Access to Electronic Health Records Policy Franciscan Health System

Transcription

1 Access to Electronic Health Records Policy Franciscan Health System PURPOSE: The purpose of the Access to Electronic Health Records Policy ( EHR Policy ) is to establish processes and procedures for permitting medical staff members and their office staff access to and sharing of the Hospital s Electronic Health Records in order to enhance the continuum of health care to mutual patients. DEFINITIONS: 1. Clinic means a physician, practitioner, health care provider, group practice, partnership, or corporation of physicians and/or practitioners, health care providers, and its employees. 2. Disclose and Disclosure mean, with respect to Protected Health Information, the release, transfer, provision of, access to, or divulging in any other manner of Protected Health Information outside Hospital internal operations. 3. Electronic Health Record ( EHR ) means a repository of consumer health status information in computer processable form used for clinical diagnosis and treatment for a broad array of clinical conditions. EHRs contain Protected Health Information. 4. Information Technology ( IT ) for purposes of obtaining access to Hospital EHR includes by way of example: rights, licenses, and intellectual property related to the EHR software; connectivity services, including broadband and wireless internet services; portals; secure messaging capabilities and related services that are used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, or transmission or reception of data or information in any electronic medium to any source. IT for purposes of EHR does not include hardware, including routers or modems necessary to access or enhance connectivity, and operating software that makes the hardware function; storage devices; software with core functionality other than EHR (such as human resources or payroll software or software packages for practice management or billing); or items used to conduct personal business or business unrelated to Clinic practice. 5. Protected Health Information ( PHI ) means information, including demographic information, that (i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; (ii) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (iii) is received by Hospital from or on behalf of Clinic, or is created by Hospital, or is made accessible to Hospital by Clinic. PHI may be contained in other mediums including without limitation, electronic PHI, EHR, paper records, audio, and video recording. 6. Use or Uses means, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Hospital s internal operations. Access to Electronic Health Records Page 1 of 8

2 7. User means individual who will be accessing the electronic systems requested through a unique login and password. 8. Terms used, but not otherwise defined, in this Policy shall have the same meaning as those terms in the Privacy and Security Regulations including, but not limited to, 45 C.F.R. Sections and ; 42 C.F.R. Chapter IV, Section , and , and 42 C.F.R. Section POLICY: It is the policy of the Hospital to provide access to and share with each physician and/or practitioner from a Clinic who is a member of the Hospital s Medical Staff and participates in the Organized Health Care Arrangement with the Hospital ( OHCA ), the Hospital s EHR subject to the provisions and procedures outlined in this Policy. 1. Access 1.1 Each User shall sign and submit a Franciscan Access Request Form (Exhibit A). 1.2 Each user will sign a User and Confidentiality Access Agreement (Exhibit B). 1.3 Hospital will issue passwords and user identification ( ID ) to access Hospital s IT system to each individual user once the completed forms are submitted. Such passwords and IDs may not be shared with any other individual or entity. 1.4 Reauthorization for access to the Hospital s EHR will be reviewed and reauthorized every two years along with the Medical Staff reappointment process. 1.5 Clinic will notify the Hospital within three business days of the departure (employment relationship or otherwise) of Clinic s staff who has access to Hospital s EHR, so that the Hospital may discontinue such access. 2. Permitted and Non-Permitted Uses 2.1 The Hospital s IT system to access EHR shall only be accessed and used solely for the ongoing treatment of Clinic s patients. 2.2 The Hospital s IT system shall not be used for any other purpose. Prohibited uses include but are not limited to: personal use, solicitation for outside business ventures, campaigns, and political or religious causes. 2.3 Clinic is prohibited from storing, displaying, or disseminating obscene, offensive, harassing, or discriminatory textual or graphical materials on the Hospital s IT system. 2.4 Clinic is not permitted to access his/her own or another individual s health information because of a personal request, personal curiosity or personal reasons. 2.5 Clinic will not permit any other person or entity to access, publish, or pass on User s password to access the Hospital s IT system and EHR, whether in electronic, print, or other form. 3. Electronic Health Record IT 3.1 The Hospital will provide Clinic with access to Hospital EHR subject to a licensing agreement with its IT vendors. Access to Electronic Health Records Page 2 of 8

3 3.2 The Hospital will assist a Clinic with obtaining the necessary IT which is to be used solely to create, maintain, transmit, or receive EHR. 3.3 The Hospital will provide Clinic with minimum IT hardware requirement specifications in order for Clinic to ensure Clinic s IT systems can support Hospital s EHR. Clinic is responsible for acquiring IT hardware and ensuring IT hardware meets minimum requirements to access EHR. 3.4 Clinic is responsible for installation, operation, and ongoing maintenance of the IT hardware associated with communications between Clinic s IT system and Hospital s IT system. 3.5 At times and manner convenient to the Hospital, the Hospital will provide Clinic training for remote access of the Hospital IT system. Hospital will not provide any support for hardware owned or used by a Clinic. 3.6 Clinic is responsible for HIPAA training and education, including appropriate access to EHR and the terms in the User and Confidentiality Agreement. Clinic will provide evidence of training and education of its staff upon Hospital request. 4. Confidentiality 4.1 All EHR available through the Hospital s IT system is confidential. 4.2 Clinic shall only access the Hospital IT system and EHR as permitted by this Policy. Clinic s use of and access to EHR is limited to the Clinic s treatment of mutual patients of the Hospital and Clinic. 4.3 Clinic will only access Hospital s IT system in the minimal amount necessary to obtain EHR for the provision of health care services to the Clinic s patients. 4.4 Hospital will routinely conduct random and targeted audits of access to Hospital s IT system. Clinic shall cooperate with the Hospital audits and any resulting investigation that may involve Clinic s access. 4.5 Hospital may track and monitor Clinic s access into the Hospital IT system. Clinic and Users do not have any personal privacy rights by utilizing Hospital s IT system. 4.6 Clinic shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI in any manner other than as permitted by this Policy. These shall include administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it receives, maintains, or transmits from the Hospital and as required by law. 4.7 Clinic shall protect the Hospital IT system from viruses and similar program threats and manage logging and other data collection mechanisms. 5. Reporting Unauthorized Use or Disclosure. 5.1 Clinic shall report to the Hospital each unauthorized Use or Disclosure of PHI that is made by the Clinic that is not specifically permitted by this Policy. 5.2 Clinic shall report to the Hospital any security incident of which it becomes aware. Security Incident means the attempted or successful unauthorized access, use or disclosure, modification, or destruction of information, or interference with the system operations in the Hospital IT system. 5.3 The initial report shall be made by telephone call to the Hospital s Information Security Officer in the FHS Compliance Department , within two business days from the time the Clinic becomes aware of an actual or apparent non-permitted Use or Access to Electronic Health Records Page 3 of 8

4 Disclosure, followed by a full written report to the Hospital s Information Security Officer no later than ten business days from the date the Clinic becomes aware of the actual or apparent non-permitted Use or Disclosure of PHI. 5.4 Clinic shall provide in such notice the remedial or other actions undertaken to correct the unauthorized Use or Disclosure of PHI. 5.5 Clinic shall mitigate, to the extent practicable, any harmful effect that is known to the Clinic of a Use or Disclosure of PHI by the Clinic in violation of this Policy. 5.6 Clinic shall work cooperatively with the Hospital in mitigating and preventing any further unauthorized Use or Disclosure of PHI. 6. Violations 6.1 Clinic is responsible for ensuring compliance with the terms and conditions of this Policy. 6.2 Clinic s and User s unauthorized distribution of individual password, or information accessed from the Hospital s IT system shall result in immediate termination of the User s and potentially the Clinic s access to the Hospital s IT system, and may subject the Clinic physician or practitioner to loss of privileges with the Hospital and any other action and remedies available to the Hospital under law or equity. 6.3 Clinic will be responsible for any damages, including monetary damages, for the inappropriate use and/or disclosure of EHR, even if the inappropriate use and/or disclosure was made by Clinic s employee or another individual using the Clinic s User s passwords or IDs. 6.4 If a Clinic User suspects that his/her password or ID has been obtained by another individual, they will immediately change the password for the account and inform the Hospital s Information Security Officer so that appropriate action may be taken. Access to Electronic Health Records Page 4 of 8

5 EXHIBIT A - Franciscan Access Request Form FRANCISCAN ACCESS REQUEST FORM St. Joseph Medical Center (HIM Department) Access Coordinator South J Street, Tacoma, WA Complete this form for users who are not employed by Franciscan that will access Franciscan Electronic Health Records. Users may access systems via a web site link from outside Franciscan Health System facilities. Initial Access Request - Signed and Witnessed Confidentiality Agreement are also required with initial request. Addendum to Initial Access Request (additional access or changes in system access) USER NAME / INFORMATION (Required INFORMATION BELOW, if not applicable please mark N/A) Name / Professional Degree (First, Middle, Last, Degree) Specialty / Job Title (Check all that apply) Medical Provider (MD, PA, ARNP, Etc.) Complete highlighted section immediately below Office Staff (Office staff of Medical Provider) Other User Detailed reason for access requirements (Medical Providers only) NPI # Medicare UPIN # WA State License # Medicaid # Office Name Office Manager Name Office Address City State Zip Office Phone User Office Fax User Cell Phone User Pager EXTERNAL SOFTWARE ACCESS (Check system access below) Does your equipment currently meet the required specifications for each system? (See system specification sheet) YES - Meets or exceeds the standards Upgrades completed Unknown DI PACS - Diagnostic Imaging - Picture Archiving and Communication System CV PACS - Cardiovascular - Picture Archiving and Communication System ACIS - Advanced Clinical Information System (Cerner/PowerChart) FCM - Franciscan Clinical Messaging (Elysium/Axolotl) OrderNOW - Secure online orders to FHS for Outpatient Services OTHER Please list: Logins will be issued to each individual user and may not be shared. Passwords are issued to each user and must be changed at least every 180 days. System access can and will be audited. The user whose login is identified during an audit will be held accountable for access violations. Per policy, the individual authorizing access will be held accountable for the user s actions. I understand my responsibilities as outlined in the Access To Electronic Health Records policy. I have also signed a User and Confidentiality Agreement for Access to Franciscan Health System Electronic Health Records and understand my responsibilities as outlined in that agreement. User Signature: Date: Authorizing Provider: (Please print name) Authorizing Provider Signature: Internal Use Only: (Form dated Version 2) Access to Electronic Health Records Page 5 of 8

6 EXHIBIT B - User and Confidentiality Access Agreement ELECTRONIC HEALTH RECORD USER AND CONFIDENTIALITY ACCESS AGREEMENT WITH FRANCISCAN HEALTH SYSTEM This Agreement must be completed and signed by each individual requesting access to Franciscan Health System s (FHS) Electronic Health Records. The Agreement must be completed and returned to the FHS Health Information Management Department before access will be granted. Name of individual requesting access (please print): Clinic Name and Address: Please Print Name of Authorizing Physician: I am requesting access to FHS IT System(s) to obtain Electronic Health Records, and agree to the following terms and conditions: Clinic means a physician, practitioner, a health care provider, a group practice, partnership, or corporation of physicians and/or practitioners, health care providers and its employees. Disclose and Disclosure mean, with respect to Protected Health Information, the release, transfer, provision of, access to, or divulging in any other manner of Protected Health Information outside FHS internal operations. Electronic Health Record ( EHR ) means a repository of consumer health status information in computer processable form used for clinical diagnosis and treatment for a broad array of clinical conditions. EHRs contain Protected Health Information. Information Technology ( IT ) for purposes of obtaining access to FHS EHR includes by way of example: rights, licenses, and intellectual property related to the EHR software; connectivity services, including broadband and wireless internet services; portals; secure messaging capabilities and related services that are used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, or transmission or reception of data or information in any electronic medium to any source. IT for purposes of EHR does not include hardware, including routers or modems necessary to access or enhance connectivity, and operating software that makes the hardware function; storage devices; software with core functionality other than EHR (such as human resources or payroll software or software packages for practice management or billing); or items used to conduct personal business or business unrelated to Clinic practice. Protected Health Information ( PHI ) means information, including demographic information, that (i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; (ii) identifies the individual (or for which there Access to Electronic Health Records Page 6 of 8

7 is a reasonable basis for believing that the information can be used to identify the individual); and (iii) is received by Hospital from or on behalf of Clinic, or is created by Hospital, or is made accessible to Hospital by Clinic. PHI may be contained in other mediums including without limitation, electronic PHI, EHR, paper records, audio, and video recording. Use or Uses means, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within FHS internal operations. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy and Security Regulations including, but not limited to, 45 C.F.R. Sections and ; 42 C.F.R. Chapter IV, Section , and , and 42 C.F.R. Section I acknowledge that Hospital IT system is the property of FHS. I agree to use Hospital IT system solely for job-related purposes. I understand that all EHR available through Hospital IT system is confidential and is to be treated as such. I agree to access Hospital IT system only in the minimal amount necessary to obtain EHR for the provision of health care services to the Clinic patient(s). I understand that passwords and user identification ( ID ) are utilized to access Hospital IT system. I acknowledge that I may not divulge my password or ID to any other individual or entity. I understand that I am responsible for any damages, including monetary damages, for the inappropriate use and/or disclosure of PHI, even if such inappropriate use and/or disclosure was made by another individual using my password or ID. I agree that if I suspect that my password or ID has been obtained by another individual, I will immediately change the password for the account and inform FHS Security Officer ( ) so that appropriate action may be taken. I understand that I am not permitted to access the Hospital IT systems for anything other than my intended job-related purpose relating to patient treatment, payment or Hospital operations. Accordingly, I understand that I am not permitted access to my or another individual s health information because of a personal request, personal reasons or personal curiosity. I acknowledge that unauthorized access of EHR, confidential files, or Hospital IT system without the proper security clearance and/or access authorization, is for whatever reason, considered a violation of the Access to Electronic Health Records Policy. I understand that the Hospital IT systems are monitored by FHS Information Technology Department. I understand that IT security features, such as passwords and message deletion functions, do not remove the ability to archive messages, at any time, for future auditing. I understand that the Hospital IT system is subject to search, and that FHS is able to track and monitor my access into Hospital IT system. I understand that I do not have any personal privacy rights by utilizing Hospital IT system. Access to Electronic Health Records Page 7 of 8

8 I agree that I will use FHS IT system only to access EHR for patient care purposes. I promise that I will not use Hospital IT system for any other purpose including personal use, solicitation for outside business ventures, campaigns, and political or religious causes. I understand that I am prohibited from storing, displaying, or disseminating obscene, offensive, harassing, or discriminatory textual or graphical materials on Hospital IT systems. I have read the Policy on Access to Electronic Health Records ( EHR Policy ) and agree to be bound by the terms and conditions of the EHR Policy. I understand that should I, or my employee, violate any provision of the EHR Policy, FHS will discontinue my access to Hospital IT system(s). Additionally, FHS may take legal action against me, including seeking monetary damages for inappropriate use and/or disclosure of PHI. I agree to indemnify, defend and hold harmless, Hospital and its affiliates, and their respective members, trustees, officers, directors, employees and agents, from and against any claim, cause of action, liability, damage, cost or expense, including without limitation, reasonable attorneys fees and costs, arising out of or in connection with any unauthorized or prohibited Use or Disclosure of Hospital IT system, PHI, or any other breach of the EHR Policy by myself or my employee. I acknowledge that I have read, understand, and agree with the conditions above. Further, I agree to immediately notify FHS of any conflict with or violation of the above conditions. User Signature Date Witness Signature Access to Electronic Health Records Page 8 of 8