Statutes, codes, and regulations
New Mexico Administrative Code
Title 8 - SOCIAL SERVICESChapter 300 - MEDICAID GENERAL INFORMATION
Part 2 - HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) POLICIES
Section 8.300.2.22 - SAFEGUARDING PROTECTED HEALTH INFORMATION

N.M. Admin. Code § 8.300.2.22

Download
PDF
Current through Register Vol. 36, No. 1, January 14, 2025
Section 8.300.2.22 - SAFEGUARDING PROTECTED HEALTH INFORMATION

PHI shall be confidential and shall be subject to safeguarding procedures. PHI shall be restricted from the public 45CFR 164.530(c).

A. Restricting access to PHI: When meeting with recipients or their personal representative, HCC employees shall ensure that any PHI that does not belong to that recipient is not visible. If meeting with the general public, HCC employees shall ensure that no PHI is accessible or visible.
B. Computer monitors: The HCC workforce shall:
(1) ensure that all computer monitors that provide access to PHI that are located in an area accessible to or visible by the general public are not facing the public; and
(2) ensure that each computer monitor that provides access to PHI is locked with a password-protected screen saver or otherwise secure the computer monitor by a method approved by the PSO before leaving the computer monitor for any reason.
C. Facsimile machines: The HCC workforce shall:
(1) when a fax machine is located in an area accessible by the general public, remove incoming and outgoing faxes immediately; and
(2) prior to sending any fax document containing PHI, verify the disclosure is in accordance with 8.300.2.12 NMAC;
(a) apply the minimum necessary criteria in accordance with 8.300.2.16 NMAC;
(b) verify that the number to which the PHI is being sent is the correct number;
(c) determine if the disclosure is required to be recorded, in accordance with 8.300.2.15 NMAC; and
(d) record any required disclosure of PHI in the PSO's database in accordance with 8.300.2.15 NMAC.
D. Electronic mail: Prior to sending an e-mail that contains PHI, the HCC workforce shall:
(1) verify the disclosure is in accordance with 8.300.2.15 NMAC;
(2) apply the minimum necessary criteria in accordance with 8.300.2.16 NMAC;
(3) enter a notation referring to the confidential or sensitive nature of the information in the subject line to further safeguard the confidentiality of electronically submitted data;
(4) verify the recipient's e-mail address; and
(5) determine if the disclosure is required to be recorded in the PSO's database in accordance with 8.300.2.15 NMAC, and if so, record it.
E. Document disposal: When documents that contain PHI that are no longer needed and are not required to be retained under state of New Mexico records and archives requirements, authorized members of the HCC workforce shall request such records be destroyed in accordance with 1.13.30.9 NMAC.
(1) HCC workforce members shall destroy any form of paper that contains PHI by shredding or equivalent means as approved by the PSO. If a shredder is not available at the time the paper containing PHI needs to be destroyed, the papers shall be placed in a secure, locked environment until a shredder is available.
(2) Under no circumstances shall un-shredded paper containing PHI be placed in a trashcan, recycle bin or otherwise disposed of.
F. Physical security: The HCC shall have in place appropriate physical safeguards to protect the privacy of protected health information 45CFR 164.530(c).
G. Violations:
(1) The PSO shall perform random audits to assure compliance with this procedure and shall report any confirmed violation to the HCC workforce member's supervisor/coordinator.
(2) The PSO shall implement the appropriate disciplinary action and training (if applicable) described in 8.300.2.24 NMAC and record the confirmed violation and disciplinary action into the employee's file in the HCA office of human resources.

N.M. Admin. Code § 8.300.2.22

8.300.2.22 NMAC - N, 7-1-03, Adopted by New Mexico Register, Volume XXXV, Issue 12, June 25, 2024, eff. 7/1/2024