Agency Guidelines for HIPAA, HITECH, FERPA, Privacy & Security (March 5, 2014)

The Agency (MCFI, NHS, MCFI Home Care, iLIFE and SEDA) will maintain the confidentiality and privacy of client information in all settings. The Agency is a covered entity under HIPAA and HITECH. We require all staff, volunteers and interns to abide by the Privacy Rule and the Security Rule. FERPA (The Family Educational Rights and Privacy Act) of 1974 is a Federal law that protects the privacy of students' education records and establishes rights for students relative to the disclosure of education records.

Protecting Client Privacy

1) Staff will not discuss confidential client information, including Protected Health Information (PHI), among themselves in public areas.
2) Conversations with the client/family regarding confidential client information and PHI will not be held in public areas.
3) Overhead and intercom announcements will not include confidential client information or PHI.
4) Phone conversations and dictation will take place in areas where confidential client information and PHI cannot be overheard.
5) With the exception of the client's first name, confidential client information will not be called out in a program area or other open space.
6) Staff, interns and volunteers are authorized to access only the minimum necessary information to perform their job duties.

Electronic Security

1) When possible, computer monitors are positioned away from public areas to avoid observation by visitors.
2) Please log off or lock your workstation when the computer is unattended. The IT Department requires that you set a password on your screen saver so that unused computers are automatically locked when the screen saver turns on.
3) The volume on audio equipment (e.g. speaker phones, tape recorders, etc.) is turned down so that information being played cannot be overheard by other staff or visitors. Voice mail passwords are not the default setting or the last four digits of your phone number.
4) Confidential client information, including PHI, may not be downloaded to non-encrypted portable devices.

Document Security

1) On desks in public areas, documents with confidential client information (including PHI) will be placed face down or concealed.
2) Paper documentation and client files are stored in such a way as to avoid observation by clients or visitors, or casual access by unauthorized staff.
3) Release of confidential client information (including PHI) will only be done by staff specifically authorized to do so, following applicable federal and state laws and agency policy.
4) Confidential client information (including PHI) will not be left unattended at a printer, photocopier or fax machine.
5) Confidential client information (including PHI) must be discarded in the appropriate secure container or immediately shredded.
6) Client listings are not readily visible to clients or visitors.
7) All employees are required to wear an ID badge when in the building. People not recognized in restricted areas should be asked for identification.
8) All client files are filed in locked storage cabinets or in rooms that are locked.
9) Only authorized staff have access to confidential client information (including PHI), and they use only the minimum amount necessary to accomplish their duties.

Reporting Concerns and Sanctions

1) Individuals should feel comfortable with, and obligated to, reporting all suspected security and privacy breaches to their supervisor, any Clinical Information staff, IT staff, the Privacy Officer (Alex Chou), the Security Officer (David Jones), the Director of Compliance (Julie Van Alstine), or via the anonymous hotline.
2) All supervisors regularly review the procedures and work instructions applicable to their area's work assignments with their staff to ensure that current practices and procedures protect client privacy and security.
3) Violations of HIPAA, HITECH and FERPA statutes may result in disciplinary action for employees, and fines and/or criminal prosecution of the agency or the individual.

Employee Name: ___________________________________________________

Employee Signature: ________________________________________________

Date Reviewed: _________________________________________

Form No.: 04/2014 40-59-01 Updated 03/05/2014 Kimberley Noon, Compliance Officer