Categories
Articles

SRHS Policy: Protection of Personal Information

SRHS Policy: Protection of Personal Information

Policy Number and Title:  SRHS-P-30 Protection of Personal Information

Effective Date:  October 1, 2008

Revision Dates:

Review Dates: 10/13/2009

I. SCOPE
This policy applies to all employees, vendors, outside contractors and members of the medical staff of the Saint Raphael Healthcare System (“SRHS”) and System affiliates.

II. EXCLUSIONS FROM SCOPE:  None

III. POLICY AUTHOR:  Corporate Compliance and Internal Audit, Finance and Information Services

IV. PURPOSE:  The purpose of this policy is to ensure that the personal information of individuals who disclose such information to employees of SRHS is appropriately protected from misuse by third parties.

V. POLICY:

As used in this policy, personal information is defined as information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number, or a health insurance identification number.

Personal information does not include publicly available information that is lawfully made available to the general public from public, state or local government records or widely distributed media.

Personal information shall remain confidential and not be disclosed except as allowed by law and SRHS policy.

Data, computer files, and documents containing personal information shall be protected from misuse by third parties and shall be destroyed, erased or made unreadable prior to disposal.

PROCEDURE

l. Employees with access to SRHS clinical and administrative systems are assigned system access by job title and responsibility.  A system access form is completed for each employee and updated as responsibilities and job descriptions change.

2. SRHS employees complete yearly Corporate Compliance training that addresses access to personal information and an employee’s obligation to maintain the confidentiality of personal information.

3. Documents containing personal information shall be shredded according to SRHS internal policies, including SRHS Administrative Policy SRHS-R-10 Record Retention

4. Information Services regularly and routinely evaluates printed reports to ensure elimination of nonessential personal information.

5. Information Services conducts ongoing evaluations of electronic media to ensure the collection of personal information is limited.

6. SRHS patient identification policies define alternative identifiers for patients who choose not to reveal social security numbers.

7. Information Services regularly evaluates interfaces to other electronic media to ensure the removal of personal information whenever reasonable and possible.

8. Suspected breaches in confidentiality should be reported to Corporate Compliance and Internal Audit, the Healthcare ValuesLine, Risk Management, Patient Relations, or the Privacy or Security Officers.

9. This policy and information regarding SRHS protection of personal information shall be publicly displayed on the SRHS Internet.  The policy is also available to employees on the SRHS Intranet.

VI. REFERENCES
Connecticut Public Act 08-167, An Act Concerning the Confidentiality of Social Security Numbers


Page last updated on Oct. 28, 2009