eft.allina.com
167.177.40.202
Public Scan
Submitted URL: https://eft.allina.com/anonymous/bde9caa4-cc54-41d6-94b3-debd76828b14/
Effective URL: https://eft.allina.com/messageportal
Submission: On December 11 via manual from US — Scanned from DE
Form analysis
1 forms found in the DOM
<form _ngcontent-mop-c121="" novalidate="" class="flex-form ng-untouched ng-pristine ng-valid">
<div _ngcontent-mop-c121="" class="checkboxes"><!---->
<div _ngcontent-mop-c121="" class="ng-star-inserted"><mat-checkbox _ngcontent-mop-c121="" formcontrolname="privacyPolicyCheckbox" class="mat-checkbox mat-accent ng-untouched ng-pristine ng-valid" id="mat-checkbox-1"><label
class="mat-checkbox-layout" for="mat-checkbox-1-input"><span class="mat-checkbox-inner-container"><input type="checkbox" class="mat-checkbox-input cdk-visually-hidden" id="mat-checkbox-1-input" tabindex="0" aria-checked="false"><span
matripple="" class="mat-ripple mat-checkbox-ripple mat-focus-indicator"><span class="mat-ripple-element mat-checkbox-persistent-ripple"></span></span><span class="mat-checkbox-frame"></span><span class="mat-checkbox-background"><svg
version="1.1" focusable="false" viewBox="0 0 24 24" xml:space="preserve" class="mat-checkbox-checkmark">
<path fill="none" stroke="white" d="M4.1,12.7 9,17.6 20.3,6.3" class="mat-checkbox-checkmark-path"></path>
</svg><span class="mat-checkbox-mixedmark"></span></span></span><span class="mat-checkbox-label"><span style="display: none;"> </span><span _ngcontent-mop-c121="">I consent to the Privacy Policy</span></span></label></mat-checkbox>
</div><!----><!----><!---->
</div><button _ngcontent-mop-c121="" mat-raised-button="" color="primary" type="submit" class="mat-focus-indicator continue-button mat-raised-button mat-button-base mat-primary mat-button-disabled" disabled="true"><span class="mat-button-wrapper">
Continue </span><span matripple="" class="mat-ripple mat-button-ripple"></span><span class="mat-button-focus-overlay"></span></button>
</form>
Text Content
Privacy Policy

Allina Health will implement appropriate safeguards to protect Protected Health Information (PHI) and Personally Identifiable Information (PII) in accordance with applicable federal and state laws and regulations, and professional standards. Protected Health Information includes Personally Identifiable Information, and as such, this policy will use the term PHI to apply to both.

Prepared at the direction, request and in furtherance of the purposes of a review organization and should not be shared outside of Allina Health or its Affiliates. Protected under Wis. Stat. 146.38 and Minn. Stat. 145.61 et seq.

Allina Health workforce members and others who access Allina Health PHI or PII will use appropriate administrative, physical and technical safeguards to protect against improper use, access, or disclosure of PHI as necessary to maintain and protect against threats to the integrity and security of the information. Business Units within Allina Health are responsible to evaluate the necessary safeguards to protect the privacy and security of PHI that is created, displayed, stored, accessed or used, and to consult with the Privacy Officer and/or Chief Information Security Officer, or their delegate, to determine appropriate safeguards for the PHI. Allina Health workforce members are required to ensure appropriate agreements exist with business associates of Allina Health that create, display, store, access or process PHI for Allina Health. See Business Associate Contracting Policy. Allina Health will perform a Risk Analysis and establish a Risk Management Plan as appropriate to address identified risks to PHI and identify appropriate safeguards for protection of the PHI, and will periodically review and update the Risk Analysis and Risk Management Plan. Allina Health will take reasonable steps to verify the identity and authority of individuals before allowing the individuals to access PHI or disclosing PHI to those individuals.
All physical documents or media containing PHI, including patient charts and other records, billing records, reports, images (scanned, electronic, film, etc.) must be stored securely (e.g., locked in file cabinets, drawers, or rooms). Individuals and leaders responsible for the documents and media should consider the location and accessibility of the PHI in determining the best manner in which to secure it.

Generally, Allina Health PHI (including charts, files, daily work assignments, other printed documents, equipment, computer disks, tapes or other records or media) should not be removed from Allina Health facilities except by individuals authorized to remove PHI for specific work-related purposes, such as to work at home, transport the information to another Allina Health site for work purposes, or to provide patient care at a different location. PHI removed from an Allina Health premises or that can be accessed remotely is Allina Health property and appropriate safeguards must be used to protect the privacy and security of the PHI according to this policy and other applicable Information Security policies. The PHI must be returned to Allina Health when the off-site business purpose is complete.

Allina Health prohibits sharing any patient information on social media unless approved by Allina Health Marketing and Communications, including audio, video, photographs, written comments, live streaming and so on. This includes, but is not limited to, posting or uploading to social media applications like Facebook, Instagram, Snapchat, Twitter, YouTube and “closed/private” forums (e.g., non-public Facebook page), “private” group pages, professional organization pages, and commenting on existing posts.
This policy is not intended to prohibit communications necessary to facilitate the delivery of timely, efficient, and high-quality patient care. Workforce members may make reasonable judgements when they believe urgent care-related considerations require a temporary exception to these requirements. Where an exception to one of the standards described in this policy is needed for an urgent care-related need, the scope of the exception should not be any broader than necessary to meet the legitimate patient care need. Contact the Privacy Office, or Information Security, for assistance after applying an exception in these circumstances.

For exceptions to, or situations not covered by the procedures associated with this policy, Allina Health staff or other system user must consult with the Privacy Office and/or Information Security to determine which safeguards are feasible and appropriate to protect the privacy and security of Allina Health PHI.

Each employee or system user is responsible to understand this policy and to use the safeguard procedures as described below. Allina Health will apply appropriate sanctions for violations by employee or other system users, as described in the Reporting and Responding to Potential PHI and PII Privacy & Security Incidents.

Allina Health is not established in the European Union (“EU”), and does not offer goods and services to individuals in the EU or monitor individuals in the EU, therefore Allina Health’s current operations do not subject it to the territorial reach of the General Data Protection Regulation (“GDPR”).

DEFINITIONS: Privacy & Security Glossary of Terms

PROCEDURES:

I. Safeguards when communicating, using and storing PHI

A. Verbal Communications about Patients

* Minimize discussions about patients when within hearing distance of visitors, other patients, providers and/or others who are present but are not involved in the patients’ care.
To the extent practical, avoid use of patient identifiers (such as the patient’s name or address) during the conversation.
* Avoid discussion of identifiable patient characteristics in public elevators, cafeterias or other public areas whenever possible.
* When possible, use consultation rooms, close doors or step away to a more private space to prevent others from overhearing conversations about patients.
* When necessary to discuss patient information in a waiting room or other area within hearing distance of others, speak in quiet tones and to the extent possible, avoid use of patient identifiers.
* Avoid announcements (e.g., intercom or overhead paging) revealing the patient’s identity together with the nature of a patient’s condition (e.g., “Mrs. Brown, the psychiatrist is ready to see you now”).
* Limit discussions of PHI in front of visitors or other patients to information necessary to facilitate the patient’s care.
* When an individual has accompanied the patient or is visiting the patient:
  * If it appears from the circumstances that the patient agrees or does not object to the person remaining in the room, it is okay to proceed.
  * If the patient’s wishes are not apparent, notify the patient that you will be discussing PHI or ask the visitor to step out of the room during the conversation (e.g., “I’d like to talk with Joe about his care. Would you like to take a seat in the waiting room?”)

B. Paper Documents, Printed Photos, and other Non-Electronic Media that include PHI

Take reasonable steps to secure paper records containing PHI from access or viewing by individuals who do not have a need to see or know the information, including but not limited to the following:

* Lock cabinets, drawers, closets and offices containing the documents or media when feasible.
* Store documents in monitored or secured areas, such as behind a desk.
* Use cover sheets, place documents in file folders or face down.
* File documents as soon as possible when finished with them.
* Route to printers, copiers and fax machines shielded from public view or located in secured or regularly monitored areas.
* Remove documents promptly from printers, copiers and fax machines.
* Dispose of the documents or media properly as described below.
* Do not remove documents from Allina Health premises unless necessary and permitted to perform your job duties.

C. Displays or Postings

Displays of PHI should be limited to those needed to provide timely, efficient, and high-quality care, or where the patient has granted permission for the posting. The following are examples of displays which may be needed to support patient care:

* Posting of precautions on a hospital patient’s door
* Patient care plan on white board in patient’s room
* Track Board in the ED and Surgery
* Track Boards at a nursing station
* Sign-In Sheets

Reasonable measures should be taken to use only the necessary information for the display. For example, sign in sheets and track boards that may be viewed by visitors generally should not include the patient’s condition or diagnosis, and should only include the patient identifiers needed to support patient care. Reasonable measures should also be taken to reduce the likelihood that unauthorized individuals will view the information, such as placement of track boards behind a desk or in an area with less visitor traffic. If a patient has granted permission for a posting, the information may be displayed as described in the permission granted by the patient.

D. Telephone & Voice Messages

Verify the identity of the caller or person who answered the phone before beginning the conversation. Use established department verification procedures that have been developed in consultation with the Privacy Office. If a person other than the patient answers, use established procedures for determining whether the person is involved in the patient’s care and whether the patient has agreed to this person’s involvement.
In those cases, limited information may be provided to individuals involved in the patient’s care. When it may be helpful or necessary to leave detailed PHI in voice messages, confirm with the patient or legal representative the phone number and the patient’s agreement to receive these detailed messages. Document this discussion and agreement by the patient or legal representative. If you are unsure whether the patient would agree to have detailed PHI in the voice message, leave only the minimum necessary information needed to assure the patient returns the call or if needed to assure the provision of timely, efficient and high quality care. Do not leave PII in voice messages.

E. Digital Pages & Text Messages

In general, pages and texting should not be used to send PHI; however, where communication of PHI by page or text supports the provision of timely, efficient, and high-quality care, limited PHI may be sent to accomplish this purpose. Paging and texts should not be used as the primary method for managing or maintaining information related to patient care processes, such as patient scheduling or treatment notes. If patient care related content is exchanged by page or text, the user must ensure that appropriate information from the communication is documented in the patient’s medical record. Digital pages and texts should include only the information needed to communicate to the provider or other recipient. It may include description of the patient’s condition or treatment if needed to support treatment.

When PHI is used in pages or texts, the following safeguards should be used:

* Use the minimum amount of identifiers that are necessary to accomplish the purpose.
* Delete all pages and texts as soon as you have acted on them and no longer need the information contained in the page or text.
* Verify the pager or text number before sending the page or text.
* If you use page-copy functionality to receive copies of pages or texts on your personal smart phone, delete the message from the device and any backup or cloud storage as soon as work related to the page or text is completed.

F. Copiers and Facsimile (FAX)

Generally, faxing of PHI should be limited to circumstances where other delivery methods are not feasible or the need to deliver the information is urgent or time sensitive. When a fax is received or stored as an electronic document, follow the appropriate safeguards for electronic documents that store PHI. When technically possible, a cover sheet must be faxed with the PHI for both external and internal faxes. The cover sheet should include the following information:

* recipient’s name;
* sender’s name;
* date;
* number of pages;
* a statement that the information is confidential and should be read only by the identified recipient; and
* instructions for any unintended recipient who receives the fax.

The sender must verify that the number entered matches the intended number before sending the fax. Allina Health owned or managed machines should be used to fax or copy PHI as fax or copy machines may store copies of the images on the machine hard drive. Copies and faxes should be removed from the machine and work area as promptly as possible to avoid inadvertent viewing or pick up by others.

G. Email

Email of PHI

Email may be used to send PHI to carry out Allina Health business or for other permitted purposes (including to patients as described below). Emails with PHI are subject to all Allina Health email policies and procedures, as described in Information Security policies. Email containing PHI must be sent securely following the Secure Email Procedure. Additional safeguards that should be used whenever emailing PHI include:

* Validate the email address before sending the message.
* Verify that no additional email addresses are included.
* Limit the number of recipients to those who need to receive the information.
* Include only the PHI necessary to carry out the task.
* When forwarding emails with PHI consider whether the recipients will need all of the PHI included in an email string; remove PHI in the string if not needed by the new recipients.
* Never forward or send an email containing PHI to user’s own nonbusiness/personal email account.
* Do not send an email containing PHI to an email account which is known to be accessible by someone who is not authorized to view the PHI, except that an account specifically identified by patient for email communication of PHI may be used, even if the account may be a jointly used account.
* After completion of the task(s) relating to an email containing PHI, remove the email from the inbox by either deleting it or storing it in a secure file when it is necessary to retain the email, e.g., limited access shared drive or L drive.

Encryption when sending outside Allina Health

Encryption must be used when sending any PII outside of Allina Health, which includes emails that are sent to any email address that is not an Allina issued and managed email account. If a patient requests that Allina Health communicate PHI by email without encryption, staff should consult with the Privacy Office to address the request. Health Information Management (“HIM”) has a process in place to respond to patient requests that PHI be sent unencrypted by email.

Special Instructions for Email of PHI between Allina Health and the patient or patient’s legal representative

Emails between Allina Health and a patient or a patient’s legal representative are subject to the general rules for email of PHI. In addition, the following requirements apply:

* Electronic medical record messaging functionality, such as Excellian MyAccount (MyChart) medical messaging, should be used to electronically send PHI to patients, whenever available.
In other situations, email may be used to send PHI to patients, the patient’s legal representative or to others involved in the patient’s care when needed to help carry out treatment, payment and health care operations related to the patient’s care at Allina Health. Before sending PHI to the patient by email, users should confirm the patient’s agreement to receive PHI by email which may include a direct request by the patient, an email initiated by the patient or legal representative, or the patient’s response to a request for their agreement to use email to communicate about their care and services.
* Any department that routinely uses email to communicate PHI with patients or legal representatives should work with the Privacy Office, who, in consultation with Information Security will determine procedures for staff to follow when emailing patients or legal representatives.
* E-mail should not be used as the primary method for managing or maintaining information related to delivery of patient care, such as patient scheduling or treatment documentation. If email is used by providers to exchange care-related information with a patient, the provider must ensure that appropriate information from the communication also is documented in the patient’s medical record.

H. Outlook & Electronic Calendars

Events in Allina Health approved electronic calendars that are potentially shared with others should not contain PII and should contain PHI only if necessary to support the delivery of patient care. PHI never should be included in shared calendars solely for convenience. In cases where it is necessary to include PHI, consult with the Privacy Office. The calendar should include only the minimum necessary information to accomplish the purpose. Avoid use of diagnosis or patient condition (reason for visit or visit type may be used when necessary.)
PHI should never be included in online calendars outside of Allina Health’s Outlook, including those linked to personal email or accounts.

I. Electronic Transmissions or Uploads of PHI

Employees must follow Allina Health Information Security requirements for electronic transmissions or uploads of PHI. When entering or uploading PHI on to websites, ensure secure methods are used (e.g., ensure “https:” appears in the web address or the lock symbol is present). Consult with the IS Service Desk for further instructions to send a file containing PHI outside of the Allina Health system and when use of secure email or a secure website is not available. All electronic transmissions of PHI must follow the Secure Electronic Data Transfer Policy.

J. Portable Electronic Media and Mobile Devices

Mobile devices, including laptops, smartphones, tablets, and flash drives used to access, store or transmit PHI must follow safeguards for preventing theft or unauthorized use of the devices or media described in the Information Security requirements for these devices. See the Mobile Device Security Policy, Portable Electronic Media Policy and Workstation Security Policy.

Local drives (e.g., C drive, desktop, Outlook emails, documents library)

PHI should be placed and stored on local drives only when needed to accomplish a business purpose and must be moved to a more secure location (generally, system drives such as restricted access folder area of the S Drive), or entered into the patient chart if the information is part of the medical record, as soon as possible.

K. Workstations

Workstations where PHI is accessed should be located away from high traffic or public areas whenever possible. Monitors used to access PHI should be positioned or shielded (e.g., privacy screens) so that information on the screen is not easily viewed by unauthorized persons. Users must log out or lock any application that allows access to PHI before leaving the workstation unattended.
Users must secure workstations (e.g., activate the password-protected screen-saver or log out of all applications and the network) as necessary to avoid access to PHI by an unauthorized person. Workstations that provide access to PHI must use password-enabled screen-savers or time out after a period of inactivity. See Workstation Security Policy. Mobile workstations (e.g., workstation on wheels or computer on wheels) and devices must be secured when not in use and not left unattended in areas where they could be accessed or removed by unauthorized individuals.

Local drives (e.g., C drive, desktop, Outlook emails, documents library)

PHI should be placed and stored on local drives only when needed to accomplish a business purpose and must be moved to a more secure location (generally, system drives such as restricted access folder area of the S Drive), or entered into the patient chart if the information is part of the medical record, as soon as possible. Additional standards relating to the management of workstations are documented in the Workstation Security Policy.

L. Medical Devices

Each medical device has its own safeguarding and security standards. See the specifics for the medical device and/or reach out to Information Security’s Medical Device Security team.