Section XIII - Confidentiality Agreement
CONFIDENTIALITY AND COMPLIANCE AGREEMENT FOR PROVIDERS

This Confidentiality and Compliance Agreement applies to all Provider OnBoarding employees, volunteers, students, trainees, job shadowers, and other members of MedStream's respective workforces, including all members of the Provider OnBoarding Staff, who require access to patients' protected health information ("PHI") or other business, proprietary, financial, human resources or other confidential information, data or electronic information systems (collectively, "Confidential Information") of Provider OnBoarding in order to perform their respective work-related or contractual obligations. As a Provider OnBoarding contractor, you are expected to maintain the highest standards of professional and ethical conduct in the course of carrying out your contractual responsibilities. Consistent with such standards, you are ethically and legally bound to protect the confidentiality of any PHI or other Confidential Information to which you have access in the course of performing your contractual or work-related responsibilities.

Confidentiality Requirements. As a Provider OnBoarding contractor, I understand and agree:

  1. To preserve, protect and conscientiously safeguard any and all PHI or other Confidential Information to which I am or become privy in the course of carrying out my responsibilities to Provider OnBoarding.
  2. To respect and maintain the confidentiality of all discussions, deliberations, PHI and any other Confidential Information generated in connection with individual patient care, risk management, and/or performance improvement activities.
  3. That access to all PHI and other Confidential Information is granted to me on a need-to-know basis. A need-to-know is defined as access to information only as it is required to perform my assigned professional duties related to treatment, payment and healthcare operations, or to perform other designated work-related or contractual responsibilities.
  4. To only access or disseminate PHI or other Confidential Information in the performance of my assigned work-related or contractual duties and where required or permitted by law, and in a manner that is consistent with officially adopted policies of Provider OnBoarding. I shall make no disclosure of any discussion, deliberations, patient care records or any other patient care, performance improvement activities or risk management information, except to authorized persons with a 'need to know' in the conduct of Provider OnBoarding’s affairs.
  5. To discuss PHI only for purposes related to treatment, payment, or healthcare operations, or for other lawful purposes, and to not discuss such information with those who do not have a 'need to know' the information. All oral communication of PHI must be communicated in appropriate tones and contain the minimum amount of information needed to accomplish the desired task.
  6. That all references to HIV testing, such as any clinical test or laboratory test used to identify HIV, a component of HIV, or antibodies or antigens to HIV, are specifically protected under law and unauthorized release of confidential HIV information may make me subject to legal and/or disciplinary action.
  7. That the law specifically protects mental health and substance abuse information and that unauthorized release of such information may make me subject to legal and/or disciplinary action.
  8. That I may not remove any PHI or other Confidential Information from Provider OnBoarding or its clients except as permitted by Provider OnBoarding or its clients' policies or specific agreements or arrangements applicable to my situation.
  9. To immediately contact Provider OnBoarding’s Compliance Officer (999-999-9999) if I become aware of any violation of this policy or have any questions about the use or disclosure of PHI or other Confidential Information.
  10. To ensure that all PHI and Confidential Information is kept safe from unauthorized access and locked in desks or file cabinets when not in use.
  11. That my obligation to safeguard PHI and other Confidential Information continues after my duties to Provider OnBoarding or its clients conclude.

Information Systems Requirements. As a Provider OnBoarding contractor, I understand and agree:

  1. That I will be given access to Provider OnBoarding or its clients' Information Systems (collectively, "MIS") to perform my duties and responsibilities related to the services I provide to Provider OnBoarding or its clients, and that I may be subject to legal action for any damages resulting from my willful unauthorized access to or use of PHI or other Confidential Information accessed via MIS.
  2. That for purposes of providing care and treatment to Provider OnBoarding or its clients' patients, to exercise clinical privileges, or for legitimate purposes related to treatment, payment or health care operations, I may access PHI and other Confidential Information via the MIS. I will not access, obtain or use such information unless I need to do so for purposes of patient care or treatment, payment or health care operations, or for other lawful purposes, pursuant to my professional obligations.
  3. To access the minimum amount of information required to perform a legitimate purpose related to treatment, payment or healthcare operations, or other lawful activities, and will sign off from MIS access (on-site or remote) at all other times.
  4. That all required conditions to access information using MIS have been met and that my access is necessary to accomplish my duties for Provider OnBoarding or its clients and that I will not make any unauthorized access, use or disclosure of PHI or other Confidential Information.
  5. To not attempt to gain access to PHI or other Confidential Information of any other patients, including patients who are my friends or my relatives, nor will I attempt to gain access to my own PHI.
  6. To be bound by the terms of all applicable confidentiality, privacy and information security policies ("Provider OnBoarding or its clients' Policies").
  7. To not share my MIS user names and passwords with any other person. I understand that I am responsible for all actions by anyone else using my user name(s) and password(s). I will contact Provider OnBoarding or its clients' Information Security immediately if I have reason to believe that (i) someone else knows my password(s), (ii) my user name(s) or password(s) have been compromised, or (iii) any MedStream or its clients' asset has been lost or compromised in any way.
  8. I understand that I can have no expectation of privacy in connection with my use of MIS. I acknowledge that I am responsible for ensuring the confidentiality of MIS materials and will ensure their proper use in a manner that does not compromise the confidentiality of PHI and other Confidential Information. I agree not to download information obtained from MIS to any portable or remote devices.
  9. To complete all assigned training regarding use of MIS, information privacy, HIPAA requirements, confidentiality, and security.

I understand that failure to comply with Provider OnBoarding or its clients' Policies or my commitments set forth in this Agreement may: (i) be cause for discipline up to and including termination by my employer, (ii) subject me to legal action and/or penalties for improper disclosure of PHI or other Confidential Information, including damages incurred by Provider OnBoarding or its clients, and (iii) be cause for termination of access to MIS. I understand that signing this agreement and complying with its terms are requirements for me to provide any services to Provider OnBoarding or its clients. I hereby acknowledge that I have read and understand the foregoing information and agree to be bound by it.