Form 0195 (08/21) Page 1 of 2
CONFIDENTIALITY AGREEMENT
For protection and to respect the privacy, confidentiality and security of all confidential information ("CI"), this Confidentiality
Agreement ("Agreement") is entered into by and between all employees, medical staff, students, volunteers, vendors, and any others
who are permitted access,
and Munson Healthcare (defined as the following entities, subsidiaries and/or affiliates: Munson Healthcare; Kalkaska
Memorial Health Center; Munson Healthcare Foundations; Munson Dialysis Center; Munson Healthcare Cadillac; Munson Healthcare
Charlevoix Hospital; Munson Healthcare Grayling Hospital; Munson Healthcare Manistee Hospital; Munson Healthcare Otsego
Memorial Hospital; Munson Home Care; Munson Home Services; Munson Medical Center; Munson Medical Group; Munson Mobile
Imaging, Inc.; Munson Services, Inc.; Munson Support Services; North Flight, Inc.; Paul Oliver Memorial Hospital; Sixth Street Drugs,
Inc.) which shall be collectively referred to as "Munson".
CI includes: 1) Patient information (such as, medical records, billing records, and conversations about patients) and
2) confidential business information of Munson (such as, information concerning employees, physicians, hospital
contracts, financial operations, quality improvement, peer review, utilization reports, risk management
information, survey results, and research).
I understand and agree to only access, use or disclose CI for job related purposes, and will limit access, use
or disclosure to the minimal amount necessary to perform my job.
Further, I agree that:
1. I will protect the privacy and security of Munson information, including the electronic medical record (EMR) in
accordance with all Munson policies.
2. I will not access the EMR out of curiosity or concern (for example, when a patient is a family member, friend, child,
ex-spouse, co-worker, neighbor or VIP), but only for a job related need.
3. I will not visit patients socially, for non-work related reasons, without first obtaining their permission.
4. I will complete all required privacy and security training and annual HIPAA Healthstream training.
5. I will not maintain CI on a personal mobile device that is not encrypted and/or password protected.
6. I will not send CI by email unless properly encrypted.
7. I will not share passwords or allow EMR access to a computer under my login credentials.
8. I will not enter a restricted area in the hospital without an official job related need or authorization.
9. I will not dispose of any paper or media with identifiable CI on it in the regular trash, but will use shredders, confidential
bins or Information Systems to destroy materials.
10. I will immediately report to my supervisor any suspected privacy or security breach, or privacy error made in the course
of normal scope of work.
11. I will safeguard all Munson and personal equipment from theft and improper use.
12. I understand that any Munson device may be audited, including access to medical records, use of email and websites,
and that there is no expectation of privacy.
13. I understand that I am responsible for complying with all Munson privacy and security policies.
14. I understand that all privacy and security breaches are investigated, documented and reported and that disciplinary
consequences apply, up to and including termination. Civil fines or criminal penalties may also apply.
15. I understand that my duty to maintain the confidentiality of information as described here remains in effect even after
my relationship with Munson, and/or access to Munson systems has ended.
I have read and understand the information noted above.
Signature:          Date: 08/16/2024
Printed Name: Sri Mitali Choudhry          Employee ID: 107469
See next page for tips on how to avoid a privacy breach.
GUIDELINES FOR AVOIDING A PRIVACY BREACH
Do:
1. You must have a work related need-to-know, prior to accessing a medical record and your manager must
agree on this job related need.
2. Do utilize the patient portal for all medical information needs for yourself and others when there is no work
related need.
3. Do use confidential trash bins, or shredder, when disposing of any identifiable patient information.
4. Do use extra care when handing out or mailing PHI to make sure no paperwork goes to the wrong
patient.
5. Do always use a fax cover sheet when faxing PHI and be sure to double check the fax number for accuracy
prior to faxing.
6. Do ask patient permission prior to discussion of any medical information in front of visitors.
Do Not:
1. Do Not disclose patient information to anyone who does not have a job related need - whether at work or at
home, verbally or in writing, by text, photo or email or especially, by social media.
2. Do Not use the medical record to seek information on family, friends, spouses, children, ex-spouses or
co-workers even if doing so is out of curiosity or concern. Remember that audits occur daily.
3. Do Not access the EMR using another's password, or access a computer when another is logged on.
4. Do Not use the EMR to check on the condition of a patient transferred from your department, floor, or facility
unless you have a valid job related need to know - and your manager agrees.
5. Do Not verbally disclose lab results to anyone who does not have a work related need to know.
6. Do Not ask patients or coworkers you see at the hospital why they are in the hospital, unless you have a work
related need to know.
7. Do Not visit patients, including co-workers (as patients), in the hospital unless they have invited you to, or
you know with certainty they welcome visitors. It could be interpreted as an invasion of privacy.
8. Do Not access census sheets or patient lists where you are not currently assigned.
9. Do Not acknowledge the presence in the hospital of a patient who is opted out (unless the patient has given
out their privacy code to that person).
10. Do Not leave PHI in boxes or in unsecured areas such as public hallways, restrooms, unprotected storage,
or other public areas.
11. Do Not discuss patients in public areas, such as the cafeteria or hallways, where conversations can be
easily overheard.