2,654
edits
Privacy/Confidentiality: Difference between revisions
Jump to navigation
Jump to search
no edit summary
mNo edit summary |
No edit summary |
||
| (9 intermediate revisions by the same user not shown) | |||
| Line 30: | Line 30: | ||
Policy No.: '''6045'''<br /> | Policy No.: '''6045'''<br /> | ||
Effective Date: '''11/21/03'''<br /> | Effective Date: '''11/21/03'''<br /> | ||
Revised Date: ''' | Revised Date: '''11/29/22 draft'''<br /> | ||
Reviewed Date: ''' '''<br /> | Reviewed Date: ''' '''<br /> | ||
<br /> | <br /> | ||
| Line 45: | Line 45: | ||
##Right to request an accounting of disclosures (see UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]); | ##Right to request an accounting of disclosures (see UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]); | ||
##Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices]); and | ##Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices]); and | ||
##Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices], | ##Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices], UNMC Policy No. 6062, [[Patient/Consumer Complaints]] and '''Nebraska Medicine Patient Complaint and Grievance Management policy''' ''''' needpolicy #'''''<br /> '''Individuals shall not be asked to waive these rights as a condition of receiving treatment.''' | ||
#Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]). | #Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]). | ||
#Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following: | #Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following: | ||
| Line 70: | Line 70: | ||
##Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day). | ##Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day). | ||
#Editing, authenticating and correcting the medical record. | #Editing, authenticating and correcting the medical record. | ||
## | ##See Nebraska Medicine Policy, “Contents of Medical Record”, for editing and authenticating the medical record.'''(Nebraska Medicine Policy number??)''' | ||
#Business Associate | #[https://wiki.unmc.edu/index.php/Business_Associate_Agreements_and_Addendums_Procedures A Business Associate Agreement or Addenda] shall be executed with each Business Associate | ||
#Human Subjects Research shall be conducted in accordance with UNMC’s [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research" and UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]. | #Human Subjects Research shall be conducted in accordance with UNMC’s [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research" and UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]. | ||
#Retention of the designated record set and other protected health information shall be in accordance with federal, state and local laws and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years. | #Retention of the designated record set and other protected health information shall be in accordance with federal, state and local laws and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years. | ||
== Definitions == | == Definitions == | ||
===Affiliated Covered Entity (ACE)=== | |||
Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE. | |||
===Business Associate=== | ===Business Associate=== | ||
A third party | A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI. Some examples of such services include claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing. | ||
===Designated Record Set (DRS)=== | ===Designated Record Set (DRS)=== | ||
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS. | Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by an ACE entity to make decisions about Individuals. Exact duplicates of records maintained by business associates are not considered part of the DRS. | ||
===Individual=== | ===Individual=== | ||
The person who is the subject of the PHI. Personal representatives of the patient have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. | The person who is the subject of the PHI. Personal representatives of the patient have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14). | ||
===Protected Health Information (PHI)=== | ===Protected Health Information (PHI)=== | ||
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that: | Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that: | ||
*is created or received by UNMC/ | *is created or received by UNMC/ACE; and | ||
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. | *relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. | ||
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age): | PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age): | ||
| Line 95: | Line 97: | ||
*employment records held by UNMC in its role as employer. | *employment records held by UNMC in its role as employer. | ||
===Workforce=== | ===Workforce=== | ||
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.<br /> | Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.<br /> | ||
<br /> | <br /> | ||
In addition for purposes of this policy. | '''''In addition for purposes of this policy.''''' | ||
===Information Security=== | ===Information Security=== | ||
The set of policies and practices designed to protect PHI from any unauthorized access, use, disclosure, modification, destruction or loss. | The set of policies and practices designed to protect PHI from any unauthorized access, use, disclosure, modification, destruction or loss. | ||
| Line 124: | Line 126: | ||
*UNMC Policy No. 8000, [[Compliance Program]] | *UNMC Policy No. 8000, [[Compliance Program]] | ||
*UNMC Policy No. 8009, [[Contracts]] | *UNMC Policy No. 8009, [[Contracts]] | ||
*UNMC’s[https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research | *[https://wiki.unmc.edu/index.php/Business_Associate_Agreements_and_Addendums_Procedures Business Associate Agreements and Addendums Procedures] | ||
*UNMC’s [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research | |||
*Nebraska Medicine Consents and Permits policy, MS14 | *Nebraska Medicine Consents and Permits policy, MS14 | ||
*UNMC [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure] | *UNMC [https://info.unmc.edu/its-security/policies/procedures/data-classification.html Data Classification Procedure] | ||
| Line 139: | Line 142: | ||
*[http://info.unmc.edu/wiki/index.php/Faculty_Handbook UNMC Faculty Handbook: Operating Procedures] | *[http://info.unmc.edu/wiki/index.php/Faculty_Handbook UNMC Faculty Handbook: Operating Procedures] | ||
*[http://catalog.unmc.edu/general-information/ Student Handbook] | *[http://catalog.unmc.edu/general-information/ Student Handbook] | ||
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] | |||
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996] (HIPAA) | *[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996] (HIPAA) | ||
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] | *[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] | ||
*[http://www.ftc.gov/privacy/privacyinitiatives/glbact.html Gramm-Leach-Bliley Act] (GLBA) | *[http://www.ftc.gov/privacy/privacyinitiatives/glbact.html Gramm-Leach-Bliley Act] (GLBA) | ||
*[http://www.ed.gov/offices/OM/fpco/ferpa/index.html Family Educational Rights and Privacy Act] (FERPA) | *[http://www.ed.gov/offices/OM/fpco/ferpa/index.html Family Educational Rights and Privacy Act] (FERPA) | ||
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-bylaws.pdf?la=en Board of Regents Bylaws] | *University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-bylaws.pdf?la=en Board of Regents Bylaws] | ||
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-policies.pdf?la=en Board of Regents Policies] | *University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-policies.pdf?la=en Board of Regents Policies] | ||
| Line 151: | Line 153: | ||
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/university-of-nebraska-information-security-plan.pdf Executive Memorandum No. 26, Information Security Plan - Gramm Leach Bliley Compliance] | *[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/university-of-nebraska-information-security-plan.pdf Executive Memorandum No. 26, Information Security Plan - Gramm Leach Bliley Compliance] | ||
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf Executive Memorandum No. 27, HIPAA Compliance Policy] | *[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf Executive Memorandum No. 27, HIPAA Compliance Policy] | ||
*Executive Memorandum No. 41, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-on-research-and-data-security.pdf Policy on Research Data and Security] | |||
*Executive Memorandum No. 42, [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/policy-on-risk-classification-and-minimum-security-standards.pdf Policy on Risk Classification and Minimum Security Standards] | |||
*[https://www.unmc.edu/com/about/gme/housestaffmanual.pdf University of Nebraska Affiliated Hospital House Staff Manual 2022 – 2023] | *[https://www.unmc.edu/com/about/gme/housestaffmanual.pdf University of Nebraska Affiliated Hospital House Staff Manual 2022 – 2023] | ||
*[https://www.unmc.edu/vcr/about/research-handbook-web.pdf Research Handbook] | *[https://www.unmc.edu/vcr/about/research-handbook-web.pdf Research Handbook] | ||
*[http://www.unmc.edu/irb/ Institutional Review Board Guidelines] | *[http://www.unmc.edu/irb/ Institutional Review Board Guidelines] | ||
*[https://csrc.nist.gov/Projects/protecting-controlled-unclassified-information/sp-800-171 Protecting Controlled Unclassified Information (CUI) | *[https://csrc.nist.gov/Projects/protecting-controlled-unclassified-information/sp-800-171 Protecting Controlled Unclassified Information] (CUI) | ||
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final Security and Privacy Controls for Information Systems and Organizations] | *[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final Security and Privacy Controls for Information Systems and Organizations] | ||
This page maintained by [mailto:dpanowic@unmc.edu dkp]. | This page maintained by [mailto:dpanowic@unmc.edu dkp]. | ||