1 Northwestern Memorial Hospital DEPARTMENTAL POLICY Subject: DEPARTMENTAL ADMINISTRATION Title: 1 of 11 Revision of: NEW Effective Date: 01/09/03 I. PURPOSE: This policy defines general behavioral guidelines to safeguard and control the dissemination of patient information and defines procedures for access and use of electronic patient information contained in our Clinical Information Systems (CIS) and, specifically, the Electronic Medical Record (EMR). This policy outlines appropriate behaviors and expectations for use of patient information contained in any CIS application at Northwestern Memorial Hospital (NMH) and provides specific procedures on how to access to electronic patient information contained in our Cerner PowerChart Electronic Medical Record (EMR). II. DEFINITIONS: A. Appropriate Access: Providing an Eligible User timely access to patient specific information that is necessary to perform his or her professional responsibilities. B. CIS: A collection of Clinical Information System (CIS) applications that maintain patient health information at Northwestern Memorial Hospital (NMH). Currently our CIS includes the PowerChart application. The CIS Department is an entity within Information Services which develops and maintains the Electronic Medical Record (EMR). C. Consultants: External Consultants to NMH will be granted access to the CIS/EMR based on Need to Know as determined by a Manager or Director in the NMH department that is responsible for the work performed. For Consultants providing patient care services, access will be granted and managed by the appropriate Patient Care Department. For Information Services Consultants who provide systems and technical support to our CIS, access will be granted and managed by the CIS Department in Information Services. D. Eligible Individual of the EMR: Access to the Clinical Information Systems is limited to individuals performing specific patient care processes that require a Need to Know. E. EMR: Electronic Medical Record. The electronic medical record is defined as any form of patient information that is maintained electronically by our Clinical Information System Applications (CIS). F. Patient information: Any patient identifiable medical data that can be viewed through an application within the Clinical Information Systems. Patient identifiable medical data includes: clinical results, patient demographics, procedures, and encounter information. G. Position: An application system term, the position defines the type and amount of access a user has within the CIS. H. Need to Know: Information needed to provide and/or support quality patient care processes that are directed at the provision of health care to an individual; the past, present, or future payment for the provision of health care to an individual; or health care operational activities, as defined by an individual s professional responsibilities to the patient and/or the facility. Health care operational activities would include compliance, accreditation, licensing, certification and all other administrative activities. I. Regulatory Reviewers: Regulatory reviewers will be granted access to the CIS based on Need to Know as determined by a Manager or Director in the Medical Records Department. The Medical Records Department will grant and manage access for regulatory reviewers performing or supporting health care operational activities.
2 2 of 11 J. Remote Access: Application used to provide access to clinical applications through external Internet connections outside of the organization. Data viewed through Remote Access is 128 bit encrypted, complying with current industry best practices and legal standards. K. Secure ID: Secure Identification (ID) is a physical token used for access authentication in the Remote Access application. Secure ID is changed every 60 seconds with a randomly selected 6-digit number. L. Security Model: The technical structure which provides ease and timely access to patient health information, through the EMR, without compromising patient s privacy or care through inappropriate use or inadequate information. M. Vendors: Any organization providing goods or services to NMH, not in a consultative capacity, will be granted access to the CIS based on Need to Know as determined by a Manager or Director in the Medical Records Department. Access will be granted based on the specific job function defined in the signed NMH Purchase Order or Vendor Agreement. III. POLICY: A. Security of Electronic Patient Information: Data security is an important consideration for everyone who utilizes the Clinical Information Systems at NMH. The electronic patient information access policy, standards and procedures specifically address confidentiality, security and protection of our clinical information. This policy applies to any individual that is granted electronic access (including remote access) to our clinical information systems and EMR at Northwestern Memorial Hospital. NMH has a legal and ethical obligation to ensure the confidentiality and security of Patient Information and individuals granted access to patient information are personally responsible for ensuring that the privacy of our patients is always protected. B. Individual Responsibilities to Ensure Confidentiality and Security: To ensure protection of our patient s privacy, individuals granted access to electronic patient information are required to demonstrate behavior that supports patient confidentiality at all times. Many of these behaviors are outlined in the Confidentiality Policy 1.46, our NMH Confidentiality Agreement as well as the Patient Care Policy Medical Records Personal obligations in this area are explained below and individuals are required to read and to abide by these duties. The violation of any of these duties will subject an individual to discipline or termination from NMH. Disciplinary action may include, but is not limited to, loss of privileges to remote access of patient information, loss of privileges at NMH, and to civil fines, penalties, judgments, and/or criminal sanctions, including imprisonment. 1. The medical record is the property of the Hospital and is maintained for the benefit of the patient, the Medical Staff and the Hospital. The information contained within the record, including all forms of electronic patient information, is the property of the patient and cannot be released to individuals not otherwise authorized, without the written consent of the patient, a subpoena, court order or statute. 2. Only authorized users with a Need to Know should access clinical data on an individual patient. 3. Individuals will not misuse or carelessly care for confidential patient information or in any way use, divulge, copy, release, sell, loan, review, alter or destroy any confidential patient information. This includes, but is not limited to, non-irb approved research or third party marketing activities, except as authorized within the scope of their professional activities as a member of the NMH medical staff for patient treatment, billing or healthcare operations; as authorized by the patient or his or her legal representative; or as required or permitted by law.
3 3 of Individuals will safeguard and will not disclose their personal access code or any other access device that permits access to confidential patient information, e.g., never share personal access codes, passwords or devices with any other person; or allow anyone else to access or alter confidential patient information under their identity. To report any lost or stolen access code or device contact the Help Desk at HELP so it may be deactivated. Individuals accept personal responsibility for all activities undertaken using assigned access codes or devices and will be responsible for misuse or wrongful disclosure of confidential patient information and for failure to safeguard access codes or devices. 5. For individuals who are Non-NMH personnel that directly support Physicians, the Physician or the Physician s Practice assumes responsibility for ensuring their support staff fully comply with this policy and the behaviors specifically outlined in this policy. 6. NMH has the right to monitor and audit the activities undertaken through the use of personal access codes or devices and users agree to cooperate with any investigations regarding unauthorized or improper use of confidential patient information accessed using personal access codes or devices. 7. Activities by any individual or entity that are suspected of compromising the confidentiality or security of confidential patient information must be reported. Reports made in good faith about suspect activities will be held in confidence to the extent permitted by law, including the name of the individual reporting the activities. 8. Personal obligations to protect our confidential information under this Agreement will continue after termination of privileges to access of patient information or loss of privileges as a member of the NMH medical staff. Access privileges hereunder are subject to periodic review, revision and if appropriate renewal. 9. Individuals have no right or ownership interest in any confidential patient information referred to in this Agreement. NMH may at any time revoke personal access codes, devices, or access to confidential patient information. At all times while exercising privileges individuals will safeguard and maintain the confidentiality of all patient information. C. Eligibility: Access to electronic patient information will be granted to an individual on a Need to Know basis. Eligible Users must only access/view information that they have a legitimate Need to Know, regardless of the extent of access provided. Need to Know is information needed to provide and/or support quality patient care processes that are directed at the provision of health care to an individual or the past, present, or future payment for the provision of health care to an individual. These processes are defined by an individual s professional responsibilities to the patient and the facility as noted below: 1. Northwestern Memorial Hospital Employees 2. Volunteers, Students, Nursing, Allied Health 3. Physicians (Attendings, Resident/House staff and Medical 3 rd or 4 th year Students) 4. Non-NMH Personnel (For Physician Staff support, Physicians must determine eligibility for their support staff) 5. Patient Care Consultants 6. Information System Consultants
4 4 of Regulatory Reviewers 8. Vendors For individuals not listed above who do require access to meet specific job requirements such as research, a specific patient authorization or IRB waiver must be obtained in order to establish a Need to Know and obtain access to the EMR. Refer to the Approval to Conduct Research patient care policy 5.43 for further information. For our patients and legal guardians of patients who have the right to review their own Medical Record, these groups may access the paper Medical Record in accordance with the Patient Care D. Right to Audit NMH believes auditing is an essential function of safeguarding the confidential patient data from inappropriate use. Through the use of system tools and technical functionality NMH has the right, without prior notice, to conduct system audits to ensure a secure environment in which patient information is stored. The CIS Department within Information Services is responsible for the technical and physical aspects of securing patient information. NMH Medical Leadership and the Medical Records Committee are responsible for the management of processes related to auditing the EMR and reporting violations to the appropriate parties as necessary. E. Reporting Breaches of Security It is every employee s duty to report suspected or known instances of wrongdoing. Prompt, accurate and thorough disclosure of these occurrences is not only an expectation of employees but is an obligation and a requirement of any employed position. Below are the two methods by which an instance of wrongdoing may be reported: 1. An individual may report an instance of wrongdoing by contacting and reporting full details to their immediate Manager in accordance with the NMH Corporate Integrity Reporting Wrongdoing Policy Managers will then assess the report and contact Corporate Integrity and other appropriate departments for assistance as outlined in the Reporting Wrongdoing policy. 2. To anonymously report a breach in security and confidentially at any time, an individual may contact Corporate Integrity Action Line at F. Sanctions for Breach of Security Disciplinary action will occur in accordance to Human Resources 4.65 or the Medical Staff bylaws. Corporate Integrity may involve Senior Management, Office of the General Counsel and the Director of Human Resources if necessary to facilitate an investigation. IV. ACCESS PROCEDURE: A. Granting Access (for Cerner Powerchart EMR): 1. Sign Appropriate Access and Confidentiality Agreement. The review and signature of an agreement outlining the basic principles of this policy and key confidentiality statements will be required in order to obtain access to NMH s clinical information systems as well as remote access. The form necessary will depend upon the individual s function or job responsibility (See instructions in #3-7 below). Agreement Applicable Party/ Responsibility NMH Confidentiality Agreement All individuals granted CIS/EMR access NMH Remote Access and Confidentiality Physicians
5 5 of 11 Agreement Confidentiality Contract Regarding Access to Patient Information Vendor Access and Confidentiality Agreement Non-NMH Personnel who support Physicians. Note: Physicians will be required to sign this agreement on behalf of their staff. Vendors, Patient Care and Information System Consultants, Regulatory Reviewers 2. Complete Training. In general, there are two avenues through which an individual (user) may receive EMR Access. All eligible users are able to utilize either of these options: a) Training Course: This course would be available after signing the NMH Confidentiality Agreement. (Refer to General Administration Confidentiality policy #1.46.) This course will teach the new user how to use the Clinical Information System as well as the importance of viewing patient data on a Need to Know basis only. After completing the course the user will need to pass Competency Test. b) Computer Based Training: This will be available to the user after signing the NMH Confidentiality Agreement. This CBT will teach the user how to use the Clinical Information System as well as the importance of viewing patient data on a Need to Know basis only. After completing the course the user will be required to pass a Competency Test. 3. Departmental User Access to CIS: Submit Computer Access Request Form. The department manager (Level one or above) is the data gatekeeper for his/her department and is responsible for ensuring this policy is applied to all individuals in the department using Clinical Information Systems. Therefore, it is the responsibility of Management to determine what kind of access the employees will granted. Once an access need is identified by the department Manager, the attached Computer Access Request Form must be completed and sent to the IS Customer Response Unit (CRU) System Administrator by the Manager. This form is also located on the NMH Intranet in the Forms folder. Access to specific system functions will then be provided based on a predefined role-based security access model. 4. Physician Access to CIS: Physicians will obtain, from the Medical Staff Office (MSO), a standard NMH Confidentiality Agreement and the Computer Access Request Form to review and sign. Both signed forms be completed and sent to the CRU System Administrator. The CRU will then contact the Physician with the user login name and password. 5. Medical Students and Residents Access to CIS: Medical Students will gain access to NMH s CIS through submission of a student list generated annually by the Associate Dean. A list of all students requiring access for the year is submitted to NMH s Customer Response Unit (CRU) for ID generation and the access codes are then distributed to all students. For Residents, Medical Affairs obtains a list of Fellows and Residents requiring access to the CIS from the University Office of Graduate Medical Education. This list is submitted to NMH s Customer Response Unit (CRU) for ID generation and the final list of access codes is distributed during Resident s Orientation or PowerChart Training Class.
6 6 of Physician Remote Access: Submit Physician Remote Access Request Form (for SecureID). Remote Access will provide the ability for a selected group of NMH clinical personnel to access patient information contained in the CIS through external Internet connections. To gain access to the applications, a Secure ID card is required. The username and PIN provide the first level of security. The Secure ID attached to the PIN to create the password for logging into Remote Access is a second level of security. The Medical Staff Office will distribute the Secure ID after a signed Remote Access and Confidentiality Agreement and Physician Remote Access Request Form has been obtained. The Secure ID card can only be obtained in person. 7. Physician Staff Remote Access: Physician will obtain, from the Medical Staff Office (MSO), a packet of information including the NMH Confidentiality Contract Regarding Access to Patient Information, NMH Confidentiality Policy and the SecureID Card. The Physician will complete the NMH Confidentiality Contract along with a list of each staff person s name, social security number and position required and return the documents to the MSO. The Medical Staff Office will then send the Powerchart ID information with the Contract to the IS CRU ( address name: CRU System Admin ) for processing and will send the SecureID card information to IS Security Administration ( address name: Secure ID Admin ). The CRU will the Physician requesting access for his/her staff the individual staff passwords. Each staff member will then read and sign the NMH Confidentiality Contract and the Physician will file and maintain this information in individual personnel files. B. Termination of User In the event that a user either leaves NMH, or a job change occurs where it is determined that the individual no longer needs access to electronic patient information it is the employee s Manager Responsibility to assure the user will be inactivated from all clinical information systems. (Refer to Human Resources Policy 4.77). For Physicians, the Medical Staff Office will assure that access to all clinical information systems is no longer available. C. Transferring of NMH Roles If a user obtains a different Human Resource position within NMH, it is the responsibility of the user s manager to verify he/she has the appropriate access needed to perform the job function.
7 7 of 11 RESPONSIBLE PARTY: Jody Arnoult Project Director, Clinical Information Systems Electronically Approved: October 30, 2002 REVIEWERS: Information Services Vice President and Directors Corporate Integrity Executive Medical Affairs Medical Records Director Office of the General Counsel COMMITTEES IT Policy Committee APPROVAL PARTIES: Tim Zoph Vice President, Information Services Electronically Approved: October 30, 3002 Dean M. Harrison President & CEO, Northwestern Memorial Hospital Electronically Approved: January 9, 2003
8 8 of 11 REMOTE ACCESS AND CONFIDENTIALITY AGREEMENT Security and confidentiality is a matter of concern for all persons who have access to Northwestern Memorial Hospital s ( NMH ) information systems. Each person accessing NMH data and resources holds a position of trust relative to this information and must recognize the responsibilities entrusted in preserving the security and confidentiality of this information. Therefore, all persons who are authorized to access data and resources, both through enterprise information systems and through individual department local area networks and databases, must read and comply with NMH policies. Patient information is valuable and sensitive and is protected by federal and state laws and by strict NMH policies. The intent of these laws and policies is to assure that patient information will remain confidential - that is, that it will be used only as necessary to accomplish the organization's mission. In that you have requested that NMH permit you to have remote access to confidential patient information for the purpose of patient care, you agree to conduct yourself in strict conformance to applicable state and federal laws and NMH policies governing confidential patient information. Your principal obligations in this area are explained below. You are required to read and to abide by these duties. The violation of any of these duties will subject you to discipline, which might include, but is not limited to, loss of privileges to remote access of patient information, loss of privileges at NMH, and to civil fines, penalties, judgments, and/or criminal sanctions, including imprisonment. Accordingly, as a condition of and in consideration of NMH s provision of your remote access to confidential patient information, you promise that: 1. You will use confidential information only as needed to perform your legitimate duties as a physician of patients or a clinician in direct support of a physician affiliated with NMH. This means, among other things, that: A. You will only access confidential patient information for which you have a need to know; and B. You will not in any way use, divulge, copy, release, sell, loan, review, alter or destroy any confidential patient information, including but not limited to third party marketing activities, except as authorized within the scope of your professional activities as a member of the NMH medical staff for patient treatment, billing or healthcare operations; as authorized by the patient or his or her legal representative; or as required or permitted by law; and C. You will only use confidential patient information for research purposes in accordance with an IRB waiver or with prior written patient authorization. D. You will not misuse or carelessly care for confidential patient information. 2. You will safeguard and will not disclose your access code or any other access device that allows you to access confidential patient information, e.g., never share your access code or device with any other person; or allow anyone else to access or alter confidential patient information under your identity. You accept responsibility for all activities undertaken using your access code or device. You agree to report any lost or stolen access code or device to the Help Desk at HELP so it may be deactivated. 3. You understand and acknowledge that NMH has the right to monitor and audit the activities undertaken through the use of your access code or device and agree to cooperate with any investigations regarding unauthorized or improper use of confidential patient information accessed using your access code or device 4. You will report activities by any individual or entity that you suspect may compromise the confidentiality or security of confidential patient information. Reports made in good faith about suspect activities will be held in confidence to the extent permitted by law, including the name of the individual reporting the activities. 5. You understand that your obligations under this Agreement will continue after termination of your privileges to remote access of patient information or loss of privileges as a member of the NMH medical staff. You understand that your remote access privileges hereunder are subject to periodic review, revision and if appropriate renewal. Initial
9 9 of You understand that you have no right or ownership interest in any confidential patient information referred to in this Agreement. NMH may at any time revoke your access code, device, or access to confidential patient information. At all times during your privileges as a member of the NMH medical staff, you will safeguard and maintain the confidentiality of all patient information. 7. You will be responsible for your misuse or wrongful disclosure of confidential patient information and for your failure to safeguard your access code or device. You understand that your failure to comply with this Agreement may also result in loss of privileges to remote access of confidential patient information, loss of privileges, legal liability and disciplinary action or corrective action with accordance to hospital and Medical Staff policies. Physician Signature Date Printed Name
10 10 of 11 NORTHWESTERN MEMORIAL HOSPITAL CONFIDENTIALITY CONTRACT REGARDING ACCESS TO PATIENT INFORMATION INTRODUCTION: This Confidentiality Contract has been established to ensure that access by non-nmh employees to patient information is protected and is in compliance with NMH policies, state and federal laws, and accrediting agencies. This contract is to ensure that individuals requesting access to information have been authorized and need access in order to perform their duties for patient care, continuity of care and/or administrative review. CONTRACT PROVISIONS: In that I have requested that NMH permit the designated staff members listed in Exhibit A to have access to patient information for the purpose of (please check all that apply): ρ ρ ρ Patient care/continuing care Benefits/utilization/quality review Billing ρ Other (Specify) 1. I agree to maintain the confidentiality of patient information in accordance with the NMH Confidentiality Policy, as amended from time to time, attached hereto as Exhibit B. I agree to keep a copy of such polices available to my staff at all times. 2. I agree to review the NMH patient information policies with my staff and instruct them as follows: υ υ They are to access information only as necessary to carry out the responsibilities of their employment. They are to maintain the confidentiality of patient information in accordance with the NMH Confidentiality Policy. υ Violation of patient confidentiality may be subject to corrective action up to and including termination of employment and/or suspension and loss of privileges. 3. I agree to obtain from each one of my staff members who uses or has access to patient information a signed NM Confidentiality Statement, in the same form as that of Exhibit C, stating that he or she has been informed and understands the NMH Confidentiality Policy and will comply with such policy. I will maintain that statement in the employee s file and update it annually. 4. I agree that NMH may, at its sole discretion, revoke access to patient information at any time. I understand that access may be revoked in the event of a breach of patient confidentiality by me or any of my employees. I agree to immediately suspend or terminate further access to information by any employee if so requested. 5. I agree to adopt policies and procedures that meet the NMH standard with regard to maintaining patient information in a secure manner and properly disposing of any information which is no longer needed and which has been converted to another media, e.g., paper, tape, etc. 6. I agree that NMH may audit access to and use of its patient information by me and my staff at any time or on an ongoing basis and may ask for and receive copies of the signed employee confidentiality statement described in paragraph 3, above. 7. Special condition(s) that apply to this contract, if any, are described here: 8. This contract is effective as of the date signed and shall continue in effect for ( ) year(s) subject to earlier revocation as described above or replacement by a revised contract.
11 11 of I understand and agree that I shall be responsible for any violations of this Agreement by a staff member listed in Exhibit A and that I may be subject to disciplinary or corrective action in accordance with Hospital or Medical Staff policies. 10. My signature below indicates that I have read, understand and agree to the above provisions. Northwestern Memorial Hospital Signed By: Signed By: Title: Title: Date: Date:
12 12 of 11 NORTHWESTERN MEMORIAL HOSPITAL COMPUTER ACCESS REQUEST FORM FORM INSTRUCTIONS 1. Complete the Employee Information Section. 2. Complete any other sections for which the staff member will need access. (I.e. if a Powerchart account is needed complete the Powerchart section otherwise leave this section blank.) 3. Cut and the paste the completed form into the message. The form should not be ed as an attachment or sent from the Intranet. 4. the completed form to "CRU System Admin" The form must be ed by the staff member s Level One Manager. If the staff member is a Level One Manager the Key Manager must e- mail the form. If the staff member is a Key Manager, the Senior Manager must the form. 5. For help in completing the form, please call the Customer Response Unit at 6-HELP. EMPLOYEE INFORMATION 1. Employee's Name (Name should match Human Resource File) 2. Employee's Social Security Number (Social Security Number should match Human Resource File) 3. Employee's Cost Center Number (Cost Center Should match Human Resource File) 4. Employee's Job Title (Job Title should match Human Resource File) 5. Employee's Campus Address (Building, Room, Suite or Office Number and Floor) 6. Employee's Campus Phone Number (If number not yet known enter Manager s Phone Number) 7. Employee s Start Date (The Date the Employee will start in the Department) NETWORK ACCOUNT INFORMATION 1. Server Name (i.e. Prentice. Enter the Name of a person in your department with an account to refer to if the server is not known) 2. Directory or file access (Enter the entire path name, i.e. (Passavant/Sys2:/Common/Bloodflow, if not known enter the name of a person in your department who has this access to refer to) Drive letters are not valid. The form may be returned if the path is not included. ACCESS 1. Please indicate the type of this staff member will be use: Web Mail (NMCONNECT) or Regular Mail (Users that have their own PC) 2. Distribution List: ( Group(s) Employee should be a member of)
13 13 of 11 APPLICATION ACCESS (USERS WHO USE MY APPLICATIONS ONLY) 1. Microsoft Office (Enter Yes or No) 2. MAR (Enter Yes or No) 3. MSMEDS (Enter Yes or No) POWERCHART ACCESS 1. Computer Based Training Score (This is a requirement) 2. Name of Powerchart Position (Refer to the position chart for your Cost Center)
AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered
PURPOSE The University of Rochester recognizes the vital role information technology plays in the University s missions and related administrative activities as well as the importance in an academic environment
Caldwell Community College and Technical Institute Employee Computer Usage Policies and Procedures I. PURPOSE: The purpose of this section is to define the policies and procedures for using the administrative
Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative
Wellesley College Whistleblower Policy Adopted April 2009 1. General Wellesley College (the "College") requires all employees (including faculty) to observe high standards of business and personal ethics
HIPAA Privacy & Security Training for Clinicians Agenda This training will cover the following information: Overview of Privacy Rule and Security Rules Using and disclosing Protected Health Information
Document Title: System REVISION HISTORY Effective Date:15-Nov-2015 Page 1 of 5 Revision No. Revision Date Author Description of Changes 01 15-Oct-2015 Terry Butcher Populate into Standard Template Updated
1 By the end of this course you will demonstrate: 1. that HIPAA privacy rules protect privacy and security of confidential information. 2. your responsibility for use and protection of protected health
Clinical Observership Program PROGRAM APPLICATION (Please type or print) Please place a checkmark (X) indicating the primary campus you prefer to spend your clinical observership experience: Weill Cornell
Information Technology Acceptable Use Policy Overview The information technology resources of Providence College are owned and maintained by Providence College. Use of this technology is a privilege, not
MEDITECH ACCESS REQUEST PHYSICIAN OFFICE STAFF This box is for IT use only. Lisa Linda Prov Dict Access Dictionaries PACS E-Sig agreement E-Sig PIN PD PIN 3-4 ID Emailed PK Emailed MUST sign: I have read
Oregon Prescription Drug Monitoring Program Terms & Conditions of Account Use Agreement Statutory Authority: The Oregon Health Authority (OHA) was given authority under ORS 431.962 to establish and maintain
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
University of California Policy HIPAA Uses and Disclosures Responsible Officer: Senior Vice President/Chief Compliance and Audit Officer Responsible Office: Ethics, Compliance and Audit Services Effective
HIPAA COMPLIANCE PLAN For CHARLES RETINA INSTITUTE (Practice Name) Date of Adoption 1/02/2003 Review/Update 10/25/2012 Review/Update 4/01/2014 I. COMPLIANCE PLAN A. Introduction This HIPAA Compliance Plan
I. Purpose. PC CONNECTION, INC. CODE OF BUSINESS CONDUCT AND ETHICS Applicable to All Subsidiaries To establish uniform standards of conduct under which each of the PC Connection, Inc. family of companies
Ur-Energy Inc. Code of Business Conduct and Ethics As Amended Effective February 5, 2014 2957409.2 TABLE OF CONTENTS INTRODUCTION... 3 CONFLICTS OF INTEREST... 3 GIFTS, INVITATIONS AND ENTERTAINMENT GUIDELINES...
- 1 BLOOMFIELD COLLEGE ACCEPTABLE USE POLICY Summary of Acceptable Use Policy Bloomfield College provides technology resources to the College Community, including students, faculty, administration, alumni,
Corporate Compliance and HIPAA Security for New Hires GOALS OF SESSION Review Northside s Compliance Program and Code of Conduct Emphasize the importance of Northside s Compliance Program Review the role
COMPUTER USE POLICY 1.0 Purpose and Summary 1. This document provides guidelines for appropriate use of the wide variety of computing and network resources at Methodist University. It is not an all-inclusive
Dear Colleague, This notice is to share some recent changes we ve made with our Student Onboarding Process. Effective October 1, 2014, our onboarding process is migrating from Public Safety to our Human
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
California Mutual Insurance Company Code of Business Conduct and Ethics This Code of Business Conduct and Ethics (the Code ) applies to all officers, employees, and directors of California Mutual Insurance
Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral
Page 1 of 10 Table of Contents 1. Purpose... 2 2. Entities Affected by This Guideline... 2 3. Definitions... 2 4. Guidelines... 3 4.1 Requesting Data Center or... 3 4.2 Requirements for Data Center or...
Information Security Policy Policy Title Responsible Executive Responsible Office Information Security Policy Vice President for Information Technology and CIO, Jay Dominick Office of Information Technology,
Health Insurance Portability and Accountability Act HIPAA Privacy Standards Healthcare Provider Training Module Copyright 2003 University of California Click the arrow to start the YouTube video in a separate
Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan Adopted: January 2, 2007 Revised by Board of Directors on September 4, 2007 Revised and Amended
DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment
Hope In-Home Care CODE OF CONDUCT AND ETHICS September 2014 Table of Contents A MESSAGE FROM OUR DIRECTOR... 3 INTRODUCTION TO THE CODE OF CONDUCT AND ETHICS... 4 ELEMENT 1: QUALITY OF CARE... 5 ELEMENT
HIPAA Orientation Health Insurance Portability and Accountability Act HIPAA Federal legislation enacted in 1996 to improve the efficiency and effectiveness of electronic information transfers used in the
ORVANA MINERALS CORP CODE OF BUSINESS CONDUCT AND ETHICS ADOPTED BY THE BOARD OF DIRECTORS October 2, 2013 -2- CODE OF BUSINESS CONDUCT AND ETHICS Orvana Minerals Corp is a publicly-traded Canadian company
KESWICK MULTI-CARE CENTER, INC. NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW
APPENDIX 1: Frequently Asked Questions Practice Name Q: What is the HIPAA Privacy Rule? A: The HIPAA Privacy Rule controls the use and disclosure of what is known as Protected Health Information (PHI).
To: From: Researchers Legal Services and Research Services Date: May 21, 2013 Subject: Research and the New Personal Health Information Act On June 1, 2013, the Personal Health Information Act ( PHIA )
Information Technology Management Procedure June 1, 2015 Information Technology Management, page 1 of 7 Contents Responsibility for Local Information Technology Policies 3 Responsibility to Maintain Functionality
HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson
HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,
STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business
HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: To introduce the staff of Munson Healthcare to the concepts
CUBIC ENERGY, INC. Code of Business Conduct and Ethics Introduction Our Company s reputation for honesty and integrity is the sum of the personal reputations of our directors, officers and employees. To
MICHIGAN JEWISH INSTITUTE Policy and Procedure Manual ב "ה Functional Area: ELECTRONIC ASSETS MANAGEMENT Policy No. EAM 1020 Title: IT Security, A Manual Effective Date: January 1, 2013 Page No. 1 of 1
NOTICE OF PRIVACY PRACTICES TEMPLATE Sections highlighted in yellow are optional sections, depending on if applicable Original Date: ##/##/#### Revised per HIPAA Omnibus Rule ##/##/#### Revised Date Implementation:
ALEXANDRA MARINE AND GENERAL HOSPITAL 120 Napier Street, GODERICH, ON N7A 1W5 (519) 524-8689 ext. 5712 Fax: (519) 524-5579 Email: email@example.com MEDICAL TRAINEE DATA FORM (This information
Protecting Patient Privacy It s Everyone s Responsibility Observation & Student Learning Packet 1. Read packet Instructions for Self-Study Module 2. Complete post-test. A score of 80% must be achieved.
TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE
DISTRIBUTION: ALL PAGE: 1 of 9 1. SCOPE AND PURPOSE NVR, Inc. and its subsidiaries ( NVR or the Company ) are committed to the highest level of ethical behavior. NVR s business success depends upon the
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
Privacy and Information Security Awareness Training Health Insurance Portability & Accountability Act of 1996 -- HIPAA Objectives Understand basic HIPAA requirements Understand how the MCG Health System
DORCHESTER COUNTY, MARYLAND Fiscal Policies and Procedures Fraud, Waste & Abuse Adopted August 11, 2009 SECTION I - INTRODUCTION The County Council of Dorchester County, Maryland approved on August 11,
The Claremont Colleges Policy Regarding Appropriate Use of Campus Computing and Network Resources Approved by the Council of The Claremont Colleges on 08/20/04 An overall guiding mission of The Claremont
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health Pam Jager, GRMEP Director of Education & Development To understand the requirements of the federal Health Information Portability
INTRODUCTION This (this Code ) is designed to reaffirm and promote Hyatt Hotels Corporation s compliance with laws and ethical standards applicable in all jurisdictions in which Hyatt Hotels Corporation
Integrity and Compliance Description Approved by the Audit Committee of the Providence Health & Services Board of Directors December 7, 2009 Contents: Introduction Page 1 Purpose Page 2 Compliance Administration
Online Account Management Broker s User Guide TABLE OF CONTENTS BROKER SINGLE SIGN-ON ACTIVATION ------------------------------------------------------------------- 3 BROKER SINGLE SIGN-ON REQUEST FORM
NORTHEAST COMMUNITY COLLEGE ADMINISTRATIVE PROCEDURE NUMBER: AP-5250.0 FOR POLICY NUMBER: BP 5250 ACCEPTABLE USE PROCEDURES ELECTRONIC RESOURCES 1. PROCEDURE SUMMARY STATEMENT To establish procedures relating
Compliance Policy Number 1 POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013 Compliance Plan To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW Sound Inpatient Physicians,
North American Partners in Anesthesia Corporate Compliance Plan VERSION EFFECTIVE: JANUARY 2015 CONTENTS Introduction and Mission 1. Corporate Commitment to Compliance: Code of Conduct 2. Written Compliance
Denver Public Schools - East High School Return this page to the Technology Department in room 230 Electronic Web Access Agreement for Viewing Student Information via DPS Infinite Campus Parent/Student
SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy
INSTITUTIONAL COMPLIANCE PLAN Responsible Party: Board of Trustees Contact: Institutional Compliance Office Original Effective Date: 02/16/2012 Last Revised Date: 10/13/2014 Contents I. SCOPE OF THE PLAN...
SM ENERGY COMPANY CODE OF BUSINESS CONDUCT AND CONFLICT OF INTEREST POLICY We at SM Energy Company are committed to compliance with applicable laws, rules and regulations and to conducting our business
HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits
Use of ESF Computing and Network Resources Introduction: The electronic resources of the State University of New York College of Environmental Science and Forestry (ESF) are powerful tools, shared among
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
Delaware State University Policy Title: Delaware State University Acceptable Use Policy Board approval date: TBD Related Policies and Procedures: Delaware State University Acceptable Use Policy A Message
USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY CONDITIONS OF USE FOR ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY Between: the Commonwealth of Australia, acting
PAGE 1 of 6 UNIVERSITY GUIDEBOOK Title of Policy: Acceptable Use of University Technology Resources Responsible Division/Office: Information Technology Approving Officer: Vice President for Finance and
Health Management Annual Compliance Training 2011 1 Introduction Welcome to 2011 Annual Compliance Training! The purpose of Annual Compliance Training is to: 1. Remind all associates of the elements of