Privacy/Confidentiality: Difference between revisions

Line 30: Line 30:
Policy No.: '''6045'''<br />
Policy No.: '''6045'''<br />
Effective Date: '''11/21/03'''<br />
Effective Date: '''11/21/03'''<br />
Revised Date: '''08/26/22 draft'''<br />
Revised Date: '''08/29/22 draft'''<br />
Reviewed Date: ''' '''<br />
Reviewed Date: ''' '''<br />
<br />
<br />
Line 39: Line 39:
It is the policy of Nebraska Medicine/UNMC to maintain strict confidentiality and security of protected health information (PHI) and proprietary information.
It is the policy of Nebraska Medicine/UNMC to maintain strict confidentiality and security of protected health information (PHI) and proprietary information.
==Procedures==
==Procedures==
#Records containing confidential information, in any form, are the property of Nebraska Medicine/UNMC. The original medical record in any form shall not be released except in response to a valid search warrant, subpoena, or court order requiring the release of the original record. A copy of the medical record should be offered first in such circumstances. If the original medical record must be released, a copy should be made prior to release if possible.  
#Records containing confidential information, in any form, are the property of Nebraska Medicine/UNMC. The original medical record in any form shall not be released except in response to a valid search warrant, subpoena or court order requiring the release of the original record. A copy of the medical record should be offered first in such circumstances. If the original medical record must be released, a copy should be made prior to release if possible.  
#Individuals have the following rights with respect to their PHI:  
#Individuals have the following rights with respect to their PHI: </b
##Right to request access to inspect or to obtain a copy of their PHI in a designated record set and to receive such access (where granted) within a reasonable amount of time and to request amendment (see UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and & Amendment of Designated Record Set]);
##Right to request access to inspect or to obtain a copy of their PHI in a designated record set and to receive such access (where granted) within a reasonable amount of time and to request amendment (see UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and & Amendment of Designated Record Set]);
##Right to request restrictions of how their PHI is used and disclosed (see UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use & Disclosure of Protected Health Information]);
##Right to request restrictions of how their PHI is used and disclosed (see UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use & Disclosure of Protected Health Information]);
##Right to request an accounting of disclosures (see UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]);  
##Right to request an accounting of disclosures (see UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]);  
##Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices]); and
##Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices]); and
##Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices] and UNMC Policy No. UNMC Policy No. 6062, [[Patient/Consumer Complaints]] '''is Patient Complaint and Grievance Management a Nebr Medicine policy you'd like to reference here? If so, need the policy #'''<br />
##Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices], UNMC Policy No. UNMC Policy No. 6062, [[Patient/Consumer Complaints]] and '''Nebraska Medicine Patient Complaint and Grievance Management policy''' '''''policy #'''''<br /> '''Individuals shall not be asked to waive these rights as a condition of receiving treatment.'''
 
#Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
Individuals shall not be asked to waive these rights as a condition of receiving treatment.
#Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following:
#Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering, and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
4#Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following:
##Accessing confidential information, in any form, without a current "need to know" to perform assigned duties. Workforce members may not access their own records.  Workforce members may not access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department or via the online patient portal.
##Accessing confidential information, in any form, without a current "need to know" to perform assigned duties. Workforce members may not access their own records.  Workforce members may not access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department or via the online patient portal.
##Discussing or disclosing patient care events/PHI to individuals who do not have a “need to know” this information to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient.   
##Discussing or disclosing patient care events/PHI to individuals who do not have a “need to know” this information to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient.   
Disclosing confidential information without proper authorization (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
##Disclosing confidential information without proper authorization (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
##Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
##Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
##Discussing confidential information in the presence of individuals who do not have the "need to know" to perform assigned duties;  
##Discussing confidential information in the presence of individuals who do not have the "need to know" to perform assigned duties;  
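Review bot: the new revision of item 2 ends with a stray `</b` (no closing `>` and no matching opening tag), which will render as literal text or swallow the following list markup; drop it. In the same hunk, the new "Workforce has a duty" line is prefixed with a literal `4` before `#`, so it is no longer a numbered list item and the `##` sub-items that follow will restart their numbering; the line should begin with `#` alone. The bolded editorial query in the complaint-rights item ("Nebraska Medicine Patient Complaint and Grievance Management policy" / "policy #") and the duplicated "UNMC Policy No. UNMC Policy No. 6062" should be resolved or moved to the talk page before this revision is published.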
Line 58: Line 56:
##Leaving confidential information unattended in a non-secure area;
##Leaving confidential information unattended in a non-secure area;
##Improper disposal of confidential information (see policy, “Destruction of Confidential Information”);
##Improper disposal of confidential information (see policy, “Destruction of Confidential Information”);
##Using another person's user ID, password, or other security codes;
##Using another person's user ID, password or other security codes;
##Assisting an unauthorized user to gain access to a secured information system;  
##Assisting an unauthorized user to gain access to a secured information system;  
##Transferring confidential information in any form without both parties having a need to know such confidential information.  
##Transferring confidential information in any form without both parties having a need to know such confidential information.  
##Nebraska Medicine/UNMC shall mitigate or reduce, to the extent practicable, any harmful effects of a use or disclosure of PHI in violation of its policies and procedures that is known to Nebraska Medicine/UNMC.  
#Nebraska Medicine/UNMC shall mitigate or reduce, to the extent practicable, any harmful effects of a use or disclosure of PHI in violation of its policies and procedures that is known to Nebraska Medicine/UNMC.  
#All employees, the medical staff, allied health practitioners and members of the Workforce with access to confidential information shall sign Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement upon initial employment/work/appointment/credentialing (see attachment at the end of this policy).  
#All employees, the medical staff, allied health practitioners and members of the Workforce with access to confidential information shall sign Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement upon initial employment/work/appointment/credentialing '''(need URL for attachment to link to the policy)'''.  
#Workforce members who suspect a privacy or information security violation must report it immediately. Such reports may be made to their respective manager and the Privacy and/or Information Security Office. Alternatively, staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 800-822-8310. A full investigation of the suspected violation shall be conducted. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer.
#Workforce members who suspect a privacy or information security violation must report it immediately. Such reports may be made to their respective manager and the Privacy and/or Information Security Office. Alternatively, staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 800-822-8310. A full investigation of the suspected violation shall be conducted. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer '''(how to contact that person??)'''.
#Sanctions for violations of privacy or information security may include revocation of medical staff privileges or allied health credentials, or employee corrective action up to and including termination of employment (see policy, “Patient Privacy Investigations & Levels of Violation”). Civil and criminal fines and penalties can also be levied under HIPAA.
#Sanctions for violations of privacy or information security may include revocation of medical staff privileges or allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 6302, [[Patient Privacy Investigations and Levels of Violation]]). Civil and criminal fines and penalties can also be levied under HIPAA.
#Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within Nebraska Medicine/UNMC or to the Office for Civil Rights.
#Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within Nebraska Medicine/UNMC or to the Office for Civil Rights (see [https://wiki.unmc.edu/index.php?title=Privacy/Confidentiality&action=edit#Procedures Procedures, Section 2.2]).
#Access to patient information via Health Information Exchange shall be conducted in accordance with UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].  
#Access to patient information via Health Information Exchange shall be conducted in accordance with UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].  
#Paper medical records shall be maintained in the Health Information Management Department.  
#Paper medical records shall be maintained in the Health Information Management Department.  
#Records sent to clinic areas shall be returned to the Health Information Management Department within one working day.
##Records sent to clinic areas shall be returned to the Health Information Management Department within one working day.
#Records of discharged patients will remain on the units until the Health Information Management Department picks them up. Medical records of deceased patients scheduled for an autopsy may be sent to the morgue.  
##Records of discharged patients will remain on the units until the Health Information Management Department picks them up. Medical records of deceased patients scheduled for an autopsy may be sent to the morgue.  
##Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
##Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
#Editing, authenticating and correcting the medical record.
#Editing, authenticating and correcting the medical record.
##Please reference, policy, “Contents of Medical Record”, for editing and authenticating the medical record.
##Please reference, policy, “Contents of Medical Record”, for editing and authenticating the medical record.'''(Nebraska Medicine Policy number??)'''
#Business Associate agreements/addenda shall be executed with each Business Associate (see policy, “Contract Management Policy”).  
#Business Associate agreements/addenda shall be executed with each Business Associate (see UNMC Policy No. 8009, [[Contracts]], ''' “Contract Management Policy”). Does Nebraska Medicine also have a policy to reference? If so, need policy #'''
#Human Subjects Research shall be conducted in accordance with UNMC’s Human Research Protection Program (HRPP) Policies and Procedures, including HRPP Policy 3.4, “Use of Protected Health Information in Research” and UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
#Human Subjects Research shall be conducted in accordance with UNMC’s [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research" and UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
#Retention of the designated record set and other protected health information shall be in accordance with federal, state, and local laws, and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years.  
#Retention of the designated record set and other protected health information shall be in accordance with federal, state and local laws and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years.  
== Definitions  ==
== Definitions  ==
===Business Associate===
===Business Associate===
A third party that performs services on behalf of Nebraska Medicine/UNMC (that involve the creation, receipt, maintenance, or transmission of protected health information). Some examples of such services include claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.  
A third party that performs services on behalf of Nebraska Medicine/UNMC (that involve the creation, receipt, maintenance or transmission of protected health information). Some examples of such services include claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.  
===Designated Record Set (DRS)===
===Designated Record Set (DRS)===
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS.   
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS.   
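Review bot: the anti-retaliation item now cross-references "Procedures, Section 2.2" through a URL ending in `action=edit#Procedures`, which opens the page editor instead of jumping to the section; an internal anchor to the Procedures heading is what is wanted. The bolded placeholders left in this hunk ("need URL for attachment to link to the policy", "how to contact that person??", "Nebraska Medicine Policy number??", "Does Nebraska Medicine also have a policy to reference? If so, need policy #") read as open questions to other editors and should not remain in the published policy text. Note also that the records-handling items for clinic areas and discharged patients change from `#` to `##`, which makes them sub-items of the "Paper medical records" item; confirm that nesting is intended.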
Line 97: Line 95:
*employment records held by UNMC in its role as employer.
*employment records held by UNMC in its role as employer.
===Workforce===
===Workforce===
Employees, medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.<br />
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.<br />
<br />
In addition for purposes of this policy.
In addition for purposes of this policy.
===Information Security===
===Information Security===
The set of policies and practices designed to protect PHI from any unauthorized access, use, disclosure, modification, destruction, or loss.
The set of policies and practices designed to protect PHI from any unauthorized access, use, disclosure, modification, destruction or loss.
===Proprietary Information===
===Proprietary Information===
Information relating to Nebraska Medicine/UNMC business practices, including but not limited to financial statements, contracts, and business plans, employee records and meeting minutes.
Information relating to Nebraska Medicine/UNMC business practices, including but not limited to financial statements, contracts, and business plans, employee records and meeting minutes.
==Additional Information==
==Additional Information==
*Note: Corresponds to Nebraska Medicine Policy IM06
*Note: Corresponds to Nebraska Medicine Policy IM06
*Contact the [mailto:sarah.glodencarlson@unmc.edu Chief Compliance Officer], 402-559-9576, or the UNMC Compliance Office at 402-559-6767
*Contact the [mailto:sarah.glodencarlson@unmc.edu Chief Compliance Officer], 402-559-9576 or the UNMC Compliance Office at 402-559-6767
*Compliance Hotline - 800-822-8310
*Compliance Hotline - 800-822-8310
*Contact the [mailto:debrbishop@nebraskamed.com Privacy] or [mailto:libazis@nebraskamed.com Information Security] Officers  
*Contact the [mailto:debrbishop@nebraskamed.com Privacy] or [mailto:libazis@nebraskamed.com Information Security] Officers  
*Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations  
*Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations  
*[https://www.unmc.edu/academicaffairs/_documents/compliance/Statement_of_Understanding.pdf Statement of Understanding]  
*'''[https://www.unmc.edu/academicaffairs/_documents/compliance/Statement_of_Understanding.pdf Statement of Understanding] are these the same thing? if so, what is the correct name and URL?  Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement'''
*Exhibit B - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception]
*Exhibit B - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception]
*Exhibit C - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception]
*Exhibit C - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception]
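Review bot: the "Statement of Understanding" bullet is replaced by a bolded editorial question ("are these the same thing? if so, what is the correct name and URL?") that also names the "Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement" referenced in Procedures item 6; the question needs an answer before publishing, and the resulting bullet should carry only the correct document name and URL.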
Line 122: Line 121:
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]
*UNMC Policy No. 6085, [[Social Security Number]]
*UNMC Policy No. 6085, [[Social Security Number]]
*UNMC Policy No. 6302, [[Patient Privacy Investigations and Levels of Violation]]
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8009, [[Contracts]]
*UNMC Policy No. 8009, [[Contracts]]
*UNMC’s[https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research
*Nebraska Medicine Consents and Permits policy, MS14
*Nebraska Medicine Consents and Permits policy, MS14
*UNMC [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure]
*UNMC [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure]
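Review bot: the added HRPP bullet is missing a space between "UNMC’s" and the link and lacks the closing quotation mark after "Use of Protected Health Information in Research", so the title runs on unterminated; both are fixed in the Procedures item that cites the same policy earlier in this diff. The new "UNMC Policy No. 6302" entry matches the cross-reference added to the Sanctions item and keeps the related-policies list sorted by number.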
