STATEMENT OF PURPOSE:




Policy Number: Page: Page 1 of 5

STATEMENT OF PURPOSE:

The purpose of this policy is to provide guidelines on the appropriate use of Secure Email for patient/physician communications and transmission of Protected Health Information via the OUHSC Exchange email system. OU Physicians Clinics should use Secure Messaging via the IDX Centricity Electronic Medical Record (EMR).

DEFINITIONS:

(1) Secure Email - an application that allows messages sent via OUHSC Exchange email system to be delivered to an email recipient in the form of a URL. The message resides on a secure server through a logon with a username and password.

(2) Expired Message - a message that has been delivered to the recipient's email address and has not been accessed via the URL link within the specified time (14 days), after which the URL and the message become inaccessible.

(3) Patient Reply - patient email response to the message.

(4) Critical Results - results that require immediate intervention or are life-threatening.

(5) Protected Health Information (PHI) - any information about health status, medical treatment, or payment for health care that can be linked to an individual.

(6) Release of Information: a signed authorization is required if the patient requests a copy of their medical record. A physician may release a patient's medical record / information directly to the patient without a signed authorization form, if it is the physician's desire (versus the patient's request) that the patient have the information.

(7) Sender - the provider or designee who initiates the secure message.

SCOPE:

This policy addresses the Secure Email functionality available in the OUHSC MS Exchange/Proofpoint system. It is not intended to provide direction regarding any other messaging application.

POLICY:

The primary contact email address for the patient will be maintained by the sending department.

Secure Email will not be utilized for:
- Advertising and marketing
- Release of personal health information / medical records
- Recruiting of patients
- Dismissal of patients

(1) Communication:

a) A number of types of Secure Email communication are allowed, such as typical test results, appointment reminders, etc. (If results are abnormal but acceptable, this should be reflected in the communication.)

b) Critical Results shall not be communicated electronically until the patient has already had contact via another form of communication or all other methods of communication have been exhausted.

c) All patient/physician communications sent via Secure Email should be included in the patient medical record. The MS Exchange email system is a transport system and not designed to be an EMR or to store Protected Health Information.

d) Certain results should be communicated only in person and should not be communicated via Secure Message; i.e., new cancer diagnosis, new HIV diagnosis.

e) Personnel with the need to send or receive PHI should request approval from their supervisor or the clinic medical director / clinic administrator.

f) Providers should respond to a patient message within 5 days of receipt. A disclaimer must accompany secure messages advising the patient to contact the clinic by other means if concern is warranted. If a provider is unavailable to respond in a reasonable time, a designee must be identified.

g) Grammar and content should reflect the professional clinic conversation that would be used with the patient in person. Grammar shortcuts are not acceptable. Only approved abbreviations should be used. Expletive or derogatory comments are not to be included.

h) No PHI may be included in the subject line of a message.

i) The default setting must include the following language in all email messages in accordance with OUHSC policy:

Confidentiality Notice

This email, including any attachments, contains information from clinic name, which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution, or use of the contents of this is prohibited. If you have received this email in error, please notify the sender immediately by a reply to sender only message and destroy all electronic and hard copies of the communication, including attachments.

(2) Message Expiration:

a) Secure Messages will expire in 14 days. Once expired:

b) Notification will be given to the sender that the message has not been retrieved, with the option to manually resend.

c) Documentation in the chart will be retained to show the message was not retrieved.

(3) Attachments:

An attachment may be sent via Secure Email, with the following guidelines:
- Records should not be attached as a mechanism for release of information (see Definition 6, Page 1).
- Only signed test results may be attached.
- For any abnormal result attached, the message must contain in narrative an explanation / interpretation of the abnormal results and any follow-up action needed.
- Attachments may originate only from the patient's chart.

(4) Referrals:

Information on referral appointments may be sent via secure message if the appointment is greater than 14 days out. If the appointment is less than 14 days out, another form of notification must be used.

(5) Inappropriate use of Secure Messaging:

a) By Patients:

Inappropriate use is to be identified by the clinic staff or provider and includes, but is not limited to:
- inappropriate language
- threatening language
- requesting release of information
- requesting medication / treatment without a recent visit

i. Response to inappropriate use shall be via one or more of the following:

Email:
- Redirect to the appropriate entity (i.e., release of information requests are referred to Medical Records)
- Notify the patient of inappropriate use
- Disable Secure Messaging Account

Phone:
- Redirect to the appropriate entity (i.e., release of information requests are referred to Medical Records)
- Notify the patient of inappropriate use
- Disable Secure Messaging Account

Written Response:
- Necessary if the patient is going to be dismissed

b) By OU Staff:

Inappropriate use is to be identified by the Clinic Management. The incident shall be reviewed by the Medical Records Committee. Recommended action shall be carried out by Clinic Management.

Disciplinary action may include, but is not limited to:
- verbal warning
- written warning
- performance improvement plan
- suspension
- termination

Depending upon the severity of the incident, immediate termination may be appropriate.

(8) Patient Passwords:

Patients who are unable to remember their secure messaging password and/or remember the two security questions to reset/change their password must complete a Secure Messaging Password Reset form.

LEGAL/CONTRACT/OUHSC REFERENCE:
- Consent for Electronic Communication via Email
- 45 CFR Parts 160 & 164
- Staff Handbook Section 3.22
- OUHSC HIPAA Privacy-18, Safeguards