no edit summary
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
Policy No.: '''6045'''<br />
Effective Date: '''11/21/03'''<br />
Revised Date: '''07/
25/ 17 DRAFT'''<br />Reviewed Date: ''' 07/20/17'''<br />
<big>'''Privacy, Confidentiality and Security of Patient and Proprietary Information Policy'''</big><br /><br />
== Basis for Policy ==
To maintain the privacy, confidentiality and security of patient
and proprietary information and comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA ). UNMC workforce and business associates have access to individually identifiable health information (protected health information) and proprietary information. For purposes of this policy, confidential information means protected health information and proprietary information.
== Policy ==
It is the policy of UNMC to maintain
strict confidentiality and security of protected health information and proprietary information.
== Definitions (as defined by HIPAA 45 CFR 164.501) ==
*'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
*'''Business Associate''' means a third party who performs services on behalf of UNMC and has access to protected health information (PHI) when performing services; or provides one of the following services for UNMC involving access to PHI: claims processing, data analysis, data processing, practice management, utilization review, quality assurance, billing, benefit management, and repricing.
*'''Designated Record Set''' is the medical record and billing record.
*'''Individual''' means the person who is the subject of the protected health information (including ACE workforce who are patients).
:*is created or received by ACE; and
:*relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
*'''Workforce''' means employees, the medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC is under the direct control of UNMC, whether or not they are paid by UNMC.
*'''Employee Records''' refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.
*'''Student Education Records''' means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person
other than a student who is employed by UNMC by virtue of his or her status as a student at UNMC, (iv) alumni record and (v) medical record that is part of the common medical record shared by the Affiliated Covered Entity. Student education records are covered by the Family Educational Rights and Privacy Act (FERPA).
confidential information, in any form, are the property of the ACE. The original medical record in any form shall not be released except in response to a valid search warrant, subpoena, or court order requiring the release of the original record. A copy of the medical record should be offered first in such circumstances. If the original medical record must be released, a copy should be made prior to release if possible.
*Individuals have the following rights with respect to their PHI:
:*Right to request access and obtain copies of their designated record set within a reasonable amount of time and to request amendment (see UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]);
:*Right to file a complaint internally with the Nebraska Medicine Patient Relations Department, the Office of the Assistant Dean for Patient Services (College of Dentistry), or with the U.S. Department of Health and Human Services Office for Civil Rights. (See UNMC Policy Nos. 6058, [[Notice of Privacy Practices]] and 6062, [[Patient/Consumer Complaints]]).
*Individuals shall not be asked to waive these rights as a condition of receiving treatment.
*The ACE is responsible for safeguarding and protecting
confidential information against loss, tampering, and disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).*ACE workforce have a duty to protect confidential information. Breach of this duty includes the following::*Accessing confidential information, in any form, without a "need to know" to perform assigned duties. Workforce members with medical information system access may view their own individual medical records. Workforce members may not print copies of their own records nor access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department . Workforce may not alter their own medical record.
:*Discussing or disclosing patient care events to individuals who do not have a “need to know” to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient.
confidential information without proper authorization (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
confidential information in the presence of individuals who do not have the "need to know" to perform assigned duties;
:*Disclosing that a patient is receiving care (except for authorized directory purposes);
confidential information unattended in a non-secure area;:*Improper disposal of confidential information;
:*Using another person's user ID, password, or other security codes;
:*Assisting an unauthorized user to gain access to a secured information system;
confidential information in any form without both parties having a need to know.
*The ACE shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches.
*All employees, medical staff, allied health practitioners and members of the workforce with access to
confidential information shall sign a [https://www.unmc.edu/ hipaa/ policies/ 6045-exhibit-a-statement-of-understanding.pdf Statement of Understanding , Exhibit A] upon initial employment/work/appointment/credentialing.*Workforce members who suspect a privacy or information security violation must report it immediately to their respective manager and the Privacy and/or Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 866- 568- 5430. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer.
*Sanctions for violations of privacy or information security may include revocation of medical staff privileges, allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]). Civil and criminal fines and penalties can also be levied under HIPAA.
*Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within the organization or to the Office for Civil Rights.
*Access to patient information via Health Information Exchange shall be conducted in accordance with
“Uses and Disclosure of Protected Health Information” policy.
*Paper medical records shall be maintained in the Health Information Management Department.
:*Records sent to clinic areas shall be returned to the Health Information Management Department within one working day.
:*Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
*Editing, authenticating and correcting the medical record.
reference, Nebraska Medicine Contents of the Medical Record policy for editing and authenticating the medical record.
*Business Associate agreements/addenda shall be established with any individual or corporation who performs a function on behalf of UNMC involving the use or disclosure of PHI, other than as a member of the workforce or a healthcare provider providing treatment (see UNMC Policy No. 8009, [[Contracts]]).
*Human Subjects Research shall be conducted in accordance with Human Research Protection Program (HRPP) Policies and Procedures, including HRPP Policy 3.4, Use of Protected Health Information in Research and Registries and Use and Disclosure of Protected Health Information
*Retention of the designated record set and other protected health information shall be in accordance with federal, state, and local laws, and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years.
*The Privacy Officer shall be designated in writing and shall be responsible for developing and implementing written policies and procedures necessary to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
*All members of the workforce shall receive training on privacy and security of confidential information upon hire, and when policies and procedures relevant to their position change.
:*Disclosure of fundraising information
:*Disclosure of credit card information received in the course of business, whether or not such credit card information is covered by the Gramm-Leach-Bliley Act (GLBA).
*Workforce members who suspect a breach of confidentiality regarding proprietary
business information shall report the breach to the Human Resources Employee Relations Department. *A full investigation of the breach shall be conducted by the Human Resources Employee Relations Department, as appropriate.
===Student Education Record Information===
*Members of the workforce have a duty to maintain the confidentiality of student education records. Breach of this duty includes, but is not limited to, release of student information that is not considered “directory information” under the guidelines of the Family Educational Rights and Privacy (FERPA) listed in the Student Handbook. It also includes, but is not limited to, protection of confidential student financial information protected under the Gramm-Leach-Bliley Act (GLBA).
*Employees shall verify FERPA restrictions placed on student records prior to release of student information.
*The social security number of a student is considered confidential information and must not be used to identify a student.
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to Student Number.*Use of a student’s social security number in databases is prohibited. In the event that the social security number of a student must be maintained, an
Exception Form [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception , Exhibit B] must be completed and submitted to Academic Affairs for approval. If it must be used, the use of the student’s social security number must comply with ITS Database Security Procedures.
*Workforce members who suspect a breach of confidentiality regarding Student Education Records shall report the breach to the Compliance Office or the Student Affairs Office.
*The student may file a complaint with the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave SW, Washington, DC 20202-4605.
*Employment records are confidential and will not be made publicly available, except upon written authorization signed by the individual to whom the records pertain or in response to a legal mandate. In this context, employment records are those of persons who are employees of UNMC, and persons who are or have been either applicants or nominees for employment. Such records include the entire employment process beginning with application or nomination for appointment, search committee evaluation, and appointing authority evaluation, through appointment and employment, and ending with separation from employment.
*The social security number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated, see UNMC
Policy No. 6085, [[Social Security Number]].
*ITS shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to:
:*Personnel (SAP) Number
:*Last four digits of social security number *In the event that the social security number of an employee must be maintained, an
Exception Form, [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception , Exhibit C] , must be completed and submitted to Human Resources for approval. In cases where the employee social security number must be stored in a database, the database use must comply with ITS Database Security Procedures.
*The following are not confidential and are considered by UNMC as directory information:
:*Post-secondary education degrees earned
:*Awards or honors
*Employee information other than directory information is accessible only to the employee, the department administrative personnel, UNMC Human Resources, and other University offices with a need to know. Non-directory information should be released to others only with signed authorization from the employee or in response to a legal mandate.
*Departments have three options for responding to requests for reference checks:
:*Refer to Human Resources – Records
:*Provide directory information only
:*With a signed release, respond to questions and provide information based only on what is documented in the employment file
:*For more information about responding to reference checks, inquire at UNMC Human Resources – Records at 402
*Members of the workforce have a duty to protect employee information. Breach of this duty includes but is not limited to the following:
:*Disclosure of social security number
:*Disclosure of employee corrective action
*Workforce members who suspect a breach of confidentiality regarding Employment Records shall report the breach to the Human Resources Employee Relations Department.
*Members of the workforce have a duty to protect confidential information produced while performing research. Breach of
this duty includes the following: :*Disclosure of PHI to unauthorized persons or entities not included in the Authorization for Release of Information
:*Disclosure of research results linked to human subjects to persons or entities not authorized in the Institutional Review Board (IRB) approved protocol
*Workforce members who suspect a breach of confidentiality regarding human
subjects research information shall report the breach to the IRB office and/or the Privacy Office.
*Contact the [mailto:email@example.com Privacy] or [mailto:
swelna@ unmc. edu Information Security] Officers *Contact Human Resources – Records at 402 /559-8962* Exhibit A - [https://www.unmc.edu/ hipaa/ policies/ 6045-exhibit-a-statement-of-understanding.pdf Statement of Understanding]
*Exhibit B - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception]
*Exhibit C - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception]
*UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action
*UNMC Policy No. 6036, [http://wiki.unmc.edu/index.php?title=Reproducing_Copyrighted_Materials Reproduction of Copyrighted Materials Policy]
*UNMC Policy No. 6052, [http://wiki.unmc.edu/index.php?title=Student_Training_Agreement Contract or Agreement for Student Training Policy]
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8009, [[Contracts]]
*[http://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
*[http://wiki.unmc.edu/index.php?title=Human_Resources_-_Procedures UNMC Human Resources Procedures]
*[https://info.unmc.edu/its-security/policies/plan.html Information Security Plan]
*[http://www.unmc.edu/hipaa/_documents/telehealth-final.pdf Telehealth Procedures]
http://www.unmc.edu/ media/ compliance/ privacy_incident_response_and_breach_notification_procedures.pdf Privacy Incident Response and Breach Notification Procedures]*[https://nebraska.edu/ site- information.html?redirect=true Copyright and Disclaimer]
*[https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information Procedures]
*[http://wiki.unmc.edu/index.php?title=Informed_Consent_for_UNMC_Media_Production_and_Distribution_Procedures Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution]
*[http://www.unmc.edu/hr/Proc/Procedures1097.pdf Human Resources Performance Management Procedures]
*[http://info.unmc.edu/wiki/index.php/Faculty_Handbook UNMC Faculty Handbook: Operating Procedures]
www.unmc.edu/ studentservices/ _documents/handbook.pdf UNMC Student Handbook : Academic Policies]
*[https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996 Health Insurance Portability and Accountability Act of 1996] (HIPAA)
*[http://www.ftc.gov/privacy/privacyinitiatives/glbact.html Gramm-Leach-Bliley Act] (GLBA)
*Nebraska Free Flow of Information Act (§ 20-144, 20-145, 20-146, 20-1470)
*[http://nebraskalegislature.gov/laws/laws.php Nebraska Rev. Statutes] § 84-712, 84-712.01, 84-712.02, 84-712.03, 84-712.04, 84-712.05, 84-712.06, 84-712.07, 84-712.08, 84-712.09
http:// www.nebraska.edu/ bylaws-and-policies. html Board of Regents Bylaws and Policies]*[ http:// www.nebraska.edu/docs/ president/ 16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Executive Memorandum No. 16, Responsible Use of Information Resources, Technology and Networks]*[https://nebraska.edu/docs/ president/ 22%20Public%20Record%20Requests.pdf Executive Memorandum No. 22, Public Record Requests]*[https://nebraska.edu/docs/ president/ 26%20Information%20Security%20Plan%20%28GLB%20Compliance%29.pdf Executive Memorandum No. 26, Information Security Plan]*[https://nebraska.edu/docs/ president/ 27%20HIPAA%20Compliance.pdf Executive Memorandum No. 27, HIPAA Compliance Policy]*[ http://www.unmc.edu/com/about/gme/ gme-housestaff.pdf University of Nebraska Residency Program Policies and Procedures]
*[https://www.unmc.edu/vcr/about/research-handbook-web.pdf Research Handbook]
*[http://www.unmc.edu/irb/ Institutional Review Board Guidelines]