Health Care Provider PHI Access Online Survey

Comprehensive Communication Campaign for HITECH ACT

0955-0005SHARPS Survey_101014

Health Care Provider PHI Access Online Survey

OMB: 0955-0005

Document [docx]
Download: docx | pdf

Form Approved

OMB No. 0955-0005

Exp. Date 09/30/2017



Your participation in this survey is completely anonymous and voluntary. NONE of the answers you give can be connected to you or your name or the organization where you work.

The information you provide in this survey will help us to better understand the challenge of working with medical records and protected health information in our health care system. Thank you!



































According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0955-0005. The time required to complete this information collection is estimated to average ten minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: U.S. Department of Health & Human Services, OS/OCIO/PRA, 200 Independence Ave., S.W., Suite 336-E, Washington D.C. 20201, Attention: PRA Reports Clearance Officer.


2. A. The first set of questions ask about your work setting and the kind of w...



*1. In what type of health care setting are you currently working?

[Note: Acute­care hospital refers to an institution primarily engaged in providing inpatient

diagnostic and therapeutic services and care of injured, disabled, or sick persons. It does not include psychiatric, rehabilitation or long­term care hospitals.]


mlj


Physician Practice with 5 or fewer physicians (or other clinical practitioners who bill for services)


mlj

Physician Practice with 6­15 physicians (or other clinical practitioners who bill for services)


mlj

Physician Practice with 16 or more physicians (or other clinical practitioners who bill for services)


mlj

Acute­care Hospital with 25 or fewer beds


mlj

Acute­care Hospital with 26 ­ 250 beds


mlj

Acute­care Hospital with 251 or more beds


Shape1 mlj

Other (please specify)

3.



2. Do you work in a teaching hospital?


mlj

Yes

mlj No

mlj

I don't know



3. Is the hospital part of a multi­hospital system or

integrated health delivery system?


Shape2 mlj

Yes

mlj No

mlj

I don't know

4.



4. How long have you been working at your current organization (even if in different

roles)?


mlj

Less than 1 year


mlj

1 ­ 3 years


mlj

4 ­ 10 years


mlj

More than 10 years



5. How long have you been working in your current role/job (even if at multiple

organizations)?


mlj

Less than 1 year


mlj

1 ­ 3 years


mlj

4 ­ 10 years


Shape3 mlj

More than 10 years

6. Which of the following job activities do you currently do in your organization? Please check all that apply.

NOTE: In this question medical records refer to any records (paper or electronic) that

include protected health information.


fec

I am responsible for coding and/or billing for clinical services from medical records.


fec

I work with and/or manage medical records.


fec

I am responsible for transferring medical records or protected health information to authorized employees and departments within my


organization.


fec

I am responsible for transferring medical records or protected health information to entities outside of my organization.


fec

I work in information systems administration.


fec

I am responsible for the appropriate use and disclosure of health information.


fec

I am involved in ensuring compliance to HIPAA regulations.


fec

I am involved in ensuring compliance to HITECH regulations.


fec

I am responsible for interacting with federal and/or state compliance authorities on a routine basis.


fec

I am responsible for ensuring that medical records and protected health information is secure.


fec

I am responsible for handling the remediation of a security breach at our organization.


fec

My department is notified of security breaches in the organization that require notification.


fec

I am an information analyst working with data from medical records.


fec

None of the above


Shape4 fec

Other (please specify)

5.



*7. Do you have any of the following AHIMA certifications? Please check all that apply.

Yes No Registered Health Information Administrator (RHIA) nmlkj nmlkj Registered Health Information Technician (RHIT) mlj mlj Certified in Healthcare Privacy and Security (CHPS) nmlkj nmlkj Certified Coding Specialist (CCS) mlj mlj Certified Coding Specialist, physician­based (CCS­P) nmlkj nmlkj Certified Coding Associate (CCA) mlj mlj

Certified Health Data Analyst (CHDA) nmlkj nmlkj


Please list any other health care certifications you have


5


6


*8. Please type your current job title in the box below.

5


6


9. What is your highest educational degree?


mlj

High school/GED


mlj

Associates Degree


mlj

Bachelors Degree


mlj

Masters Degree ­ MA, MBA, MPH, MS, MSN


mlj

Medical Degree ­ MD, DO


mlj

Doctor of Science ­ SciD


mlj

Doctor of Philosophy ­ PhD


Shape5 mlj

Other (please specify)

6. B. Health Information and exchange



10. When your organization exchanges or shares clinical information with other providers,

what mechanisms are used? Please check all that apply. [AHA­adapted]


fec

Fax or eFax

fec

Email or secure Email


fec

Regular mail

fec

Electronic Health Record (EHR)


fec

Telephone

fec

I don't know


fec

Text or secure Text


fec

Other (please specify)




11. Do any current arrangements exist in your area to share electronic patient­level clinical

information through an electronic health information exchange (HIE) or a regional health information organization (RHIO), regardless of whether your organization participates in it or not? [AHA­a]


mlj


Yes, arrangements currently exist


mlj

No, arrangements do not currently exist


mlj

I don't know



12. Are clinical providers in your organization able to

electronically search or request a patient's health information (e.g., medications, test results) from sources outside of your organization or system? [AHA­a]


mlj


Yes


mlj No


mlj


I don't know



13. Are clinical providers in your organization able to send and

receive secure electronic messages containing patient's health information (e.g., medications, test results) to and from sources outside of your organization or system? [AHA­a]

Shape6

mlj


Yes


mlj No


mlj


I don't know

14. Does your organization use an electronic medical record (EMR) or electronic health record (EHR) system? [AHA]

Definition: An EMR/EHR is electronically originated and maintained clinical health information derived from multiple sources about an individual's health status and healthcare. An EMR/EHR replaces the paper medical record as the primary source of

patient information.


mlj

Yes, fully electronic


mlj

Yes, partially electronic


mlj No


Shape7 mlj

I don't know

7.



15. Has your EMR/EHR system been certified as meeting federal requirements for the objectives of Meaningful Use? [AHA­a]


mlj


Yes


mlj No


mlj


I don't know



16. In general, how would you describe your EMR/EHR system? [AHA­a]


mlj

A mix of products from different vendors


mlj

Primarily from one vendor


mlj

Primarily an in­house developed system


mlj

I don't know



17. Do you have any credentialed EMR/EHR system users who can

access patient records but are not employees of the organization? For example, a credentialed system user may be at an insurance company, Health Information Exchange, or Regional Health Information Organizations.


mlj


Yes


mlj No


mlj


I don't know



18. Are clinical providers in your organization able to remotely access

the EMR/EHR system? That is, can they electronically access the system from outside of the organization?


mlj


Yes


mlj No


mlj


I don't know



19. Does your organization currently require two­factor authentication (e.g., tokens or

biometrics) to access medical records? [AHA­a]


Shape8 mlj

Yes

mlj No

mlj

I don't know

8.



20. Does your organization have IT systems/applications that record or log access to the EMR/EHR system (i.e., access to patient protected health information)? [Note: The type of information logged by the system could include user name or ID, time­stamp, and/or commands issued.]

Shape9

mlj


Yes


mlj No


mlj


I don't know

9.



21. What type(s) of information is logged or recorded? Please check all that apply.

Yes No Don't know Date of access nmlkj nmlkj nmlkj Time of access mlj mlj mlj

Name of the person accessing the record nmlkj nmlkj nmlkj


Role of the person accessing the record (e.g., by department or professional role such as "RN")


mlj mlj mlj


Purpose of access nmlkj nmlkj nmlkj Type of information/field accessed mlj mlj mlj Action(s) taken (e.g., create/modify/delete) nmlkj nmlkj nmlkj

Other (please specify)




22. For what period of time are logs of EMR/EHR system access kept?


mlj

Less than 6 months

mlj

25 ­ 36 months


mlj

6 months ­ 12 months

mlj

More than 3 years


mlj

13 ­ 24 months

mlj

I don't know



23. How often does your organization review (or audit) the logs of EMR/EHR system

access?


mlj

Never


mlj

Every 6 months


mlj

Annually


mlj

Less often than 1/year


mlj

Only in specific circumstances (e.g., a breach)


Shape10 mlj

I don't know

10.



24. In your opinion, how likely is it that the review of system logs can (be used to)

distinguish "accidental" access (i.e., people who opened a record by mistake) from all other access?

Very likely


Somewhat likely


Very Unlikely

I don't know

nmlkj

nmlkj

nmlkj

nmlkj

nmlkj

nmlkj


25. If your organization wanted to create a list of who accessed

a given medical record, would that require gathering system log data from multiple systems?


mlj


Yes


mlj No


mlj


I don't know



26. If your organization wanted to create a list of who accessed a patient electronic

medical record over the previous MONTH, how much time would it take to do this?


mlj

Less than 1 hour

mlj

16 ­ 20 hours


mlj

1 ­ 5 hours

mlj

More than 20 hours


mlj

6 ­ 10 hours

mlj

I don't know


mlj

11 ­ 15 hours

mlj

It would not be possible to create such a list.



27. If your organization wanted to create a list of who accessed a patient electronic

medical record over the previous YEAR, how much time would it take to do this?


mlj

Less than 1 hour

mlj

16 ­ 20 hours


mlj

1 ­ 5 hours

mlj

More than 20 hours


mlj

6 ­ 10 hours

mlj

I don't know


Shape11 mlj

11 ­ 15 hours

mlj

It would not be possible to create such a list.

11.



28. Does your organization conduct regular reviews of access to medical records (i.e.,

who accessed protected health information, when and why, over some period of time)?


mlj

Yes, at least once per year or more often


mlj

Yes, but less than once per year


mlj

Yes, but only if a problem is identified (e.g., a breach)


mlj

No, we don't conduct regular reviews


mlj

I don't know



29. Does your organization allow employees who are also patients in the organization to

look at who has accessed their medical record?


mlj

Yes


mlj No


mlj

I don't know



30. In your opinion, how common is it for people in your organization to "accidentally"

access a patient electronic record (e.g., to open a record by mistake)?


Very common Somewhat common


all)

I don't know

Shape12

nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj


31. In your opinion, how likely is it that an investigation of access to medical records in

your organization would be able to distinguish "accidental" access (i.e., people who opened a record by mistake) from all other access?

Very likely


Somewhat likely


Very Unlikely

I don't know

nmlkj

nmlkj

nmlkj

nmlkj

nmlkj

nmlkj


32. In your opinion, how likely is it that an investigation of access to medical records (protected health information) in your organization would be able to clearly identify intentional access to records that is unauthorized (not allowed)?

Very likely Somewhat likely Very Unlikely I don't know


nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Shape13 12. C. Access to medical records



The next set of questions ask about how your organization handles questions about access to medical records.


33. If you or another employee in your organization who is also a patient expressed concern about (possibly inappropriate) access to your medical record, what kind of actions would be taken by your organization to address those concerns? Please check all that apply.


Yes

No

I don't know

Create a list of employees (by name) who accessed the record over a period of time

nmlkj

nmlkj

nmlkj

Interview employees about access to the record

mlj

mlj

mlj

Review IT logs of EMR/EHR system access

nmlkj

nmlkj

nmlkj

Meet with the concerned employee

mlj

mlj

mlj

Provide a list of employee names who accessed the record to the concerned employee

nmlkj

nmlkj

nmlkj

Explain the results of an internal investigation to the concerned employee

mlj

mlj

mlj

The organization has no formal organizational policy to deal with such concerns

nmlkj

nmlkj

nmlkj

Other (please specify)




13.



34. If a patient expressed concern about (possibly inappropriate) access to his/her medical

record, what kind of actions would be taken by your organization to address the patient concerns? Please check all that apply.


Yes

No

I don't know

Create a list of employees (by name) who accessed the record over a period of time

nmlkj

nmlkj

nmlkj

Interview employees about access to the record

mlj

mlj

mlj

Review IT logs of EMR/EHR system access

nmlkj

nmlkj

nmlkj

Meet with the concerned patient

mlj

mlj

mlj

Provide a list of employee names who accessed the record to the concerned patient

nmlkj

nmlkj

nmlkj

Explain the results of an internal investigation to the concerned patient

mlj

mlj

mlj

The organization has no formal organizational policy to deal with such concerns

nmlkj

nmlkj

nmlkj

Other (please specify)






35. On average, in a given month at your organization, how many patients express concern about access to their medical records (e.g., who accessed their records, or why their records were accessed, etc)?


mlj


None


mlj

1 ­ 10 patients


mlj

11­20 patients


mlj

21­50 patients


mlj

More than 50 patients


mlj

I don't know

Shape14


36. What proportion of patients are satisfied with the actions taken to address their

concerns about access to their medical records?

None of the patients


Half of the patients


All of the patients

I don't know

nmlkj

nmlkj

nmlkj

nmlkj

nmlkj

nmlkj

14. The next set of questions ask for your opinions.



37. Please answer how strongly you agree or disagree with the following statements.


Strongly Agree Agree


Neither Agree or

Disagree


Disagree


Strongly

Disagree


My organization has policies in place to safeguard protected health information from being seen by anyone not authorized to see it.

Technology protects patient health information from being seen by anyone not authorized to see it.

HIPAA does a good job protecting the privacy and security of patient health information.

Ethical codes of conduct for health information professionals do a good job protecting the confidentiality of patient health information.

Ethical codes of conduct for clinical professionals (e.g., doctors and nurses) do a good job protecting the confidentiality of patient health information.


nmlkj nmlkj nmlkj nmlkj nmlkj




mlj mlj mlj mlj mlj nmlkj nmlkj nmlkj nmlkj nmlkj mlj mlj mlj mlj mlj


nmlkj nmlkj nmlkj nmlkj nmlkj


38. Please answer how strongly you agree or disagree with the following statements.


Strongly Agree Agree


Neither Agree or

Disagree


Disagree


Strongly

Disagree

Shape15

Most patients would be surprised to see how many different people access their medical records during the course of delivering health care services.

Most patients would not understand a listing of all the different people who accessed their medical records during the course of delivering health care services.

It is important for patients to be able to find out who has accessed their medical records.

Patient privacy is more at risk with electronic health records systems (compared to paper records).

It is important for patients to be able to find out who their medical information has been disclosed to outside of their regular doctor/provider/hospital.

Patient privacy is at risk with health information exchange between multiple health care providers.


nmlkj nmlkj nmlkj nmlkj nmlkj




mlj mlj mlj mlj mlj




nmlkj nmlkj nmlkj nmlkj nmlkj mlj mlj mlj mlj mlj nmlkj nmlkj nmlkj nmlkj nmlkj


mlj mlj mlj mlj mlj

15. E. Organizational Characteristics



This last set of questions ask for your opinions about different aspects of your organization. Remember your answers are anonymous ­ none of your answers can be connected to you, your name, or your organization.


39. Please answer how strongly you agree or disagree with the following statements.


Strongly Agree Agree


Neither Agree or

Disagree


Disagree


Strongly

Disagree


People I work with are direct and honest with each other. nmlkj nmlkj nmlkj nmlkj nmlkj


People I work with accept criticism without becoming defensive.


mlj mlj mlj mlj mlj

People I work with function as a team. nmlkj nmlkj nmlkj nmlkj nmlkj People I work with constructively confront problems. mlj mlj mlj mlj mlj People I work with are good listeners. nmlkj nmlkj nmlkj nmlkj nmlkj


40. Please answer how strongly you agree or disagree with the following statements.


Strongly Agree Agree


Neither Agree or

Disagree


Disagree


Strongly

Disagree


Management and staff have a productive working relationship.

This organization motivates me to put out my best efforts.


nmlkj nmlkj nmlkj nmlkj nmlkj



mlj mlj mlj mlj mlj


This organization respects its workers. nmlkj nmlkj nmlkj nmlkj nmlkj


This organization treats all staff and management in a consistent and fair manner.


mlj mlj mlj mlj mlj


There is an atmosphere of trust in this organization. nmlkj nmlkj nmlkj nmlkj nmlkj


This organization motivates people to be efficient and productive.


mlj mlj mlj mlj mlj


41. Please answer how strongly you agree or disagree with the following statements.


Strongly Agree Agree


Neither Agree or

Disagree


Disagree


Strongly

Disagree


I get enough information to understand the big picture here.

When changes are made, the reasons why are made clear.

I know what is happening in work sections/departments outside my own.


nmlkj nmlkj nmlkj nmlkj nmlkj mlj mlj mlj mlj mlj

nmlkj nmlkj nmlkj nmlkj nmlkj


I have a say in decisions that affect my work. mlj mlj mlj mlj mlj

Shape16

This organization values the ideas of workers at every level.


nmlkj nmlkj nmlkj nmlkj nmlkj

42. Please answer how strongly you agree or disagree with the following statements.


Strongly Agree Agree


Neither Agree or

Disagree


Disagree


Strongly

Disagree


Nonclinical staff often receive incompatible requests from 2 or more people.

Clinical staff recognize and support the work of non­

clinical staff in my organization.


Clinical staff sometimes violate organizational privacy policies in order to do their jobs.

I sometimes violate organizational privacy policies in order to do my job.


nmlkj nmlkj nmlkj nmlkj nmlkj mlj mlj mlj mlj mlj nmlkj nmlkj nmlkj nmlkj nmlkj

mlj mlj mlj mlj mlj


43. Please answer how strongly you agree or disagree with the following statements.


Strongly Agree Agree


Neither Agree or

Disagree


Disagree


Strongly

Disagree

This organization is typically able to adapt new standards or procedures, even those forced upon us.


nmlkj nmlkj nmlkj nmlkj nmlkj


Leadership articulates a vision for the organization. mlj mlj mlj mlj mlj

Shape17

It is hard to make any changes in this organization because everyone is already so busy.

My job requirements are made clear to me by my supervisor.

People in this organization see the larger health care system as helpful in meeting the needs of the organization.


nmlkj nmlkj nmlkj nmlkj nmlkj mlj mlj mlj mlj mlj nmlkj nmlkj nmlkj nmlkj nmlkj

Shape18 16. Thank you!



Thank you for taking the time to complete this survey. The information you have provided will help us better understand the work of health information professionals within hospitals and physician practices.


Shape19 44. If you have any additional thoughts or ideas you would like to share, please write them below.

File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorCaton-Peters, Helen (OS/ONC)
File Modified0000-00-00
File Created2021-01-27

© 2024 OMB.report | Privacy Policy