Skip to Content
California State University, Long BeachCalifornia State University, Long Beach

Information Security Management and Compliance

Confidentiality of Medical Information

Get Acrobat Reader

  • Issue Date: August 2007
  • Revision Date: April 2010
  • Expiration Date: N/A
  1. Policy Statement

    It is the policy of California State University, Long Beach to ensure the confidentiality of all medical information maintained by any University or auxiliary organization providers of health care and to protect that information from unauthorized use and disclosure.

  2. GENERAL PROVISIONS

    1. PURPOSE

      The purpose of this policy is to provide information concerning the legal requirements for confidentiality and security of medical information.  The legal requirements are designed to:

      • Ensure the confidentiality, integrity, and availability of medical information;
      • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
      • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted; and
      • Ensure compliance with governing law and policy.
    2. SCOPE

      This policy applies to all entities of the University or auxiliary organization that provide health care or maintain employee, student or patient medical records.  Entities may include, but are not limited to, Department of Athletics, Disabled Student Services, Safety and Risk Management, University Police, Department of Kinesiology, Kinesiotherapy Clinic, Dance Department, Speech-Language and Hearing Clinic, Staff Human Resources, and Academic Personnel.

    3. DEFINITIONS

      Terms used in this Policy are defined in Appendix A.

  3. SECURITY OF HEALTH CARE FACILITIES

    Each health care facility shall implement a written policy for the control of access to the facility which addresses the following:

    1. Keys and/or access cards to the facility shall be issued only to personnel approved by the health care facility director or campus custodial service personnel.  The facility director shall review the control lists of key holders and/or access cardholders annually;
    2. Access to the health care facility during the hours the facility is closed shall be limited to personnel authorized by the health facility director; and
    3. Provisions permitting non-health care facility employees continuing access to the facility if medical records, medications, and equipment are maintained in locked rooms and/or health facility staff is on duty.  Authorization for such access shall be provided by the health care facility director.
  4. MEDICAL RECORDS

    Confidentiality of all medical information shall be maintained in accordance with the Information Practices Act, the Confidentiality of Medical Information Act, and CSU policy.

    The following standards and controls shall be implemented and maintained in all areas where medical records are located:

    1. Only persons authorized by the health care facility director may gain access;
    2. The medical record shall document any consent to treat, all exams, diagnoses, services, and follow up, indicating the date, name of patient, name of the service provider(s), and description of the service.  The provider of the service shall sign the record;
    3. When not in use, medical records shall be stored in either locked files or in a locked room;
    4. Access to keys to medical files and/or record room shall be limited to those university employees authorized by the health facility’s director to have such access; and
    5. To ensure that medical records are filed, stored, and utilized in a manner that provides maximum confidentiality, each health care facility shall review biennially its record management procedures.

    Electronic data back-up of medical information should be maintained in off-site locations.

  5. RELEASE OF MEDICAL INFORMATION

    No health care facility employee or agent shall use, disclose or knowingly permit the use or disclosure of medical information without the patient having first signed an authorization unless the disclosure is specifically compelled by any of the following:

    • Court Order
    • Subpoena
    • Search Warrant
    • The Patient or the Patientís Representative
    • Coroner Request
    • Other Circumstances Required by Law

    The University Information Security Officer shall be consulted by the Health Care Provider prior to the release of medical information not requiring the patientís authorization.

  6. AUTHORIZATION FOR RELEASE OF MEDICAL INFORMATION

    Any person or entity that wishes to obtain medical information other than a person or entity authorized to receive medical information, shall obtain a valid authorization for the release of information.  An authorization for the release of medical information by a provider of health care shall be valid if it is:

    1. Handwritten by the person who signs it or is in a typeface no smaller than 14-point type.
    2. Is clearly separate from any other language present on the same page and is executed by a signature which serves no other purpose than to execute the authorization.
    3. Is signed and dated by one of the following:
      1. The patient
      2. The legal representative of the patient, if the patient is a minor or an incompetent
      3. The beneficiary or personal representative of a deceased patient
      4. The spouse of the patient or the person financially responsible for the patient under specific conditions
  7. RETENTION AND DISPOSITION OF RECORDS

    Records shall be maintained in accordance with the CSU Record Retention Schedules. Disposition of records shall comply with the CSULB Media Sanitation Standard.

  8. DISCLAIMER

    This document is a guide and does not purport to be a complete or comprehensive articulation of the governing laws and policies, nor is it intended to be a substitute for legal advice.

FURTHER INFORMATION

Information Security Management and Compliance
(562) 985-4862

Approved by President Alexander
F.King Alexander
August 2007