Policy Manual sample

MDT Home Health Care Agency, Inc. 1.2 Each user will sign a User and Confidentiality Access Agreement (Exhibit B). 1.3 Agency will issue passwords and user identification (“ID”) to access Agency’s IT system to each individual user once the completed forms are submitted. Such passwords and IDs may not be shared with any other individual or entity. 1.4 Re-authorization for access to the Agency’s EHR will be reviewed and re-authorized every two years along with the Agency Staff reappointment process. 1.5 Department Head will notify the Agency within three business days of the departure (employment relationship or otherwise) of Agency’s staff who has access to Agency’s EHR, so that the Agency may discontinue such access. 2. Permitted and Non-Permitted Uses 2.1 The Agency’s IT system to access EHR shall only be accessed and used solely for the ongoing treatment/care/data entry of Agency’s patients. 2.2 The Agency’s IT system shall not be used for any other purpose. Prohibited uses include but are not limited to: personal use, solicitation for outside business ventures, campaigns, and political or religious causes. 2.3 Staff is prohibited from storing, displaying, or disseminating obscene, offensive, harassing, or discriminatory textual or graphical materials on the Agency’s IT system. 2.4 Staff is not permitted to access his/her own or another individual’s health information because of a personal request, personal curiosity or personal reasons. 2.5 Staff will not permit any other person or entity to access, publish, or pass on User’s password to access the Agency’s IT system and EHR, whether in electronic, print, or other form. 3. Electronic Health Record IT 3.1 The Agency will provide Staff with access to Agency EHR subject to a licensing agreement with its IT vendors. 3.2 The Agency will assist a Staff with obtaining the necessary IT which is to be used solely to create, maintain, transmit, or receive EHR. 3.3 The Agency will provide Staff with minimum IT hardware requirement specifications in order for Staff to ensure Agency’s IT systems can support Agency’s EHR. Staff is responsible for acquiring IT hardware and ensuring IT hardware meets minimum requirements to access EHR. 3.4 Staff is responsible for installation, operation, and ongoing maintenance of the IT hardware associated with communications between Agency’s IT system and Agency’s IT system. 3.5 At times and manner convenient to the Agency, the Agency will provide Staff training for remote access of the Agency’ IT system (if applicable). Agency will not provide any support for hardware owned or used by a Staff. 3.6 Staff is responsible for HIPAA training and education, including appropriate access to EHR and the terms in the User and Confidentiality Agreement. Staff will provide evidence of training and education of its staff upon Agency request. 4. Confidentiality 4.1 All EHR available through the Agency’s IT system is confidential. 4.2 Staff shall only access the Agency IT system and EHR as permitted by this Policy. Agency’s use of and access to EHR is limited to the Agency’s treatment of mutual patients of the Agency and Staff. 4.3 Staff will only access Agency’s IT system in the minimal amount necessary to obtain EHR for the provision of health care/data entry services to the Agency’s patients. 4.4 Agency will routinely conduct random and targeted audits of access to Agency’s IT system. Staff shall cooperate with the Agency audits and any resulting investigation that may involve Agency’s access. 4.5 Agency may track and monitor Agency’s access into the Agency IT system. Staff and Users do Home Health Agency Policies A-173