

7 Security

a) Employee access to identifiable client data shall occur only when there is a relationship and/or a responsibility that allows for such access. It must be on a professional “need to know” basis, so that access to confidential information is limited to that needed for employees to perform their job functions. For example, a person who provides transportation for a client does not need to know the client’s medical history when it does not affect the transportation.

  • Some computerized information programs have areas of confidential information that are not necessary for employees to access in order to perform their jobs, and, even though these areas may be available, they shall not be accessed.

b) DHHS employees shall not discuss confidential information in places where they could be overheard by those not authorized to have the information.

c) Use of cell phones, 2-way radios, e-mail, faxes, answering machines, and other electronic forms of communication shall not include confidential client information except when there are safeguards in place to prevent unauthorized access.

  1. Fax numbers must be verified before a fax is sent, and the person who is receiving the information must be aware that the information is being sent. Cover sheets on the faxes shall identify the enclosed information as confidential and provide clear direction to limit who can receive the information.
  2. E-mail containing protected health information (PHI) can only be sent as follows:
    1. A. Email transmissions shall not contain PHI in the body of the message text or in the subject line.
    2. B. Any PHI contained in an email must be in the form of a password protected attachment as described below.
    3. C. Passwords shall not be communicated over any email transmission. When sharing your password with your intended recipient, communicate the password for the protected file over the telephone or fax machine.
    4. D. Shared passwords should be modified on a periodic basis with the goal of preventing unauthorized access.
    5. E. Listing of all passwords must be securely protected at all times. At no time shall a printed version of passwords be visible to any passer-by. Supervisors shall have copies of passwords for all protected files.
    6. F. Printed material containing PHI must be sent to a printer within an individual’s workgroup or other location where the individual printing the PHI can readily access the material once it is printed. Printers must be located in non-public areas or offices that require security keys, badges, or similar mechanisms in order to limit access. Users and/or their supervisors shall have the administrative privileges of terminating a print job once in the network queue. If printing problems are encountered, user shall delete the print job to prevent unauthorized disclosure of PHI.
  3. Analog cell phone and two-way radio signals may be picked up by other receivers and must not be used to convey confidential information.
  4. Answering machines whose access is not limited to only the individual receiving the message shall not be used to convey confidential information.

d) Once access to confidential computerized information has been opened, the computer equipment (desktops, laptops, hand-held devices, etc.) must not be left unattended, unless appropriate security measures are in place to protect the confidential information.

e) Computer screens shall be turned away from doorways or areas where unauthorized viewing could occur.

f) Paper records, computer discs, or any form of stored client information shall not be left out on desks or in unsecured locations. They shall be stored in locked file cabinets and in secure locations and shall be unavailable to people not authorized to have access.

g) Client information shall be protected so that, whatever its storage format, it is protected from fire and water damage. In addition, where held electronically, client information must be maintained with complete backup files.

h) Transfer or disposition of records for research must be done in a way that protects client confidentiality and is consistent with State statutes or regulations regarding record disposition.

i) Original records are not to be removed from the DHHS site unless needed for the compliance of a court order and then only when a certified copy is not acceptable. If the original record is removed, a complete certified copy of the entire record must be retained.

j) When anyone, other than staff, review original health service records, they must be supervised to assure that no documents are removed from the record and no changes are made to it.

8 Client Access

a) DHHS employees must provide their clients with reasonable access to their own individual records. [Rights of Recipients IX(A), IX(K)(1)]

b) If there are concerns that the access could cause harm to the client, a qualified individual must provide assistance in interpreting the record. The records may also be sent to a mental health professional of the client’s choice to supervise the review. This must occur within 3 working days after the request. [Rights of Recipients IX(K)(3)(a)]

  • Maine law currently allows for any health practitioner to deny a client access to his own records if the practitioner believes that the release of the records is detrimental to the health of the client, but the practitioner must release the information to the client’s authorized representative, guardian, or to a person designated by a durable medical power of attorney. The client’s request and the response to it, as well as accompanying justification in the event of a denial, shall be documented in the record.

c) When a client is denied a review of his/her complete record because one or more sections are deemed to be detrimental, the client shall be allowed to review, to the maximum extent possible, any portions of the record that will not be a detriment to his or her health. The reason for the denial and an explanation of how the client would be harmed shall be documented in the client’s record. [Rights of Recipients IX(K)(3)(b)]

d) If after the review of a record, the client wishes to submit corrective or additional information to the record, this information shall be placed in the record. [Rights of Recipients IX(K)(7)]

e) Inability to pay the reasonable cost for the copy of the record shall not be justification for denying the client a copy of their record. [Rights of Recipients IX(K)(6)]

f) Access shall be limited to the record(s) or portions of the record(s) that originate from DHHS as the source unless the primary source has not required continuing confidentiality or has not been promised that DHHSwill restrict re-disclosure. [Rights of Recipients IX(K)(8)]

g) When information from secondary sources that cannot be re-disclosed exists in a client’s record, the client should be informed of those portions of the record and of how to access them by contacting the originator of the material. Clients shall be helped to do this if they wish. The client’s request and the response to it shall be documented in their file. [Rights of Recipients IX(K)(8)]

h) Clients must be notified at admission or intake to a facility or program about their rights to access their record. This includes but is not limited to the following: {Rights of Recipients IX(C),(D),(E)]

  1. What records and duplicates are kept including copies.
  2. How to access these records and what they are used for
  3. What happens to the records after service is completed
  4. How to add information to their own records
  5. How to get copies at a reasonable cost
  6. The limits to confidentiality
  7. Their right to review information from their record prior to its release
  8. That they can require informed consent for release of material that discloses their identity to students unless they are part of a professional formal program or have a formal relationship with the Department
  9. That they are entitled to separate personalized records unless they are receiving conjoint family treatment with documented consent of joint record keeping. [Rights of Recipients IX(I)]
  10. That, if they want to review their records, this may be done under the supervision of the chief administrative officer or their designee. However, if they want to review their substance abuse record, a copy will be given to them, with no requirement that they review it in a supervised setting.
  11. If the review is not to be done on site, a copy will be sent to a clinical professional designated by the client to supervise the review process.

i) If it is determined that a record review may have harmful effects, the review will be supervised by the Clinical Director or designee.

j) If access to information by a guardian could cause imminent danger, a decision to refuse all or any part of the record to the guardian or client may occur and must be documented in the record.

k) Limited guardianships allow for access only to the part of the record directly related to that guardianship (e.g. medical guardianship allows access to medical information.).

9. Anonymous Information

a) If anonymity is requested by an information source, the name of the person requesting anonymity shall not be entered into the record.

b) If the nature of the information would reveal the source, this shall be considered before the decision is made to make the information a formal part of the record.

10. Research, Evaluation, and Training

a) In consultation, teaching, or research situations, de-identified information, rather than identified information, shall be used to the greatest extent possible.

b) In clinical evaluation or research, the DHHS employees involved must obtain written informed consent and signed releases of information from participants. They must consider with due regard the clients’ well-being, privacy, and dignity throughout the process.

c) Substance abuse law does not require consent for identifiable information in substance abuse programs when used in research or evaluations. Similarly, mental health law allows for identifiable information to be used without consent, but with the approval of the Commissioner, for statistical compilation/analysis for administration, planning, or research purposes. In neither instance shall identifiable information be disseminated or otherwise made public.

d) Information disclosed for evaluation and research shall be limited to what is needed to accomplish the task for which it was accessed.

e) If participants in evaluation and research are unable to provide consent, an appropriate legal proxy may provide consent, such as their guardians. Any exceptions to this process must be previously evaluated and approved by the DHHS Commissioner and the Institutional Review Board (IRB).

f) External use of any information post research must be de-identified. Use of any research findings should be for professional purposes and in a professional context.

g) Access to information being collected in the course of a clinical trial may be denied to a client while the trial is in progress if the IRB has approved the denial of access and the client agreed to the denial of access when consenting to participate.

11. Unlawful Disclosure of Mental Health Records

a) If a DHHS employee or a contracted or licensed service provider unlawfully discloses mental health, mental retardation, or substance abuse information, they may be subject to a law suit, loss of professional licensure, or the imposition of criminal penalties of up to 364 days in prison and/or fines imposed on the individual of up to $2000, and as much as $10,000 for their organization. More stringent Federal penalties may also be imposed.

12 Employee Information Access Protocol

a) Prior to receiving access to confidential/identified employee and/or consumer information, employees must complete the following:

  1. Confidentiality training specific to the department.
  2. Employee Confidentiality Understanding statement to indicate their understanding of confidentiality.
  3. Employee Access form specifying their job functions related to their need to know confidential/identified information and detailing the nature of the information to which they are requesting access. The forms for Understanding and Access must be properly authorized and routed.

    iv In the instance of electronic access, the employee must also have evidenced basic computer proficiency through the departmental assessment process.

b) All interns, volunteers, contractors, and other persons requesting access to confidential information in the performance of departmental work must adhere to the same access protocol required of employees.


 

¹ National Information Infrastructure Advisory Council, "Common Ground: Fundamental Principles for the National Information Infrastructure, "March 1995 in "Telemedicine Report to Congress, "January 1997.