WOODS & WATER MEDICAL CENTER

Rice Lake, Wisconsin

SUBJECT: PATIENT INFORMATION AND CONFIDENTIALITY POLICY

POLICY: In keeping up with the values in the WWMC Mission Statement, Woods & Water Medical
Center respects, and will protect every patients right, to have all information they share with healthcare
professionals to be kept confidential. It presents guidelines that can be used to determine what is confidential
information, what a breach of confidentiality is, and the disciplinary process for anyone who breaches
confidentially.

EFFECTED PARTIES: All Woods & Water Medical Center Employees, Medical Staff, Contract Staff, Students,
Volunteers, and Board of Directors (hereafter referred to as individuals).

DEFINITIONS:

A. Ownership of InformationWoods and Water Medical Center (WWMC) essentially owns its medical
databases. Once again, this ownership right is not absolute, and something like a landlord/tenant
relationship. WWMC owns the databases, but the patient has a high-level right of access and control
over distribution of their identifiable information within the databases. To put this another way,
WWMC is free to exert control over the physical document or records, but the information with the
health record belongs to the patient. Ownership and the access concept will be respected by Woods &
Water Medical Center.

B. Confidential Information- is information derived from a relationship between patients and Woods &
Water Medical Center employees and medical staff. Confidential information includes, but is not
limited to:

1. Health/Clinical Informationdiagnosiss, treatments, test results, etc.

2. Demographic Informationname, age, address, phone number, etc.
3. Appointment Informationdate, time, reason for appointment and provider, etc.
4. Insurance/Financial Informationsource of payment, account balance, account for billing, etc.

C. Need-to-Know- is defined as an employee having legal responsibility not to reveal information about
the patients. Employees must access patient information only when it is necessary to perform and
complete their job responsibilities. This includes employees who are being treated as patients.

D. PropertyHeath records, regardless of the media in which they are maintained, paper or electronic,
are the property of the health care provider. The health information contained in the records belongs
to the patients, and the patients are entitled to view the records upon request or are able to obtain
copies. Disclosure of health information must be done in accordance with the release of medical
information policy.

PROCEDURE:
Original Date: 8/97 Reviewed/Revised: 11/03 Code GA
Page 1 of 5 Initials: HJ or DP
 I. ORIENTATION/EDUCATION OF EMPLOYEES:

A. Information and education regarding the Confidentiality policy, shall be given upon general
orientation for new employees, and annually for all employees by their department manager.

B. An employer who needs clarification of theConfidentiality policy, should speak with his or her
manager.

C. In the event of short-term (one or two days), observing or shadowing, of various job/positions
at WWMC, this confidentiality policy applies to those individuals and must be reviewed with
them by the appropriate manager.

D. Woods & Water Medical Center will engage in ongoing training for their employees, medical
staff, and vendors, as well as their providers of data, regarding the importance of protecting
privacy. Vendors having employees within Woods & Water Medical Center will be informed of
need for confidentiality.

II. GUIDELINES

A. Patient information is in many forms: written, verbal, photograph, video, or electronic

format. In these, information may be used for a variety of legitimate purposes, for example,
patient care, quality review, education, research, public health, legal,and reimbursement.
Regardless of its use, patients must be assured the information they share with healthcare
professionals, will remain confidential. Without such assurance, patients may withhold
critical information that could affect the quality and outcome of care, as well as the
reliability of the information. Wood & Water Medical Center may face legal aspects, and
bond of trust between patient and Woods & Water Medical Center may be broken. This
policy presents guidelines that can be used to determine what is confidential information,
what a breach of confidentiality is, and the disciplinary process for anyone who breaches
confidentiality.

B. Employees, may access patient information only when it is necessary to perform their job.

C. Gossip, careless remarks, and idle chatter, regarding patient information, obtained under
I above are violations of trust and the patients right to confidentiality.

D. Employees are not authorized to access medical records, regardless of the media in which
they are maintained. While this information may be about you and your family, and you
may have a right to know, information must be obtained through proper channels. Proper
channels include calling the attending physician, healthcare provider, or the Medical
Records Department. The Release of Information Policy outlines the steps required to
retrieve information on you or your dependents. Employees are expected to follow the
same procedures as non-employees.

E. Patient information must be disclosed only upon written authorization by the patient or
his/her legal representative or where such disclosures are authorized by federal or state

Original Date: 8/97 Reviewed/Revised: 11/03 Code GA

Page 2 of 5 Initials: HJ or DP
 law, subpoena, or court order, and in accordance with the Release of InformationPatient
Confidentiality Policy (GA-31).

1. Contractual arrangements will be made for release of information to any organization

associated with Woods & Water Medical Center and that contractual arrangement will
include a confidentiality clause.

2. Woods & Water Medical Center will assign a unique medical record number for each
patient for tracking purposes, so that the patient names do not have to be used.

3. Audit trails, masking, passwords, encryption technology, data storage, and other policies at
the technical level, will be used to further protect patient privacy.

4. Personnel policies at Woods & Water Medical Center will include affirmative confidentiality
requirements and applied sanctions.

5. Employees of Woods & Water Medical Center will have signed a statement of
confidentiality, before receiving password to secure systems.

6. Wood & Water Medical Center will establish a structure for internal monitoring and
auditing to ensure that privacy, confidentiality, and security policies and practices, are
followed.

7. Wood & Water Medical Center will maintain an audit trail of who accesses what
information and any unauthorized access attempts.

8. Wood & Water Medical Center will only use or manipulate patient data collected for the
purpose for which that data was authorized to be collected.

9. Any information passed to agencies for statistical computations will not contain any
confidential patient record information.

II. MANAGEMENT OF INFORMATON TECHONOLOGY:

A. Computer systems at Woods & Water Medical Center, will have a defined set of users who will
receive training on the importance of confidentiality; users will receive policies and procedures
regarding the protection and disclosure of information.

B. Passwords will be changed periodically, and terminated employees will have their password
authorizations terminated immediately.

C. All computer terminals will automatically log off the system, after a set period of inactivity.

D. Each computer user will be assigned a security level specific to his or her degree of access as
developed by the Information Technology (IT) Department.

E. All electronic media (tapes, floppies, discs, etc.) produced at Woods & Water Medical Center
will be catalogued and secured.
Original Date: 8/97 Reviewed/Revised: 11/03 Code GA
Page 3 of 5 Initials: HJ or DP
 F. Long-term record management policies and procedures will be developed for archiving,
purging, destroying, sealing, or changing of records and reports.

G. A disaster recovery plan will be developed and tested to assure record integrity.

H. Antivirus computer software will be implemented on all computer systems.

III. VIOLATIONS:

A. Individuals observing others violating patient confidentiality in or outside of the hospital, are
obligated to report the incident to their manager or the HIPPA Privacy Officer.

B. Managers and/or appropriate personnel will investigate all alleged violations of the Patient
Information Confidentiality Policy.

C. Individuals found in violation of this policy are subject to disciplinary action, up to and including
immediate termination. (See the WWMC Employee HandbookDisciplinary Action.)

D. Physicians in violation will be dealt with by the Medical Staff Executive Committee (See GA-
16Mechanism to Deal with Communication Road Blocks, Clinical Decisions, and/or Behavior
Issues as They Relate to Medical Staff or Other Credentialed Personnel).

APPROVALS:

President Date

Original Date: 8/97 Reviewed/Revised: 11/03 Code GA

Page 4 of 5 Initials: HJ or DP