Patient Privacy And Confidentiality Rules

Version v2026.02 | Effective date 2026-02-20

1. Confidentiality Duty

Patient information is confidential and may only be accessed or used for legitimate care, operations, or legally authorized purposes.

Curiosity access and unauthorized disclosure are prohibited.

2. Minimum Necessary Access

Consultants must access the minimum PHI required for the task and avoid unnecessary collection or retention.

Data exports, downloads, and sharing must follow approved controls and audit requirements.

3. Secure Handling

PHI must only be handled in approved systems with encryption, access controls, session protections, and secure transport.

Storing PHI on personal devices or unapproved messaging platforms is prohibited.

4. Patient Rights And Transparency

Patients are entitled to clear information on data use, consent boundaries, and correction pathways where applicable.

Consultants must respect consent directives and escalate privacy-related concerns promptly.

5. Incident Reporting

Suspected privacy incidents, credential compromise, or unauthorized access must be reported immediately through incident channels.

Intentional non-reporting of known privacy incidents is a policy breach.

6. Compliance

Consultants must comply with NDPR-aligned safeguards and local healthcare privacy obligations in all patient interactions.
