SCHUYLER COUNTY HOSPITAL DISTRICT AND AFFILIATED ENTITIES

EMPLOYEE HIPAA PRIVACY AND SECURITY AGREEMENT

Sarah D. Culbertson Memorial Hospital (SDCMH) has Privacy and Security Policies to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Department of Health and Human Services (“DHHS”) security and privacy regulations, our duty to protect the confidentiality and integrity of confidential medical information as required by law, and professional ethics.

READ CAREFULLY: As a system user and a hospital employee you hold a position of trust. Any information pertaining to patients and other sensitive information must be held in strict confidence. As an employee of Schuyler District Hospital you are responsible for obeying all local, state, federal, and international laws regarding the use of our network computers. Any attempt to break those laws through the use of the company’s computers or network may result in sanctions along with charges and fines being levied against you through these government entities.

All employees of Schuyler County Hospital District and its entities (for the purposes of this agreement referred to as SDCMH) are required to read the following agreement and acknowledge acceptance of the terms herein by signing where indicated.

1.  I understand that my computer sign-on (user ID) is my own individual identification code for gaining access to the SDCMH Computer System. I understand that my computer sign-on acts as my personal signature when performing all computer activities and is legally binding. I agree that I will not share my login ID and/or password with anyone. In the event that I do share my user ID with another person I will be solely responsible for the other person’s actions.

2.  I must sign off or lock the computer system whenever I leave my computer workstation. I understand that failure to sign off or lock the computer system is a violation of the SDCMH Security Policy and that I am responsible for any and all information accessed with my sign-on.

3.  Any unauthorized deliberate action which damages or disrupts a computer system, alters its normal performance, or causes it to malfunction is a violation regardless of system location. Downloading or copying copyrighted materials, such as third-party software, without the express written permission of the owner or the proper license is prohibited. I understand that I am prohibited from utilizing my computer access for entertainment, commercial, illegal, immoral, and/or unethical purposes. In addition, I understand that the hospital’s e-mail, internet access, and voice mail (which are provided for my use) are for business use only. I hereby agree and understand that the hospital may monitor both e-mails and internet access at will, including the full content therein, without further disclosure to me.

4.  Deletion, examination, copying, or modification of files and/or data belonging to other users without their prior consent is prohibited.

5.  Any attempt to read, delete, copy, or modify electronic mail of other users is prohibited. Any attempt to secure a higher level of network systems access is punishable by disciplinary action up to and including termination per the SDCMH Sanctions Policy.

6.  I will notify Information Technology (IT) if I have reason to believe there may have been a breach of confidentiality and/or I have reason to believe someone has accessed or is using my password.

7.  I understand that I am responsible for notifying Information Technology (IT) should I ever undergo a name change.

8.  Any employee (i.e. staff, student, CMH Friend), or vendor (i.e. Business Associate), viewing any patient information or transporting information outside the facility in the course of their job duties must obtain prior approval from the Privacy Officer and agree to maintain confidentiality.

9.  I understand that the information I access through the hospital system is confidential and is to be used only in the performance of my job or patient related activities. I agree that I will not divulge confidential information unless requested to do so by my supervisor in the performance of my job duties or as required by law.

10.  I understand that it is the responsibility of each employee to understand HIPAA Privacy and Security Regulations regarding any release of protected health information (PHI). Protected Health Information (PHI) includes, but is not limited to, a patient’s name, address, birth date, admission and discharge dates, date of death, telephone number, FAX number, e-mail address, social security number, medical records number, health plan beneficiary number, vehicle identification number, fingerprints, full-face photographic and comparable images, or any identifying number, characteristic or code I have reason to believe may be available to an anticipated recipient of the information.

11.  I will not discuss PHI or confidential information where others can overhear (for example, in hallways, elevators, in the cafeteria and lounges, at social events, and areas of public assembly including areas outside the workplace such as public transportation, restaurants, etc.). I will not disclose or discuss any PHI or Confidential Information with others, including friends or family, who do not have a need to know it. It is not acceptable to discuss PHI or Confidential Information in public areas even if the patient’s name is omitted. Such a discussion may raise doubts among patients, visitors, and the community about our respect for their privacy.

12.  Each employee must agree to use a patient’s protected health information only for reasons necessary to the function of their position within SDCMH. Each employee must understand the term “minimum necessary” in relation to his/her job. Obtaining or using any information which is outside the scope of an employee’s job duties is prohibited and will result in disciplinary action up to and including termination.

13.  I shall not access my patient record or that of a family member or employee unless expressly asked to do so within the scope of my job duties. Failure to comply will result in disciplinary action up to and including termination.

14.  I understand that, as an employee of SDCMH, it is my responsibility to report any violations I witness to the Privacy and/or Security Officer.

15.  Upon terminating my employment, I will immediately return any documents or other media containing confidential information to SDCMH.

16.  I agree to and understand that my obligations will continue after termination of my employment.

I have read the above policy and by signing below agree to comply with the policy as stated. I understand if I share my password, use someone else’s sign-on, or fail to comply with the aforementioned policies, I will be committing a breach of hospital policy and a violation of HIPAA Privacy and Security Regulations. I understand that I must not disclose PHI or Confidential Information, except as such disclosure is part of the performance of my job duties. I further understand that inappropriate disclosure and/or access in any form of confidential information or any breach of Schuyler County Hospital District and its entities’ confidentiality, privacy, and security policies will result in disciplinary action. I understand that any breach described herein may involve the loss of access to the Hospital Computer System and disciplinary action up to and including termination as per the SDCMH Sanction Policy.

User’s Signature: ______ Date: ______

User’s Name & Title (Print): ______ Dept.: ______

Organization (please circle 1): Community Medical Clinic, Elmer Hugh Taylor Clinic, Beardstown Therapy Clinic, Rushville Family Practice, Schuyler County Hospital District (Culbertson Memorial Hospital).

Rev 092613/skl