Office of Compliance Programs
Confidentiality and Security
(Security for the Electronic
Health Record or other Shared Systems)
- I understand that my institution participates in one or more
shared electronic health records systems and other patient information
“Shared Systems” that contain protected health information (PHI)
belonging to other hospitals/facilities and that my security access may
give me access to this PHI.
- I am the only person
authorized to use my password(s) and user ID(s).
- I will not attempt to access information by using a
password(s)/user ID(s) other than my own.
- If I have any reason to believe that the confidentiality of any
of my password(s)/user ID(s) has been compromised, I will contact the
Information Technology Department or Help Desk immediately.
- I understand that my password(s)/user ID(s) will be inactivated
in any Electronic Health Record or Shared Systems that I have access to
when I no longer have the same responsibilities or scope of services
that require access to these systems. I will immediately report any
such status change to the IT Department or Help Desk of my institution.
- I will abide by all required confidentiality and privacy policies
and maintain the confidentiality, privacy, and security of all
patients’ PHI and will not attempt to access, view, retrieve or
disclose any PHI, including PHI
belonging to another
hospital/facility in a Shared System, except as authorized
by each facility which owns the records, to perform my duties and
responsibilities with authorization from the patient or the patient’s
representative. I understand this includes improperly viewing, for
“curiosity” sake or otherwise, the PHI of family members, friends,
coworkers, or any third party, even if they are receiving treatment at
- I will, prior to accessing the PHI of any patient belonging to
another hospital/facility in a Shared System, follow the proper
procedure or action of that system/hospital or facility (for example:
utilizing the function of “break the glass” if it exists, obtaining
prior authorization, etc).
- I will not make any unauthorized copies of PHI nor will I email
any other hospital/facility PHI from the Shared Systems; I will only
email PHI from my institution if needed for operational purposes if my
facility allows it and I follow my institution’s procedure for secure
transmission of PHI via email.
- I agree to secure (log out or lock) the system before leaving my
workstation and will not leave a computer terminal to which I have
logged in unattended.
- I will protect the accuracy of the PHI I submit or retrieve.
- I understand that all handwritten or printed PHI is confidential
and I will dispose of properly, following required policy, so that the
PHI cannot be accidently disclosed.
- I will immediately report any known breach of the confidentiality
of the system or records/data obtained to my institution’s Privacy
- I understand that medical records confidentiality is required by
law, and that there are federal and state statutes specifically
mandating the confidentiality of, among other areas, mental health,
HIV, and drug and alcohol-related treatment records.
- I understand that in the event of any violation on my part of
confidentiality, or of the above provisions required by Privacy or
Security policies or by HIPAA, or fraudulent application of PHI, I may
be subject to civil or criminal liability and/or disciplinary action
ranging from immediate termination of access to the system, up to and
including termination of employment and/or medical staff privileges at
my home institution.
- I understand audit records exist in the EHR and other shared
systems and they will be monitored/audited; any findings regarding
unauthorized access on my part may lead to disciplinary action.
- I understand that hospital
affiliates should not be accessing
another facility’s records unless he or she has been authorized to
access these records by that facility and has a legitimate treatment,
payment or operations reason. Hospital employees may access another
facility’s records as long as they have a legitimate treatment, payment
or operations reason.
- I understand that if I do not accept these restrictions of
access, I will be denied access or have access terminated to relevant
systems and networks.