HIPAA Privacy & Security

Transcription

1 POWERCHART ACCESS REQUEST FORM Instructions: Complete this form for users who are not employed by St. Dominic-Jackson Memorial Hospital that will access St. Dominic Hospital s electronic health record. INITIAL ACCESS REQUEST RENEWAL REQUEST I. USER & CLINIC INFORMATION User Name, including credentials: Job Title: (secure will be sent once access is granted) Check All that Apply: Medical Provider (MD, PA, ARNP, Etc ) Office Staff Other User Clinic/Office Name: Clinic Number Provided by St. Dominic s Address: City, State, Zip Phone number II. EXTERNAL SOFTWARE ACCESS Cerner Powerchart Other III. ACCESS JUSTIFICATION HIPAA allows a provider to access a patient s health information (without a patient signed authorization) for Treatment, Payment, and Healthcare Operations. Even with these exceptions, only the minimum amount of information necessary to complete a job duty should be accessed. Please select the reason below for your access. Check all that apply. Then provide a more detailed response. Treatment Payment Healthcare operations Please describe the reason for requesting access to the System s above: (Describe the purpose of access; Does the activity support official business functions of department; Is the activity critical to department) View Lab Results Only View Radiology Reports Only Other (describe below) 1 June 2017

2 IV. REMOTE ACCESS REQUIREMENTS You will be granted access to Citrix Gateway which will be the way through which you access the EHR. Citrix Gateway is the mechanism through which the remote device you will use attaches to the St. Dominic network allowing you to login to the EHR. St. Dominic s security policy sets minimum security criteria for all PCs that attach to St. Dominic networks. This means that remote clients must also meet the relevant security criteria. The Remote Access device may run hostchecker software to check for the presence of operating system patches, firewall, and anti-virus programs. As a user you are still obligated to follow and confirm that you will follow St Dominic security policies and procedures. Please attest to these security requirements by checking the boxes below. Strong passwords are enforced for all accounts capable of logging into the remote device that will be used to access our network. Sharing of passwords are strictly prohibited. Administrative access granted only to individuals who need it to perform official job functions. Remote device is protected by active filters of firewalls Device is protected by active anti-virus software that updates its virus definition files at least daily. V. USER RESPONSIBILITY System access can be audited. The user whose login is identified during an audit will be held accountable for access violations. If not logged in within 6 months, user account can be disabled. By my signature below, I understand my responsibilities as outlined in the Security Access Guidelines for EHR Use in Non-Hospital Clinics policy. I attest that the information provided in this form is accurate to the best of my knowledge. I have also signed a Nondisclosure Agreement and understand my responsibilities as outlined in that agreement. I understand that providing access to remote users and devices exposes St. Dominic to certain security risks. I will not conduct any activity that is considered high risk. I agree to notify the St. Dominic Security Group when this account is no longer needed so the access can be disabled. I will also notify the St. Dominic Security Group if I become aware of any security problems or threats related to this remote access. User Name (Print): User Signature: Date: Security Administrator Signature: Date: Internal Use Only 2

3 Security Access Guidelines for Electronic Health Record (EHR) Use in Non-Hospital Clinics Applicability Medical Staff members and their office staff who wish to access St. Dominic Hospital s electronic health records in order to enhance the continuum of healthcare to mutual patients. Policy As a courtesy, credentialed providers (and their staff if warranted) and reference laboratory clients are permitted access to St. Dominic s electronic health record or EHR to view pertinent medical record information as it pertains to the functionality of the user s job description. Establishing a Security Administrator The System Administrator will be the primary contact related to the clinic s use of St. Dominic s EHR. This individual s responsibilities include: 1. Ensuring users who gain access to St. Dominic s electronic medical record system have received HIPAA privacy and security training. 2. Training users on St. Dominic s electronic medical record system. 3. *Submitting to St. Dominic s IT Department all requests for access to EHR. 4. Keeping an up to date log of all users with access to St. Dominic s electronic medical record. 5. Notifying St. Dominic s of a user s change of employment status immediately for deactivation purposes. (Termination, Retirement, etc) 6. Reporting any and all known or suspected unauthorized uses and disclosures to St. Dominic s Privacy Officer within 5 business days of the disclosure. *St. Dominic Medical Staff Services will submit to St. Dominic s IT Department all requests for access to EHR related to medical staff members. Access Procedure The following procedures should be followed to acquire EHR access. 1. For each clinic, a Security Administrator must be established. The clinic Office Manager is most commonly delegated this responsibility. Once it is decided who will serve as Security Administrator, a Security Administrator establishment form should be completed and submitted. See Attachment St. Dominic s IT Security Group will provide via a confirmation of System Administrator setup including an assigned clinic number.

4 3. Once a System Administrator has been established, each clinic staff member who is requesting access to St. Dominic s electronic health record must complete an Access Request Form (See Attachment 2) and Nondisclosure Form (See Attachment 3). 4. These forms must be submitted to the St. Dominic s Information Technology Department by the Security Administrator. 5. After verification and *approval, the IT Security group or delegate will assign user credentials. 6. Login information and URL will only be sent to individual users. 7. Security Administrator will be notified that access has been granted. All questions should be directed to the Help Desk at EHR users who fail to log on for a period of six months will automatically be deactivated. *Not all requests for access are guaranteed to be approved. St. Dominic s may limit the number of clinic users who gain access to the EHR. Permitted and Non-Permitted Uses 1. The Hospitals EHR shall only be accessed and used solely for the ongoing treatment of Clinic s patients. 2. The Hospital s EHR shall not be used for any other purpose. Prohibited uses include but are not limited to: personal use, solicitation for outside business ventures, campaigns, and political or religious causes. 3. Clinic user(s) are prohibited from accessing his/her own or another individual s health information because of a personal request, personal curiosity or personal reasons. 4. Clinic user(s) are prohibited from password sharing. Training Clinic is responsible for providing HIPAA training and education to all affiliated users of St. Dominic s EHR. This training should include appropriate access to the EHR and the terms in the Nondisclosure Agreement. Clinic will provide evidence of training and education of its staff upon Hospital request. Confidentiality 1. Clinic shall only access the EHR as permitted by this Policy. Clinic s use of and access to EHR is limited to the Clinic s treatment of mutual patients of the Hospital and Clinic. 2. Security access will be granted to individuals while adhering to the minimal necessary standard. 3. Hospital will routinely conduct random and targeted audits of access to Hospital s EHR system. Clinic shall cooperate with the Hospital audits and any resulting investigation that may involve clinic s access.

5 4. It is the responsibility of Clinic to ensure that unauthorized users are not allowed access to Hospital EHR. 5. Access levels will be established for physicians, clinical staff and office staff respectively, with the understanding while one level may be more extensive than another, user ids and passwords will not be shared between levels. Monitoring of EHR activity will be constant, and those found in violation of this policy will be deactivated. 6. Clinic shall implement and maintain appropriate safeguards to prevent the Use of Disclosure of PHI in any manner other than as permitted by this Policy. These shall include administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it receives, maintains, or transmits from the Hospital and as required by law. Unauthorized Uses and Disclosures Clinic agrees to abide by HIPAA privacy and security regulations with regards to protection of PHI, and must report any and all unauthorized uses and disclosures to the St. Dominic s HIPAA Officer via phone within 5 business days of the known disclosure and via written notice within 10 business days. Attn: HIPAA Officer 969 Lakeland Drive, Jackson, MS Clinic shall provide in such notice the remedial or other actions undertaken to correct the unauthorized Use or Disclosure of PHI. 2. Clinic shall mitigate any harmful effect that is known to the Clinic of a Use or Disclosure of PHI by the Clinic in violation of this Policy. 3. Clinic shall work cooperatively with the Hospital in mitigating and preventing any further unauthorized Use or Disclosure of PHI. Enforcement Violations of this Policy may result in deactivation of all EHR accounts assigned to the violating client.