Privacy/Confidentiality: Difference between revisions

m
minor revisions
m (updated links)
m (minor revisions)
Line 35: Line 35:
<big>'''Privacy, Confidentiality and Security of Patient and Proprietary Information Policy'''</big><br /><br />
<big>'''Privacy, Confidentiality and Security of Patient and Proprietary Information Policy'''</big><br /><br />
== Basis for Policy ==
== Basis for Policy ==
To maintain the privacy, confidentiality and security of patient and proprietary information and comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related regulations. For purposes of this policy, confidential information means protected health information and proprietary information. 
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.   
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.   
== Policy ==
== Policy ==
Line 45: Line 47:
##Right to request an accounting of disclosures (see UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]);  
##Right to request an accounting of disclosures (see UNMC Policy No. 6061, [https://wiki.unmc.edu/index.php/Accounting_of_PHI_Disclosures Accounting of Protected Health Information Disclosures]);  
##Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices]); and
##Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices]); and
##Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices], UNMC Policy No. 6062, [[Patient/Consumer Complaints]] and '''Nebraska Medicine Patient Complaint and Grievance Management policy''' ''''' needpolicy #'''''<br /> '''Individuals shall not be asked to waive these rights as a condition of receiving treatment.'''
##Right to file a complaint internally with the Patient Relations Department or with the U.S. Department of Health and Human Services Office for Civil Rights (see UNMC Policy No. 6058, [https://wiki.unmc.edu/index.php/Notice_of_Privacy_Practices Notice of Privacy Practices], UNMC Policy No. 6062, [[Patient/Consumer Complaints]] and Nebraska Medicine Patient Complaint and Grievance Management policy ''RI23''.                                                                                    '''Individuals shall not be asked to waive these rights as a condition of receiving treatment.'''
#Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
#Nebraska Medicine/UNMC is responsible for safeguarding and protecting confidential information against loss, tampering and use by or disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
#Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following:
#Nebraska Medicine/UNMC workforce has a duty to protect confidential information. Breach of this duty includes but is not limited to the following:
Line 60: Line 62:
##Transferring confidential information in any form without both parties having a need to know such confidential information.  
##Transferring confidential information in any form without both parties having a need to know such confidential information.  
#Nebraska Medicine/UNMC shall mitigate or reduce, to the extent practicable, any harmful effects of a use or disclosure of PHI in violation of its policies and procedures that is known to Nebraska Medicine/UNMC.  
#Nebraska Medicine/UNMC shall mitigate or reduce, to the extent practicable, any harmful effects of a use or disclosure of PHI in violation of its policies and procedures that is known to Nebraska Medicine/UNMC.  
#All employees, the medical staff, allied health practitioners and members of the Workforce with access to confidential information shall sign Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement upon initial employment/work/appointment/credentialing '''(need URL for attachment to link to the policy)'''.  
#All employees, the medical staff, allied health practitioners and members of the Workforce with access to confidential information shall sign Nebraska Medicine/UNMC Information Privacy, Confidentiality and Security Agreement or [https://www.unmc.edu/academicaffairs/_documents/compliance/statement_of_understanding.pdfv Statement of Understanding] upon initial employment/work/appointment/credentialing.  
#Workforce members who suspect a privacy or information security violation must report it immediately. Such reports may be made to their respective manager and the Privacy and/or Information Security Office. Alternatively, staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 800-822-8310. A full investigation of the suspected violation shall be conducted. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer '''(how to contact that person??)'''.
#Workforce members who suspect a privacy or information security violation must report it immediately. Such reports may be made to their respective manager and the Privacy and/or Information Security Office. Alternatively, staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 800-822-8310. A full investigation of the suspected violation shall be conducted. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the [https://now.nebraskamed.com/leadership/ System Chief Medical Officer].
#Sanctions for violations of privacy or information security may include revocation of medical staff privileges or allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 6302, [[Patient Privacy Investigations and Levels of Violation]]). Civil and criminal fines and penalties can also be levied under HIPAA.
#Sanctions for violations of privacy or information security may include revocation of medical staff privileges or allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 6302, [[Patient Privacy Investigations and Levels of Violation]]). Civil and criminal fines and penalties can also be levied under HIPAA.
#Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within Nebraska Medicine/UNMC or to the Office for Civil Rights (see [https://wiki.unmc.edu/index.php?title=Privacy/Confidentiality&action=edit#Procedures Procedures, Section 2.2]).
#Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within Nebraska Medicine/UNMC or to the Office for Civil Rights (see [https://wiki.unmc.edu/index.php?title=Privacy/Confidentiality&action=edit#Procedures Procedures, Section 2.2]).
Line 70: Line 72:
##Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
##Records signed out to the attending physician's office or other authorized areas shall be returned to the Health Information Management Department as soon as possible (preferably by 5:00 pm each working day).
#Editing, authenticating and correcting the medical record.
#Editing, authenticating and correcting the medical record.
##See Nebraska Medicine Policy, “Contents of Medical Record”, for editing and authenticating the medical record.'''(Nebraska Medicine Policy number??)'''
##See Nebraska Medicine Policy, “Contents of Medical Record”, MS22, for editing and authenticating the medical record.
#[https://wiki.unmc.edu/index.php/Business_Associate_Agreements_and_Addendums_Procedures A Business Associate Agreement or Addenda] shall be executed with each Business Associate
#[https://wiki.unmc.edu/index.php/Business_Associate_Agreements_and_Addendums_Procedures A Business Associate Agreement or Addenda] shall be executed with each Business Associate
#Human Subjects Research shall be conducted in accordance with UNMC’s [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research" and UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
#Human Subjects Research shall be conducted in accordance with UNMC’s [https://guides.unmc.edu/books/hrpp-policies-and-procedures Human Research Protection Program (HRPP) Policies and Procedures], including HRPP Policy 3.4, “Use of Protected Health Information in Research" and UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]].
Line 130: Line 132:
*[https://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
*[https://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
*[https://wiki.unmc.edu/index.php?title=Human_Resources_-_Procedures UNMC Human Resources Procedures]
*[https://wiki.unmc.edu/index.php?title=Human_Resources_-_Procedures UNMC Human Resources Procedures]
*[https://wiki.unmc.edu/index.php/Job_Shadowing_Procedure Job Shadowing Procedures]
*[https://info.unmc.edu/its-security/policies/plan.html Information Security Plan]
*[https://info.unmc.edu/its-security/policies/plan.html Information Security Plan]
*[https://nebraska.edu/offices-policies/general-counsel/practice-areas/intellectual-property Copyright and Disclaimer]
*[https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information Procedures]
*[https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information Procedures]
*[https://wiki.unmc.edu/index.php?title=Informed_Consent_for_UNMC_Media_Production_and_Distribution_Procedures Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution]
*[https://wiki.unmc.edu/index.php?title=Informed_Consent_for_UNMC_Media_Production_and_Distribution_Procedures Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution]
Line 141: Line 141:
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996] (HIPAA)
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996] (HIPAA)
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]
*[https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act Gramm-Leach-Bliley Act] (GLBA)
*[https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html Family Educational Rights and Privacy Act] (FERPA)
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-bylaws.pdf?la=en Board of Regents Bylaws]
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-bylaws.pdf?la=en Board of Regents Bylaws]
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-policies.pdf?la=en Board of Regents Policies]
*University of Nebraska [https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/board-governing-documents/board-of-regents-policies.pdf?la=en Board of Regents Policies]
Line 154: Line 152:
*[https://guides.unmc.edu/books/research-handbook Research Handbook]
*[https://guides.unmc.edu/books/research-handbook Research Handbook]
*[https://www.unmc.edu/irb/ Institutional Review Board Guidelines]
*[https://www.unmc.edu/irb/ Institutional Review Board Guidelines]
*[https://csrc.nist.gov/Projects/protecting-controlled-unclassified-information/sp-800-171 Protecting Controlled Unclassified Information] (CUI)
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final Security and Privacy Controls for Information Systems and Organizations]  
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final Security and Privacy Controls for Information Systems and Organizations]  


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:mhurlocker@unmc.edu mh].