September 1, 2013 (rev)
September 23, 2015 (rev)
December 1, 2016 (rev)
August 21, 2018 (rev)
See also WWRC Administrative Governance Procedure 2.3.6, Client Records, Safeguarding Client Records.
WWRC employees, affiliates, volunteers, and contractors are expected to protect the confidentiality and privacy of client information and records at all times.
Information disclosure is governed and regulated by applicable federal and state laws. WWRC's Records Management Services Department will accept a written consent form as a current release when received within one year of the client's dated signature, unless there is an earlier expiration date or the client has died. WWRC will only release information with the written informed consent of the client or his/her authorized representative, except under the following conditions:
Family members, friends whom clients may consider a "significant other", attorneys, employers, and other parties may not have access to information unless they are representatives of a client who has been declared legally incompetent. These representatives are court-appointed and may be either individuals or committees. WWRC Records Management Services Department will request that these representatives furnish proof of their responsibility. When the client is under the age of 18, only the parent(s)/guardian(s) of the client may access information/records. The parent/guardian is expected to show personal identification and sign a statement regarding their relationship to the client. Consumers aged 18 and above may review, challenge, amend, obtain a copy of, or disclose any information about themselves, per established protocols contained in this governance procedure. Note: WWRC includes pre-admission information as part of the official chart/record for admitted clients. However, as this information was obtained for the purpose of planning WWRC services and not for subsequent re-disclosure, WWRC's Records Management Services Department will release pre-admissions records obtained from another agency or organization only when there is a signed authorization from the client or his/her legal guardian; the signed authorization must specifically authorize WWRC to release the pre-admissions information and must include the report title, report date, and originating facility for each report to be released. WWRC's Records Management Services Department will advise clients and other parties who seek pre-admission information to contact the original source as the preferred action of choice.
Special Circumstances for WWRC Consumers in the PERT Program (HIPAA vs. FERPA)
According to guidance from the Virginia Attorney General's Office (email dated March 19, 2018), a WWRC consumer who is referred to PERT from a local school division, regardless of age (under vs. over the age of 18), is subject to the laws and regulations of the Family Educational Rights and Privacy Act (FERPA) governing "education records". "Education records" are defined as records that contain information directly related to a student and which are maintained by an educational agency or institution or by a party acting for the agency or institution. A summary of the AG's Office findings include:
Clients may not have direct access to their own records when the treating physician or clinical psychologist has written on any report: "In my opinion, a review of such records by the client would be injurious to the client's physical or mental health or well-being". Under these circumstances, the client is required to access information about the report directly from a clinical psychologist, a physician, or a licensed certified psychologist. The treating physician is the only professional who, by statute, has the authority to identify and label a record, which will deny access to the client. No other professional can restrict any other information.
Personal information may be released to an organization, agency, or individually engaged in audit, evaluation, or research, only:
Individuals who are conducting educational research are expected to inform the RMS Department of their project. The researcher must provide a copy of research approval from the DRS Human Subjects Research Review Committee.
Federal and state agencies listed on the next page's chart are granted regular access (meaning that written consent is not required) for the purpose of cooperative planning and the provision of rehabilitation services or by authority of federal or state law:
When confidentiality is protected and referenced within the Agreement
Medical and financial records may be reviewed and audited on specific client accounts.
As relevant to the administration of rehabilitative services
Information may be disclosed regarding clients who apply for or receive benefits
Financial information on clients who apply for or receive benefits
Clients who apply for or receive services
Assist in job placement and post-employment services for clients
VA personnel who have responsibility to process an application or those assigned to provide benefits.
Role-Specific Program Responsibilities
Admissions will identify what specific reports need to be sent to a sponsor as part of the rehabilitation program. If the sponsor is not on the Regular Access List, WWRC's Admissions personnel will obtain written informed consent from the client using the Consent to Release Information Form prior to adding sponsor's name to the enrollment sheet as a recipient of routine Center reports.
During initial interviews, counselors are expected to explain confidentiality policies and conditions for releasing information. Clients (except minors and those who have an appointed guardian) will be personally responsible for decisions and activities while at the Center and away from the facility. Therefore, the counselor needs to determine with the client what information may be shared with family or friends who may be involved with the client's personal life.
"Informed consent" means that the client is aware of what specific information is to be disclosed. Therefore, counselors will ask the client to sign the Consent Form, which identifies what information may be released. Statements can include, but are not limited to: setting program objectives or deciding future discharge and employment plans; being hospitalized for planned medical services (individual who is named on enrollment sheet for emergencies will be contacted for any life-threatening situations); and discussing any actions and decisions which may involve disciplinary matters, suspension or discharge.
When a client requests a review of his/her WWRC records, the individual should be referred to the Center counselor or, in his/her absence, the counselor's supervisor. This employee will confirm the client's age and competency status for accessing information.
Clients who request a copy of records will be instructed to complete a Consent Form. The counselor sends the form to the Records Management Services Department that will prepare a copy for the client. The counselor shall ensure that the client is aware of the charge for this service.WWRC Physician WWRC employees who question whether their record may be injurious to the client's physical or mental health or well-being, may request the treating physician to review the record, and if it is felt to be appropriate, will restrict access to the client.WWRC medical staff members may release information to other physicians for consultation and treatment purposes. The attending physician may include pre-admission material when deemed necessary.Responding to External Requests for Client InformationWWRC employees are expected to refer any external request for client information to the Center's Records Management Services Department and to notify their supervisor and Division Director upon receipt. WWRC's Records Management Services Department will manage requests during normal business hours and respond within a fourteen (14) day period, except for emergency situations which will be handled immediately in accordance with the protocol listed below. The Records Management Services Department will record each request and document the action taken.
There will be a charge for copies of records unless the request is from those who need information to assist the client in assuring continuity of care in the rehabilitation process. When records are copied, the Records Management Services Department will charge as follows:
Finder's Fee - $5.00 and $0.50 per page for first 50 pages;
$0.25 for pages after 50
A bill for copied material will be attached to the information with instructions to make payment to the WWRC Business Office. A copy of the bill will be sent to the Business Office cashier.
Emergencies and Life-Threatening Situations
Information may be disclosed during an emergency when it is reasonable to believe that a delay will pose a threat to the client's safety, the safety of others, or result in either serious bodily injury, deterioration of physical/mental health, or death. Under these circumstances, authority to disclose information is delegated to the Rehabilitation Counselor, Rehabilitation Counselor Manager, WWRC Physician, or On-Call Administrator if Records Management Services Department personnel are not available (i.e. outside of normal business hours). Authority to disclose information is limited to that which is necessary to deal with the emergency or life-threatening situation.
Examples may include (but are not limited to):
When it is necessary to disclose client information during an emergency or life-threatening situation, the responsible employee is expected to sign and date entry into the client's record with reference to WWRC policy and governance procedure, the reasons and specific information released, reason why a written informed consent could not be obtained, and the person to whom the information was released.Depositions, Subpoenas, Subpoenas Duces Tecum, and Court Orders
Depositions, subpoenas, subpoenas duces tecum, and court orders require either informed written consent or a judicial order. A judicial order can either be a court order signed by a judge or a judge's written command to testify or produce records in court.
Records Management Services personnel are expected to request or confirm that a current (dated within the past year) informed written consent is on file. If consent is not available, RMS personnel will require a judicial order. RMS personnel will coordinate a response with the affected WWRC employee, WWRC Administration, the respective attorney, and if necessary, the Attorney General's Office prior to a response. Unless ordered, pre-admission material will not be released as a WWRC document.
WWRC employees who are required to testify as a rehabilitation service provider are only authorized to disclose information about which they have personal knowledge or experience.Special Requests
A written informed consent is required, except for public events and disclosure as Directory Information.
Personal information will be released only to the extent necessary to respond to investigations in connection with law enforcement, fraud, or judicial order.
Protocols for Changing a Client Record
Revoking a Consent AuthorizationA client may rescind a prior authorization. This must be done in writing and once received, revokes all current authorizations, except to those individuals or parties named on the Regular Access List. Records Management Services Department personnel are expected to clearly mark client records where a prior authorization has been rescinded. Challenging and Correcting a Record by Client or RepresentativeUpon request to do so, a client or his/her representative will be clearly advised of the right to challenge, correct or have explained any information in the information system, except when access is restricted by the treating physician. The following procedures will be followed:
Correcting/Changing a Report Entry by Employees
Employees may correct their own entries in an active chart/report which has not been sent to anyone by marking through the error with one line, inserting new wording above the error, and then signing and dating the entry.
Once a report has been distributed or filed in the Records Management Services Department, it becomes part of the permanent record and no hand corrections will be made. If corrections/changes are necessary, the employee will prepare an addendum to the report that explains the change. This addendum will be sent to the RMS Department, where it will be attached to the original report and forwarded to recipients of the earlier records.
Records will not be changed any time there is a request to release information.
No employee may change or remove another employee's report. In the event a change is required after the individual originating the report has left employment with WWRC, the former employee's supervisor may dictate an addendum and the reason requiring the addendum.Breach and Sanctions
Unauthorized access of any client record or sharing of information from such records constitutes a breach of the confidentiality of the record, which may lead to sanctions including, but not limited to, termination of employment or other relationship with WWRC, loss of clinical privileges, removal of access to client records at WWRC, and /or applicable civil and criminal penalties.
WWRC employees are expected to immediately report any breach, or suspected breach, of confidential information to their manager, the Records Management Services Director/HIPAA Privacy Officer, or the Information Security Officer immediately. This report can be anonymous.
A confidentiality statement is included within each classified employee's Employee Work Profile (EWP), is reviewed annually as part of the annual performance planning process and is documented in the EWP by signature of staff and supervisor.
WWRC Supervisors are also expected to review this confidentiality statement with hourly staff, student interns/affiliates, and volunteers. Supervisors are expected to provide a signed copy to the staff member, student intern/affiliate or volunteer, keep a copy for their files, and to forward the original to HR or the HIPAA Privacy Officer, dependent on whether the person is a paid employee of WWRC or not.
Where relevant and appropriate, the WWRC Contracts Office will attach a Business Associate Agreement as part of negotiated contracts and Memoranda of Understanding in compliance with HIPAA policies and regulations. Contract staff will be held accountable for compliance with terms and conditions of the associated Business Associate Agreement.
While I am working, observing, or volunteering at the Wilson Workforce and Rehabilitation Center, I may learn things I would not ordinarily know about our clients. I must protect their privacy. I will use confidential information only as needed to perform my legitimate duties as an employee/volunteer/student affiliated with the Wilson Workforce and Rehabilitation Center. This means among other things, that:
I understand that it is mandatory for employees, observers, and volunteers to maintain the privacy and confidentiality of all clients in order to maintain a position of trust in the community and to protect our client's rights.
I have read, understand, and will abide by the stated rules of confidentiality at the Wilson Workforce and Rehabilitation Center.
Orientation and Training Requirements
Agency Information Security Officers and HIPAA
Privacy Officers are the designated content experts for orientation and ongoing education, awareness, and training of WWRC employees, affiliates, volunteers, and contractors regarding roles, responsibilities, and expectations for protection of client information and records through appropriate safeguarding of confidentiality and privacy.
Orientation and training topics are expected to include, but are not limited to:
All new employees (classified, temporary workers, and part-time staff) as well as contractors and volunteers are expected to complete training on how to properly handle federally-protected data and what the consequences are for non-compliance as soon as practical to comply with federal and state requirements, no later than thirty (30) days after the start date . If training is not completed within that time frame, access to sensitive hard copy and electronic data, should be suspended until the training is completed.
All WWRC employees (classified, temporary workers, and part-time staff) as well as contractors, interns and volunteers who have access to the Commonwealth of Virginia network are expected to complete annual training on these topics. If training is not completed, access to sensitive data should be suspended until the training is completed. For individuals that do not typically have access to electronic data (e.g. housekeeping / janitorial workers), working in areas where sensitive hard copy is handled should be suspended until training is completed.