MAINTAINING, CONFIDENTIALITY, INTEGRITY & SECURITY OF THE RECORDS POLICY

1.0 PURPOSE:
Protected patient information (PPI) is confidential and protected from access, use, or disclosure except to
authorized individuals requiring access to such information. Attempting to obtain or use, actually obtaining
or using, or assisting others to obtain or use PPI, when unauthorized or improper, results in performance
counseling or disciplinary action up to and including termination.
All hospital staff members must access and use protected patient information on a "need to know" basis
as defined by their job role. In addition, when using or disclosing patient information the amount of
information used or disclosed is limited to the minimum amount necessary to accomplish the intended
purpose. When requesting patient information from other health RML providers, staff limits the request to
the minimum amount necessary. This minimum necessary expectation generally does not apply to
situations involving treatment or clinical evaluation.
2.0 SCOPE:
This policy is applicable to following
 Patient Information contained in HMIS
 Data and information in HMIS regarding various use of hospital management and analysis
 Information in Medical records.
 Information kept in manual registers, forms and files
 Hospital Personnel’s information in their personnel files

3.0 RESPONSIBILITY: MRD Incharge.

4.0 AUTHORITY: This Policy cannot be changed without the prior written approval from Chief Executive
Officer.
5.0 POLICY & PROCEDURE:

POLICY:
To appropriately, confidentially and securely keep all the patient and non-patient related data and
information generated, provided or contained in the hospital.
Ref. Doc./
S. No. Activity/ Description Responsibility
Records

Storage of data is managed to ensure adequate safeguards for

5.1 Incharge - MRD
protection of data after indexing is filed

Accessibility of medical records are traced through register for

5.2 Incharge – MRD
movement of the file in /out of the medical record department

Page 1 of 5
 All the medical records of the departments are ensured and within
5.3 Incharge - MRD
the reach of relevant care providers

After the office hours and emergency only the authorized person
5.4 Incharge - MRD
has right to access the medical records

Medical records are kept in a safe manner ensured that there are
adequate pest and rodent control measures periodically.
5.5 Adequate (and appropriate) fire-fighting equipment Fire safety Fire Officer
measures has been taken For fire safety, Fire extinguishers are
also available.

Electronics data are also protected against virus/trogons and other

5.6 Sr. Manager - IT
proper back up procedures

Clinical Audit Committee monitors the compliances of the effective

process of medical records by reviewing at least quarterly the
active and discharged patient clinical records focusing on
timeliness, legibility, and completeness of the clinical record,
5.7 Management
Record contents required by laws or regulations.

Results of the review process are incorporated into the hospital’s

quality oversight mechanism.

Medical Record Department maintained confidentiality, integrity

5.8 and security of information in moving file one place to another Incharge - MRD
place or person. Tracer card is used for this purpose.

Electronics data are accessible only by the authorized person and

5.9 Sr. Manager - IT
system is in a place for auto back up and day back up

Specially care is given in medical legal cases VIPs identified by

5.10 Incharge - MRD
the Govt. of India and the organization

5.11  A medical record is shared to patient/ attendant, public Incharge - MRD

agencies and the RTI act in accordance with the Code of
Medical Ethics 2002 only after taking written approval
from patient and management and same is recorded.
 Special care is taken in medico-legal cases and other
special situations identified by Government and the

Page 2 of 5
 hospital.
Policies and procedures follow applicable laws like Indian Indian
Evidence Act, Indian Penal Code and Code of Medical Ethics. For Evidence
example, privileged communication. Act,

Indian
5.12 Incharge - MRD Penal
Code,

Code of
Medical
Ethics

Technological features are reviewed and if required updated to

5.13 Sr. Manager – IT
improve confidentiality, integrity and security of information.

PROCESS DETAILS:
DESCRIPTION OF THE PROCESS
All patient and non-patient related data and information generated, provided or contained in the hospital
should be kept appropriately confidential, integrated and secured.
All information concerning a user, including information relating to his / her health status, treatment or stay
in the hospital, is confidential, and is to be treated as such
No person may disclose any information contemplated in above mentioned point unless,
 The user consents to that disclosure in writing
 A court order or any law requires such disclosure
Without prejudice to the generality of this section, special precautions for the maintenance of
confidentiality shall be taken, with respect to
 Persons affected with HIV / AIDS and
 Persons with mental health problems
 Person is danger to the national security or to the society.
This shall be in accordance with Indian Evidence Act, Indian Penal code, Code of Medical ethics.
These records shall be safe guarded against loss, destruction and tampering. Adequate space,
cleanliness and storage furniture shall be maintained in Medical records department
Privileged health information shall be used for the purposes of medico legal cases only.
Patient /physician and other public agency requesting for access to medical records shall be done as per
Document.

PROTOCOLS:

Page 3 of 5
Electronic records:
These records are kept in HMIS and include patient related information, administrative information and
various reports.
Following shall be done to keep the confidentiality, integrity and security of these information.
1. Access shall be restricted and only through User ID and password
2. User ID and Password shall be provided to identify personnel depending on the type of
information required by him for his job.
3. The IT department shall provide the right to access only after clearance from head of the
department
4. Right to access shall be provided only after proper justification
5. Any external person request for specific information from HMIS shall be allowed only after written
permission from either Medical Administrator
6. Back up all information and data shall be taken at the end of every day
7. Any drive for connecting external hard disk shall restrictively provide in CPUs in hospital. Internet
facility shall also be restricted, to prevent data or information stealing.
8. Electronic data shall be protected from virus / Trojans and other computer bugs. Any software, if
required to be used on computers with hospital information shall be validated and authenticated
by IT department.

Medical records:
1. Medical records shall be stored in MRD after patient discharge and shall be kept under security
2. Medical records for admitted patient shall be kept under custody of nursing staff and shall not be
allowed for access to people not involved in direct patient RML.
3. A proper track of medical records shall be kept in case these records are transferred from one
place to another
4. It shall be ensured by staff and medical records department that all pages and contents in the
medical records and appropriately kept and are prevented from loss, tampering or destructions.
No loose paper shall be allowed in medical records

ACTIVITY AND RESPONSIBILITY

S. Activity Responsibility
No
All patient and non-patient related data and information Medical record department, all
generated, provided or contained in the hospital should hospital consultants.
be kept appropriately confidential, integrated and
secured.
All the protocols for electronic records and medical Medical record department &
records must be followed. IT.

6.0 REFERENCES:

Page 4 of 5
7.0 RECORDS AND FORMATS:

Page 5 of 5