Current through Register Vol. 46, No. 43, October 23, 2024
Section 50-4.6 - Department and operational unit protocols

(a) The Department will promulgate, for use and implementation by all its operational units, standard confidentiality protocols which meet the requirements of this section.

(b) The supervisor of each operational unit, in which employees have access to personal health-related information, shall prepare protocols for ensuring confidentiality of such information. The protocols shall include as necessary:

(1) measures to ensure that letters, memoranda and other documents containing personal health-related information are accessible only by authorized personnel;

(2) measures to ensure that personal health-related information stored electronically is protected from access by unauthorized persons;

(3) measures to ensure that only personal health-related information necessary to fulfill authorized functions is maintained in the unit;

(4) measures to ensure that staff working with personal health-related information secure such information from casual observance or loss and that such documents or files are returned to confidential storage on termination of use;

(5) measures to ensure that personal health-related information is not inappropriately copied or removed from control of the Department;

(6) measures to provide safeguards to prevent discrimination, abuse or other adverse actions directed toward persons to whom personal health-related information applies;

(7) measures to ensure that personal health-related information is adequately secured after working hours;

(8) measures to ensure that transmittal of personal health related information outside of the unit is authorized only by the director of the unit, other persons designated by the director or in accordance with such protocol;

(9) measures to protect the confidentiality of personal health-related information being transferred within the unit and to other units in the Department;

(10) measures to ensure that documents or files that contain personal health-related information that are obsolete or no longer needed are promptly disposed of in such a manner so as to not compromise the confidentiality of the documents.

(c) Unit protocols for ensuring confidentiality of personal health-related information are to be updated whenever a program activity change renders the established protocol obsolete or inadequate.

N.Y. Comp. Codes R. & Regs. Tit. 10 §§ 50-4.6