
N.Y. Comp. Codes R. & Regs. tit. 10 § 50-4.6 - Department and Operational Unit Protocol Regarding Intra-Agency (DoH) Access to and Disclosure of Personal Health-Related Information

The regulation requires that the Department of Health establish confidentiality protocols for use by all its operational units. The regulation requires that the supervisor of each operational unit in which employees have access to personal health-related information prepare a protocol for ensuring confidentiality.  The regulation further includes a list of 10 measures that such a protocol is required to include:

  1. Measures to ensure all correspondence and documents containing such information are only accessible by authorized personnel
  2. Measures to ensure that such information stored electronically is protected from access by unauthorized persons
  3. Measures to ensure that only information necessary to fulfill authorized duties is maintained
  4. Measures to ensure that the staff working with such information secure it from casual observance or loss, and that they return such documents to their confidential storage once they finish using the information
  5. Measures to ensure that such information is not inappropriately copied or removed from the control of the department
  6. Measures to provide safeguards against discrimination or abuse based on such information
  7. Measures to ensure that such information is securely stored after working hours
  8. Measures to ensure that transmission of such information outside of the unit is authorized by the director of the unit or his/her designees
  9. Measures to ensure that the confidentiality of such information is protected when it is being transferred to someone within or outside the unit
  10. Measures to ensure that files that contain such information but are no longer needed are disposed of in a way that does not compromise their confidentiality

The regulation also requires that the units update their confidentiality protocols whenever necessary.


Current as of June 2015