RIVER HILLS COMMUNITY HEALTH CENTER
POLICY ON CONFIDENTIALITY OF INFORMATION

Submitted by: Curt Meeks, CO
Policy #:
Approved By:
Policy Supersedes:
Date:
Revised/Reviewed:

Policy

It shall be the policy of River Hills CHC that all workforce members shall treat all Protected Health Information (PHI/ePHI) as confidential. Violations or breaches of patient confidentiality by workforce members are subject to formal discipline up to and including termination. Sanctions may be established in a tiered structure, based on the severity of the breach; they will be administered fairly and consistently to all individuals who are in violation of established policies.

Purpose

The purpose of this policy is to comply with the HIPAA Privacy Rule and HIPAA Security Rule requirements pertaining to the acceptable use of River Hills CHC IT resources regarding protected health information (PHI) and electronic protected health information (EPHI). River Hills CHC policies regarding privacy and security of PHI/EPHI reflect its commitment to protecting the confidentiality of patients' medical records, patient accounts, clinical information from management information systems, confidential conversations, and any other sensitive material acquired in the course of doing business.

While a commitment to privacy and security of PHI/EPHI is the expectation, there remains a possibility that an inappropriate or unintended disclosure of PHI/EPHI may result in a privacy breach. This policy outlines the procedure to mitigate breaches, both willful violations and unintended actions, consistent with guidance described by the HIPAA and HITECH laws.

Overview

River Hills CHC's intention in publishing this HIPAA Confidentiality Policy is not to impose restrictions that are contrary to River Hills CHC's established culture of openness, trust and integrity. River Hills CHC is committed to protecting employees, patients, partners and itself from illegal or damaging actions by individuals, whether knowing or unknowing.

Effective HIPAA security is a team effort involving the participation and support of every River Hills CHC employee and affiliate who interacts with information and/or information systems. It is the responsibility of every computer user to know these guidelines and to conduct their activities accordingly.

Any time that protected health information (PHI) is referenced in this policy, it refers to the HIPAA Privacy Rule; when electronic protected health information (EPHI) is referenced in this policy, it refers to the HIPAA Security Rule.

Scope

This policy applies organization-wide.

Procedures

1. Prohibitions of Access to PHI

1.1 This policy prohibits confidential information, as defined by Federal law (such as HIPAA and HITECH) or Iowa law (such as the Open Records Law under Iowa Code §22.1 to 14 et seq.), from being accessed, disclosed or released, in any format, to or by any person or business that does not have a need to know, without the proper consent of the individual/patient involved and/or River Hills CHC leadership.

1.2 Certain information considered confidential by River Hills CHC may be subject to the State of Iowa Open Records Law but should not be released before obtaining specific authorization from the appropriate level of River Hills CHC management. Formal Freedom of Information requests for confidential information should be sent to the Privacy Officer.

2. Conduct of Personnel

2.1 All workforce members must be professional and maintain PHI/EPHI confidentiality at all times, whether dealing with actual records, projects, or conversations, and abide by the obligations of contractual confidentiality agreements.

2.2 Situations in violation of this policy include, but are not limited to:

a. Gossip-style discussions among healthcare workers regarding medical information about any patient or fellow workforce member.
b. Allowing unauthorized access to confidential patient information, financial data, or employee personal information stored on River Hills CHC assets.
c. Sharing information accessed by authorized users, in the course of their work, with others who do not have a need for access to the information.
d. Accessing information that the workforce member is not authorized to access in the course of their work and does not have a need to know to perform their job duties.
e. Sharing information related to confidential Human Resources actions.
f. Breach of confidentiality agreements regarding the disclosure of confidential information that is subject to a duly signed confidentiality agreement.
g. Discarding PHI and confidential documents in non-secured trash; immediate shredding or secured shredder bins must be used.

3. Examples of Types of Patient Information that Must Be Protected Include:

3.1 Patient information must not be accessed, removed, discussed with or disclosed to unauthorized persons, either inside or outside of the organization, without the proper consent of the patient.

3.2 All individuals having access to confidential information are bound by strict ethical and legal restrictions on the release of medical data.

3.3 Workforce members may not disclose to a third party, including his/her own family, information learned from medical records, patient encounters, patient accounts, management information systems, or any other confidential sources during the course of his/her work.

3.4 No individual may access confidential information that they do not have a need to know to carry out their job duties.

3.5 Employees may not access, release or discuss the medical information of other employees without proper consent, unless the employee must do so to carry out specific assigned job functions.

3.6 Workforce member patient information should never be accessed for employment reasons.

3.7 Workforce members may not access their own, or their families', medical, billing or scheduling information.

4. Examples of Types of River Hills CHC Information that Must Be Protected Include:

4.1 Ongoing business or contractual negotiations (contracts, leases, purchases).

4.2 Pending litigation and/or investigations (personnel, compliance, etc.).

4.3 Proprietary information (e.g., information that allows River Hills CHC to be more competitive in the marketplace; an innovative approach that is described in a grant proposal).

4.4 Confidential commercial or financial information.

4.5 River Hills CHC information may not be accessed, removed, altered or disclosed unless River Hills CHC management has given proper authorization.

5. Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Reference(s)

6.1 Health Insurance Portability and Accountability Act of 1996 (HIPAA) at 45 C.F.R. § 164.308; § 164.530

6.2 The American Recovery and Reinvestment Act of 2009 (ARRA), Division A, Title XIII, Part 2, Subtitle D (Privacy), Sec. 13400; Sec. 13402 of the HITECH Act