SubPart 50-4 - Intra-Agency Access to and Disclosure of Personal Health-Related Information

Doc Status: 
Complete
Statutory Authority: 
Public Health Law 2786, 206

Section 50-4.1 - Statement of purpose

Section 50-4.1 Statement of purpose.

The purpose of this Subpart is to set forth methods and controls to restrict dissemination and maintain control of confidential personal health-related information within the Department of Health.
 

Effective Date: 
Tuesday, July 4, 1989

Section 50-4.2 - Definition

50-4.2 Definition.

For the purpose of this Subpart, Personal Health Related Information means any information concerning the health of a person which identifies or could reasonably be used to identify a person.
 

Effective Date: 
Tuesday, July 4, 1989

Section 50-4.3 - Access

50-4.3 Access.

(a) Employees or agents of the Department of Health are not to have access to personal health-related information except as part of their official duties.

(b) Access to personal health-related information by an employee is to be authorized by supervisors only after such employee has been trained in the responsibilities associated with access to the information, and has read this Subpart and Public Officers Law Section 74(3)(c).

(c) Agents of the Department may be authorized to have access to specific personal health-related information only when reasonably necessary to perform the specific activities for which they have been designated as agents of the Department of Health.
 

Effective Date: 
Tuesday, July 4, 1989

Section 50-4.4 - Disclosure

50-4.4 Disclosure.

No employee or agent of the Department who has knowledge of personal health-related information in the course of employment shall disclose such information to any other person unless such person is officially authorized access to the information and requires the information to perform an officially designated function.
 

Effective Date: 
Tuesday, July 4, 1989

Section 50-4.5 - Disposition

50-4.5 Disposition.

Documents containing personal health-related information shall be disposed of in a manner in which the confidentiality will not be compromised. Supervisors of units are responsible for control and security of documents until destroyed or control is transferred to an appropriate disposal service.

Records scheduled for long term storage by the Department of Education shall be subject to special provisions in the inter-agency records disposition document for security during storage and ultimate transfer to the archives or destruction.
 

Effective Date: 
Tuesday, July 4, 1989

Section 50-4.6 - Department and operational unit protocols

50-4.6 Department and operational unit protocols.

(a) The Department will promulgate, for use and implementation by all its operational units, standard confidentiality protocols which meet the requirements of this section.

(b) The supervisor of each operational unit in which employees have access to personal health-related information shall prepare protocols for ensuring confidentiality of such information. The protocols shall include as necessary:

(1) measures to ensure that letters, memoranda and other documents containing personal health-related information are accessible only by authorized personnel;

(2) measures to ensure that personal health-related information stored electronically is protected from access by unauthorized persons;

(3) measures to ensure that only personal health-related information necessary to fulfill authorized functions is maintained in the unit;

(4) measures to ensure that staff working with personal health-related information secure such information from casual observance or loss and that such documents or files are returned to confidential storage on termination of use;

(5) measures to ensure that personal health-related information is not inappropriately copied or removed from control of the Department;

(6) measures to provide safeguards to prevent discrimination, abuse or other adverse actions directed toward persons to whom personal health related information applies;

(7) measures to ensure that personal health-related information is adequately secured after working hours;

(8) measures to ensure that transmittal of personal health-related information outside of the unit is authorized only by the director of the unit, other persons designated by the director or in accordance with such protocol;

(9) measures to protect the confidentiality of personal health-related information being transferred within the unit and to other units in the Department;

(10) measures to ensure that documents or files that contain personal health-related information that are obsolete or no longer needed are promptly disposed of in such a manner so as to not compromise the confidentiality of the documents.

(c) Unit protocols for ensuring confidentiality of personal health-related information are to be updated whenever a program activity change renders the established protocol obsolete or inadequate.
 

Effective Date: 
Tuesday, July 4, 1989

Section 50-4.7 - Employee training

50-4.7 Employee training.

(a) Department employees are to be trained with respect to responsibilities and authorization to access personal health related information.

(b) Employees authorized by supervisors to access personal health-related information are to be advised in writing that they shall not:

(1) examine documents or computer data containing personal health related information unless required in the course of official duties and responsibilities;

(2) remove from the unit or copy such documents or computer data unless acting within the scope of assigned duties;

(3) discuss the content of such documents or computer data with any person unless that person has authorized access and the need to know the information discussed;

(4) illegally discriminate, abuse or harass a person to whom personal health-related information applies.
 

Effective Date: 
Tuesday, July 4, 1989

Section 50-4.8 - Employee attestation

50-4.8 Employee attestation.

Each employee, upon receiving training, in conformance with 50-4.7 of this section, shall sign a statement acknowledging receipt of sections 50-4.3(b) and 50-4.7(b) and acknowledging that violation of confidentiality statutes and rules may lead to disciplinary action, including suspension or dismissal from employment and criminal prosecution. Each employee's signed attestation is to be centrally maintained in the employee's personal history file.
 

Effective Date: 
Tuesday, July 4, 1989