Page 51 - Privacy_Program

authorization/release of participant information form will be obtained. Forms
                                             expire one year from the date of participant’s signature.

                                             When responding to outside requests for access to PHI, staff members are
                                             responsible for ensuring that a signed authorization/release of participant
                                             information has not expired and must limit information shared as provided in
                                             the authorization form.
         Employees and others   DP102.5      The following physical and technical safeguards for participant PHI will apply:
         with Access to PHI
                                DP102.5a           Current Hard copy files. At 553 Fairview, current participant files
                                                   containing PHI (hard copy records) will be maintained in locked file
                                                   rooms, accessible by a card reader or key with access limited to
                                                   authorized users. At other off‐site S&P locations, current participant files
                                                   containing PHI will be maintained in locked file rooms or file cabinets.
                                                   Only staff members requiring access to provide services or perform other
                                                   assigned job duties requiring access will be granted access.

                                DP102.5b           Archived Files. Archived participant records will be kept in a secured
                                                   location and access limited to authorized staff.

                                DP102.5c           Electronic PHI. Electronic PHI on computers will be held in password
                                                   protected files with access allowed only by those staff members (which
                                                   herein includes contractors, interns and temporary employees) with
                                                   need for the information because their work requires it. Staff members
                                                   with computer access to participant information will log off when
                                                   leaving their computer unattended. Before transporting approved
                                                   mobile devices containing PHI, staff members must log off and shut
                                                   down the device so that an encryption log‐on is required to open the device.

                                                   Staff members may only download PHI if authorized to do their jobs on
                                                   GESMN authorized devices. Examples are encrypted GESMN laptops or
                                                   encrypted non‐Fairview desktops, and approved desktops at 553
                                                   Fairview. Downloading of PHI to smart phones, unencrypted jump drives
                                                   and disks, or other unauthorized devices is strictly prohibited. Staff will
                                                   use approved encryption software (i.e., ZixMail) when e‐mailing PHI
                                                   outside of the organization, even if e‐mailing the PHI is authorized by the
                                                   participant.
                                DP102.5d    Staff will make every effort to protect PHI from incidental disclosures or
                                            disclosures that violate the policies and procedures. Examples of methods
                                            designed to protect PHI from incidental disclosures are:
                                               •   Staff will not leave PHI in plain view. This includes cubicles, by mailboxes
                                                   or other common spaces.
                                               •   Visitors will be escorted when visiting secure areas containing PHI.

                                             Staff will not hold conversations involving PHI in public areas.

                               DP102.5e      Also see Privacy Policy Table of Contents and Data Security Policy Table of
                                             Contents for additional policies that safeguard participant PHI (including
                                             DP‐170 SECURE ACCESS TO PARTICIPANT RECORDS).








          GES CONFIDENTIAL