Health informatics professionals are required to possess an effective working knowledge of the Health Insurance
Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule.
This task will provide you with two documents. First, read the attached “Health Record Policies,” which includes
policy draft excerpts. Next, read the attached “Sections of Montana Code,” which includes definitions from Montana
law pertaining to the validity of consent of minor for health services (41-1-402), confidentiality of health
information (50-16-603), patients’ examination and copying (50-16-541 and 50-16-542), and reasonable fees allowed
A. Evaluate the two policies in the attached “Health Record Policies” by doing the following:
1. Discuss what information should be included in an addendum pertaining to a shadow chart.
2. Discuss how information technology staff can help decrease incidents of security breaches.
B. Discuss one situation from Montana Code 41-1-402 (2a through 2d) that may result in criminal liability to the
organization if not followed.
1. Summarize how HIPAA defines criminal liability.
2. Explain which part of 2a through 2d of Montana Code 41-1-402 would directly impact actions of clinical staff.
C. Discuss one situation from Montana Code 50-16-603x (1 through 7) specific to health record identification that
may result in a legal claim against the organization if not followed.
1. Develop a confidentiality policy statement (suggested length of 1–2 sentences) using either Montana Code
41-1-402 or Montana Code 50-16-603.
D. Compare three points in the Montana codes to HIPAA laws as they refer to release of information.
1. Develop a release of information policy statement (suggested length of 1–2 sentences) using either Montana
Code 50-16-541 or Montana Code 50-16-542 for a policy book.
E. If you use sources, include all in-text citations and references in APA format.
Note: Please save word-processing documents as *.rtf (Rich Text Format) or *.pdf (Portable Document Format) files.
Note: When bulleted points are present in the task prompt, the level of detail or support called for in the rubric
refers to those bulleted points.
Note: For definitions of terms commonly used in the rubric, see the Rubric Terms web link included in the
Evaluation Procedures section.
Note: When using sources to support ideas and elements in a paper or project, the submission MUST include APA
formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not
necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the paper
Note: No more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from
sources, even if cited correctly. For tips on using APA style, please refer to the APA Handout web link included
in the General Instructions section.
Health Record Policies
You work in a health information management department for an outpatient clinic. Your manager is revising the
policy and procedural manuals for the department and is particularly interested in confirming that policies are in
compliance with state law and Health Insurance Portability and Accountability Act (HIPAA) Privacy Law. Your
manager asked you to review several policies and to review state code as they apply to HIPAA Law.
Your manager left the following two policies on your desk for review:
Release of Information: Shadow Chart Policy
“A shadow chart is a duplicate health record kept for the convenience of the medical provider. In the event that
an authorized individual requests health information pertaining to a specific episode of care, health information
management staff will review any shadow charts kept by medical providers for that patient to determine if any such
shadow charts contain information related to the episode of care. If the shadow chart contains information related
to the episode of care and is not found in the electronic record, the information from the shadow chart will also
be copied, in addition to requested information found in the electronic record.”
Your supervisor left a note that this policy needs an addendum.
Information Security: Workstation Policy
“Employees are required to secure their personal workstations when not in use. Confidential health information
must not be displayed on computer screens unless the employee is performing work functions on the computer and
using the information. Employees may not access another employee’s computer while it is in use nor may employees
use another’s password for any reason. Violation of this policy will result in disciplinary action, and depending
upon nature of violation, termination may result.”
You now move on to review several documents containing Montana Code and draft policy language. The Montana Code
documents pertain to release of information, protected health information of minors, and health information
SUBJECT: Information Security: Release of Information
50-16-541. Requirements and procedures for patient’s examination and copying.
(1) Upon receipt of a written request from a patient to examine or copy all or part of the patient’s recorded
health care information, a health care provider, as promptly as required under the circumstances but no later than
10 days after receiving the request, shall:
(a) make the information available to the patient for examination, without charge, during regular business
hours or provide a copy, if requested, to the patient;
(b) inform the patient if the information does not exist or cannot be found;
(c) if the health care provider does not maintain a record of the information, inform the patient and provide
the name and address, if known, of the health care provider who maintains the record;
(d) if the information is in use or unusual circumstances have delayed handling the request, inform the
patient and specify in writing the reasons for the delay and the earliest date, not later than 21 days after
receiving the request, when the information will be available for examination or copying or when the request will
be otherwise disposed of; or
(e) deny the request in whole or in part under 50-16-542 and inform the patient.
(2) Upon request, the health care provider shall provide an explanation of any code or abbreviation used in the
health care information. If a record of the particular health care information requested is not maintained by the
health care provider in the requested form, the health care provider is not required to create a new record or
reformulate an existing record to make the information available in the requested form. The health care provider
may charge a reasonable fee for each request, not to exceed the fee provided for in 50-16-540, for providing the
health care information and is not required to provide copies until the fee is paid.
History: En. Sec. 13, Ch. 632, L. 1987; amd. Sec. 5, Ch. 300, L. 1999.
50-16-540. Reasonable fees allowed. A reasonable fee for providing health care information may not exceed 50
cents for each page for a paper copy or photocopy. A reasonable fee may include an administrative fee that may not
exceed $15 for searching and handling recorded health care information.
History: En. Sec. 1, Ch. 300, L. 1999.
50-16-542. Denial of examination and copying.
(1) A health care provider may deny access to health care information by a patient if the health care provider
reasonably concludes that:
(a) knowledge of the health care information would be injurious to the health of the patient;
(b) knowledge of the health care information could reasonably be expected to lead to the patient’s
identification of an individual who provided the information in confidence and under circumstances in which
confidentiality was appropriate;
(c) knowledge of the health care information could reasonably be expected to cause danger to the life or
safety of any individual;
(d) the health care information is data, that is compiled and used solely for utilization review, peer
review, medical ethics review, quality assurance, or quality improvement;
(e) the health care information might contain information protected from disclosure.
(f) the health care provider obtained the information from a person other than the patient; or
(g) access to the health care information is otherwise prohibited by law.
(2) A health care provider may deny access to health care information by a patient who is a minor if:
(a) the patient is committed to a mental health facility; or
(b) the patient’s parents or guardian has not authorized the health care provider to disclose the patient’s
health care information.
(3) If a health care provider denies a request for examination and copying under this section, the provider, to
the extent possible, shall segregate health care information for which access has been denied under subsection (1)
from information for which access cannot be denied and permit the patient to examine or copy the information
subject to disclosure.
(4) If a health care provider denies a patient’s request for examination and copying, in whole or in part, under
subsection (1)(a) or (1)(c), the provider shall permit examination and copying of the record by the patient’s
spouse, adult child, or parent or guardian or by another health care provider who is providing health care
services to the patient for the same condition as the health care provider denying the request. The health care
provider denying the request shall inform the patient of the patient’s right to select another health care
provider under this subsection.
History: En. Sec. 14, Ch. 632, L. 1987; amd.Sec. 6, Ch. 657, L. 1989; amd.Sec. 19, Ch. 515, L. 1995; amd.
Sec. 6, Ch. 359, L. 2001.
SUBJECT: Uses and Disclosures of PHI of Minors; Confidentiality of Healthcare Information
41-1-402. Validity of consent of minor for health services.
(1) This part does not limit the right of an emancipated minor to consent to the provision of health services or
to control access to protected health care information under applicable law.
(2) The consent to the provision of health services and to control access to protected health care information by
a health care facility or to the performance of health services by a health professional may be given by a minor
who professes or is found to meet any of the following descriptions:
(a) a minor who professes to be or to have been married or to have had a child or graduated from high school;
(b) a minor who professes to be or is found to be separated from the minor’s parent, parents, or legal
guardian for whatever reason and is providing self-support by whatever means;
(c) a minor who professes or is found to be pregnant or afflicted with any reportable communicable disease,
including a sexually transmitted disease, or drug and substance abuse, including alcohol. This self-consent
applies only to the prevention, diagnosis, and treatment of those conditions specified in this subsection. The
self-consent in the case of pregnancy, a sexually transmitted disease, or drug and substance abuse also obliges
the health professional, if the health professional accepts the responsibility for treatment, to counsel the minor
or to refer the minor to another health professional for counseling.
(d) a minor who needs emergency care, including transfusions, without which the minor’s health will be
jeopardized. If emergency care is rendered, the parent, parents, or legal guardian must be informed as soon as
practical except under the circumstances mentioned in this subsection (2).
(3) A minor who has had a child may give effective consent to health service for the child.
(4) A minor may give consent for health care for the minor’s spouse if the spouse is unable to give consent by
reason of physical or mental incapacity.
History: En. Sec. 1, Ch. 189, L. 1969; amd.Sec. 1, Ch. 312, L. 1974; amd.Sec. 23, Ch. 100, L. 1977; R.C.M.
1947, 69-6101; amd.Sec. 14, Ch. 440, L. 1989; amd.Sec. 188, Ch. 42, L. 1997; amd. Sec. 2, Ch. 396, L. 2003.
50-16-603. Confidentiality of health care information.
Health care information in the possession of the department, a local board, a local health officer, or the
entity’s authorized representatives may not be released except:
(1) for statistical purposes, if no identification of individuals can be made from the information released;
(2) when the health care information pertains to a person who has given written consent to the release and has
specified the type of information to be released and the person or entity to whom it may be released;
(3) to medical personnel in a medical emergency as necessary to protect the health, life, or well-being of the
(4) as allowed by Title 50, chapters 17 and 18;
(5) to another state or local public health agency, including those in other states, whenever necessary to
continue health services to the named person or to undertake public health efforts to prevent or interrupt the
transmission of a communicable disease or to alleviate and prevent injury caused by the release of biological,
chemical, or radiological agents capable of causing imminent disability, death, or infection;
(6) in the case of a minor, or pursuant to an investigation under or if the health care information is to be
presented as evidence in a court proceeding involving child abuse Documents containing the information must be
sealed by the court upon conclusion of the proceedings.
(7) to medical personnel, the department, a local health officer or board, or a district court when necessary to
implement or enforce state statutes or state or local health rules concerning the prevention or control of
diseases designated as reportable if the release does not conflict with any other provision contained in this
History: En. Sec. 3, Ch. 481, L. 1989; amd.Sec. 10, Ch. 391, L. 2003; amd. Sec. 26, Ch. 504, L. 2003