You must be 18 years of age or older to volunteer in an Inland Imaging clinical facility. We would be happy to have you job shadow or observe one of our providers after your 18th birthday.

Please fill out the following sections of this form. By completing this form, you indicate that you wish to be considered for an unpaid job shadow, observership, or clinical rotation in an Inland Imaging healthcare setting. Before you begin:

• know the days/times you are available to observe,
• have your emergency contact information ready,
• have an e-copy of you immunization records,
• and allot around 1 hour to complete this form.

This form asks questions to determine your eligibility to shadow an Inland Imaging provider in a healthcare setting and takes you through some relevant policies that will apply during your job shadow, clinical rotation, or observership. Please fill out each of the following sections:

1. Observership/Job Shadow Application,

2. Inland Imaging Companies' Oberservership/Job Shadow Policy,

3. HIPAA and Patient Privacy Training & Test, and

4. Emergency Contact Information.

If you are not eligible to job shadow or observe at this time, you will receive a message indicating why you are ineligible and instructing you on how you may become eligible in the future. By completing this form, you agree to follow ALL relevant policies, procedures and laws as they apply to your time in a healthcare setting (even if those policies, procedures, and laws are not included in this form).

After completing this form and clicking submit, please allow 1 month before contacting Inland Imaging regarding your job shadow or rotation placement. Inland Imaging Human Resources can be contacted at (509)363-7305. Inland Imaging gives preference to students currently enrolled in a professional/technical healthcare program contracted with Inland Imaging. Eligible students applying for professional programs in the next year will be placed as job shadow opportunities become available. Even if you are determined to be eligible to job shadow, you may not be able to be placed if a mentor is not available. Please complete this form in its entirety, because this form will not be saved or reviewed until it is completed.

If you selected other, we cannot accommodate clinical rotations with students from schools where we do not have an active contract. You are welcome to conduct a job shadow at Inland Imaging, but we cannot guarantee that you will be able to receive school credit. Please go back in the form and enter your information as a job shadow student. If you believe you are receiving this message in error, please contact Inland Imaging Human Resources at (509)363-7305.

You must either be enrolled in an accredited healthcare professions program or preparing to enroll during the next admission cycle for your request to be considered.

We will be happy to accommodate your request once you are compliant with Inland Imaging's immunity requirements for job shadows.

PURPOSE:

The purpose of this policy is to support and provide valuable educational experience for students and other individuals specifically interested in healthcare operations while providing an environment that is safe for patients, office staff, medical trainees and medical staff; respectful of patients’ rights to privacy and confidentiality; and enhance the experience of the observers.

POLICY:

Inland Imaging, LLC; Integra Imaging, PS; Integra Imaging Business Associates, LLC; Nuvodia, LLC; Seattle Radiologists, APC and the members of their respective workforces (collectively “the Company”), wish to provide students and other individuals specifically interested in healthcare operations with observership/job shadow experiences.

An observership or job shadow is a voluntary experience.

All job shadow requests are coordinated through the Human Resources Department. Observer must provide a statement releasing liability for Company and be over the age of 18. When applicable, a school counselor, teacher or Company employee who is familiar with the observer’s academic background must refer observer to the Company.

Submission of an application is not a guarantee of placement. Human Resources makes final decisions on the ability to provide a shadow experience, and may not be able to accommodate all requests due to staffing.

PLACEMENT PROCESS

The following are the restrictions and/or requirements for shadowing:

• Observer must be 18 years of age or older
• Individuals are required to complete a job shadow application form including all materials within the form.
• All completed applications are to be received at least four (4) weeks prior to the requested date for approval and placement.
• Job shadows/observers are not to exceed 40 hours per calendar year.
• Job shadows/observers are required to provide immunity documentation including results from a TB test and documents demonstrating immunity against measles, mumps, rubella, COVID, Tdap, Hep B, and VZV.

Scheduling will be coordinated by the Human Resources Department with requested department or modality. Each observer shall be assigned to an HR designated supervising individual. Observers must be in the presence of and be directly supervised at all times by the HR designated supervising individual. The HR designated supervising individual will provide the observer with department/modality specific instructions. The observer is expected to follow all instructions regarding infection control, standard precautions, and safety precautions. If situations arise which necessitate the observer leave the observational setting, the HR designated supervisor will enforce removal of the observer.

Individuals requesting a second shadow experience will be expected to re-apply using the initial request process, this form.

Patients must be informed of the presence of observers. An observer’s presence is subject to permission granted by the patient. While an observer is participating in the learning experience, it is expected that the observer:

maintain appropriate behavior while in the facility,

wear visitor identification badge in a visible location on clothing, follow facility appearance/dress code standards.

respect patient’s right to privacy, and successfully pass the appropriate HIPAA training. Any students job shadowing in MRI will also be expected to successfully pass the

appropriate Radiation and MRI Safety training and test.

Since this experience is intended to be strictly observational, observers are not permitted to:

• examine or touch any patient
• interact with any patient independently
• provide medical care.
• conduct a patient interview.
• take a medical history.
• provide medical advice to a patient.
• assist in any procedure.
• handle patient care equipment and supplies as it relates to their care.
• make entries into patient medical records.
• participate in discussion of patient interactions, unless the patient has agreed and granted permission.
• discuss medical conditions with patients or their family members.
• make copies of any patient medical records or other materials identified with patient names or other patient information.

Questions pertaining to patient care are to be directed to the HR designated supervisor.

Violation of Company policies and procedures may constitute a criminal offense under HIPAA, other federal laws, or state laws. Any member of the workforce who violates a policy associated with a criminal law may expect that the Company will provide information concerning the violation to appropriate law enforcement personnel and will cooperate with any law enforcement investigation or prosecution. Violations of Company’s HIPAA-related policies and procedures may constitute violations

of professional ethics and be grounds for professional discipline. Any workforce member, including any observer or volunteer, subject to professional ethics guidelines and/or professional discipline should expect the Company to report such violations to appropriate licensure and/or accreditation agencies and to cooperate with any professional investigation or disciplinary proceedings.

In the event of a HIPAA violation, after final resolution, investigative information and written documentation relating to the violation shall be filed in the Company’s Privacy Official’s confidential files in order to identify the disclosure in any accounting of disclosure requested by the patient or the patient’s representative.

Please review the attached HIPAA training document, then answer the following test questions at the end of this section.

Building a Privacy Foundation

The information in this packet will focus on key concepts and terms included in the Health Insurance Portability and Accountability Act (HIPAA) privacy rule and discuss best practices in maintaining the confidentiality of patients’ health information.

Setting the Standard for Privacy

In section 3, we will be covering concepts that help us build a privacy foundation:

A. HIPAA

B. Patient Bill of Rights

C. Professional Standards of Practice

D. Protected Health Information (PHI)

E. Disclosure of PHI

F. Minimum Necessary Access

HIPAA stands for the “Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. HIPAA Administrative Simplification is intended to

1. Protect privacy of patient individually identifiable health information (IIHI).
2. Establish a patient’s right to access and amend their medical records.
3. Establish a patient's right to obtain a history of disclosures of their information.
4. Improve efficiencies and effectiveness of health care processes;
5. Safeguard data integrity and confidentiality; and
6. Establish security standards for protected information.

Failure to implement HIPAA standards may result in civil or criminal penalties. Health and Human Services (HHS) may impose a penalty not to exceed $100 per individual for one instance of a HIPAA violation. If an individual is found with multiple identical violations, then the penalty is capped at $25,000 during a single calendar year. Depending on the circumstances, criminal penalties may be levied. Healthcare organizations are governed by a variety of standards and regulations depending on the type of healthcare setting. HIPAA enacted sweeping changes by passing privacy standards that apply to most healthcare organizations around the country. HIPAA has placed a spotlight on privacy. However, privacy is not a new issue for healthcare. Maintaining the confidentiality of patient information has always been important.

The Patient Bill of Rights guarantees confidentiality of an individual’s health information. The Patient's Bill of Rights was created to try to reach 3 major goals:

1. To help patients feel more confident in the US health care system; the Bill of Rights: Assures that the health care system is fair and it works to meet patients' needs; Gives patients a way to address any problems they may have; Encourages patients to take an active role in staying or getting healthy.

2. To stress the importance of a strong relationship between patients and their health care Providers.

3. To stress the key role patients play in staying healthy by laying out rights and responsibilities for all patients and health care providers. This bill of rights focuses on hospitals and insurance plans.

Professional practice standards, such as those established by the American Health Information Management Association, outline the basic standards in protecting confidential information. Health information professionals are bound by a code of ethics that requires them to promote and protect the confidentiality and security of health information and health records.

What Must be Kept Confidential?

The HIPAA rules define the type of information that must be kept private by categorizing it as “Protected Health

Information” or PHI for short. Healthcare organizations must have policies in place that maintain the privacy of PHI. Confidential health information is created every time a person visits a doctor or clinic, fills a prescription, is admitted to a hospital, or submits a claim to a medical insurance company. Individually Identifiable Health Information (IIHI) is information that is a subset of health information, including demographic information collected from an individual: is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of

health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

The following information can be considered to be IIHI:

Names

All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code,

and their equivalent geocodes

All elements of dates (except year) for dates directly related to an individual, including birth date, admission

date, discharge date, date of death; all ages over 89

Telephone numbers

Fax numbers

Electronic mail addresses

Social security numbers

Medical record numbers

Health plan beneficiary numbers

Account numbers

Certificate/license numbers

Vehicle identifiers and serial numbers, including license plate numbers

Device identifiers and serial numbers

Web Universal Resource Locators (URLs)

Internet Protocol (IP) address numbers

Biometric identifiers, including finger and voice prints

Full face photographic images and/or any comparable images

Any other unique identifying number, characteristic, or code

What is PHI?

PHI is any and all information about an individual’s physical or mental health that identifies the individual. This includes any type of information found in the medical and billing record, such as a history and physical exam, diagnoses, progress notes, etc. PHI includes demographic information such as name, address, phone/fax number, email address, date of birth, social security number, names of relatives, photographs and any type of information that could identify the individual. PHI exists in many forms. Traditionally, policies have been developed to protect written information such as the medical and billing records. There are policies covering security measures for electronic health records and databases. In addition, there are policies that address to written PHI and orally communicated PHI. As a rule of thumb, private information that you see, hear, or say must be kept in confidence. PHI should only be disclosed for specific purposes related to an individual’s treatment, payment for services they received or related to the operations of the healthcare organization.

Use of PHI

The terms “use” and “disclosure” are important in understanding how to appropriately protect an individual’s privacy while completing one’s job responsibilities. These terms are used frequently in the HIPAA Privacy Rule and may be referred to often. The term “use” refers to how confidential PHI is used within an organization to treat the patient, complete the billing function and support facility operations. You may use PHI in your job by sharing, applying, utilizing, examining or analyzing confidential information. Ready access to treatment and efficient payment for health care are essential to the effective operation of the health care system. Certain health care operations—such as administrative, financial, legal, and quality improvement activities are essential to support treatment and payment. Many individuals expect that their health information will be used and disclosed as necessary to treat them, bill for treatment, and, to some extent, operate the covered entity’s health care

business. To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for treatment, payment, and health care operations activities.

Disclosure of PHI

When to release, transfer, access or divulge PHI to an outside person or entity: Whether the information is released orally, transferred via fax, accessed through the computer system, discretion must be used when disclosing information. The receiving party must be authorized and have a need to know. A covered entity may, without the individual’s authorization use or disclose PHI for its own treatment, payment, and health care operations activities. For example: to provide health care to the individual and may consult with other health care providers about the individual’s treatment; as part of a claim for payment to a health plan; to provide customer service. A covered entity may disclose PHI for the treatment activities of any health care provider (including providers not covered by the Privacy Rule). A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual. A hospital may send a patient’s health care instructions to a nursing home to which the patient is transferred. A covered entity may disclose PHI to another covered entity or a health care provider (including providers not covered by the Privacy Rule) for the payment activities of the entity that receives the information. A physician may send an individual’s health plan coverage information to a laboratory that needs the information to bill for services it provided to the physician with respect to the individual. A hospital emergency department may give a patient’s payment information to an ambulance service provider that transported the patient to the hospital in order for the ambulance provider to bill for its treatment services.

The type of information you need to access depends on what you “need to know” to do your job. Accessing, using or disclosing PHI on a need to know basis to accomplish your job responsibilities is an important concept under HIPAA. It is referred to as “minimum necessary information”. The HIPAA rule requires an organization to define who has access to PHI and identify what they can and cannot access. A covered entity must develop policies and procedures that reasonably limit its disclosures of and requests for PHI for payment and health care operations to the minimum necessary. A covered entity also is required to develop role-based access policies and procedures that limit which members of its workforce may have access to PHI for treatment, payment, and health care operations, based on those who need access to the information to do their jobs. However, covered entities are not required to apply the minimum necessary standard to disclosures to or requests by a health care provider for treatment purposes.

HIPAA requires organizations to do this by:

• Identifying members of the workforce who need access to confidential information.

• Identifying what information can be accessed.

• Limiting access when needed.

How do you know when information is considered private?

If you learned of the information through your job, it is considered private. When you work in a healthcare organization, you are exposed to confidential information all the time. What you do with the information is critical. How do you decide when information is considered private and when it is not? If you see, hear or read information through your job, it is considered confidential and you must keep it to yourself.

Scenario 1:

Q:In doing your job you find out that a friend has come to your facility for treatment. You would like to go see him/her and offer moral support. Can you do this?

A: No. You learned the information through your job and you should not use it for personal reasons.

Scenario 2:

Q:What if the sister of your friend calls you and tells you they are at your facility for treatment? Can you see your friend?

A: Yes. You have learned this outside of your job and can go see your friend to offer moral support.

HIPAA give individuals an array of privacy rights and more control over how their confidential information is used and

disclosed. Here are a couple of scenarios you may encounter.

1. How do I handle an individual asking for access to their records? Individuals have the right of access. You need to route the request to the imaging center’s core (front desk) staff or Medical Records Department. They are familiar with the rules and regulations regarding release of information.

2. How do I handle a parent wanting access to their child’s records? Parents have the right to access their children’s records with some exceptions. Each Imaging Center Core should have a reference list of when and how a minor’s information can be release. You need to route the request to the Core staff or Medical Records Department. They are familiar with the rules and regulations regarding release of information.

3. How do I handle a family member wanting access to the patients information? Where a patient is present and has the capacity to make health care decisions, health care providers may communicate with a patient’s family members, friends, or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object. The provider may ask the patient’s permission to share relevant information with family members or others, may tell the patient he or she plans to discuss the information and give them an opportunity to agree or object, or may infer from the circumstances, using professional judgment, that the patient does not object. A common example of the latter would be situations in which a family member or friend is invited by the patient and present in the treatment room with the patient and the provider when a disclosure is made. Disclosures to family and personal representative:

Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with

family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider

determines, based on professional judgment, that doing so is in the best interests of the patient. Note that, when

someone other than a friend or family member is involved, the health care provider must be reasonably sure that the

patient asked the person to be involved in his or her care or payment for care. In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care. To release the patient’s medical records: the patient must sign an Authorization to Use and Disclose Protected Health Information or the receiving party must be declared a Personal Representative of the patient. A person with legal authority to make health care decisions on behalf of the individual.

Examples of individuals with legal authority to make healthcare decisions for another person:

Health care power of attorney

Court appointed legal guardian

General power of attorney

An unemancipated minor A parent, guardian, or other person acting as parent

with legal authority to make health care decisions on

behalf of the minor child

Deceased A person with legal authority to act on behalf of the

decedent or the estate (not restricted to health care

decisions)

Examples: Executor of the estate

Next of kin

Durable power of attorney

Individuals have the right to request changes be made to their medical records after they have read it. However, the

request will be reviewed or investigated to ensure it is appropriate. When an individual requests an amendment to their PHI, the request should be referred to the Medical Records Department.

What if a co-worker inquires about a patient condition or treatment?

• Determine if it is necessary to their position. Is the disclosure of PHI necessary for the co-worker to do their job? If so, disclose only the information the employee needs to do their job.

• Determine if it is related to the treatment of the patient. If so, disclose only that information that is necessary for treatment of the patient. If the patient’s PHI is not needed for the person to do their job or for treatment of the patient, the confidential information should not be disclosed to them.

There are everyday things you can do beyond the regulations and standards that will help protect patient privacy.

• Review the Notice of Privacy Practices given to each individual and abide by the content. (copy of NPP in packet.)

• Make sure any documents containing PHI are shredded or placed in the locked shred bin. Doing this will help to ensure that the patient’s confidential information is not inadvertently seen by unauthorized individuals.

• If fax and copy machines are used to send or copy PHI, make sure they are located away from public areas.

• Always consider where you are talking about confidential information. Are you in a public area where others can overhear your conversation? Whether you are talking to a patient, family member or other employees, try to keep your conversations from being overheard. If possible move to an unoccupied corner or another room to protect the privacy of PHI.

• Keep PHI out of public areas such as waiting rooms, conference rooms, the top of a nursing station or receptionist desk or on white boards viewable by the public.

• An important aspect of protecting patients’ privacy is keeping their records secure regardless of where they are kept. If a medical record is kept in an office and the office is unattended, how will the record be stored?

• Confidential information and records on computers are kept secure through adherence to facility policies such as

passwords protection. Passwords should be unique to each member of the workforce and never shared or easily

identified.

• Computer screens should be turned or positioned to prevent the public from viewing the information. Privacy screens could be placed over the computer screen so that no one but the person sitting in the chair directly in front of the computer can see what is on it.

• When providing treatment consider where you are and who is around the patient. Help protect the patient by giving them the opportunity for privacy when providing treatment or discussing their condition.

• Recognize the importance of providing quality healthcare with the maximum security of personal healthcare information. It takes all of us to make sure everyone’s PHI is secure.