Access to Electronic Health Records Policy
Franciscan Health System

PURPOSE:
The purpose of the Access to Electronic Health Records Policy ("EHR Policy") is to establish processes and procedures for permitting medical staff members and their office staff access to and sharing of the Hospital's Electronic Health Records in order to enhance the continuum of health care to mutual patients.

DEFINITIONS:
1. "Clinic" means a physician, practitioner, health care provider, group practice, partnership, or corporation of physicians and/or practitioners, health care providers, and its employees.
2. "Disclose" and "Disclosure" mean, with respect to Protected Health Information, the release, transfer, provision of, access to, or divulging in any other manner of Protected Health Information outside Hospital internal operations.
3. "Electronic Health Record" ("EHR") means a repository of consumer health status information in computer processable form used for clinical diagnosis and treatment for a broad array of clinical conditions. EHRs contain Protected Health Information.
4. "Information Technology" ("IT") for purposes of obtaining access to Hospital EHR includes, by way of example: rights, licenses, and intellectual property related to the EHR software; connectivity services, including broadband and wireless internet services; portals; secure messaging capabilities and related services that are used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, or transmission or reception of data or information in any electronic medium to any source.
IT for purposes of EHR does not include hardware, including routers or modems necessary to access or enhance connectivity, and operating software that makes the hardware function; storage devices; software with core functionality other than EHR (such as human resources or payroll software or software packages for practice management or billing); or items used to conduct personal business or business unrelated to Clinic practice.
5. "Protected Health Information" ("PHI") means information, including demographic information, that (i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; (ii) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (iii) is received by Hospital from or on behalf of Clinic, or is created by Hospital, or is made accessible to Hospital by Clinic. PHI may be contained in other mediums including, without limitation, electronic PHI, EHR, paper records, audio, and video recording.
6. "Use" or "Uses" means, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Hospital's internal operations.

Access to Electronic Health Records 8-11-09 Page 1 of 8
7. "User" means an individual who will be accessing the electronic systems requested through a unique login and password.
8. Terms used, but not otherwise defined, in this Policy shall have the same meaning as those terms in the Privacy and Security Regulations including, but not limited to, 45 C.F.R. Sections 160.103 and 164.501; 42 C.F.R. Chapter IV, Sections 411.351 and 411.357; and 42 C.F.R. Section 1001.952.

POLICY:
It is the policy of the Hospital to provide access to and share with each physician and/or practitioner from a Clinic who is a member of the Hospital's Medical Staff and participates in the Organized Health Care Arrangement with the Hospital ("OHCA"), the Hospital's EHR subject to the provisions and procedures outlined in this Policy.

1. Access
1.1 Each User shall sign and submit a Franciscan Access Request Form (Exhibit A).
1.2 Each User will sign a User and Confidentiality Access Agreement (Exhibit B).
1.3 Hospital will issue passwords and user identification ("ID") to access Hospital's IT system to each individual User once the completed forms are submitted. Such passwords and IDs may not be shared with any other individual or entity.
1.4 Access to the Hospital's EHR will be reviewed and reauthorized every two years along with the Medical Staff reappointment process.
1.5 Clinic will notify the Hospital within three business days of the departure (employment relationship or otherwise) of any Clinic staff member who has access to Hospital's EHR, so that the Hospital may discontinue such access.

2. Permitted and Non-Permitted Uses
2.1 The Hospital's IT system used to access EHR shall be accessed and used solely for the ongoing treatment of Clinic's patients.
2.2 The Hospital's IT system shall not be used for any other purpose. Prohibited uses include but are not limited to: personal use, solicitation for outside business ventures, campaigns, and political or religious causes.
2.3 Clinic is prohibited from storing, displaying, or disseminating obscene, offensive, harassing, or discriminatory textual or graphical materials on the Hospital's IT system.
2.4 Clinic is not permitted to access his/her own or another individual's health information because of a personal request, personal curiosity or personal reasons.
2.5 Clinic will not permit any other person or entity to access, publish, or pass on a User's password to access the Hospital's IT system and EHR, whether in electronic, print, or other form.

3. Electronic Health Record IT
3.1 The Hospital will provide Clinic with access to Hospital EHR subject to a licensing agreement with its IT vendors.
3.2 The Hospital will assist a Clinic with obtaining the necessary IT, which is to be used solely to create, maintain, transmit, or receive EHR.
3.3 The Hospital will provide Clinic with minimum IT hardware requirement specifications in order for Clinic to ensure Clinic's IT systems can support Hospital's EHR. Clinic is responsible for acquiring IT hardware and ensuring IT hardware meets minimum requirements to access EHR.
3.4 Clinic is responsible for installation, operation, and ongoing maintenance of the IT hardware associated with communications between Clinic's IT system and Hospital's IT system.
3.5 At times and in a manner convenient to the Hospital, the Hospital will provide Clinic training for remote access of the Hospital IT system. Hospital will not provide any support for hardware owned or used by a Clinic.
3.6 Clinic is responsible for HIPAA training and education, including appropriate access to EHR and the terms in the User and Confidentiality Agreement. Clinic will provide evidence of training and education of its staff upon Hospital request.

4. Confidentiality
4.1 All EHR available through the Hospital's IT system is confidential.
4.2 Clinic shall only access the Hospital IT system and EHR as permitted by this Policy. Clinic's use of and access to EHR is limited to the Clinic's treatment of mutual patients of the Hospital and Clinic.
4.3 Clinic will only access Hospital's IT system in the minimal amount necessary to obtain EHR for the provision of health care services to the Clinic's patients.
4.4 Hospital will routinely conduct random and targeted audits of access to Hospital's IT system. Clinic shall cooperate with the Hospital audits and any resulting investigation that may involve Clinic's access.
4.5 Hospital may track and monitor Clinic's access into the Hospital IT system. Clinic and Users do not have any personal privacy rights in utilizing Hospital's IT system.
4.6 Clinic shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI in any manner other than as permitted by this Policy. These shall include administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it receives, maintains, or transmits from the Hospital and as required by law.
4.7 Clinic shall protect the Hospital IT system from viruses and similar program threats and manage logging and other data collection mechanisms.

5. Reporting Unauthorized Use or Disclosure
5.1 Clinic shall report to the Hospital each unauthorized Use or Disclosure of PHI that is made by the Clinic and is not specifically permitted by this Policy.
5.2 Clinic shall report to the Hospital any security incident of which it becomes aware. "Security Incident" means the attempted or successful unauthorized access, use or disclosure, modification, or destruction of information, or interference with the system operations in the Hospital IT system.
5.3 The initial report shall be made by telephone call to the Hospital's Information Security Officer in the FHS Compliance Department (253-428-8353) within two business days from the time the Clinic becomes aware of an actual or apparent non-permitted Use or Disclosure, followed by a full written report to the Hospital's Information Security Officer no later than ten business days from the date the Clinic becomes aware of the actual or apparent non-permitted Use or Disclosure of PHI.
5.4 Clinic shall provide in such notice the remedial or other actions undertaken to correct the unauthorized Use or Disclosure of PHI.
5.5 Clinic shall mitigate, to the extent practicable, any harmful effect that is known to the Clinic of a Use or Disclosure of PHI by the Clinic in violation of this Policy.
5.6 Clinic shall work cooperatively with the Hospital in mitigating and preventing any further unauthorized Use or Disclosure of PHI.

6. Violations
6.1 Clinic is responsible for ensuring compliance with the terms and conditions of this Policy.
6.2 Clinic's and User's unauthorized distribution of an individual password, or of information accessed from the Hospital's IT system, shall result in immediate termination of the User's and potentially the Clinic's access to the Hospital's IT system, and may subject the Clinic physician or practitioner to loss of privileges with the Hospital and any other action and remedies available to the Hospital under law or equity.
6.3 Clinic will be responsible for any damages, including monetary damages, for the inappropriate use and/or disclosure of EHR, even if the inappropriate use and/or disclosure was made by Clinic's employee or another individual using the Clinic's User's passwords or IDs.
6.4 If a Clinic User suspects that his/her password or ID has been obtained by another individual, they will immediately change the password for the account and inform the Hospital's Information Security Officer so that appropriate action may be taken.
EXHIBIT A - Franciscan Access Request Form

FRANCISCAN ACCESS REQUEST FORM
St. Joseph Medical Center (HIM Department)
Access Coordinator 253.426.4139
1717 South J Street, Tacoma, WA 98405

Complete this form for users who are not employed by Franciscan that will access Franciscan Electronic Health Records. Users may access systems via a web site link from outside Franciscan Health System facilities.

[ ] Initial Access Request - A signed and witnessed Confidentiality Agreement is also required with the initial request.
[ ] Addendum to Initial Access Request (additional access or changes in system access)

USER NAME / INFORMATION (required; if not applicable please mark N/A)
Name / Professional Degree (First, Middle, Last, Degree):
Specialty / Job Title (check all that apply):
  [ ] Medical Provider (MD, PA, ARNP, etc.) - complete the highlighted section immediately below
  [ ] Office Staff (office staff of Medical Provider)
  [ ] Other User - detailed reason for access requirements:
Medical Providers only: NPI #:   Medicare UPIN #:   WA State License #:   Medicaid #:
Office Name:   Office Manager Name:
Office Address:   City:   State:   Zip:
Office Phone:   User Email:   Office Fax:   User Cell Phone:   User Pager:

EXTERNAL SOFTWARE ACCESS (check system access below)
Does your equipment currently meet the required specifications for each system? (See system specification sheet)
  [ ] YES - Meets or exceeds the standards   [ ] Upgrades completed   [ ] Unknown
  [ ] DI PACS - Diagnostic Imaging - Picture Archiving and Communication System
  [ ] CV PACS - Cardiovascular - Picture Archiving and Communication System
  [ ] ACIS - Advanced Clinical Information System (Cerner/PowerChart)
  [ ] FCM - Franciscan Clinical Messaging (Elysium/Axolotl)
  [ ] OrderNOW - Secure online orders to FHS for Outpatient Services
  [ ] OTHER - please list:

Logins will be issued to each individual user and may not be shared. Passwords are issued to each user and must be changed at least every 180 days. System access can and will be audited. The user whose login is identified during an audit will be held accountable for access violations. Per policy, the individual authorizing access will be held accountable for the user's actions.

I understand my responsibilities as outlined in the Access To Electronic Health Records policy. I have also signed a User and Confidentiality Agreement for Access to Franciscan Health System Electronic Health Records and understand my responsibilities as outlined in that agreement.

User Signature:   Date:
Authorizing Provider (please print name):
Authorizing Provider Signature:
Internal Use Only:
(Form dated 5-5-09 Version 2)
EXHIBIT B - User and Confidentiality Access Agreement

ELECTRONIC HEALTH RECORD USER AND CONFIDENTIALITY ACCESS AGREEMENT WITH FRANCISCAN HEALTH SYSTEM

This Agreement must be completed and signed by each individual requesting access to Franciscan Health System's (FHS) Electronic Health Records. The Agreement must be completed and returned to the FHS Health Information Management Department before access will be granted.

Name of individual requesting access (please print):
Clinic Name and Address:
Name of Authorizing Physician (please print):

I am requesting access to FHS IT System(s) to obtain Electronic Health Records, and agree to the following terms and conditions:

"Clinic" means a physician, practitioner, a health care provider, a group practice, partnership, or corporation of physicians and/or practitioners, health care providers and its employees.

"Disclose" and "Disclosure" mean, with respect to Protected Health Information, the release, transfer, provision of, access to, or divulging in any other manner of Protected Health Information outside FHS internal operations.

"Electronic Health Record" ("EHR") means a repository of consumer health status information in computer processable form used for clinical diagnosis and treatment for a broad array of clinical conditions. EHRs contain Protected Health Information.

"Information Technology" ("IT") for purposes of obtaining access to FHS EHR includes, by way of example: rights, licenses, and intellectual property related to the EHR software; connectivity services, including broadband and wireless internet services; portals; secure messaging capabilities and related services that are used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, or transmission or reception of data or information in any electronic medium to any source. IT for purposes of EHR does not include hardware, including routers or modems necessary to access or enhance connectivity, and operating software that makes the hardware function; storage devices; software with core functionality other than EHR (such as human resources or payroll software or software packages for practice management or billing); or items used to conduct personal business or business unrelated to Clinic practice.

"Protected Health Information" ("PHI") means information, including demographic information, that (i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; (ii) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (iii) is received by Hospital from or on behalf of Clinic, or is created by Hospital, or is made accessible to Hospital by Clinic. PHI may be contained in other mediums including, without limitation, electronic PHI, EHR, paper records, audio, and video recording.

"Use" or "Uses" means, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within FHS internal operations.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy and Security Regulations including, but not limited to, 45 C.F.R. Sections 160.103 and 164.501; 42 C.F.R. Chapter IV, Sections 411.351 and 411.357; and 42 C.F.R. Section 1001.952.

I acknowledge that the Hospital IT system is the property of FHS. I agree to use the Hospital IT system solely for job-related purposes.

I understand that all EHR available through the Hospital IT system is confidential and is to be treated as such. I agree to access the Hospital IT system only in the minimal amount necessary to obtain EHR for the provision of health care services to the Clinic patient(s).

I understand that passwords and user identification ("ID") are utilized to access the Hospital IT system. I acknowledge that I may not divulge my password or ID to any other individual or entity. I understand that I am responsible for any damages, including monetary damages, for the inappropriate use and/or disclosure of PHI, even if such inappropriate use and/or disclosure was made by another individual using my password or ID. I agree that if I suspect that my password or ID has been obtained by another individual, I will immediately change the password for the account and inform the FHS Security Officer (253-428-8353) so that appropriate action may be taken.

I understand that I am not permitted to access the Hospital IT systems for anything other than my intended job-related purpose relating to patient treatment, payment or Hospital operations. Accordingly, I understand that I am not permitted access to my or another individual's health information because of a personal request, personal reasons or personal curiosity. I acknowledge that unauthorized access of EHR, confidential files, or the Hospital IT system without the proper security clearance and/or access authorization is, for whatever reason, considered a violation of the Access to Electronic Health Records Policy.

I understand that the Hospital IT systems are monitored by the FHS Information Technology Department. I understand that IT security features, such as passwords and message deletion functions, do not remove the ability to archive messages, at any time, for future auditing. I understand that the Hospital IT system is subject to search, and that FHS is able to track and monitor my access into the Hospital IT system. I understand that I do not have any personal privacy rights in utilizing the Hospital IT system.

I agree that I will use the FHS IT system only to access EHR for patient care purposes. I promise that I will not use the Hospital IT system for any other purpose, including personal use, solicitation for outside business ventures, campaigns, and political or religious causes. I understand that I am prohibited from storing, displaying, or disseminating obscene, offensive, harassing, or discriminatory textual or graphical materials on Hospital IT systems.

I have read the Policy on Access to Electronic Health Records ("EHR Policy") and agree to be bound by the terms and conditions of the EHR Policy. I understand that should I, or my employee, violate any provision of the EHR Policy, FHS will discontinue my access to the Hospital IT system(s). Additionally, FHS may take legal action against me, including seeking monetary damages for inappropriate use and/or disclosure of PHI. I agree to indemnify, defend and hold harmless Hospital and its affiliates, and their respective members, trustees, officers, directors, employees and agents, from and against any claim, cause of action, liability, damage, cost or expense, including without limitation reasonable attorneys' fees and costs, arising out of or in connection with any unauthorized or prohibited Use or Disclosure of the Hospital IT system, PHI, or any other breach of the EHR Policy by myself or my employee.

I acknowledge that I have read, understand, and agree with the conditions above. Further, I agree to immediately notify FHS of any conflict with or violation of the above conditions.

User Signature:   Date:
Witness Signature: