eft.allina.com
167.177.40.202  Public Scan

Submitted URL: https://eft.allina.com/anonymous/bde9caa4-cc54-41d6-94b3-debd76828b14/
Effective URL: https://eft.allina.com/messageportal
Submission: On December 11 via manual from US — Scanned from DE

Form analysis 1 forms found in the DOM

<form _ngcontent-mop-c121="" novalidate="" class="flex-form ng-untouched ng-pristine ng-valid">
  <div _ngcontent-mop-c121="" class="checkboxes"><!---->
    <div _ngcontent-mop-c121="" class="ng-star-inserted"><mat-checkbox _ngcontent-mop-c121="" formcontrolname="privacyPolicyCheckbox" class="mat-checkbox mat-accent ng-untouched ng-pristine ng-valid" id="mat-checkbox-1"><label
          class="mat-checkbox-layout" for="mat-checkbox-1-input"><span class="mat-checkbox-inner-container"><input type="checkbox" class="mat-checkbox-input cdk-visually-hidden" id="mat-checkbox-1-input" tabindex="0" aria-checked="false"><span
              matripple="" class="mat-ripple mat-checkbox-ripple mat-focus-indicator"><span class="mat-ripple-element mat-checkbox-persistent-ripple"></span></span><span class="mat-checkbox-frame"></span><span class="mat-checkbox-background"><svg
                version="1.1" focusable="false" viewBox="0 0 24 24" xml:space="preserve" class="mat-checkbox-checkmark">
                <path fill="none" stroke="white" d="M4.1,12.7 9,17.6 20.3,6.3" class="mat-checkbox-checkmark-path"></path>
              </svg><span class="mat-checkbox-mixedmark"></span></span></span><span class="mat-checkbox-label"><span style="display: none;">&nbsp;</span><span _ngcontent-mop-c121="">I consent to the Privacy Policy</span></span></label></mat-checkbox>
    </div><!----><!----><!---->
  </div><button _ngcontent-mop-c121="" mat-raised-button="" color="primary" type="submit" class="mat-focus-indicator continue-button mat-raised-button mat-button-base mat-primary mat-button-disabled" disabled="true"><span class="mat-button-wrapper">
      Continue </span><span matripple="" class="mat-ripple mat-button-ripple"></span><span class="mat-button-focus-overlay"></span></button>
</form>

Text Content

Pickup
Profile



Privacy Policy

Allina Health will implement appropriate safeguards to protect Protected Health
Information (PHI) and Personally Identifiable Information (PII) in accordance
with applicable federal and state laws and regulations, and professional
standards. Protected Health Information includes Personally Identifiable
Information, and as such, this policy will use the term PHI to apply to both.

Prepared at the direction, request and in furtherance of the purposes of a
review organization and should not be shared outside of Allina Health or its
Affiliates. Protected under Wis. Stat. 146.38 and Minn. Stat. 145.61 et seq.

Allina Health workforce members and others who access Allina Health PHI or
PII will use appropriate administrative, physical and technical safeguards to
protect against improper use, access, or disclosure of PHI as necessary to
maintain and protect against threats to the integrity and security of the
information. Business Units within Allina Health are responsible to evaluate the
necessary safeguards to protect the privacy and security of PHI that is created,
displayed, stored, accessed or used, and to consult with the Privacy Officer
and/or Chief Information Security Officer, or their delegate, to determine
appropriate safeguards for the PHI.

Allina Health workforce members are required to ensure appropriate agreements
exist with business associates of Allina Health that create, display, store,
access or process PHI for Allina Health. See Business Associate Contracting
Policy.

Allina Health will perform a Risk Analysis and establish a Risk Management Plan
as appropriate to address identified risks to PHI and identify appropriate
safeguards for protection of the PHI, and will periodically review and update
the Risk Analysis and Risk Management Plan.

Allina Health will take reasonable steps to verify the identity and authority of
individuals before allowing the individuals to access PHI or disclosing PHI to
those individuals.

All physical documents or media containing PHI, including patient charts and
other records, billing records, reports, images (scanned, electronic, film,
etc.) must be stored securely (e.g., locked in file cabinets, drawers, or
rooms). Individuals and leaders responsible for the documents and media should
consider the location and accessibility of the PHI in determining the best
manner in which to secure it.

Generally, Allina Health PHI (including charts, files, daily work assignments,
other printed documents, equipment, computer disks, tapes or other records or
media) should not be removed from Allina Health facilities except by individuals
authorized to remove PHI for specific work-related purposes, such as to work at
home, transport the information to another Allina Health site for work purposes,
or to provide patient care at a different location.

PHI removed from an Allina Health premises or that can be accessed remotely
is Allina Health property and appropriate safeguards must be used to protect the
privacy and security of the PHI according to this policy and other applicable
Information Security policies. The PHI must be returned to Allina Health when
the off-site business purpose is complete.

Allina Health prohibits sharing any patient information on social media unless
approved by Allina Health Marketing and Communications, including audio, video,
photographs, written comments, live streaming and so on. This includes, but is
not limited to, posting or uploading to social media applications like
Facebook, Instagram, Snapchat, Twitter, YouTube and “closed/private” forums
(e.g., non-public Facebook page), “private” group pages, professional
organization pages, and commenting on existing posts.

This policy is not intended to prohibit communications necessary to facilitate
the delivery of timely, efficient, and high-quality patient care. Workforce
members may make reasonable judgements when they believe urgent care-related
considerations require a temporary exception to these requirements. Where an
exception to one of the standards described in this policy is needed for an
urgent care-related need, the scope of the exception should not be any broader
than necessary to meet the legitimate patient care need. Contact the Privacy
Office, or Information Security, for assistance after applying an exception in
these circumstances.

For exceptions to, or situations not covered by, the procedures associated with
this policy, Allina Health staff or other system users must consult with the
Privacy Office and/or Information Security to determine which safeguards are
feasible and appropriate to protect the privacy and security of Allina Health
PHI.

Each employee or system user is responsible to understand this policy and to use
the safeguard procedures as described below. Allina Health will apply
appropriate sanctions for violations by employees or other system users, as
described in the Reporting and Responding to Potential PHI and PII Privacy &
Security Incidents.

Allina Health is not established in the European Union (“EU”), and does not
offer goods and services to individuals in the EU or monitor individuals in the
EU, therefore Allina Health’s current operations do not subject it to the
territorial reach of the General Data Protection Regulation (“GDPR”).


DEFINITIONS: Privacy & Security Glossary of Terms
PROCEDURES:
I. Safeguards when communicating, using and storing PHI

A. Verbal Communications about Patients


 * Minimize discussions about patients when within hearing distance of visitors,
   other patients, providers and/or others who are present but are not involved
   in the patients’ care. To the extent practical, avoid use of patient
   identifiers (such as the patient’s name or address) during the conversation.
 * Avoid discussion of identifiable patient characteristics in public elevators,
   cafeterias or other public areas whenever possible.
 * When possible, use consultation rooms, close doors or step away to a more
   private space to prevent others from overhearing conversations about
   patients.
 * When necessary to discuss patient information in a waiting room or other area
   within hearing distance of others, speak in quiet tones and to the extent
   possible, avoid use of patient identifiers.
 * Avoid announcements (e.g., intercom or overhead paging) revealing the
   patient’s identity together with the nature of a patient’s condition (e.g.,
   “Mrs. Brown, the psychiatrist is ready to see you now”).
 * Limit discussions of PHI in front of visitors or other patients to
   information necessary to facilitate the patient’s care.
 * When an individual has accompanied the patient or is visiting the patient:
    * If it appears from the circumstances that the patient agrees or does not
      object to the person remaining in the room, it is okay to proceed.
    * If the patient’s wishes are not apparent, notify the patient that you will
      be discussing PHI or ask the visitor to step out of the room during the
      conversation (e.g., “I’d like to talk with Joe about his care. Would you
      like to take a seat in the waiting room?”)

B. Paper Documents, Printed Photos, and other Non-Electronic Media that include
PHI

Take reasonable steps to secure paper records containing PHI from access or
viewing by individuals who do not have a need to see or know the information,
including but not limited to the following:

 * Lock cabinets, drawers, closets and offices containing the documents or media
   when feasible.
 * Store documents in monitored or secured areas, such as behind a desk.
 * Use cover sheets, place documents in file folders or face down.
 * File documents as soon as possible when finished with them.
 * Route to printers, copiers and fax machines shielded from public view or
   located in secured or regularly monitored areas.
 * Remove documents promptly from printers, copiers and fax machines.
 * Dispose of the documents or media properly as described below.
 * Do not remove documents from Allina Health premises unless necessary and
   permitted to perform your job duties.

C. Displays or Postings

Displays of PHI should be limited to those needed to provide timely, efficient,
and high-quality care, or where the patient has granted permission for the
posting. The following are examples of displays which may be needed to support
patient care:

 * Posting of precautions on a hospital patient’s door
 * Patient care plan on white board in patient’s room
 * Track Board in the ED and Surgery
 * Track Boards at a nursing station
 * Sign-In Sheets




Reasonable measures should be taken to use only the necessary information for
the display. For example, sign in sheets and track boards that may be viewed by
visitors generally should not include the patient’s condition or diagnosis, and
should only include the patient identifiers needed to support patient care.

Reasonable measures should also be taken to reduce the likelihood that
unauthorized individuals will view the information, such as placement of track
boards behind a desk or in an area with less visitor traffic.

If a patient has granted permission for a posting, the information may be
displayed as described in the permission granted by the patient.

D. Telephone & Voice Messages

Verify the identity of the caller or person who answered the phone before
beginning the conversation.

Use established department verification procedures that have been developed in
consultation with the Privacy Office. If a person other than the patient answers,
use established procedures for determining whether the person is involved in the
patient’s care and whether the patient has agreed to this person’s involvement.
In those cases, limited information may be provided to individuals involved in
the patient’s care.

When it may be helpful or necessary to leave detailed PHI in voice messages,
confirm with the patient or legal representative the phone number and the
patient’s agreement to receive these detailed messages. Document this discussion
and agreement by the patient or legal representative. If you are unsure whether
the patient would agree to have detailed PHI in the voice message, leave only
the minimum necessary information needed to assure the patient returns the call
or if needed to assure the provision of timely, efficient and high quality care.

Do not leave PII in voice messages.

E. Digital Pages & Text Messages

In general, pages and texting should not be used to send PHI; however, where
communication of PHI by page or text supports the provision of timely,
efficient, and high-quality care, limited PHI may be sent to accomplish this
purpose.

Paging and texts should not be used as the primary method for managing or
maintaining information related to patient care processes, such as patient
scheduling or treatment notes. If patient care related content is exchanged by
page or text, the user must ensure that appropriate information from the
communication is documented in the patient’s medical record.

Digital pages and texts should include only the information needed to
communicate to the provider or other recipient. It may include description of
the patient’s condition or treatment if needed to support treatment.

When PHI is used in pages or texts, the following safeguards should be used:

 * Use the minimum amount of identifiers that are necessary to accomplish the
   purpose.
 * Delete all pages and texts as soon as you have acted on them and no longer
   need the information contained in the page or text.
 * Verify the pager or text number before sending the page or text.
 * If you use page-copy functionality to receive copies of pages or texts on
   your personal smart phone, delete the message from the device and any backup
   or cloud storage as soon as work related to the page or text is completed.

F. Copiers and Facsimile (FAX)

Generally, faxing of PHI should be limited to circumstances where other delivery
methods are not feasible or the need to deliver the information is urgent or
time sensitive.

When a fax is received or stored as an electronic document, follow the
appropriate safeguards for electronic documents that store PHI.

When technically possible, a cover sheet must be faxed with the PHI for both
external and internal faxes. The cover sheet should include the following
information:

 * recipient’s name;
 * sender’s name;
 * date;
 * number of pages;
 * a statement that the information is confidential and should be read only by
   the identified recipient; and
 * instructions for any unintended recipient who receives the fax.

The sender must verify that the number entered matches the intended number
before sending the fax.

Allina Health owned or managed machines should be used to fax or copy PHI as fax
or copy machines may store copies of the images on the machine hard drive.

Copies and faxes should be removed from the machine and work area as promptly as
possible to avoid inadvertent viewing or pick up by others.

G. Email

Email of PHI
Email may be used to send PHI to carry out Allina Health business or for other
permitted purposes (including to patients as described below). Emails with PHI
are subject to all Allina Health email policies and procedures, as described in
Information Security policies. Email containing PHI must be sent securely
following the Secure Email Procedure.

Additional safeguards that should be used whenever emailing PHI include:

 * Validate the email address before sending the message.
 * Verify that no additional email addresses are included.
 * Limit the number of recipients to those who need to receive the information.
 * Include only the PHI necessary to carry out the task.
 * When forwarding emails with PHI consider whether the recipients will need all
   of the PHI included in an email string; remove PHI in the string if not
   needed by the new recipients.
 * Never forward or send an email containing PHI to user’s own
   nonbusiness/personal email account.
 * Do not send an email containing PHI to an email account which is known to be
   accessible by someone who is not authorized to view the PHI, except that an
   account specifically identified by patient for email communication of PHI may
   be used, even if the account may be a jointly used account.
 * After completion of the task(s) relating to an email containing PHI, remove
   the email from the inbox by either deleting it or storing it in a secure file
   when it is necessary to retain the email, e.g., limited access shared drive
   or L drive.

Encryption when sending outside Allina Health
Encryption must be used when sending any PII outside of Allina Health, which
includes emails that are sent to any email address that is not an Allina issued
and managed email account.

If a patient requests that Allina Health communicate PHI by email without
encryption, staff should consult with the Privacy Office to address the request.
Health Information Management (“HIM”) has a process in place to respond to
patient requests that PHI be sent unencrypted by email.

Special Instructions for Email of PHI between Allina Health and the patient or
patient’s legal representative
Emails between Allina Health and a patient or a patient’s legal representative
are subject to the general rules for email of PHI. In addition, the following
requirements apply:

 * Electronic medical record messaging functionality, such as Excellian
   MyAccount (MyChart) medical messaging, should be used to electronically send
   PHI to patients, whenever available. In other situations, email may be used
   to send PHI to patients, the patient’s legal representative or to others
   involved in the patient’s care when needed to help carry out treatment,
   payment and health care operations related to the patient’s care at Allina
   Health. Before sending PHI to the patient by email, users should confirm the
   patient’s agreement to receive PHI by email which may include a direct
   request by the patient, an email initiated by the patient or legal
   representative, or the patient’s response to a request for their agreement to
   use email to communicate about their care and services.
 * Any department that routinely uses email to communicate PHI with patients or
   legal representatives should work with the Privacy Office, who, in
   consultation with Information Security will determine procedures for staff to
   follow when emailing patients or legal representatives.
 * E-mail should not be used as the primary method for managing or maintaining
   information related to delivery of patient care, such as patient scheduling
   or treatment documentation. If email is used by providers to exchange
   care-related information with a patient, the provider must ensure that
   appropriate information from the communication also is documented in the
   patient’s medical record.

H. Outlook & Electronic Calendars

Events in Allina Health approved electronic calendars that are potentially
shared with others should not contain PII and should contain PHI only if
necessary to support the delivery of patient care. PHI never should be included
in shared calendars solely for convenience.

In cases where it is necessary to include PHI, consult with the Privacy Office.
The calendar should include only the minimum necessary information to accomplish
the purpose. Avoid use of diagnosis or patient condition (reason for visit or
visit type may be used when necessary.)

PHI should never be included in online calendars outside of Allina Health’s
Outlook, including those linked to personal email or accounts.

I. Electronic Transmissions or Uploads of PHI

Employees must follow Allina Health Information Security requirements for
electronic transmissions or uploads of PHI. When entering or uploading PHI on to
websites, ensure secure methods are used (e.g., ensure “https:” appears in the
web address or the lock symbol is present). Consult with the IS Service Desk for
further instructions to send a file containing PHI outside of the Allina Health
system and when use of secure email or a secure website is not available. All
electronic transmissions of PHI must follow the Secure Electronic Data Transfer
Policy.

J. Portable Electronic Media and Mobile Devices

Mobile devices, including laptops, smartphones, tablets, and flash drives used
to access, store or transmit PHI must follow safeguards for preventing theft or
unauthorized use of the devices or media described in the Information Security
requirements for these devices. See the Mobile Device Security Policy, Portable
Electronic Media Policy and Workstation Security Policy.

Local drives (e.g., C drive, desktop, Outlook emails, documents library)
PHI
should be placed and stored on local drives only when needed to accomplish a
business purpose and must be moved to a more secure location (generally, system
drives such as restricted access folder area of the S Drive), or entered into
the patient chart if the information is part of the medical record, as soon as
possible.

K. Workstations

Workstations where PHI is accessed should be located away from high traffic or
public areas whenever possible.

Monitors used to access PHI should be positioned or shielded (e.g., privacy
screens) so that information on the screen is not easily viewed by unauthorized
persons.

Users must log out or lock any application that allows access to PHI before
leaving the workstation unattended. Users must secure workstations (e.g.,
activate the password-protected screen-saver or log out of all applications and
the network) as necessary to avoid access to PHI by an unauthorized person.
Workstations that provide access to PHI must use password-enabled screen-savers
or time out after a period of inactivity. See Workstation Security Policy.

Mobile workstations (e.g., workstation on wheels or computer on wheels) and
devices must be secured when not in use and not left unattended in areas where
they could be accessed or removed by unauthorized individuals.

Local drives (e.g., C drive, desktop, Outlook emails, documents library)
PHI
should be placed and stored on local drives only when needed to accomplish a
business purpose and must be moved to a more secure location (generally, system
drives such as restricted access folder area of the S Drive), or entered into
the patient chart if the information is part of the medical record, as soon as
possible.

Additional standards relating to the management of workstations are documented
in the Workstation Security Policy.

L. Medical Devices

Each medical device has its own safeguarding and security standards. See the
specifics for the medical device and/or reach out to Information Security’s
Medical Device Security team.



