Privacy/Confidentiality

14,641 bytes added, 19:12, July 16, 2021
no edit summary
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]]
<br /><br />
Policy No.: '''6045'''<br />
Effective Date: '''11/21/03'''<br />
Revised Date: '''07/01/19'''<br />
Reviewed Date: '''06/17/19'''<br />
<br />
<big>'''Privacy, Confidentiality and Security of Patient and Proprietary Information Security Policy'''</big><br /><br />
'''NOTE''': These guidelines are provided to assist UNMC workforce, including those in the patient treatment areas of the Munroe-Meyer Institute, the College of Medicine Optical Shop, the Lions Eye Bank and the College of Dentistry, as applicable, comply with HIPAA regulations. Those departments and clinics which fall under the jurisdiction of The Nebraska Medical Center and/or University Medical Associates should consult the policies and procedures of those entities for authoritative guidance.<br /><br />
== Introduction ==
University of Nebraska Medical Center (UNMC) workforce and business associates handle a variety of proprietary information concerning patients, colleagues, employees, students, alumni, donors or others associated with the University. This information includes, but may not be limited to:
* Protected Health Information (PHI) as defined by [http://www.unmc.edu/hippa HIPAA]
* Student Education Records as defined by [http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html FERPA]
* Protected Student Financial Information (PSFI) as defined by [http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act GLBA]
* Employee records
* Research data
* Business plans
* Financial data

It is the responsibility of all University workforce and business associates to respect the highest level of privacy for their patients, colleagues and other members of the University community. Disclosure and discussion of confidential information obtained from University records, either during or after employment or association with the University, is impermissible unless such disclosure is a normal requirement of a workforce position and has been authorized. UNMC shall require its workforce to adhere to another entity’s rules, regulations, policies and procedures while on the premises of the other entity as contracted workforce of that other entity.
== Basis for Policy ==
To maintain the privacy, confidentiality and security of patient information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other proprietary, confidential or regulated information.
== Policy ==
It is the policy of UNMC to maintain the confidentiality of all regulated information, including but not limited to protected health information, controlled unclassified information and other regulated information, and all confidential proprietary information classified in accordance with UNMC's [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure].
== Definitions (as defined by HIPAA 45 CFR 164.501) ==
*'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
*'''Business Associate''' means a third party who performs services on behalf of UNMC and has access to protected health information (PHI) when performing services; or provides one of the following services for UNMC involving access to PHI: claims processing, data analysis, data processing, practice management, utilization review, quality assurance, billing, benefit management, and repricing.
*'''Designated Record Set''' is the medical record and billing record.
*'''Individual''' means the person who is the subject of the protected health information (including ACE workforce who are patients).
*'''Protected Health Information (PHI)''' is individually identifiable health information. Health information means any information, whether oral or recorded in any medium that:
:*is created or received by ACE; and
:*relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
*'''Workforce''' means employees, the medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC is under the direct control of UNMC, whether or not they are paid by UNMC.
==Other Definitions==
*'''Controlled Unclassified Information (CUI)''' as defined by U.S. Presidential Executive Order 13556 is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
*'''Employee Records''' refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.
*'''Information Security''' is the ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.
*'''Proprietary Information''' is information relating to business practices, including but not limited to financial statements, contracts, and business plans; employee records; student records; and meeting minutes.
*'''Student Education Records''' means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person who is employed by UNMC by virtue of his or her status as a student at UNMC (e.g. work study, assistantships, resident assistants), (iv) alumni record and (v) medical record that is part of the common medical record shared by the Affiliated Covered Entity. Student education records are covered by the Family Educational Rights and Privacy Act (FERPA).
==Procedures==
===Patient Information===
*Records containing PHI, in any form, are the property of the ACE. The original medical record in any form shall not be released except in response to a valid search warrant, subpoena, or court order requiring the release of the original record. A copy of the medical record should be offered first in such circumstances. If the original medical record must be released, a copy should be made prior to release if possible.
*Individuals have the following rights with respect to their PHI:
:*Right to request access and obtain copies of their designated record set within a reasonable amount of time and to request amendment (see UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]);
:*Right to request restrictions of how their PHI is used and disclosed (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Right to request an accounting of disclosures (see UNMC Policy No. 6061, [[Accounting of PHI Disclosures]]);
:*Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [[Notice of Privacy Practices]]);
:*Right to file a complaint internally with the Nebraska Medicine Patient Relations Department, the Office of the Assistant Dean for Patient Services (College of Dentistry), or with the U.S. Department of Health and Human Services Office for Civil Rights. (See UNMC Policy Nos. 6058, [[Notice of Privacy Practices]] and 6062, [[Patient/Consumer Complaints]]).
*Individuals shall not be asked to waive these rights as a condition of receiving treatment.
*The ACE is responsible for safeguarding and protecting PHI against loss, tampering, and disclosure to unauthorized individuals. The safeguarding of PHI in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
*ACE workforce have a duty to protect PHI. Breach of this duty includes the following:
:*Accessing PHI, in any form, without a "need to know" to perform assigned duties. Workforce members may not access their own records. Workforce members may not access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department via the online patient portal.
:*Discussing or disclosing patient care events to individuals who do not have a “need to know” to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient.
:*Disclosing PHI without proper authorization (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Discussing PHI in the presence of individuals who do not have the "need to know" to perform assigned duties;
:*Disclosing that a patient is receiving care (except for authorized directory purposes);
:*Leaving PHI unattended in a non-secure area;
:*Improper disposal of PHI;
:*Using another person's user ID, password, or other security codes;
:*Assisting an unauthorized user to gain access to a secured information system;
:*Transferring PHI in any form without both parties having a need to know.
*The ACE shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches.
*All employees, medical staff, allied health practitioners and members of the workforce with access to PHI shall sign UNMC [https://www.unmc.edu/academicaffairs/_documents/compliance/Statement_of_Understanding.pdf Statement of Understanding] upon initial employment/work/appointment/credentialing.
*Workforce members who suspect a privacy or information security violation must report it immediately to their respective manager and the Privacy or Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 844-348-9548. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer.
*Sanctions for violations of privacy or information security may include revocation of medical staff privileges, allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]). Civil and criminal fines and penalties can also be levied under HIPAA.
*Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within the organization or to the Office for Civil Rights.
*Access to patient information via Health Information Exchange shall be conducted in accordance with UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
*Paper medical records shall be maintained in the Health Information Management Department.
:*Records sent to clinic areas shall be returned to the Health Information Management Department within one working day.
:*Records of discharged patients will remain on the units until Health Information Management picks them up. Medical records of deceased patients scheduled for an autopsy may be sent to the morgue.
:*Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
*Editing, authenticating and correcting the medical record.
:*Please contact the One Chart Resource team.
*Business Associate agreements/addenda shall be established with any individual or corporation who performs a function on behalf of UNMC involving the use or disclosure of PHI, other than as a member of the workforce or a healthcare provider providing treatment (see UNMC Policy No. 8009, [[Contracts]]).
*Human Subjects Research shall be conducted in accordance with UNMC Human Research Protection Program (HRPP) Policies and Procedures, including [https://net.unmc.edu/rss/ HRPP Policy 3.4, Use of Protected Health Information in Research and Registries] and with UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
*Retention of the designated record set and other protected health information shall be in accordance with federal, state, and local laws, and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years.
*The Privacy Officer shall be designated in writing and shall be responsible for developing and implementing written policies and procedures necessary to comply with the [https://www.hhs.gov/hipaa/index.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)].
*All members of the workforce shall receive training on privacy and security of confidential information upon hire, and when policies and procedures relevant to their position change.
===Business Information===
*Members of the workforce have a duty to protect proprietary business information. Breach of this duty includes, but may not be limited to, the following:
:*Disclosure of confidential financial information
:*Disclosure of confidential contract/agreement information
:*Disclosure of confidential business plans
:*Disclosure of fundraising information
:*Disclosure of credit card information received in the course of business, regardless of whether or not such credit card information is covered by the Gramm-Leach-Bliley Act (GLBA).
*Workforce members who suspect a breach of confidentiality regarding proprietary information shall report the breach to the Human Resources Employee Relations Department.
*A full investigation of the breach shall be conducted by the Human Resources Employee Relations Department, as appropriate.
===Student Education Record Information===
*Members of the workforce have a duty to maintain the confidentiality of student education records. Breach of this duty includes, but is not limited to, release of student information that is not considered “directory information” under the guidelines of the Family Educational Rights and Privacy Act (FERPA) listed in the Student Handbook. It also includes, but is not limited to, protection of confidential student financial information protected under the Gramm-Leach-Bliley Act (GLBA).
*Employees shall verify FERPA restrictions placed on student records prior to release of student information.
*The social security number of a student is considered confidential information and must not be used to identify a student.
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to Student Number.
*Use of a student’s social security number in databases is prohibited. In the event that the social security number of a student must be maintained, an Exhibit B - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception] must be completed and submitted to Academic Affairs for approval. If it must be used, the use of the student’s social security number must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
*Workforce members who suspect a breach of confidentiality regarding Student Education Records shall report the breach to the Compliance Office or the Student Affairs Office.
*The student may file a complaint with the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave SW, Washington, DC 20202-4605.
===Employee Information===
*Employment records are confidential and will not be made publicly available, except upon written authorization signed by the individual to whom the records pertain or in response to a legal mandate. In this context, employment records are those of persons who are employees of UNMC, and persons who are or have been either applicants or nominees for employment. Such records include the entire employment process beginning with application or nomination for appointment, search committee evaluation, appointing authority evaluation, through appointment and employment, ending with separation from employment.
*The social security number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated, see UNMC Policy No. 6085, [[Social Security Number]].
*ITS shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to:
:*Personnel (SAP) Number
:*Last four digits of social security number
*In the event that the social security number of an employee must be maintained, an Exhibit C - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception] must be completed and submitted to Human Resources for approval. In cases where the employee social security number must be stored in a database, the database use must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
*The following are not confidential and are considered by UNMC workforce as directory information:
:*Employee Name
:*Gross salary
:*Dates of hire and separation
:*Type of appointment(s) held and term of each appointment
:*Title or academic rank
:*UNMC employment address
:*Post-secondary education degrees earned
:*Awards or honors
*Employee information other than directory information is accessible only to the employee, the department administrative personnel, UNMC Human Resources, and other University offices with a need to know. Non-directory information should be released to others only with signed authorization from the employee or in response to a legal mandate.
*Departments have three options for responding to requests for reference checks:
:*Refer to Human Resources – Records
:*Provide directory information only
:*With a signed release, respond to questions and provide information based only on what is documented in the employment file
:*For more information about responding to reference checks, inquire at UNMC Human Resources – Records at 402-559-8962.
*Members of the workforce have a duty to protect employee information. Breach of this duty includes but is not limited to, the following:
:*Disclosure of social security number
:*Disclosure of Family Medical Leave information
:*Disclosure of employee corrective action
*Workforce members who suspect a breach of confidentiality regarding Employment Records shall report the breach to the Human Resources Employee Relations Department.
===Controlled Unclassified Information (CUI)===
Controlled Unclassified Information as defined by Executive Order 13556 and administered by the National Archives includes several categories of information, as detailed in the CUI Registry (https://www.archives.gov/cui/registry/category-list). That list includes:
*Personally Identifiable Information (PII)
*Personally Identifiable Health Information (PHI)
*Defense/Technology related research and development for the US Government

Guiding standards for the management and handling of CUI are:
* [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations]
* [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Security and Privacy Controls for Federal Information Systems and Organizations]

All personnel, including faculty, staff, research associates and fellows, visiting scholars, students, and all other persons retained by or working at the University of Nebraska Medical Center and its affiliates will comply with all applicable U.S. laws and regulations while teaching, conducting research or providing service activities at or on behalf of the university. As such, personnel are required to comply with the U.S. laws that regulate the transfer of items, information, technology, software, and funds to destinations and persons outside of the U.S., as well as in some cases, to non-U.S. citizens at the university.
*Specific CUI are referenced elsewhere in this policy; reference applicable sections for additional information.
*Workforce members who suspect a breach of confidentiality regarding controlled unclassified information shall report the breach to the Privacy Office and/or Information Security Office.
===Research Information===
*PHI and other sensitive data, such as student information or business information, may be elements of authorized research. Members of the workforce have a duty to protect confidential information produced while performing research.
*Health outcomes and quality improvement projects performed with data from the Nebraska Medicine enterprise may be exempt from IRB review and approval but publication of those results will require IRB approval. Any questions should be directed to the IRB, and questions of ethical access to the data to specific individuals or groups can be referred to the privacy officer or IRB.
*Research with PHI generated within Nebraska Medicine or other UNMC affiliated entities or received by UNMC from other entities. Research personnel need to follow all relevant policies for use of those records, including restrictions on sharing with any individuals that have not received human subjects training and/or authorization by IRB protocol.
*De-identified data used for research is proprietary information and should still be stored and shared safely.
*Research PHI generated by other entities and sent to UNMC. When UNMC receives data containing PHI from another or a group of institutions for the purposes of analysis or storage, such as when UNMC serves as a coordinating center for a collaboration, a multicenter trial, or conducts data analysis, PHI received should be stored securely and shared only with those individuals approved by the IRB protocol and in accordance with the business contract.
*Breach of confidentiality includes the following:
:*Disclosure of PHI to unauthorized persons or entities not included in the Authorization for Release of Information, if requested for specific data sets OR
:*Disclosure of research results linked to human subjects to persons or entities not authorized in the Institutional Review Board (IRB) approved protocol
*Workforce members who suspect a breach of confidentiality regarding human subjects’ research information shall report the breach to the IRB office for research data sets sent to UNMC from outside entities and/or the Privacy Office for data sets generated within Nebraska Medicine or affiliated entities.
<br />
==Additional Information==
For more information, contact the [mailto:debrbishop@nebraskamed.com Privacy] or [mailto:libazis@nebraskamed.com Information Security] Officers, or see the following resources:
*Note: Corresponds to Nebraska Medicine Policy IM06
*Contact the [mailto:sarah.glodencarlson@unmc.edu Chief Compliance Officer], 402-559-9576, or the UNMC Compliance Office at 402-559-6767
*Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations
*[https://www.unmc.edu/academicaffairs/_documents/compliance/Statement_of_Understanding.pdf Statement of Understanding]
*Exhibit B - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception]
*Exhibit C - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception]
*UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]
*UNMC Policy No. 6036, [http://wiki.unmc.edu/index.php?title=Reproducing_Copyrighted_Materials Reproduction of Copyrighted Materials Policy]
*UNMC Policy No. 6052, [http://wiki.unmc.edu/index.php?title=Student_Training_Agreement Contract or Agreement for Student Training Policy]
*UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]
*UNMC Policy No. 6061, [[Accounting of PHI Disclosures]]
*UNMC Policy No. 6062, [[Patient/Consumer Complaints]]
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]
*UNMC Policy No. 6085, [[Social Security Number]]
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8009, [[Contracts]]
*UNMC [https://wwwinfo.unmc.edu/its/-security/policies/procedures/infosecuritydata-planclassification.html Data Classification Procedure]
*[http://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
*[http://wiki.unmc.edu/index.php?title=Human_Resources_-_Procedures UNMC Human Resources Procedures]
*[https://wiki.unmc.edu/index.php/Job_Shadowing_Procedure Job Shadowing Procedures]
*[https://info.unmc.edu/its-security/policies/plan.html Information Security Plan]
*[http://www.unmc.edu/hipaa/_documents/telehealth-final.pdf Telehealth Procedures]
*[https://www.unmc.edu/hipaa/_documents/privacy-incident-response-and-breach-notification-procedures.pdf Privacy Incident Response and Breach Notification Procedures]
*[https://www.nebraska.edu/offices-policies/general-counsel/practice-areas/intellectual-property Copyright and Disclaimer]
*[https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information Procedures]
*[http://wiki.unmc.edu/index.php?title=Informed_Consent_for_UNMC_Media_Production_and_Distribution_Procedures Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution]
*[http://www.unmc.edu/hr/Proc/Procedures1097.pdf Human Resources Performance Management Procedures]
*[http://info.unmc.edu/wiki/index.php/Faculty_Handbook UNMC Faculty Handbook: Operating Procedures]
*[http://catalog.unmc.edu/general-information/ Student Handbook]
*[https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996 Health Insurance Portability and Accountability Act of 1996] (HIPAA)
*[http://www.ftc.gov/privacy/privacyinitiatives/glbact.html Gramm-Leach-Bliley Act] (GLBA)
*[http://www.ed.gov/offices/OM/fpco/ferpa/index.html Family Educational Rights and Privacy Act] (FERPA)
*Nebraska Free Flow of Information Act (§ 20-144, 20-145, 20-146, 20-1470)
*[http://nebraskalegislature.gov/laws/laws.php Nebraska Rev. Statutes] § 84-712, 84-712.01, 84-712.02, 84-712.03, 84-712.04, 84-712.05, 84-712.06, 84-712.07, 84-712.08, 84-712.09
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-bylaws.pdf?la=en Board of Regents Bylaws]
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-policies.pdf?la=en Board of Regents Policies]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-for-responsible-use-of-university-computers-and-information-systems.pdf Executive Memorandum No. 16, Policy for Responsible Use of University Computers and Information Systems]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/public-records-request.pdf Executive Memorandum No. 22, Public Record Requests]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/university-of-nebraska-information-security-plan.pdf Executive Memorandum No. 26, Information Security Plan - Gramm Leach Bliley Compliance]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf Executive Memorandum No. 27, HIPAA Compliance Policy]
*[https://www.unmc.edu/studentservicescom/_documentsabout/gme/housestaffmanual.pdf University of Nebraska Affiliated Hospital House Staff Manual 2018 – 2019]
*[https://www.unmc.edu/vcr/about/research-handbook-web.pdf UNMC Student Research Handbook]
*[http://www.unmc.edu/irb/ Institutional Review Board Guidelines]
*[https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Security and Privacy Controls for Federal Information Systems and Organizations]
This page maintained by [mailto:dpanowic@unmc.edu dkp].
