COMPLIANCE WITH CONE HEALTH

Patient Privacy and Confidentiality

As an employee providing care, treatment and health care services at Cone Health, I understand and agree that I must keep Cone Health information and all medical and patient information confidential. I am not allowed to access any confidential information or medical record on any information system unless necessary to perform my job duties. I will not access or ask someone to obtain for me my medical information or that of my family or others, unless needed to perform my job duties. I will not discuss, review and/or reveal in any way confidential information that I may have as a result of my employment with Cone Health unless to do so is within my assigned job duties.

It has been explained to me and I understand that I am fully accountable for my actions. Further, I understand that violation of Cone Health policies regarding privacy and confidentiality or any other breach of confidentiality will result in immediate corrective action, up to and including termination as a Cone Health employee. I further understand that I can report any concerns to the Compliance and Privacy Help Line (855-809-3042) or I may also report online at www.ConeHealth. Both methods of communication can be anonymous if I choose and Cone Health has a policy of non-retaliation.

Health Information Portability and Accountability Act (HIPAA)

Cone Health has a moral and legal responsibility to protect the confidential information of patients and employees. In compliance with its accrediting agencies, state and federal regulations, Cone Health requires that all affiliates providing care, treatment and services must protect confidentiality. Failure to do so could result in loss of ability to provide services, care or treatment, one to ten years’ imprisonment, fines from $100,000 to $250,000, or all of the aforementioned as outlined by the Health Information Portability and Accountability Act (HIPAA).
HIPAA requires that we keep Protected Health Information (PHI) secure (this includes oral, written, printed and electronic reports). All hardcopy reports including electronic reports are NOT to leave the department. Patient names or other identifying information must be removed from papers prior to disposal (e.g., shredded, made unreadable with a heavy black marker, or placed in assigned containers/locations).

Sometimes PHI is communicated without intent while performing other normal and permitted activities in our roles; these are called incidental disclosures. These are things such as semi-private rooms and telephone conversations with other departments and cannot be prevented using reasonable measures such as using a lowered voice.

So how can you prevent violations? What do you do if there is a violation? Refer questions about a patient to the nurse. Don’t review charts of patients if you are not involved in their care. Prevent public view of information by closing walleroos and placing charts/records face down. Avoid discussing patients in public areas such as the cafeteria and always be aware of who can hear you. Clearly state, “I can’t talk about it, it’s private” or “we are required to protect the confidentiality of our patients.” To report violations, follow the chain of command. Talk with the nursing instructor and the patient’s nurse.

Unless a patient objects, we can share name and room number with anyone who comes to or calls Cone Health asking for the patient by name. The chart should always be reviewed for restrictions prior to giving out any information, including the fact that the patient is in our facility. If the patient has requested restrictions and you are asked if they are in our facility, simply say, “We have no information about such patient.” Please talk with your preceptor, supervisor or the patient’s nurse if you have any questions about what information can and cannot be shared.