Privacy/Confidentiality: Difference between revisions

From University of Nebraska Medical Center
(Created page with "POLICY NO: 6045<br /> EFFECTIVE DATE: 11/21/03<br /> REVISED DATE: 08/17/07<br /> REVIEWED DATE: 08/20/08<br /> <big>'''Privacy, Confidentiality and Information Security ...")
 
(→‎Additional Information: University of Nebraska Affiliated Hospital House Staff Manual 2022 – 2023 to 2023-2024)
 
(93 intermediate revisions by 4 users not shown)
POLICY NO: 6045<br />
<table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0">
 
<tr>
EFFECTIVE DATE: 11/21/03<br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
 
width="20">[[Human Resources]]</td>
REVISED DATE: 08/17/07<br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
 
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
REVIEWED DATE: 08/20/08<br />
width="20">[[Safety/Security]] </td>
 
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
 
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
<big>'''Privacy, Confidentiality and Information Security Policy'''</big><br />
width="20">[[Research Compliance]] </td>
 
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
'''NOTE''': These guidelines are provided to assist UNMC workforce, including those in the patient treatment areas of the Munroe-Meyer Institute, the College of Medicine Optical Shop, the Lions Eye Bank and the College of Dentistry, as applicable, comply with HIPAA regulations. Those departments and clinics which fall under the jurisdiction of  The Nebraska Medical Center and/or University Medical Associates should consult the policies and procedures of those entities for authoritative guidance.<br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Compliance]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Business Operations]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Faculty]]</td>
</tr>
</table>
<br />
<br />
 
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
 
<br /><br />
=== Introduction ===
Policy No.: '''6045'''<br />
Effective Date: '''11/21/03'''<br />
Revised Date: '''08/01/23'''<br />
Reviewed Date: 08/01/23''' '''<br />
<br />
<br />
<br />
<big>'''Privacy, Confidentiality and Security of Patient and Proprietary Information Policy'''</big><br /><br />
   
== Basis for Policy ==
To maintain the privacy, confidentiality and security of patient and proprietary information and comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related regulations. For purposes of this policy, confidential information means protected health information and proprietary information.  


University of Nebraska Medical Center (UNMC) workforce and business associates handle a variety of proprietary information concerning patients, colleagues, employees, students, alumni, donors or others associated with the University. This information includes, but may not be limited to:
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls. 
 
== Policy ==
   
It is the policy of Nebraska Medicine/UNMC to maintain strict confidentiality and security of protected health information (PHI) and proprietary information.
* Protected Health Information (PHI) as defined by HIPAA
==Procedures==
*    Student Education Records as defined by FERPA
#Records containing confidential information, in any form, are the property of Nebraska Medicine/UNMC. The original medical record in any form shall not be released except in response to a valid search warrant, subpoena or court order requiring the release of the original record. A copy of the medical record should be offered first in such circumstances. If the original medical record must be released, a copy should be made prior to release if possible.
*    Protected Student Financial Information (PSFI) as defined by GLBA
#Individuals have the following rights with respect to their PHI: </b
*    Employee records
##Right to request access to inspect or to obtain a copy of their PHI in a designated record set and to receive such access (where granted) within a reasonable amount of time and to request amendment (see UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and & Amendment of Designated Record Set]);
*    Research data
##Right to request restrictions of how their PHI is used and disclosed (see UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use & Disclosure of Protected Health Information]);
*    Business plans
##Right to request an accounting of disclosures (see UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]);
*    Financial data<br />
##Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices]); and
 
##Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices], UNMC Policy No. 6062, [[Patient/Consumer Complaints]] and Nebraska Medicine Patient Complaint and Grievance Management policy ''RI23''.                                                                                    '''Individuals shall not be asked to waive these rights as a condition of receiving treatment.'''
 
#Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
It is the responsibility of all University workforce and business associates to respect the highest level of privacy for their patients, colleagues and other members of the University community. Disclosure and discussion of confidential information obtained from University records, either during or after employment or association with the University, is impermissible unless such disclosure is a normal requirement of aworkforce position and has been authorized.
#Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following:
 
##Accessing confidential information, in any form, without a current "need to know" to perform assigned duties. Workforce members may not access their own records.  Workforce members may not access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department or via the online patient portal.
UNMC shall require itsworkforce to adhere to another entity’s rules, regulations, policies and procedures while on the premises of the other entity as contracted workforce of that other entity. <br />
##Discussing or disclosing patient care events/PHI to individuals who do not have a “need to know” this information to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient. 
##Disclosing confidential information without proper authorization (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
##Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
##Discussing confidential information in the presence of individuals who do not have the "need to know" to perform assigned duties;
##Disclosing that a patient is receiving care (except for authorized directory purposes);
##Leaving confidential information unattended in a non-secure area;
##Improper disposal of confidential information (see policy, “Destruction of Confidential Information”);
##Using another person's user ID, password or other security codes;
##Assisting an unauthorized user to gain access to a secured information system;
##Transferring confidential information in any form without both parties having a need to know such confidential information.
#Nebraska Medicine/UNMC shall mitigate or reduce, to the extent practicable, any harmful effects of a use or disclosure of PHI in violation of its policies and procedures that is known to Nebraska Medicine/UNMC.
#All employees, the medical staff, allied health practitioners and members of the Workforce with access to confidential information shall sign Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement or [https://www.unmc.edu/academicaffairs/_documents/compliance/statement_of_understanding.pdfv Statement of Understanding] upon initial employment/work/appointment/credentialing.
#Workforce members who suspect a privacy or information security violation must report it immediately. Such reports may be made to their respective manager and the Privacy and/or Information Security Office. Alternatively, staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 800-822-8310. A full investigation of the suspected violation shall be conducted. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the [https://now.nebraskamed.com/leadership/ System Chief Medical Officer].
#Sanctions for violations of privacy or information security may include revocation of medical staff privileges or allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 6302, [[Patient Privacy Investigations and Levels of Violation]]). Civil and criminal fines and penalties can also be levied under HIPAA.
#Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within Nebraska Medicine/UNMC or to the Office for Civil Rights (see [https://wiki.unmc.edu/index.php?title=Privacy/Confidentiality&action=edit#Procedures Procedures, Section 2.2]).
#Access to patient information via Health Information Exchange shall be conducted in accordance with UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
#Paper medical records shall be maintained in the Health Information Management Department.
##Records sent to clinic areas shall be returned to the Health Information Management Department within one working day.
##Records of discharged patients will remain on the units until the Health Information Management Department picks them up. Medical records of deceased patients scheduled for an autopsy may be sent to the morgue.
##Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
#Editing, authenticating and correcting the medical record.
##See Nebraska Medicine Policy, “Contents of Medical Record”, MS22, for editing and authenticating the medical record.
#[https://wiki.unmc.edu/index.php/Business_Associate_Agreements_and_Addendums_Procedures A Business Associate Agreement or Addenda] shall be executed with each Business Associate
#Human Subjects Research shall be conducted in accordance with UNMC’s [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research" and UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
#Retention of the designated record set and other protected health information shall be in accordance with federal, state and local laws and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years.
== Definitions  ==
===Affiliated Covered Entity (ACE)===
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. 
===Business Associate===
A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
===Designated Record Set (DRS)===
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by the ACE to make decisions about Individuals.   
===Individual===
The person who is the subject of the PHI. Personal representatives of the patient have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14).
===Protected Health Information (PHI)===
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*is created or received by UNMC/ACE; and
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. 
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*an Individual’s genetic tests; 
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and
*employment records held by UNMC in its role as employer.
===Workforce===
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.<br />
<br />
<br />
=== Basis for Policy ===<br />
'''''In addition for purposes of this policy.'''''
<br />
===Information Security===
 
Policies and practices designed to control access and protect information from unauthorized access, alteration, destruction, loss or disclosure.
 
===Proprietary Information===
It is the policy of the University of Nebraska Medical Center (UNMC) to comply with all applicable federal, state, local regulations and University policies and procedures governing confidentiality, privacy and information security. These regulations and guidelines include, but may not be limited to: <br />
Information relating to Nebraska Medicine/UNMC business practices, including but not limited to financial statements, contracts, and business plans, employee records and meeting minutes.
 
==Additional Information==
 
*Note: Corresponds to Nebraska Medicine Policy IM06
   
*Contact the [mailto:sarah.glodencarlson@unmc.edu Chief Compliance Officer], 402-559-9576 or the UNMC Compliance Office at 402-559-6767
* [http://www.unmc.edu/hipaa Health Insurance Portability and Accountability Act of 1996] (HIPAA)
*Compliance Hotline - 800-822-8310
*    [http://www.ftc.gov/privacy/privacyinitiatives/glbact.html Gramm-Leach-Bliley Act] (GLBA)
*Contact the [mailto:debrbishop@nebraskamed.com Privacy] or [mailto:libazis@nebraskamed.com Information Security] Officers
*     [http://www.ed.gov/offices/OM/fpco/ferpa/index.html Family Educational Rights and Privacy Act] (FERPA)
*Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations
*     Nebraska Free Flow of Information Act (§ 20-144, 20-145, 20-146, 20-147
*[https://www.unmc.edu/academicaffairs/_documents/compliance/statement_of_understanding.pdf Statement of Understanding]
*     Nebraska Rev. Statutes § 84-712, 84-712.01, 84-712.02, 84-712.03, 84-712.04, 84-712.05, 84-712.06, 84-712.07, 84-712.08, 84-712.09
*UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]
*    [http://www.nebraska.edu/bylaws-and-policies.html Board of Regents Bylaws]
*UNMC Policy No. 6036, [https://wiki.unmc.edu/index.php?title=Reproducing_Copyrighted_Materials Reproduction of Copyrighted Materials Policy]
*     [http://www.nebraska.edu/board/board_policies.shtml Board of Regents Policies]
*UNMC Policy No. 6052, [https://wiki.unmc.edu/index.php?title=Student_Training_Agreement Contract or Agreement for Student Training Policy]
*     [http://www.nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Executive Memorandum No. 16, Responsible Use of Information Resources, Technology and Networks]
*UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]
*     [http://www.nebraska.edu/about/exec_memo22.pdf Executive Memorandum No. 22, Public Record Requests]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*     [http://www.nebraska.edu/about/exec_memo26.pdf Executive Memorandum No. 26, Information Security Plan]
*UNMC Policy No. 6059, [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set Access and Amendment of Designated Record Set]
*     [http://www.nebraska.edu/about/exec_memo27.pdf Executive Memorandum No. 27, HIPAA Compliance Policy]
*UNMC Policy No. 6061, [[Accounting of PHI Disclosures]]
*     [http://www.unmc.edu/policy/index.cfm?conref=3 UNMC Policy No. 8000, Compliance Program]
*UNMC Policy No. 6062, [[Patient/Consumer Complaints]]
*     [http://unmc.edu/policy/index.cfm?CONREF=13#privacy UNMC Privacy and Information Security Policies]
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]
*     [http://unmc.edu/policy/index.cfm?CONREF=78 UNMC Policy No. 6036, Reproduction of Copyrighted Materials Policy]
*UNMC Policy No. 6085, [[Social Security Number]]
*     [http://unmc.edu/policy/index.cfm?CONREF=80 UNMC Policy No. 6052, Contract or fAgreement for Student Training Policy]
*UNMC Policy No. 6302, [[Patient Privacy Investigations and Levels of Violation]]
*     [http://info.unmc.edu/fachandbook/operating%20procedures.htm UNMC Faculty Handbook]
*UNMC Policy No. 8000, [[Compliance Program]]
*     [http://net.unmc.edu/care/docs/handbook.pdf UNMC Student Handbook]: Academic Policies
*UNMC Policy No. 8009, [[Contracts]]
*     [http://www.unmc.edu/hr/Guidelines.htm UNMC Human Resources Procedures]
*[https://wiki.unmc.edu/index.php/Business_Associate_Agreements_and_Addendums_Procedures Business Associate Agreements and Addendums Procedures]
*     [http://www.unmc.edu/crc/CoordinatorBookChanges0202.pdf Clinical Research Center Guidebook]
*UNMC’s [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research
*     Eppley Cancer Center Scientific Review Committee Policies and Procedures
*Nebraska Medicine Consents and Permits policy, MS14
*    [http://www.unmc.edu/com/docs/GME_Policies.pdf University of Nebraska Residency Program Policies and Procedures]
*UNMC [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure]
*     [http://www.unmc.edu/spa/index.cfm?L1_ID=12&CONREF=139 Sponsored Programs Administration Policies and Procedures]
*[https://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
*     [http://www.unmc.edu/irb/index.cfm?L1_ID=6&CONREF=7 Institutional Review Board Guidelines]
*[https://wiki.unmc.edu/index.php?title=Human_Resources_-_Procedures UNMC Human Resources Procedures]
*     [http://app1.unmc.edu/its/index.cfm?dummyvar=-1&webtype=graphics&CONREF=dummyvar=-1&webtype=graphics&L2_ID=11&L1_ID=67&CONREF=6 Information Technology Services Procedures]<br />
*[https://info.unmc.edu/its-security/policies/plan.html Information Security Plan]
<br />
*[https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information Procedures]
 
*[https://wiki.unmc.edu/index.php?title=Informed_Consent_for_UNMC_Media_Production_and_Distribution_Procedures Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution]
=== Policy ===
*[https://www.unmc.edu/human-resources/_documents/procedures/Procedures1097.pdf Human Resources Performance Management Procedures]
<br />
*[https://info.unmc.edu/wiki/index.php/Faculty_Handbook UNMC Faculty Handbook: Operating Procedures]
<br />
*[https://catalog.unmc.edu/general-information/ Student Handbook]
 
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996] (HIPAA)
 
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]
It is the policy of University of Nebraska Medical Center (UNMC) to protect confidentiality and privacy through appropriate acquisition, storage, maintenance, use, and destruction of information gathered in the course of employment or other affiliation with UNMC or entrusted to UNMC for academic, research, patient care, or administrative purposes.
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-bylaws.pdf?la=en Board of Regents Bylaws]
 
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-policies.pdf?la=en Board of Regents Policies]
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-for-responsible-use-of-university-computers-and-information-systems.pdf Executive Memorandum No. 16, Policy for Responsible Use of University Computers and Information Systems]
 
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/public-records-request.pdf Executive Memorandum No. 22, Public Record Requests]
Department administration shall determine what information entrusted to their department is private and/or confidential; and shall communicate methods of protecting that information from acquisition through destruction, to appropriate persons associated with their department. UNMC workforce and business associates with access to private and/or confidential information will be held accountable for maintaining confidentiality.
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/university-of-nebraska-information-security-plan.pdf Executive Memorandum No. 26, Information Security Plan - Gramm Leach Bliley Compliance]
 
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf Executive Memorandum No. 27, HIPAA Compliance Policy]
*Executive Memorandum No. 41, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-on-research-and-data-security.pdf Policy on Research Data and Security]
 
*Executive Memorandum No. 42, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-on-risk-classification-and-minimum-security-standards.pdf Policy on Risk Classification and Minimum Security Standards]
For more detailed information, see<br />
*[https://www.unmc.edu/com/_documents/ho_manual.pdf University of Nebraska Affiliated Hospital House Staff Manual 2023 – 2024]
 
*[https://guides.unmc.edu/books/research-handbook Research Handbook]
 
*[https://www.unmc.edu/irb/ Institutional Review Board Guidelines]
   
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final Security and Privacy Controls for Information Systems and Organizations]
* Privacy, Confidentiality and Information Security Procedures
*    UNMC Information Security Plan
*    UNMC Policy No. 6056, Retention and Destruction/Disposal of Private and Confidential Information<br />
<br />
 
 
Breach of confidentiality may result in sanctions, civil or criminal prosecution and penalties, scholastic or employment corrective action which could lead to dismissal or, as it relates to health care professionals or others outside of UNMC, suspension or revocation of all access privileges.
 
Individuals who know or suspect that confidentiality has been breached by another person or persons have a responsibility to report the breach to Financial Controls and Compliance or to the Human Resources Employee Relations Department.  Employees should not confront the individual under suspicion or initiate investigations on their own, as such actions could compromise any ensuing investigation. All individuals are to cooperate fully with those performing an investigation pursuant to this policy.
 
New hires and volunteers and first year students shall read this policy and sign the Statement of Understanding. Thereafter, all members of the workforce shall sign the agreement annually. The agreement is also available online through UNMC's Employee Self Service (ESS). The original document should be maintained in the department staff/faculty/student/volunteer file if completed manually and retained for six years.<br />
 
 
 
=== Definitions ===
<br />
<br />
 
 
'''Employee records''' refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.
 
 
'''Information''' is data presented in readily comprehensible form. (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.) Information may be stored or transmitted via electronic media, on paper or other tangible media, or be known by individuals or groups. Information generated in the course of University operations is a valuable asset of the University and belongs to the University.
 
 
'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.
 
 
'''Information technology''' resources include voice, video, data and network facilities and services and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, Executive Memorandum No. 26, Information Security Plan, all applicable UNMC policies (see especially Policy No. 6051, Computer Use and Information Security), Information Technology Services policies and procedures and applicable federal, state and local laws.
 
 
'''Job Shadowing'''  is an opportunity for an individual, age 16 and older, to observe and learn aspects about the world of work in a health care setting. The experience permits the program participant to gain an understanding of a typical day for an employee, and the skills necessary to complete the work required. The job shadow program is designed to promote the health care professions while safeguarding patients’ privacy. Participants in the job shadowing program are considered UNMC workforce and are subject to this policy and related procedures.
 
 
'''Privacy''' is defined as the right of individuals to keep information about themselves from being disclosed.
 
 
'''Proprietary information''' refers toinformation regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records and student records.
 
 
'''Protected Health Information (PHI)''' is individually identifiable health information. Health information means any information, whether oral or recorded in any medium, that:
 
* is created or received by UNMC; and
* relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
 
Records containing PHI, in any form, are the property of UNMC. The PHI contained in the record is the property of the individual who is the subject of the record.
 
 
'''Protected Student Financial Information (PSFI)''' is information that UNMC has obtained from a student in the process of offering a financial product or service, or such information provided to UNMC by another financial institution. Offering a financial product or service includes offering student loans to students, receiving tax information from a student’s parent when offering a financial aid package and other financial services. Examples of student financial information include addresses, phone numbers, bank and credit account numbers, income and credit histories, and social security numbers in both paper and electronic format.
 
 
'''Student education records''' means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person other than a student who is employed by UNMC by virtue of his or her status as a student at UNMC, (iv) alumni record and (v) medical record that is part of the common medical record shared by UNMC, The Nebraska Medical Center, UMA and UDA. (NOTE: HIPAA and GLBA privacy regulations do not apply to education records covered by FERPA.)
 
 
'''Workforce''' refers to faculty, staff, volunteers, trainees, students (including job shadowing participants), independent contractors and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.<br />
<br />
For more information, contact the Privacy or Information Security Officers, or see the following resources:<br />
 
 
* [http://unmc.edu/policy/index.cfm?CONREF=101 Privacy, Confidentiality and Information Security Procedures]
* [http://info.unmc.edu/media/its/strohben/HIPAA/UNMCHIPAACompliancePlan_05%20review.pdf HIPAA Compliance Plan]
* [http://info.unmc.edu/media/its/strohben/Security/Information%20Security%20Plan-UNMC-FINAL.pdf Information Security Plan]
* [http://unmc.edu/policy/index.cfm?CONREF=102 Job Shadowing Procedures]
* [http://www.unmc.edu/media/compliance/privacy_incident_response_and_breach_notification_procedures.pdf Privacy Incident Response and Breach Notification Procedures]
* [http://info.unmc.edu/media/its/strohben/Policies/IncidentResponse_FINAL.pdf UNMC Information Security Incident Response Procedures]
* [http://www.nebraska.edu/siteinfo/index.shtml Copyright and Disclaimer]
* Destruction of Private and Confidential Information Procedures
* [http://unmc.edu/policy/index.cfm?CONREF=90 Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution]
* [http://www.unmc.edu/hr/Guidelines.htm Human Resources Performance Management Procedures]
* [http://info.unmc.edu/fachandbook/operating%20procedures.htm UNMC Faculty Handbook: Operating Procedures]
* [http://net.unmc.edu/care/docs/handbook.pdf UNMC Student Handbook: Academic Policies]
* Web Publishing Procedures
<br />
<br />
 
 
Privacy, Confidentiality and Information Security Procedures / Privacy Incident Response and Breach Notification Procedures /
Statement of Understanding<br />
 
 


This page maintained by dkp.
This page maintained by [mailto:mhurlocker@unmc.edu mh].

Latest revision as of 07:40, May 29, 2024


Policy No.: 6045
Effective Date: 11/21/03
Revised Date: 08/01/23
Reviewed Date: 08/01/23

Privacy, Confidentiality and Security of Patient and Proprietary Information Policy

Basis for Policy

To maintain the privacy, confidentiality and security of patient and proprietary information and comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related regulations. For purposes of this policy, confidential information means protected health information and proprietary information.

Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.

Policy

It is the policy of Nebraska Medicine/UNMC to maintain strict confidentiality and security of protected health information (PHI) and proprietary information.

Procedures

  1. Records containing confidential information, in any form, are the property of Nebraska Medicine/UNMC. The original medical record in any form shall not be released except in response to a valid search warrant, subpoena or court order requiring the release of the original record. A copy of the medical record should be offered first in such circumstances. If the original medical record must be released, a copy should be made prior to release if possible.
  2. Individuals have the following rights with respect to their PHI:
    1. Right to request access to inspect or to obtain a copy of their PHI in a designated record set and to receive such access (where granted) within a reasonable amount of time and to request amendment (see UNMC Policy No. 6059, Access and Amendment of Designated Record Set);
    2. Right to request restrictions of how their PHI is used and disclosed (see UNMC Policy No. 6057, Use & Disclosure of Protected Health Information);
    3. Right to request an accounting of disclosures (see UNMC Policy No. 6061, Accounting of Protected Health Information Disclosures);
    4. Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, Notice of Privacy Practices); and
    5. Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, Notice of Privacy Practices, UNMC Policy No. 6062, Patient/Consumer Complaints and Nebraska Medicine Patient Complaint and Grievance Management policy RI23). Individuals shall not be asked to waive these rights as a condition of receiving treatment.
  3. Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, Transporting Protected Health Information).
  4. Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following:
    1. Accessing confidential information, in any form, without a current "need to know" to perform assigned duties. Workforce members may not access their own records. Workforce members may not access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department or via the online patient portal.
    2. Discussing or disclosing patient care events/PHI to individuals who do not have a “need to know” this information to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient.
    3. Disclosing confidential information without proper authorization (see UNMC Policy No. 6057, Use and Disclosure of Protected Health Information);
    4. Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, Use and Disclosure of Protected Health Information);
    5. Discussing confidential information in the presence of individuals who do not have the "need to know" to perform assigned duties;
    6. Disclosing that a patient is receiving care (except for authorized directory purposes);
    7. Leaving confidential information unattended in a non-secure area;
    8. Improper disposal of confidential information (see policy, “Destruction of Confidential Information”);
    9. Using another person's user ID, password or other security codes;
    10. Assisting an unauthorized user to gain access to a secured information system;
    11. Transferring confidential information in any form without both parties having a need to know such confidential information.
  5. Nebraska Medicine/UNMC shall mitigate or reduce, to the extent practicable, any harmful effects of a use or disclosure of PHI in violation of its policies and procedures that is known to Nebraska Medicine/UNMC.
  6. All employees, the medical staff, allied health practitioners and members of the Workforce with access to confidential information shall sign the Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement or Statement of Understanding upon initial employment/work/appointment/credentialing.
  7. Workforce members who suspect a privacy or information security violation must report it immediately. Such reports may be made to their respective manager and the Privacy and/or Information Security Office. Alternatively, staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 800-822-8310. A full investigation of the suspected violation shall be conducted. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer.
  8. Sanctions for violations of privacy or information security may include revocation of medical staff privileges or allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 6302, Patient Privacy Investigations and Levels of Violation). Civil and criminal fines and penalties can also be levied under HIPAA.
  9. Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing a complaint within Nebraska Medicine/UNMC or to the Office for Civil Rights (see Procedures, Section 2.2).
  10. Access to patient information via Health Information Exchange shall be conducted in accordance with UNMC Policy No. 6057, Use and Disclosure of Protected Health Information.
  11. Paper medical records shall be maintained in the Health Information Management Department.
    1. Records sent to clinic areas shall be returned to the Health Information Management Department within one working day.
    2. Records of discharged patients will remain on the units until the Health Information Management Department picks them up. Medical records of deceased patients scheduled for an autopsy may be sent to the morgue.
    3. Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
  12. Editing, authenticating and correcting the medical record.
    1. See Nebraska Medicine Policy, “Contents of Medical Record”, MS22, for editing and authenticating the medical record.
  13. A Business Associate Agreement or Addenda shall be executed with each Business Associate.
  14. Human Subjects Research shall be conducted in accordance with UNMC’s Human Research Protection Program (HRPP) Policies and Procedures, including HRPP Policy 3.4, “Use of Protected Health Information in Research" and UNMC Policy No. 6057, Use and Disclosure of Protected Health Information.
  15. Retention of the designated record set and other protected health information shall be in accordance with federal, state and local laws and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

Business Associate

A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.

Designated Record Set (DRS)

Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by the ACE to make decisions about Individuals.

Individual

The person who is the subject of the PHI. Personal representatives of the patient have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14).

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members;
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
  • any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years;
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Workforce

Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

In addition, for purposes of this policy:

Information Security

Policies and practices designed to control access and protect information from unauthorized access, alteration, destruction, loss or disclosure.

Proprietary Information

Information relating to Nebraska Medicine/UNMC business practices, including but not limited to financial statements, contracts, business plans, employee records and meeting minutes.

Additional Information

This page maintained by mh.