S2AY Network Administrative Manual
Reviewed February 29, 2016
Reviewed February 28, 2017
CONFIDENTIALITY OF PROTECTED HEALTH INFORMATION (PHI)
POLICY:
The Agency will treat all protected health information as confidential.
PURPOSE:
To ensure confidentiality of all protected health information.
REFERENCE(S):
HIPAA Privacy and Security Standards 164
Public Health Law 2786, 206 subpart 50-4 titled "Intra-agency Access to and Disclosure of Personal Health-Related Information"
DEFINITION:
Protected Health Information (PHI) includes information:
- created or received by a health care provider, health plan, employer or health care clearinghouse (billing service); and
- related to the past, present or future physical or mental health or condition of an individual, the provision of health care to any individual, or the past, present or future payment for the provision of health care to an individual, and
- that identifies the individual, or
- when there is a reasonable basis to believe that the information can be used to identify the individual.
Privacy Officer: The HIPAA Privacy Officer is responsible for the oversight of Privacy Rule implementation by departments with HIPAA covered components. The Privacy Officer is responsible for:
- The implementation of the privacy policies and procedures of the Organization
- The receipt of privacy complaints
- The provision of further information about matters covered by the Notice of Privacy Practices
- Acting as a single point of contact for all issues related to HIPAA privacy
- Monitoring workforce compliance with the Privacy Rule
Security Officer: The HIPAA Security Officer is responsible for the oversight of Security Rule implementation with HIPAA covered components. Responsibilities are:
- Monitor the administrative safeguards as outlined in the Confidentiality of PHI policy, and workforce compliance
- Verify that access to electronic protected information (HCS access, IT access) is terminated when a workforce member’s employment ends.
- Identify and respond to suspected or known security incidents.
GENERAL INFORMATION:
“Confidentiality” of individual information covers all means of communication and transmission: including, but not limited to, electronically stored, written, oral, original and copied information.
It is the responsibility of the Privacy Officer and the Security Officer to monitor compliance with the privacy and security of PHI.
Any breach of confidentiality may subject the offender to disciplinary action, civil and/or federal prosecution.
PROCEDURE:
The following safeguards will be instituted and monitored regularly to ensure confidentiality:
- All Agency workforce will either sign the Agency Confidentiality Statement (see attached) upon hire and annually thereafter or abide by contractual requirements.
- Agency workforce will communicate and access only the minimum necessary information to perform the duties contained within their job responsibilities to provide care and services.
- Conversations that include sharing confidential information are not permitted any place where others may overhear.
- All requests for release of information will be directed to the Privacy Officer/Designee. (See Release of Information policy and procedure.)
- All Agency workforce are responsible for reporting any breaches of confidentiality to their Supervisor, who will report to the Privacy Officer/Designee.
- All records containing PHI or pertaining to individuals served must be maintained in a secure area, accessible to employees or contractors authorized for such access.
- Records stored in general areas must be locked at all times when authorized employees are not in attendance.
- Information stored in offices or program areas must be secured and accessible to authorized personnel only.
- When it is necessary for documentation to be taken from the Agency or created in the field, the workforce is responsible for ensuring all documentation remains in their direct control until brought back into the Agency.
- When documentation is retained in the individual's home, Agency workforce is responsible for advising the individual that it is their responsibility to limit access to their own information.
COMPUTER USE and ACCESS
- Computer use and access is determined by job functions. Only authorized persons may access the Agency’s computers or network.
- Employees or contractors may not share passwords or identity with any other person or allow another person access to the computer with their password.
- Information Technology personnel must be notified immediately upon the decision to terminate an employee or contractor in order to initiate access restrictions.
- Information pertaining to individuals served may not be loaded onto other computer systems without the approval of the (identify county individual here) and the appropriate safeguards to prevent unauthorized access or disclosure.
- Computer screens should be shielded or located in a manner that prevents access by unauthorized personnel.
- Employees or contractors must exit any programs or files containing PHI before leaving the computer unattended. A password-protected screensaver should be used when computers are unattended.
- All e-mail messages must contain a confidentiality statement and include the identity of the Agency employee or contractor sending the message.
- No PHI should be emailed outside of the Agency’s network unless it is encrypted.
- Missing or stolen laptops or other portable devices must be immediately reported to Information Technology personnel.
FAX:
- All fax transmissions must include a cover page including the name and phone number of both the sender and the recipient. All cover pages must include a confidentiality statement.
- Fax machines should be located in an area that prevents unauthorized access or disclosure of confidential information.
- Authorized personnel should remove faxes and deliver them to the recipient directly or place the document in an interdepartmental envelope for delivery.
- Fax machines should be monitored on a routine basis for the receipt of messages.
PRINTERS:
- Employees or contractors are responsible for retrieving print jobs containing confidential information promptly upon printing.
- Authorized personnel who remove print jobs from a shared printer should deliver the material to the recipient directly or place the information in an interdepartmental envelope for delivery.
MAIL:
- Personnel are designated by job function to distribute mail within the Agency.
- All interagency mail must be placed in an interdepartmental envelope and include the name and department of the recipient.
- Employees and contractors are responsible for removing mail from mailboxes on a regular basis. During absences, other personnel should be assigned the responsibility for retrieving and securing the mail.
- Employees or contractors should not open the mail of others unless authorized to do so by the appropriate program administrator.
CELL PHONE and MOBILE DEVICES:
- Mobile devices should not be used to email PHI unless the device has been encrypted and the Agency has authorized such use. Email by its very nature uses an insecure protocol. There are a number of risks, including the possibility of data interception.
- Texting of PHI is prohibited without a signed Email and Texting Consent (See Use of Email and Text Messaging Policy in the Administration Manual). Text messages are generally not secure because they lack encryption, and the sender does not know with certainty the message is received by the intended recipient. Also, the telecommunication vendor/wireless carrier may store the text messages.
- Missing or stolen work related mobile devices must be reported immediately to your Supervisor who will notify the Privacy/Security Officer.
GUARANTEE OF WORKFORCE MEMBER RETAINING CONFIDENTIALITY
- It is your responsibility to know the agency's administrative policies explaining confidentiality. The policies are titled:
  - Confidentiality of PHI
  - Access to Information
  - Disclosure of PHI
  - Breach Notification and Investigation
- The policy titled Release of Information is used by a Privacy Officer/Designee as a reference guide to release records. ONLY a Privacy Officer/Designee can release patient/client records.
WORKFORCE CONFIDENTIALITY STATEMENT
As a workforce member of ______, I understand and agree to the following:
- I am required, when necessary to perform the specific tasks of my job, to have access to and am involved in the processing of personal health related information.
- I am obligated to maintain the confidentiality of this information at all times, both at work and off duty.
- I may not remove from the unit or copy documents or computer data containing health related information unless acting within the scope of my assigned duties.
- I may not discuss the content of such documents or computer data with any person unless that person is authorized to have said access. In addition, I will maintain my user ID and password against unauthorized use.
- I may not discriminate, abuse or take any adverse action directed toward a person to whom personal health related information applies.
I have read the above and understand my responsibilities in maintaining the confidentiality of personal health related information. I understand that violation of confidentiality statutes and rules may lead to disciplinary action or criminal prosecution.
Furthermore, I understand that this form will be placed in my personnel file.
WORKFORCE ATTESTATION OF HIV / AIDS CONFIDENTIALITY
As a Workforce Member of the ______, I hereby acknowledge that I have received and reviewed a copy of Public Health Law Title X Part 63 HIV/AIDS Testing, Reporting and Confidentiality of HIV-related Information. I will abide by the appropriate laws, regulations and agency protocols regarding the confidentiality of protected information. I further agree to respect the confidentiality and security measures that apply to HIV/AIDS surveillance and electronic records and will in no way jeopardize the security of the data collected.
I swear (or affirm) that I have read and do understand the Health Department Regulations 50-4.3 (b), 50-4.7 (b) and 50-4.8 of the New York State Department of Health titled "Intra-agency Access To and Disclosure of Personal Health Related Information". I further understand that said regulations apply to any position(s) that I might hold with the Health Department.
Therefore, I do further swear and attest that I will faithfully adhere to the above regulations in the execution of my responsibilities as a workforce member of the ______. I further attest that I understand that a violation of confidentiality statutes and rules may lead to disciplinary action or criminal prosecution.
I further acknowledge review and understanding of the code of ethics and the Mission, Vision & Values Statement.
Name: Date:
Signature: