Protecting Hospital PHI When It's Shared With Independent Practices

By HCCA Staff

These templates can help hospitals develop remote user system access request forms and confidentiality agreements for independent physician practices that are allowed to access the hospital’s electronic health record systems for patients they share, says Alexander Laham, information security manager at Lawrence General Hospital in Massachusetts. Contact him at alexander.laham@lawrencegeneral.org.

REMOTE OFFICE USER

CONFIDENTIALITY AGREEMENT

I understand that {COMPANY} has a legal and ethical responsibility to safeguard the privacy of all patients and to protect the confidentiality of their health information. Additionally, {COMPANY} must assure the confidentiality of its human resources, clinical, payroll, fiscal, computer systems, and management information (collectively, “Confidential Information”).

In the course of my duties, as a remote user of {COMPANY} systems, I understand that I may come into the possession of Confidential

Information while accessing designated computerized information systems.

I further understand that I must sign and comply with this agreement to get authorization for access to any of {COMPANY} Confidential Information.

  1. I will not disclose or discuss any Confidential Information with others, including friends or family, who do not have a need to know it. In addition, I understand that my personal access code, user ID(s), and password(s) used to access computer systems are also an integral aspect of this Confidential Information.

  2. I will not access or view any Confidential Information, or utilize equipment, other than what is required to do my job.

  3. I will not access my own patient account/medical record or that of family or friends. I understand I have a right as a patient to view this information but must do so through the proper channels via the medical records department or my physician for the medical record, and patient accounting for billing information.

  4. I will not discuss Confidential Information where others can overhear the conversation (for example, in hallways, elevators, in the cafeteria, on public transportation, in restaurants, and at social events). It is not acceptable to discuss Confidential Information in public areas even if a patient’s name is not used. Such a discussion may raise doubts among patients and visitors about our respect for their privacy.

  5. I will not make inquiries about Confidential Information on behalf of other personnel who do not have proper authorization to access such Confidential Information.

  6. I will not willingly share my computer password or knowingly use another person’s computer password instead of my own for any reason.

  7. I will not make any unauthorized transmissions, inquiries, modifications, or purging of Confidential Information in {COMPANY} computer system. Such unauthorized transmissions include, but are not limited to, removing and/or transferring Confidential Information from {COMPANY} computer system to unauthorized locations using any type of portable media.

  8. I will log off any computer or terminal prior to leaving it unattended as to prevent unauthorized use of my user account.

  9. I will comply with any security and privacy standards outlined in this agreement promulgated by {COMPANY} to protect the security and privacy of Confidential Information.

  10. I will immediately report to my supervisor and/or {COMPANY} Information Services any activity, by any person, including myself, that is a violation of this Agreement. The transgression must be reported to the Information Security Manager for review.

  11. I agree that my privacy obligations under this Agreement will continue after the termination of my employment/services.

  12. I understand that my account will be disabled after 60 days of inactivity. Re-activation will require validation of identity via my supervisor and the {COMPANY} Information Services department.

  13. I understand the violation of this Agreement may result in adverse action up to and including termination of my ability to work at or on behalf of {COMPANY}, and/or suspension and loss of privileges, in accordance with {COMPANY} Policies and Procedures. In addition, under applicable law, I may be subject to criminal or civil penalties.

  14. I further understand that all computer access activity is subject to audit and the status of my employment with the remote office will be validated periodically.

By signing this document, I understand and agree to the following:

I have read the above agreement and agree to comply with all its terms.

Signature of remote user: _______ ________

Print Name: _________________________________ Date:

Company (Office): __________________________________

Please return to {COMPANY} Information Systems Rev 1.2018

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings