Your access policy shouldn't serve as a barricade keeping employees from taking on other roles during an emergency. Rather, it must be flexible enough to allow for patient care in all situations while protecting PHI. Use this sample policy for granting temporary access to help you figure out the best strategy for your organization.
Emergency Access To Protected Health Information
Purpose: The purpose of this policy is to comply with the requirements for using and disclosing protected health information (PHI) in compliance with the minimum necessary standard. Our physicians and staff must have the necessary information available to them at all times in order to provide the highest quality medical care possible. To this end, it may be necessary for employees to assume additional/different job duties due to the absence of other employees, an increased workload, emergency situations or for other issues deemed necessary by their supervisor. This policy is to ensure that our physicians and staff have available the needed support in such circumstances.
Policy:
1. When it is deemed necessary by the departmental supervisor that the employee assume additional or different duties that will necessitate a change in employee's access to PHI, [Organization] employees will still follow all proper privacy policies, practices and procedures to ensure that only the minimum amount of PHI necessary to accomplish the specific purpose of a use or disclosure is actually used or disclosed for the job functions they are currently performing.
2. [Organization] employees will continue to adhere to all applicable laws, regulations, policies and procedures when maintaining, using and disclosing PHI regardless of their level of access.
3. [Organization] employees will request only the minimum amount of PHI necessary to accomplish the specific purpose of the request for the job functions they are currently performing.
4. Departmental supervisor will take appropriate steps to return employee to previous PHI access level when employee is no longer needed to perform additional/different job functions.
Procedure:
1. Departmental supervisor will make the determination when it is necessary for an employee to assume additional/different job duties in accordance with the staffing needs in the department.
2. Departmental supervisor will inform employee of change/addition to job duties and make necessary adjustments to ensure employee's PHI access level is commensurate with that needed to properly perform those job functions.
3. Employee will perform such functions in adherence to all of [Organization's] privacy policies, practices and processes regardless of his/her access level.
4. Once employee returns to previous job duties, the supervisor will take appropriate steps to return PHI access level to original status.
Reprinted with the permission of Susie Honeycutt, privacy officer for Cardiovascular Associates in Kingsport, TN.