Form Approved
OMB No. 0955-0005
Exp. Date 09/30/2017
Your participation in this survey is completely anonymous and voluntary. NONE of the answers you give can be connected to you or your name or the organization where you work.
The information you provide in this survey will help us to better understand the challenge of working with medical records and protected health information in our health care system. Thank you!
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0955-0005. The time required to complete this information collection is estimated to average ten minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: U.S. Department of Health & Human Services, OS/OCIO/PRA, 200 Independence Ave., S.W., Suite 336-E, Washington D.C. 20201, Attention: PRA Reports Clearance Officer.
2. A. The first set of questions asks about your work setting and the kind of w...
*1. In what type of health care setting are you currently working?
[Note: Acute-care hospital refers to an institution primarily engaged in providing inpatient diagnostic and therapeutic services and care of injured, disabled, or sick persons. It does not include psychiatric, rehabilitation or long-term care hospitals.]
Physician Practice with 5 or fewer physicians (or other clinical practitioners who bill for services)
Physician Practice with 6-15 physicians (or other clinical practitioners who bill for services)
Physician Practice with 16 or more physicians (or other clinical practitioners who bill for services)
Acute-care Hospital with 25 or fewer beds
Acute-care Hospital with 26-250 beds
Acute-care Hospital with 251 or more beds
Other (please specify)
2. Do you work in a teaching hospital?
Yes
No
I don't know
3. Is the hospital part of a multi-hospital system or integrated health delivery system?
Yes
No
I don't know
4. How long have you been working at your current organization (even if in different roles)?
Less than 1 year
1-3 years
4-10 years
More than 10 years
5. How long have you been working in your current role/job (even if at multiple organizations)?
Less than 1 year
1-3 years
4-10 years
More than 10 years
6. Which of the following job activities do you currently do in your organization? Please check all that apply.
NOTE: In this question medical records refer to any records (paper or electronic) that include protected health information.
I am responsible for coding and/or billing for clinical services from medical records.
I work with and/or manage medical records.
I am responsible for transferring medical records or protected health information to authorized employees and departments within my organization.
I am responsible for transferring medical records or protected health information to entities outside of my organization.
I work in information systems administration.
I am responsible for the appropriate use and disclosure of health information.
I am involved in ensuring compliance to HIPAA regulations.
I am involved in ensuring compliance to HITECH regulations.
I am responsible for interacting with federal and/or state compliance authorities on a routine basis.
I am responsible for ensuring that medical records and protected health information is secure.
I am responsible for handling the remediation of a security breach at our organization.
My department is notified of security breaches in the organization that require notification.
I am an information analyst working with data from medical records.
None of the above
Other (please specify)
*7. Do you have any of the following AHIMA certifications? Please check all that apply.
Response options for each item: Yes | No
Registered Health Information Administrator (RHIA)
Registered Health Information Technician (RHIT)
Certified in Healthcare Privacy and Security (CHPS)
Certified Coding Specialist (CCS)
Certified Coding Specialist, physician-based (CCS-P)
Certified Coding Associate (CCA)
Certified Health Data Analyst (CHDA)
Please list any other health care certifications you have
*8. Please type your current job title in the box below.
9. What is your highest educational degree?
High school/GED
Associates Degree
Bachelors Degree
Masters Degree - MA, MBA, MPH, MS, MSN
Medical Degree - MD, DO
Doctor of Science - SciD
Doctor of Philosophy - PhD
Other (please specify)
6. B. Health Information and exchange
10. When your organization exchanges or shares clinical information with other providers, what mechanisms are used? Please check all that apply. [AHA-adapted]
Fax or eFax
Email or secure Email
Regular mail
Electronic Health Record (EHR)
Telephone
I don't know
Text or secure Text
Other (please specify)
11. Do any current arrangements exist in your area to share electronic patient-level clinical information through an electronic health information exchange (HIE) or a regional health information organization (RHIO), regardless of whether your organization participates in it or not? [AHAa]
Yes, arrangements currently exist
No, arrangements do not currently exist
I don't know
12. Are clinical providers in your organization able to electronically search or request a patient's health information (e.g., medications, test results) from sources outside of your organization or system? [AHAa]
Yes
No
I don't know
13. Are clinical providers in your organization able to send and receive secure electronic messages containing patient's health information (e.g., medications, test results) to and from sources outside of your organization or system? [AHAa]
Yes
No
I don't know
14. Does your organization use an electronic medical record (EMR) or electronic health record (EHR) system? [AHA]
Definition: An EMR/EHR is electronically originated and maintained clinical health information derived from multiple sources about an individual's health status and healthcare. An EMR/EHR replaces the paper medical record as the primary source of patient information.
Yes, fully electronic
Yes, partially electronic
No
I don't know
15. Has your EMR/EHR system been certified as meeting federal requirements for the objectives of Meaningful Use? [AHAa]
Yes
No
I don't know
16. In general, how would you describe your EMR/EHR system? [AHAa]
A mix of products from different vendors
Primarily from one vendor
Primarily an in-house developed system
I don't know
17. Do you have any credentialed EMR/EHR system users who can access patient records but are not employees of the organization? For example, a credentialed system user may be at an insurance company, Health Information Exchange, or Regional Health Information Organizations.
Yes
No
I don't know
18. Are clinical providers in your organization able to remotely access the EMR/EHR system? That is, can they electronically access the system from outside of the organization?
Yes
No
I don't know
19. Does your organization currently require two-factor authentication (e.g., tokens or biometrics) to access medical records? [AHAa]
Yes
No
I don't know
20. Does your organization have IT systems/applications that record or log access to the EMR/EHR system (i.e., access to patient protected health information)? [Note: The type of information logged by the system could include user name or ID, timestamp, and/or commands issued.]
Yes
No
I don't know
21. What type(s) of information is logged or recorded? Please check all that apply.
Response options for each item: Yes | No | Don't know
Date of access
Time of access
Name of the person accessing the record
Role of the person accessing the record (e.g., by department or professional role such as "RN")
Purpose of access
Type of information/field accessed
Action(s) taken (e.g., create/modify/delete)
Other (please specify)
22. For what period of time are logs of EMR/EHR system access kept?
Less than 6 months
6 months - 12 months
13-24 months
25-36 months
More than 3 years
I don't know
23. How often does your organization review (or audit) the logs of EMR/EHR system access?
Never
Every 6 months
Annually
Less often than 1/year
Only in specific circumstances (e.g., a breach)
I don't know
24. In your opinion, how likely is it that the review of system logs can (be used to) distinguish "accidental" access (i.e., people who opened a record by mistake) from all other access?
Response scale: Very likely | (unlabeled) | Somewhat likely | (unlabeled) | Very Unlikely | I don't know
25. If your organization wanted to create a list of who accessed a given medical record, would that require gathering system log data from multiple systems?
Yes
No
I don't know
26. If your organization wanted to create a list of who accessed a patient electronic medical record over the previous MONTH, how much time would it take to do this?
Less than 1 hour
1-5 hours
6-10 hours
11-15 hours
16-20 hours
More than 20 hours
I don't know
It would not be possible to create such a list.
27. If your organization wanted to create a list of who accessed a patient electronic medical record over the previous YEAR, how much time would it take to do this?
Less than 1 hour
1-5 hours
6-10 hours
11-15 hours
16-20 hours
More than 20 hours
I don't know
It would not be possible to create such a list.
28. Does your organization conduct regular reviews of access to medical records (i.e., who accessed protected health information, when and why, over some period of time)?
Yes, at least once per year or more often
Yes, but less than once per year
Yes, but only if a problem is identified (e.g., a breach)
No, we don't conduct regular reviews
I don't know
29. Does your organization allow employees who are also patients in the organization to look at who has accessed their medical record?
Yes
No
I don't know
30. In your opinion, how common is it for people in your organization to "accidentally" access a patient electronic record (e.g., to open a record by mistake)?
Very common Somewhat common
all)
I don't know
31. In your opinion, how likely is it that an investigation of access to medical records in your organization would be able to distinguish "accidental" access (i.e., people who opened a record by mistake) from all other access?
Response scale: Very likely | (unlabeled) | Somewhat likely | (unlabeled) | Very Unlikely | I don't know
32. In your opinion, how likely is it that an investigation of access to medical records (protected health information) in your organization would be able to clearly identify intentional access to records that is unauthorized (not allowed)?
Response scale: Very likely | Somewhat likely | Very Unlikely | I don't know
12. C. Access to medical records
The next set of questions asks about how your organization handles questions about access to medical records.
33. If you or another employee in your organization who is also a patient expressed concern about (possibly inappropriate) access to your medical record, what kind of actions would be taken by your organization to address those concerns? Please check all that apply.
Response options for each item: Yes | No | I don't know
Create a list of employees (by name) who accessed the record over a period of time
Interview employees about access to the record
Review IT logs of EMR/EHR system access
Meet with the concerned employee
Provide a list of employee names who accessed the record to the concerned employee
Explain the results of an internal investigation to the concerned employee
The organization has no formal organizational policy to deal with such concerns
Other (please specify)
34. If a patient expressed concern about (possibly inappropriate) access to his/her medical record, what kind of actions would be taken by your organization to address the patient concerns? Please check all that apply.
Response options for each item: Yes | No | I don't know
Create a list of employees (by name) who accessed the record over a period of time
Interview employees about access to the record
Review IT logs of EMR/EHR system access
Meet with the concerned patient
Provide a list of employee names who accessed the record to the concerned patient
Explain the results of an internal investigation to the concerned patient
The organization has no formal organizational policy to deal with such concerns
Other (please specify)
35. On average, in a given month at your organization, how many patients express concern about access to their medical records (e.g., who accessed their records, or why their records were accessed, etc)?
None
1-10 patients
11-20 patients
21-50 patients
More than 50 patients
I don't know
36. What proportion of patients are satisfied with the actions taken to address their concerns about access to their medical records?
Response scale: None of the patients | (unlabeled) | Half of the patients | (unlabeled) | All of the patients | I don't know
14. The next set of questions asks for your opinions.
37. Please answer how strongly you agree or disagree with the following statements.
Response scale for each statement: Strongly Agree | Agree | Neither Agree or Disagree | Disagree | Strongly Disagree
My organization has policies in place to safeguard protected health information from being seen by anyone not authorized to see it.
Technology protects patient health information from being seen by anyone not authorized to see it.
HIPAA does a good job protecting the privacy and security of patient health information.
Ethical codes of conduct for health information professionals do a good job protecting the confidentiality of patient health information.
Ethical codes of conduct for clinical professionals (e.g., doctors and nurses) do a good job protecting the confidentiality of patient health information.
38. Please answer how strongly you agree or disagree with the following statements.
Response scale for each statement: Strongly Agree | Agree | Neither Agree or Disagree | Disagree | Strongly Disagree
Most patients would be surprised to see how many different people access their medical records during the course of delivering health care services.
Most patients would not understand a listing of all the different people who accessed their medical records during the course of delivering health care services.
It is important for patients to be able to find out who has accessed their medical records.
Patient privacy is more at risk with electronic health records systems (compared to paper records).
It is important for patients to be able to find out who their medical information has been disclosed to outside of their regular doctor/provider/hospital.
Patient privacy is at risk with health information exchange between multiple health care providers.
15. E. Organizational Characteristics
This last set of questions asks for your opinions about different aspects of your organization. Remember your answers are anonymous - none of your answers can be connected to you, your name, or your organization.
39. Please answer how strongly you agree or disagree with the following statements.
Response scale for each statement: Strongly Agree | Agree | Neither Agree or Disagree | Disagree | Strongly Disagree
People I work with are direct and honest with each other.
People I work with accept criticism without becoming defensive.
People I work with function as a team.
People I work with constructively confront problems.
People I work with are good listeners.
40. Please answer how strongly you agree or disagree with the following statements.
Response scale for each statement: Strongly Agree | Agree | Neither Agree or Disagree | Disagree | Strongly Disagree
Management and staff have a productive working relationship.
This organization motivates me to put out my best efforts.
This organization respects its workers.
This organization treats all staff and management in a consistent and fair manner.
There is an atmosphere of trust in this organization.
This organization motivates people to be efficient and productive.
41. Please answer how strongly you agree or disagree with the following statements.
Response scale for each statement: Strongly Agree | Agree | Neither Agree or Disagree | Disagree | Strongly Disagree
I get enough information to understand the big picture here.
When changes are made, the reasons why are made clear.
I know what is happening in work sections/departments outside my own.
I have a say in decisions that affect my work.
This organization values the ideas of workers at every level.
42. Please answer how strongly you agree or disagree with the following statements.
Response scale for each statement: Strongly Agree | Agree | Neither Agree or Disagree | Disagree | Strongly Disagree
Non-clinical staff often receive incompatible requests from 2 or more people.
Clinical staff recognize and support the work of non-clinical staff in my organization.
Clinical staff sometimes violate organizational privacy policies in order to do their jobs.
I sometimes violate organizational privacy policies in order to do my job.
43. Please answer how strongly you agree or disagree with the following statements.
Response scale for each statement: Strongly Agree | Agree | Neither Agree or Disagree | Disagree | Strongly Disagree
This organization is typically able to adapt new standards or procedures, even those forced upon us.
Leadership articulates a vision for the organization.
It is hard to make any changes in this organization because everyone is already so busy.
My job requirements are made clear to me by my supervisor.
People in this organization see the larger health care system as helpful in meeting the needs of the organization.
16. Thank you!
Thank you for taking the time to complete this survey. The information you have provided will help us better understand the work of health information professionals within hospitals and physician practices.
44. If you have any additional thoughts or ideas you would like to share, please write them below.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Caton-Peters, Helen (OS/ONC) |
File Modified | 0000-00-00 |
File Created | 2021-01-27 |