WOODS & WATER

Medical Center
Rice Lake, Wisconsin

SUBJECT: PATIENT INFORMATION AND CONFIDENTIALITY POLICY

POLICY: In keeping with the values in the WWMC Mission Statement, Woods & Water
Medical Center
respects and will protect every patients right to have all information they
share with healthcare professionals to be kept confidential. It presents
guidelines that can be used to determine what is confidential information,
what is a breach of confidentiality, and the disciplinary process for anyone
who breaches confidentiality.

AFFECTED PARTIES: All Woods & Water Medical Center Employees, Medical Staff,
Contract Staff, Students, Volunteers, and Board of Directors (hereafter
referred to as individuals).

DEFINITIONS:

A. Ownership of InformationWoods & Water Medical Center (WWMC) essentially

owns its medical databases. However, this ownership right is not absolute. In
something akin to a landlord/tenant relationship; WWMC owns the databases, but
the patient has a high-level right of access and control over distribution of their
identifiable information within the databases. Put another way, WWMC is free to
exert control over the physical document or records, but the information within the
health record belongs to the patient. Nevertheless, to the degree that it is a
business record, the providers database is owned by the provider. Both the
ownership and the access concept will be respected by Woods & Water Medical
Center.

B. Confidential Information is information derived from a relationship between

patients and Woods & Water Medical Center employees and medical staff.
Confidential information includes, but is not limited to:

1. Health/Clinical Informationdiagnosiss, treatments, test results, etc.

2. Demographic Informationname, age, address, phone number, etc.
3. Appointment Informationdate, time, reason for appointment and provider,
etc.
4. Insurance/Financial Informationsource of payment, account balance,
account for billing, etc.

C. Need-to-Know is defined as an employee having legal responsibility not to reveal

information about the patients. Employees must access patient information only
when it is necessary to perform and complete their job responsibilities. This
includes employees who are being treated as patients.

Original Date: 8/97 Reviewed/Revised: 11/03 Code GA

Page 1 of 5 Initials: HJ or DP
 D. PropertyHeath records, regardless of the media in which they are maintained,
paper or electronic, are the property of the health care provider, but the health
information contained in the records belongs to the patients, and the patients are
entitled to view the records upon request or can obtain copies. Disclosure of health
information must be done in accordance with the Release of Medical Information
Policy.

PROCEDURE:

I. ORIENTATION/EDUCATION OF EMPLOYEES:

A. Information and education regarding the Confidentiality Policy shall be given

upon General Orientation for new employees and annually for all employees
by their department manager.

B. An employer who needs clarification of the Confidentiality Policy should

speak with his or her manager.

C. In the event of short-term (one or two days) observing or shadowing of

various job/positions at WWMC, this confidentiality policy applies to those
individuals and must be reviewed with them by the appropriate manager.

D. Woods & Water Medical Center will engage in ongoing training for its
employees, medical staff, and vendors, as well as its providers of data,
regarding the importance of protecting privacy. Vendors having employees
within Woods & Water Medical Center will be informed of need for
confidentiality.

II. GUIDELINES

A. Patient information is in many forms: written, verbal, photograph, video, or

electronic format. In all these mediums, information may be used for a variety
of legitimate purposes. For example, patient care, quality review, education,
research, public health, legal and reimbursement. Regardless of its use,
patients must be assured the information they share with healthcare
professionals will remain confidential. Without such assurance, patients may
withhold critical information that could affect the quality and outcome of care,
as well as the reliability of the information. Woods & Water Medical Center may
face legal repercussions, and the bond of trust between patient and Woods &
Water Medical Center is broken. This policy presents guidelines that can be
used to determine what is confidential information, what a breach of
confidentiality is, and the disciplinary process for anyone who breaches
confidentiality.

1. Employees may access patient information only when it is necessary to

perform their job.

Original Date: 8/97 Reviewed/Revised: 11/03 Code GA

Page 2 of 5 Initials: HJ or DP
 2. Gossip, careless remarks, and idle chatter regarding patient information
obtained under 1 above are violations of trust and the patients right to
confidentiality.

3. Employees are not authorized to access medical records, regardless of

the medium in which they are maintained, paper or electronic, to obtain
information on themselves, their spouse, or their dependents. While this
information is about you and your family, and you may have a right to
know, information must be obtained through proper channels. Proper
channels include: calling the attending physician, healthcare provider, or
the Medical Records Department. The Release of Information Policy
outlines the steps required to retrieve information on you or your
dependents. Employees are expected to follow the same procedures as
non-employees.

4. Patient information must be disclosed only upon written authorization by

the patient or his/her legal representative or where such disclosure is
authorized by federal or state law, subpoena, or court order, and in
accordance with the Release of InformationPatient Confidentiality
Policy (GA-31).

5. Contractual arrangements will be made for release of information to any

organization associated with Woods & Water Medical Center and that
contractual arrangement will include a confidentiality clause.

6. Woods & Water Medical Center will assign a unique medical record
number for each patient for tracing purposes, so that the patient names
do not have to be used.

7. Audit trails, masking, passwords, encryption technology, data storage and

other policies at the technical level will be used to further protect patient
privacy.

8. Personnel policies at Woods & Water Medical Center will include

affirmative confidentiality requirements and applicable sanctions.

9. Employees of Woods & Water Medical Center will sign a statement of

confidentiality before receiving passwords to secure systems.

10. Woods & Water Medical Center will establish a structure for internal
monitoring and auditing to ensure that privacy, confidentiality, security
policies, and practices are followed.

11. Woods & Water Medical Center will maintain an audit trail of who
accesses information and any unauthorized access attempts.

12. Woods & Water Medical Center will only use or manipulate patient data
collected for the purpose for which that data was authorized to be
collected.
Original Date: 8/97 Reviewed/Revised: 11/03 Code GA
Page 3 of 5 Initials: HJ or DP
 13. Any information passed to agencies for statistical computations will not
contain any confidential patient record information.

III. MANAGEMENT OF INFORMATON TECHONOLOGY:

A. Computer systems at Woods & Water Medical Center will have a defined set
of users who will receive training on the importance of confidentiality; users
will receive policies and procedures regarding the protection and disclosure
of information.

B. Passwords will be changed periodically, and terminated employees will have

their password authorizations terminated immediately.

C. All computer terminals will automatically log off the system after a set period
of inactivity.

D. Each computer user will be assigned a security level specific to his or her
degree of access as developed by the Information Technology (IT)
Department.

E. All electronic media (tapes, floppies, discs, etc.) produced at Woods & Water
Medical Center will be catalogued and secured.

F. Long-term record management policies and procedures will be developed for

archiving, purging, destroying, sealing, or changing of records and reports.

G. A disaster recovery plan will be developed and tested to assure record

integrity.

H. Antivirus computer software will be implemented on all computer systems.

IV. VIOLATIONS:

A. Individuals observing others violating patient confidentiality in or outside of

the hospital are obligated to report the incident to their manager or the
HIPAA Privacy Officer.

B. Managers and/or appropriate personnel will investigate all alleged violations

of the Patient Information Confidentiality Policy.

C. Individuals found in violation of this policy are subject to disciplinary action,

up to, and including immediate termination. (See the WWMC Employee
HandbookDisciplinary Action.)

D. Physicians in violation will be dealt with by the Medical Staff Executive

Committee (See GA-16Mechanism to Deal with Communication Road
Blocks, Clinical Decisions, and/or Behavior Issues as They Relate to
Medical Staff or Other Credentialed Personnel).

Original Date: 8/97 Reviewed/Revised: 11/03 Code GA

Page 4 of 5 Initials: HJ or DP
APPROVALS:

President Date

Original Date: 8/97 Reviewed/Revised: 11/03 Code GA

Page 5 of 5 Initials: HJ or DP