HIPAA Security and Privacy

Agency Guidelines for HIPAA, HITECH, FERPA, Privacy & Security
(March 5, 2014)
The Agency (MCFI, NHS, MCFI Home Care, iLIFE and SEDA) will maintain the
confidentiality and privacy of client information in all settings. The Agency is a covered entity
under HIPAA and HITECH. We require all staff, volunteers and interns to abide by the
Privacy Rule and the Security Rule.
FERPA (the Family Educational Rights and Privacy Act of 1974) is a Federal law that
protects the privacy of students' education records and establishes rights for
students relative to the disclosure of those records.
Protecting Client Privacy
1) Staff will not discuss confidential client information, including Protected Health Information
(PHI), among themselves in public areas.
2) Conversations with the client/family regarding confidential client information and PHI will
not be held in public areas.
3) Overhead and intercom announcements will not include confidential client information or
PHI.
4) Phone conversations and dictation will take place in areas where confidential client
information and PHI cannot be overheard.
5) With the exception of the client’s first name, confidential client information will not be
called out in a program area or other open space.
6) Staff, interns and volunteers are authorized to access only the minimum necessary
information to perform their job duties.
Electronic Security
1) When possible, computer monitors are positioned away from public areas to avoid
observation by visitors.
2) Please log off or lock your workstation when the computer is unattended. The IT
Department requires that you set a password on your screen saver so that unused
computers are automatically locked when the screensaver turns on.
3) The volume on audio equipment (e.g. speaker phones, tape recorders, etc.) is turned
down so that information being played cannot be overheard by other staff or visitors. Voice
mail passwords must not be left at the default setting or set to the last four digits of
your phone number.
4) Confidential client information, including PHI, may not be downloaded to unencrypted
portable devices.
Document Security
1) On desks in public areas, documents with confidential client information (including PHI)
will be placed face down or concealed.
2) Paper documentation and client files are stored in such a way as to avoid observation by
clients, visitors, or casual access by unauthorized staff.
3) Release of confidential client information (including PHI) will only be done by staff
specifically authorized to do so following applicable federal and state laws and agency
policy.
4) Confidential client information (including PHI) will not be left unattended at a printer,
photocopier or fax machine.
5) Confidential client information (including PHI) must be discarded in the appropriate secure
container or immediately shredded.
6) Client listings are not readily visible to clients or visitors.
7) All employees are required to wear an ID badge when in the building. Those people not
recognized in restricted areas should be asked for identification.
8) All client files are filed in locked storage cabinets or rooms that are locked.
9) Only authorized staff have access to confidential client information (including PHI), and
they use only the minimum amount necessary to accomplish their duties.
Reporting Concerns and Sanctions
1) Individuals should feel comfortable reporting, and are obligated to report, all suspected
security and privacy breaches to their supervisor, any Clinical Information staff, IT staff,
the Privacy Officer (Alex Chou), the Security Officer (David Jones), the Director of
Compliance (Julie Van Alstine), or via the anonymous hotline.
2) All supervisors regularly review with their staff the procedures and work instructions
applicable to their area's work assignments, to ensure that current practices and
procedures protect client privacy and security.
3) Violations of the HIPAA, HITECH and FERPA statutes may result in disciplinary action for
employees, and in fines and/or criminal prosecution of the agency or the individual.
Employee Name: ___________________________________________________
Employee Signature: ________________________________________________
Date Reviewed: _________________________________________
Form No.: 04/2014 40-59-01
Updated 03/05/2014 Kimberley Noon, Compliance Officer