Privacy/Confidentiality: Difference between revisions

Jump to navigation Jump to search
no edit summary
No edit summary
No edit summary
Line 26: Line 26:
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
<br /><br />
<br /><br />
Policy No.: '''6045'''<br />
Policy No.: '''6045'''<br />
Effective Date: '''11/21/03'''<br />
Effective Date: '''11/21/03'''<br />
Revised Date: '''07/01/19'''<br />
Revised Date: '''08/26/22 draft'''<br />
Reviewed Date: '''06/17/19'''<br />
Reviewed Date: ''' '''<br />
<br />
<br />
<big>'''Privacy, Confidentiality and Security of Patient and Proprietary Information Policy'''</big><br /><br />
<big>'''Privacy, Confidentiality and Security of Patient and Proprietary Information Policy'''</big><br /><br />
== Basis for Policy ==
== Basis for Policy ==
To maintain the privacy, confidentiality and security of patient information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other proprietary, confidential or regulated information.  
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.
== Policy ==
== Policy ==
It is the policy of UNMC to maintain the confidentiality of all regulated information, including but not limited to protected health information, controlled unclassified information and other regulated information, and all confidential proprietary information classified in accordance with UNMC's [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure].
It is the policy of Nebraska Medicine/UNMC to maintain strict confidentiality and security of protected health information (PHI) and proprietary information.
== Definitions (as defined by HIPAA 45 CFR 164.501) ==
==Procedures==
*'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
#Records containing confidential information, in any form, are the property of Nebraska Medicine/UNMC. The original medical record in any form shall not be released except in response to a valid search warrant, subpoena, or court order requiring the release of the original record. A copy of the medical record should be offered first in such circumstances. If the original medical record must be released, a copy should be made prior to release if possible.  
*'''Business Associate''' means a third party who performs services on behalf of UNMC and has access to protected health information (PHI) when performing services; or provides one of the following services for UNMC involving access to PHI: claims processing, data analysis, data processing, practice management, utilization review, quality assurance, billing, benefit management, and repricing.
#Individuals have the following rights with respect to their PHI:
*'''Designated Record Set''' is the medical record and billing record.
##Right to request access to inspect or to obtain a copy of their PHI in a designated record set and to receive such access (where granted) within a reasonable amount of time and to request amendment (see UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and & Amendment of Designated Record Set]);
*'''Individual''' means the person who is the subject of the protected health information (including ACE workforce who are patients).
##Right to request restrictions of how their PHI is used and disclosed (see UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use & Disclosure of Protected Health Information]);
*'''Protected Health Information (PHI)'''  is individually identifiable health information. Health information means any information, whether oral or recorded in any medium that:
##Right to request an accounting of disclosures (see UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]);
:*is created or received by ACE; and
##Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices]); and
:*relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
##Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices] and UNMC Policy No. UNMC Policy No. 6062, [[Patient/Consumer Complaints]] '''is Patient Complaint and Grievance Management a Nebr Medicine policy you'd like to reference here? If so, need the policy #'''<br />
*'''Workforce''' means employees, the medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC is under the direct control of UNMC, whether or not they are paid by UNMC.
==Other Definitions==
*'''Controlled Unclassified Information (CUI)''' as defined by U.S. Presidential Executive Order 13556 is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
*'''Employee Records''' refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.
*'''Information Security''' is the ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.
*'''Proprietary Information''' is information relating to business practices, including but not limited to financial statements, contracts, and business plans; employee records; student records; and meeting minutes.
*'''Student Education Records''' means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person who is employed by UNMC by virtue of his or her status as a student at UNMC (e.g. work study, assistantships, resident assistants), (iv) alumni record and (v) medical record that is part of the common medical record shared by the Affiliated Covered Entity. Student education records are covered by the Family Educational Rights and Privacy Act (FERPA).


==Procedures==
Individuals shall not be asked to waive these rights as a condition of receiving treatment.
===Patient Information===
#Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering, and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
*Records containing PHI, in any form, are the property of the ACE. The original medical record in any form shall not be released except in response to a valid search warrant, subpoena, or court order requiring the release of the original record. A copy of the medical record should be offered first in such circumstances. If the original medical record must be released, a copy should be made prior to release if possible.
4#Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following:
*Individuals have the following rights with respect to their PHI:
##Accessing confidential information, in any form, without a current "need to know" to perform assigned duties. Workforce members may not access their own records.  Workforce members may not access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department or via the online patient portal.
:*Right to request access and obtain copies of their designated record set within a reasonable amount of time and to request amendment (see UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]);
##Discussing or disclosing patient care events/PHI to individuals who do not have a “need to know” this information to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient. 
:*Right to request restrictions of how their PHI is used and disclosed (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
Disclosing confidential information without proper authorization (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Right to request an accounting of disclosures (see UNMC Policy No. 6061, [[Accounting of PHI Disclosures]]);
##Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [[Notice of Privacy Practices]];
##Discussing confidential information in the presence of individuals who do not have the "need to know" to perform assigned duties;
:*Right to file a complaint internally with the Nebraska Medicine Patient Relations Department, the Office of the Assistant Dean for Patient Services (College of Dentistry), or with the U.S. Department of Health and Human Services Office for Civil Rights. (See UNMC Policy Nos. 6058, [[Notice of Privacy Practices]] and 6062, [[Patient/Consumer Complaints]]).
##Disclosing that a patient is receiving care (except for authorized directory purposes);
*Individuals shall not be asked to waive these rights as a condition of receiving treatment.
##Leaving confidential information unattended in a non-secure area;
*The ACE is responsible for safeguarding and protecting PHI against loss, tampering, and disclosure to unauthorized individuals. The safeguarding of PHI in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
##Improper disposal of confidential information (see policy, “Destruction of Confidential Information”);
*ACE workforce have a duty to protect PHI. Breach of this duty includes the following:
##Using another person's user ID, password, or other security codes;
:*Accessing PHI, in any form, without a "need to know" to perform assigned duties. Workforce members may not access their own records. Workforce members may not access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department via the online patient portal.
##Assisting an unauthorized user to gain access to a secured information system;
:*Discussing or disclosing patient care events to individuals who do not have a “need to know” to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient.
##Transferring confidential information in any form without both parties having a need to know such confidential information.  
:*Disclosing PHI without proper authorization (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
##Nebraska Medicine/UNMC shall mitigate or reduce, to the extent practicable, any harmful effects of a use or disclosure of PHI in violation of its policies and procedures that is known to Nebraska Medicine/UNMC.
:*Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
#All employees, the medical staff, allied health practitioners and members of the Workforce with access to confidential information shall sign Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement upon initial employment/work/appointment/credentialing (see attachment at the end of this policy).
:*Discussing PHI in the presence of individuals who do not have the "need to know" to perform assigned duties;
#Workforce members who suspect a privacy or information security violation must report it immediately. Such reports may be made to their respective manager and the Privacy and/or Information Security Office. Alternatively, staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 800-822-8310. A full investigation of the suspected violation shall be conducted. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer.
:*Disclosing that a patient is receiving care (except for authorized directory purposes);
#Sanctions for violations of privacy or information security may include revocation of medical staff privileges or allied health credentials, or employee corrective action up to and including termination of employment (see policy, “Patient Privacy Investigations & Levels of Violation”). Civil and criminal fines and penalties can also be levied under HIPAA.
:*Leaving PHI unattended in a non-secure area;
#Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within Nebraska Medicine/UNMC or to the Office for Civil Rights.
:*Improper disposal of PHI;
#Access to patient information via Health Information Exchange shall be conducted in accordance with UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
:*Using another person's user ID, password, or other security codes;
#Paper medical records shall be maintained in the Health Information Management Department.  
:*Assisting an unauthorized user to gain access to a secured information system;
#Records sent to clinic areas shall be returned to the Health Information Management Department within one working day.
:*Transferring PHI in any form without both parties having a need to know.
#Records of discharged patients will remain on the units until the Health Information Management Department picks them up. Medical records of deceased patients scheduled for an autopsy may be sent to the morgue.  
*The ACE shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches.
##Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
*All employees, medical staff, allied health practitioners and members of the workforce with access to PHI shall sign UNMC [https://www.unmc.edu/academicaffairs/_documents/compliance/Statement_of_Understanding.pdf Statement of Understanding] upon initial employment/work/appointment/credentialing.
#Editing, authenticating and correcting the medical record.
*Workforce members who suspect a privacy or information security violation must report it immediately to their respective manager and the Privacy and/or Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 844-348-9548. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer.
##Please reference, policy, “Contents of Medical Record”, for editing and authenticating the medical record.
*Sanctions for violations of privacy or information security may include revocation of medical staff privileges, allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]). Civil and criminal fines and penalties can also be levied under HIPAA.
#Business Associate agreements/addenda shall be executed with each Business Associate (see policy, “Contract Management Policy”).  
*Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within the organization or to the Office for Civil Rights.
#Human Subjects Research shall be conducted in accordance with UNMC’s Human Research Protection Program (HRPP) Policies and Procedures, including HRPP Policy 3.4, “Use of Protected Health Information in Research” and UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
*Access to patient information via Health Information Exchange shall be conducted in accordance with UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
#Retention of the designated record set and other protected health information shall be in accordance with federal, state, and local laws, and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years.
*Paper medical records shall be maintained in the Health Information Management Department.
== Definitions  ==
:*Records sent to clinic areas shall be returned to the Health Information Management Department within one working day.
===Business Associate===
:*Records of discharged patients will remain on the units until Health Information Management picks them up. Medical records of deceased patients scheduled for an autopsy may be sent to the morgue.
A third party that performs services on behalf of Nebraska Medicine/UNMC (that involve the creation, receipt, maintenance, or transmission of protected health information). Some examples of such services include claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.  
:*Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
===Designated Record Set (DRS)===
*Editing, authenticating and correcting the medical record.
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS.  
:*Please contact the One Chart Resource team.
===Individual===
*Business Associate agreements/addenda shall be established with any individual or corporation who performs a function on behalf of UNMC involving the use or disclosure of PHI, other than as a member of the workforce or a healthcare provider providing treatment (see UNMC Policy No. 8009, [[Contracts]]).
The person who is the subject of the PHI. Personal representatives of the patient have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. Reference Nebraska Medicine Consents and Permits policy, MS14.
*Human Subjects Research shall be conducted in accordance with UNMC Human Research Protection Program (HRPP) Policies and Procedures, including [https://net.unmc.edu/rss/ HRPP Policy 3.4, Use of Protected Health Information in Research and Registries] and with UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
===Protected Health Information (PHI)===
*Retention of the designated record set and other protected health information shall be in accordance with federal, state, and local laws, and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years.
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*The Privacy Officer shall be designated in writing and shall be responsible for developing and implementing written policies and procedures necessary to comply with the [https://www.hhs.gov/hipaa/index.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)].
*is created or received by UNMC/Nebraska Medicine; and
*All members of the workforce shall receive training on privacy and security of confidential information upon hire, and when policies and procedures relevant to their position change.
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
===Business Information===
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*Members of the workforce have a duty to protect proprietary business information. Breach of this duty includes, but may not be limited to, the following:
*an Individual’s genetic tests; 
:*Disclosure of confidential financial information
*the genetic tests of an Individual’s family members; or
:*Disclosure of confidential contract/agreement information
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
:*Disclosure of confidential business plans
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
:*Disclosure of fundraising information
PHI excludes:
:*Disclosure of credit card information received in the course of business, whether or not such credit card information is covered by the Gramm-Leach-Bliley Act (GLBA).
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*Workforce members who suspect a breach of confidentiality regarding proprietary information shall report the breach to the Human Resources Employee Relations Department.
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and
*A full investigation of the breach shall be conducted by the Human Resources Employee Relations Department, as appropriate. 
*employment records held by UNMC in its role as employer.
===Student Education Record Information===
===Workforce===
*Members of the workforce have a duty to maintain the confidentiality of student education records. Breach of this duty includes, but is not limited to, release of student information that is not considered “directory information” under the guidelines of the Family Educational Rights and Privacy (FERPA) listed in the Student Handbook.  It also includes, but is not limited to, protection of confidential student financial information protected under the Gramm-Leach-Bliley Act (GLBA).
Employees, medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.<br />
*Employees shall verify FERPA restrictions placed on student records prior to release of student information.
In addition for purposes of this policy.
*The social security number of a student is considered confidential information and must not be used to identify a student.
===Information Security===
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of social security number.  Alternatives which should be considered, include but are not limited to Student Number.
The set of policies and practices designed to protect PHI from any unauthorized access, use, disclosure, modification, destruction, or loss.
*Use of a student’s social security number in databases is prohibited. In the event that the social security number of a student must be maintained, an Exhibit B - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception] must be completed and submitted to Academic Affairs for approval. If it must be used, the use of the student’s social security number must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
===Proprietary Information===
*Workforce members who suspect a breach of confidentiality regarding Student Education Records shall report the breach to the Compliance Office or the Student Affairs Office.
Information relating to Nebraska Medicine/UNMC business practices, including but not limited to financial statements, contracts, and business plans, employee records and meeting minutes.
*The student may file a complaint with the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave SW, Washington, DC 20202-4605.
===Employee Information===
*Employment records are confidential and will not be made publicly available, except upon written authorization signed by the individual to whom the records pertain or in response to a legal mandate. In this context, employment records are those of persons who are employees of UNMC, and persons who are or have been either applicants or nominees for employment. Such records include the entire employment process beginning with application or nomination for appointment, search committee evaluation, and appointing authority evaluation, through appointment and employment, and ending with separation from employment.
*The social security number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated, see UNMC policy No. 6085, [[Social Security Number]].
*ITS shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to:
:*Personnel (SAP) Number
:*Last four digits of social security number 
*In the event that the social security number of an employee must be maintained, an Exhibit C - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception] must be completed and submitted to Human Resources for approval. In cases where the employee social security number must be stored in a database, the database use must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
*The following are not confidential and are considered by UNMC as directory information:
:*Employee Name
:*Gross salary
:*Dates of hire and separation
:*Type of appointment(s) held and term of each appointment
:*Title or academic rank
:*UNMC employment address
:*Post-secondary education degrees earned
:*Awards or honors
*Employee information other than directory information is accessible only to the employee, the department administrative personnel, UNMC Human Resources, and other University offices with a need to know.  Non-directory information should be released to others only with signed authorization from the employee or in response to a legal mandate.
*Departments have three options for responding to requests for reference checks:
:*Refer to Human Resources – Records
:*Provide directory information only
:*With a signed release, respond to questions and provide information based only on what is documented in the employment file
:*For more information about responding to reference checks, inquire at UNMC Human Resources – Records at 402-559-8962.
*Members of the workforce have a duty to protect employee information. Breach of this duty includes but is not limited to the following:
:*Disclosure of social security number
:*Disclosure of Family Medical Leave information
:*Disclosure of employee corrective action
*Workforce members who suspect a breach of confidentiality regarding Employment Records shall report the breach to the Human Resources Employee Relations Department.
===Controlled Unclassified Information (CUI)===
Controlled Unclassified Information as defined by Executive Order 13556 and administered by the National Archives includes several categories of information, as detailed in the CUI Registry (https://www.archives.gov/cui/registry/category-list). That list includes:
*Personally Identifiable Information (PII)
*Personally Identifiable Health Information (PHI)
*Defense/Technology related research and development for the US Government
Guiding standards for the management and handling of CUI are:
*[https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Security and Privacy Controls for Federal Information Systems and Organizations]
All personnel, including faculty, staff, research associates and fellows, visiting scholars, students, and all other persons retained by or working at the University of Nebraska Medical Center and its affiliates will comply with all applicable U.S. laws and regulations while teaching, conducting research or providing service activities at or on behalf of the university. As such, personnel are required to comply with the U.S. laws that regulate the transfer of items, information, technology, software, and funds to destinations and persons outside of the U.S., as well as in some cases, to non-U.S. citizens at the university.
*Specific CUI are referenced elsewhere in this policy, reference applicable sections for additional information.
*Workforce members who suspect a breach of confidentiality regarding controlled unclassified information shall report the breach to the Privacy Office and/or Information Security Office.
===Research Information===
*PHI and other sensitive data, such as student information or business information, may be elements of authorized research. Members of the workforce have a duty to protect confidential information produced while performing research.
*Health outcomes and quality improvement projects performed with data from the Nebraska Medicine enterprise may be exempt from IRB review and approval but publication of those results will require IRB approval. Any questions should be directed to the IRB, and questions of ethical access to the data to specific individuals or groups can be referred to the privacy officer or IRB.
*Research with PHI generated within Nebraska Medicine or other UNMC affiliated entities or received by UNMC from other entities. Research personnel need to follow all relevant policies for use of those records, including restrictions on sharing with any individuals that have not received human subjects training and/or authorization by IRB protocol.
*De-identified data used for research is proprietary information and should still be stored and shared safely.
*Research PHI generated by other entities and sent to UNMC. When UNMC receives data containing PHI from another or a group of institutions for the purposes of analysis or storage, such as when UNMC serves as a coordinating center for a collaboration, a multicenter trial, or UNMC conducts data analysis, PHI received should be stored securely and shared only with those individuals approved by the IRB protocol and in accordance with the business contract.
*Breach of confidentiality includes the following:
:*Disclosure of PHI to unauthorized persons or entities not included in the Authorization for Release of Information, if requested for specific data sets OR
:*Disclosure of research results linked to human subjects to persons or entities not authorized in the Institutional Review Board (IRB) approved protocol
*Workforce members who suspect a breach of confidentiality regarding human subjects’ research information shall report the breach to the IRB office for research data sets sent to UNMC from outside entities and/or the Privacy Office for data sets generated within Nebraska Medicine or affiliated entities.  
==Additional Information==
==Additional Information==
*Note: Corresponds to Nebraska Medicine Policy IM06
*Note: Corresponds to Nebraska Medicine Policy IM06
*Contact the [mailto:sarah.glodencarlson@unmc.edu Chief Compliance Officer], 402-559-9576, or the UNMC Compliance Office at 402-559-6767
*Contact the [mailto:sarah.glodencarlson@unmc.edu Chief Compliance Officer], 402-559-9576, or the UNMC Compliance Office at 402-559-6767
*Compliance Hotline - 800-822-8310
*Contact the [mailto:debrbishop@nebraskamed.com Privacy] or [mailto:libazis@nebraskamed.com Information Security] Officers  
*Contact the [mailto:debrbishop@nebraskamed.com Privacy] or [mailto:libazis@nebraskamed.com Information Security] Officers  
*Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations  
*Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations  
Line 179: Line 124:
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8009, [[Contracts]]
*UNMC Policy No. 8009, [[Contracts]]
*Nebraska Medicine Consents and Permits policy, MS14
*UNMC [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure]
*UNMC [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure]
*[http://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
*[http://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
Line 203: Line 149:
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/university-of-nebraska-information-security-plan.pdf Executive Memorandum No. 26, Information Security Plan - Gramm Leach Bliley Compliance]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/university-of-nebraska-information-security-plan.pdf Executive Memorandum No. 26, Information Security Plan - Gramm Leach Bliley Compliance]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf Executive Memorandum No. 27, HIPAA Compliance Policy]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf Executive Memorandum No. 27, HIPAA Compliance Policy]
*[https://www.unmc.edu/com/about/gme/housestaffmanual.pdf University of Nebraska Affiliated Hospital House Staff Manual 2018 2019]
*[https://www.unmc.edu/com/about/gme/housestaffmanual.pdf University of Nebraska Affiliated Hospital House Staff Manual 2022 202319]
*[https://www.unmc.edu/vcr/about/research-handbook-web.pdf Research Handbook]
*[https://www.unmc.edu/vcr/about/research-handbook-web.pdf Research Handbook]
*[http://www.unmc.edu/irb/ Institutional Review Board Guidelines]
*[http://www.unmc.edu/irb/ Institutional Review Board Guidelines]

Navigation menu