Page 51 - Privacy_Program
authorization/release of participant information form will be obtained. Forms
expire one year from the date of participant’s signature.
When responding to outside requests for access to PHI, staff members are
responsible for ensuring that a signed authorization/release of participant
information has not expired and must limit information shared as provided in
the authorization form.
Employees and others with Access to PHI
DP102.5 The following physical and technical safeguards for participant PHI will apply:
DP102.5a Current Hard Copy Files. At 553 Fairview, current participant files
containing PHI (hard copy records) will be maintained in locked file
rooms, accessible by a card reader or key with access limited to
authorized users. At other off‐site S&P locations, current participant files
containing PHI will be maintained in locked file rooms or file cabinets.
Only staff members requiring access to provide services or perform other
assigned job duties requiring access will be granted access.
DP102.5b Archived Files. Archived participant records will be kept in a secured
location and access limited to authorized staff.
DP102.5c Electronic PHI. Electronic PHI on computers will be held in password
protected files with access allowed only by those staff members (which
herein includes contractors, interns and temporary employees) with
need for the information because their work requires it. Staff members
with computer access to participant information will log off when
leaving their computer unattended. Before transporting approved
mobile devices containing PHI, staff members must log off and shut
down the device so that the encryption log-on is required to open the device.
Staff members may download PHI only if authorized, to do their jobs, on
GESMN authorized devices. Examples are encrypted GESMN laptops or
encrypted non‐Fairview desktops, and approved desktops at 553
Fairview. Downloading of PHI to smart phones, unencrypted jump drives
and disks, or other unauthorized devices is strictly prohibited. Staff will
use approved encryption software (i.e., ZixMail) when e‐mailing PHI
outside of the organization, even if e‐mailing the PHI is authorized by the
participant.
DP102.5d Staff will make every effort to protect PHI from incidental disclosures or
disclosures that violate the policies and procedures. Examples of methods
designed to protect PHI from incidental disclosures are:
• Staff will not leave PHI in plain view. This includes cubicles, by mailboxes
or other common spaces.
• Visitors will be escorted when visiting secure areas containing PHI.
• Staff will not hold conversations involving PHI in public areas.
DP102.5e Also see Privacy Policy Table of Contents and Data Security Policy Table of
Contents for additional policies that safeguard participant PHI (including
DP‐170 SECURE ACCESS TO PARTICIPANT RECORDS).
GES CONFIDENTIAL