Common use of Clerk Clause in Contracts

Clerk: Guess who I just saw being treated in the clinic downstairs?
Coworker: Who?
Clerk: It was TH, the guy who works in information systems!
Coworker: I wonder what’s wrong with him?
Clerk: Let’s see if I can find him in the electronic health information system so we can find out. I’ll keep you posted!

Will the clerk violate the patient’s privacy?

You are required to review and comply with the relevant privacy and IT security policies, including:
• Acceptable Use Policy for County Information Technology Resources (DHS Policy 935.20)
• Safeguards for Protected Health Information (DHS Policy 361.23)

You are provided with these policies for acknowledgment during in-processing. These policies must also be reviewed each year as part of your Performance Evaluation. You are required to sign an agreement to abide by them.
• The County’s information technology resources are the property of the County and are to be used for authorized business purposes only.
• You are responsible for protecting all information created using County resources and your access is a privilege that may be modified or revoked at any time for abuse or misuse.
• DHS may log, review, or monitor any data you have created, stored, accessed, sent, or received, and these activities may be subject to audit.

Safeguards are actions that are taken to protect confidential information from accidental or intentional unauthorized viewing, acquisition, access, use, or disclosure. They can include administrative, physical, and technological steps to reduce the risk of improper access, use, or disclosure of PHI.

Include the development of policies and procedures, providing privacy and security training, the development and implementation of a complaint and reporting process, and disciplinary actions for violations.
Include securing buildings and equipment, as well as activities such as locking paper medical records in file cabinets or rooms, shredding paper records, and ensuring all exterior doors to buildings, other than designated entrances and exits are locked at all times.
• Placing computers, copiers, and fax machines so they cannot be accessed or viewed by unauthorized persons.
• Protecting computers and other electronic media and devices against theft or unauthorized access.
• Maintaining servers and mainframes in a secure area where physical access is controlled.
• Ensuring that all areas used to store PHI are properly secured and allow only authorized personnel to have access.
• Limiting physical access to view or retrieve medical records or other patient information to authorized users.
• Ensuring windows, all exterior doors, other than designated entrances and exits, and other building access points are secured or locked at all times.

Protect PHI maintained in electronic form:
• Always lock (press Ctrl-Alt-Del and select “Lock Workstation”) or log off when you leave the computer even if it is for a short period of time.
• Require computers and other electronic devices to have a password-protected screen saver or other time-out feature.
• Use strong passwords with at least 8 characters, such as a combination of upper/lower case letters, numbers, and/or special characters.
• Keep computer passwords confidential, and do not leave them where they can be seen or accessed.
• Do not use your password to provide access to another user.
• Frequently change your password.
• Be aware of your departmental system downtime procedure, should any automated systems such as patient care or billing become unavailable.
• Laptops, thumbdrives, and other electronic devices containing PHI must be encrypted.
• Keep electronic records related to patients, such as lab reports, correspondence, and other patient or confidential information out of publicly accessible areas or any place where it might be thrown in the trash.
• Exercise caution when unauthorized persons are visiting or completing a temporary assignment in the workplace to protect PHI from inadvertently being viewed. Use caution to avoid inadvertently allowing access or viewing to individuals who do not have a business need to know.

Is this ok? Why or why not?

WFM: Hi ▇▇▇, I’ve been calling Information Systems to reactivate my account but they’re so busy they can’t get to me for another few days. Will you log in for me with your user name and password so I can get this high-priority assignment done?
Coworker: Sure, let me do that for you right now. Just make sure to log off when you’re done with your assignment.

What is wrong with this scenario?

Safeguarding confidential or patient information is your responsibility. The policies described below must be followed to help safeguard confidential and patient information.
• If you need to fax confidential or patient information, you must indicate on the fax that it is confidential (use the fax cover sheet established by your facility).
• Call and advise the receiving party when the fax is ready to send and ask the individual to confirm receipt.
• Use pre-programmed fax numbers as much as possible.
• If the fax is sent to the wrong person by mistake, immediately inform your supervisor.
• Misdirected faxes sent outside the facility must be investigated and reported to the facility Privacy Coordinator.

If you receive a misdirected fax indicating it contains confidential information, do not read through it. Contact the sender and advise that you received the fax in error and destroy the information.
All e-mail communications containing patient, confidential, and/or sensitive information to someone outside of the County’s e-mail system must be encrypted to comply with State and federal privacy laws and DHS policies. E-mail addresses outside of the County’s e-mail system that do not end with “.▇▇▇▇▇▇▇▇.▇▇▇.” as for example: @▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇, @▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇, @▇▇.▇▇▇▇▇▇▇▇.▇▇▇, etc.
• There must be a business need.
• You must have specific authorization from your supervisor to send encrypted e-mails containing patient, confidential, and/or sensitive information.
• Once you are authorized by your supervisor, you must contact your local IT Help Desk to be added to the e-mail encryption solution group. Must comply with the Minimum Necessary Requirements.
• Send the recipient an un-encrypted e-mail notifying them they will be receiving an encrypted e-mail and instructions on how to open it.
• Once you have been authorized and added to the e-mail encryption solution group, then you will have the ability to send a secure e-mail. You must add the word “Secure” in square brackets [Secure] in the subject line of the e-mail.

Incoming e-mail containing ePHI, confidential, or sensitive information must be kept secure.

E-mail must not be used for urgent communications; it may be used as follow-up after a phone call to document the discussion.

Exercise care when discussing or providing patient information:
• Use lowered voices.
• Do not talk about patient care in public areas like elevators, the cafeteria, or public transportation.
• In joint treatment areas, be mindful of what you say even when the curtain is closed.
• Be careful when leaving a voice mail message.
• On public transportation, make sure you use a security screen on your laptop, and keep paper materials out of public view.

Doctor: ▇▇. ▇▇▇▇▇▇▇?
Patient in middle bed: Yes, that’s me.
Doctor (in a normal speaking voice, with curtains open): ▇▇. ▇▇▇▇▇▇▇, your lab results have come back and you have been diagnosed with cirrhosis of the liver.
▇▇. ▇▇▇▇▇▇▇: Oh my gosh, what does this mean?
Doctor: Well ▇▇. ▇▇▇▇▇▇▇, this means that you have a scarred liver as a result of your chronic alcoholism.

Question: Name four actions that can be done to comply with the HIPAA Privacy Rule and protect the patient’s privacy?

Appears in 3 contracts

Sources: Acceptable Use and Confidentiality Agreement, Agreement for Acceptable Use and Confidentiality, Agreement for Acceptable Use and Confidentiality