Cerner Corporation

Responsible Associates:     All Associates
Reference:

   Source References, 01LT012200

General:

As a manufacturer of clinical and management information systems, Cerner assists its clients in the implementation and support of Cerner solutions in their healthcare institution(s).   Cerner systems are designed to automate the process of healthcare by accumulating data on patient care, maintaining this data in a central repository and providing access to data for users of clinical and management information across a healthcare system. 

As privacy regulations become effective in the United States as well as in countries outside of the United States, our clients will be required to protect the privacy of patient information. Since Cerner provides implementation and support for different healthcare institutions, Cerner supports the requirement to protect patient privacy. In addition, Cerner also provides managed services such as remote hosting, remote system monitoring, disaster recovery, data warehousing and Application Management Services, in which we may act as the custodian of the protected health information for certain clients. With these offerings Cerner not only has access to provider-based personal health information, but also performs many of a provider’s custodial duties as well. It is imperative to provide standards that all Cerner Associates and our Consultants must follow in order to protect the privacy of patient health information they may come into contact with through the services Cerner provides.

Policy:

Cerner Corporation and its controlled affiliates (“Cerner”) require that all associates in all Cerner locations comply with this Protection of Patient Information Policy. It is mandatory for associates to ensure the proper use of this protected health information as we assist our clients in implementing and supporting their information systems. No Cerner Associate or Consultant should engage in any activity that may inappropriately use or disclose patient information.  Inappropriate use or disclosure of patient information is defined by Cerner and includes any action taken that is outside of the user’s role or is not necessary in order to perform their job duties. 

Cerner Corporation also relies on its clients to assume responsibility for the protection of patient information.  Clients are responsible for informing patients about the purpose for which information about them is collected and used, for protecting that information once it has been collected, and for not disclosing that information without providing clear notice to the patient. Additionally, clients should give patients the opportunity to choose whether their personal medical or health information is to be disclosed to Cerner.  Clients should also have a mechanism in place for patients to inquire or complain regarding how information about them is collected and used.

Method of Enforcement:

Misuse of patient information, or review of patient information that is not applicable to an associate’s job duties, should be reported.
Any Associate or Consultant that is aware of any violation of this policy for handling patient identifiable information should report the violation.  Any Associate or Consultant that violates this policy, or who fails to report a violation of this policy, will be subject to appropriate disciplinary actions, which may include termination.

In addition, associate training records will be periodically assessed to ensure that associates have attended the required training (see the corporate Training Policy in the Quality Manual). These training records, along with verification that procedures are in place for a group’s processes in support of this policy, will be reviewed as part of Cerner’s internal audit process.

Cerner Obligations

It is Cerner’s responsibility to:

  • Take reasonable precautions to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
  • Take reasonable steps to ensure that no personal information is processed in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.
  • Take reasonable steps to ensure that data is reliable, accurate, complete and current, to the extent necessary for its intended use.
  • Disclose information to a third party only if it first ascertains that the third party will provide at least the same level of privacy protection as is required of Cerner.

Cerner Associate/Consultant Obligations

It is the Associate’s/Consultant’s responsibility to:

  • Understand and comply with Cerner’s Rules of the Road, which are located on Cerner’s Knowledge Repository and also viewable upon entering Cerner’s network.  
  • Know and understand the importance of maintaining the privacy of patient health information. 
  • Know and understand what data should be considered confidential.
  • Shred any patient information that has been printed in hard copy form once it is no longer needed.
  • Transmit patient information by secure means only. 
  • Enroll in the appropriate training required for all Associates (see the Training Policy in the Quality Manual), as well as any additional training required for their specific role.
  • Comply with this policy and other Cerner policies and procedures.
  • Discourage and report behavior that may be a violation of this policy.
  • Adhere to client policies regarding access, protection, and disclosure of patient information.

Management Responsibility

It is Management’s responsibility to:

  • Ensure that the Associates in your group know and understand the importance of maintaining the privacy of patient health information.
  • Ensure that the Associates in your group know and understand the importance of following client policies and Cerner policies regarding the access, protection, and disclosure of patient information.  
  • Ensure Associates and Consultants enroll in the necessary training and ensure all Associates and Consultants understand the importance of the required training. 
  • Know, understand, comply with and enforce this policy for all Associates and Consultants.
  • Discourage and report behavior that may be a violation of this policy.

Client Responsibility

Cerner will advise its clients located in the European Union that they must do the following (among other obligations each client may have):

  • Inform every individual patient about the purpose for which information about them is collected and used.
  • Inform every individual patient how to contact the client or Cerner with any inquiries or complaints regarding how information about them is collected and used.
  • Inform every individual patient as to the types of third parties to which their information will be disclosed.
  • Inform every individual patient as to the choices and means available to them for limiting the use and disclosure of their information.  This notice to the patient should be provided in clear and conspicuous language when patients are first asked to provide personal information, or as soon thereafter as is practicable.  If such notice to the individual is not given, the individual’s personal data will not be used for a purpose other than that for which it was originally collected or processed.
  • Offer individuals the opportunity to choose (opt in) whether their personal medical or health information is to be disclosed to Cerner. The client should provide clear and conspicuous, readily available, and affordable mechanisms to exercise choice.
  • Clearly inform Cerner (i.e. providing applicable training for Cerner associates and consultants if necessary) as to the client’s policies regarding access, protection, and disclosure of patient information.
  • Provide individuals with access to their personal information held by such client and provide the ability to correct, amend, or delete that information where it is inaccurate, except in the case where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated.

Safe Harbor Contacts:

Cerner Corporation:
Brian Dahlin
Director, GRID Security
2800 Rockcreek Parkway
Kansas City, MO 64117-2551
(816) 201-2441 Direct
(816) 571-2441 FAX

BBBOnLine Privacy Program
BBBOnLine, Inc.
4200 Wilson Boulevard, Suite 800
Arlington, VA 22203, USA
(703) 276-8112 FAX

Copyright © 2010 Cerner Corporation. All rights reserved.