RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Sender: Records Management Program <[log in to unmask]>
From: "Julie J. Colgan" <[log in to unmask]>
Date: Mon, 7 Feb 2011 15:43:27 -0500
Reply-To: Records Management Program <[log in to unmask]>

Hi Maggi,

I've never had a separate policy to address physical records.  The policy
covered information access regardless of media.  How you carry out access
procedurally is the difference and will be extremely dependent upon your
particular organization.

For example, if you are covered by HIPAA, you have an obligation to limit
access to PHI (which includes ePHI).  Depending on your risk tolerance,
volumes, use patterns and needs and how/where the records are maintained,
how you limit access to physical material that contains PHI will vary.

Expanding on the HIPAA example:  In a previous life, we limited physical
access to HIPAA covered records to a specific group of individuals (if they
weren't on the list, they were not allowed to check material out of the
records center - active or inactive files).  In addition, we placed neon
green stickers on the front of the folders so when an individual had it in
their office, they could easily take measures to ensure it was protected
from accidental observation by others (kept in a closed cabinet/drawer when
not in use, etc.).  The stickers also helped us file the folders properly in
the records center since we segregated files with PHI away from the general
collection (we did NOT, however, choose to lock up those records - we
decided that was overkill in our situation).  In addition to all of that,
the records center was key-card protected 24/7/365.  All of my staff went
through training on how to handle HIPAA covered materials and signed a
special confidentiality agreement.

For those individuals who were actively using and/or creating/receiving PHI
through the course of the day (HR staff, etc.), they were required to have
papers face-down on their desks to avoid accidental observation by
passers-by.  When material was sent to the records center for the first
time, the material was either hand-delivered to one of my staff or sent in a
sealed envelope and the folder request form was marked to indicate it was
HIPAA protected.

This type of approach could be used, perhaps with slight modification where
necessary, for all kinds of "need to know" physical information.

Hope that is at least of some help!

Julie

-- 
Julie J. Colgan, CRM

[log in to unmask]
http://twitter.com/juliecolgan
http://www.linkedin.com/in/juliejcolgan
