Privacy/Confidentiality: Difference between revisions

Effective Date: '''11/21/03'''<br />
Revised Date: '''08/20/07'''<br />
Reviewed Date: '''08/17/08'''<br />
Reviewed Date: '''DRAFT'''<br />
<br />
<big>'''Privacy, Confidentiality and Information Security Policy'''</big><br /><br />
== Basis for Policy ==
To maintain the privacy, confidentiality and security of patient and proprietary information and comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). UNMC workforce and business associates have access to individually identifiable health information (protected health information) and proprietary information. For purposes of this policy, confidential information means protected health information and proprietary information.
== Policy ==
It is the policy of UNMC to maintain strict confidentiality and security of protected health information and proprietary information.
== Definitions (as defined by HIPAA 45 CFR 164.501) ==
*Affiliated Covered Entity (ACE) means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.
*Business Associate means a third party who performs services on behalf of UNMC and has access to protected health information (PHI) when performing services; or provides one of the following services for UNMC involving access to PHI: claims processing, data analysis, data processing, practice management, utilization review, quality assurance, billing, benefit management, and repricing.
*Designated record set is the medical record and billing record.
*Individual means the person who is the subject of the protected health information (including UNMC employees who are patients).
*Information Security is the ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.
*Protected health information (PHI) is individually identifiable health information. Health information means any information, whether oral or recorded in any medium that:
:*is created or received by UNMC; and
:*relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
*Proprietary Information is information relating to business practices, including but not limited to financial statements, contracts, and business plans; employee records; and meeting minutes.
*Workforce means employees, the medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC is under the direct control of UNMC, whether or not they are paid by UNMC.
*Employee records refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.
*Student education records means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person other than a student who is employed by UNMC by virtue of his or her status as a student at UNMC, (iv) alumni record and (v) medical record that is part of the common medical record shared by the Affiliated Covered Entity. Student education records are covered by the Family Educational Rights and Privacy Act (FERPA).


'''NOTE''': These guidelines are provided to assist UNMC workforce, including those in the patient treatment areas of the Munroe-Meyer Institute, the College of Medicine Optical Shop, the Lions Eye Bank and the College of Dentistry, as applicable, in complying with HIPAA regulations. Those departments and clinics which fall under the jurisdiction of The Nebraska Medical Center and/or University Medical Associates should consult the policies and procedures of those entities for authoritative guidance.<br />
<br />
== Introduction ==
University of Nebraska Medical Center (UNMC) workforce and business associates handle a variety of proprietary information concerning patients, colleagues, employees, students, alumni, donors or others associated with the University. This information includes, but may not be limited to:   
* Protected Health Information (PHI) as defined by [http://www.unmc.edu/hippa HIPAA]
* Student Education Records as defined by [http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html FERPA]
* Protected Student Financial Information (PSFI) as defined by [http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act GLBA]
* Employee records
* Research data
* Business plans
* Financial data


It is the responsibility of all University workforce and business associates to respect the highest level of privacy for their patients, colleagues and other members of the University community.  Disclosure and discussion of confidential information obtained from University records, either during or after employment or association with the University, is impermissible unless such disclosure is a normal requirement of a workforce position and has been authorized.


UNMC shall require its workforce to adhere to another entity’s rules, regulations, policies and procedures while on the premises of the other entity as contracted workforce of that other entity.
==Additional Information==
<br />
For more information, contact the Privacy or Information Security Officers, or see the following resources: 
* [http://www.unmc.edu/hipaa/_documents/6045-procedure.doc Privacy, Confidentiality and Information Security Procedures]
* [https://wiki.unmc.edu/index.php/Job_Shadowing_Procedure Job Shadowing Procedures]
* [https://info.unmc.edu/its-security/policies/plan.html Information Security Plan]
* [http://info.unmc.edu/media/its/strohben/HIPAA/UNMCHIPAACompliancePlan_05%20review.pdf HIPAA Compliance Plan]
* [http://www.unmc.edu/hipaa/_documents/telehealth-final.pdf Telehealth Procedures]
* [http://www.unmc.edu/media/compliance/privacy_incident_response_and_breach_notification_procedures.pdf Privacy Incident Response and Breach Notification Procedures]
* [https://nebraska.edu/site-information.html?redirect=true Copyright and Disclaimer]
* [https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information Procedures]
* [http://wiki.unmc.edu/index.php?title=Informed_Consent_for_UNMC_Media_Production_and_Distribution_Procedures Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution]
* [http://www.unmc.edu/hr/Proc/Procedures1097.pdf Human Resources Performance Management Procedures]
* [http://info.unmc.edu/wiki/index.php/Faculty_Handbook UNMC Faculty Handbook: Operating Procedures]
* [http://www.unmc.edu/studentservices/_documents/handbook.pdf UNMC Student Handbook: Academic Policies]


== Basis for Policy ==
It is the policy of the University of Nebraska Medical Center (UNMC) to comply with all applicable federal, state and local regulations and University policies and procedures governing confidentiality, privacy and information security.  These regulations and guidelines include, but may not be limited to:
* [http://www.unmc.edu/hipaa Health Insurance Portability and Accountability Act of 1996] (HIPAA)
* [http://www.ftc.gov/privacy/privacyinitiatives/glbact.html Gramm-Leach-Bliley Act] (GLBA)
* [http://www.unmc.edu/its/ Information Technology Services Procedures]


== Policy ==
It is the policy of University of Nebraska Medical Center (UNMC) to protect confidentiality and privacy through appropriate acquisition, storage, maintenance, use, and destruction of information gathered in the course of employment or other affiliation with UNMC or entrusted to UNMC for academic, research, patient care, or administrative purposes.
Department administration shall determine what information entrusted to their department is private and/or confidential; and shall communicate methods of protecting that information from acquisition through destruction, to appropriate persons associated with their department. UNMC workforce and business associates with access to private and/or confidential information will be held accountable for maintaining confidentiality.
For more detailed information, see   
* Privacy, Confidentiality and Information Security Procedures
* [https://info.unmc.edu/its-security/policies/plan.html Information Security Plan]
* UNMC Policy No. 6056, Retention and Destruction/Disposal of Private and Confidential Information
Breach of confidentiality may result in sanctions, civil or criminal prosecution and penalties, scholastic or employment corrective action which could lead to dismissal or, as it relates to health care professionals or others outside of UNMC, suspension or revocation of all access privileges.
Individuals who know or suspect that confidentiality has been breached by another person or persons have a responsibility to report the breach to Financial Controls and Compliance or to the Human Resources Employee Relations Department.  Employees should not confront the individual under suspicion or initiate investigations on their own, as such actions could compromise any ensuing investigation. All individuals are to cooperate fully with those performing an investigation pursuant to this policy.
New hires, volunteers and first-year students shall read this policy and sign the Statement of Understanding.  Thereafter, all members of the workforce shall sign the agreement annually.  The agreement is also available online through UNMC's Employee Self Service (ESS). The original document should be maintained in the department staff/faculty/student/volunteer file if completed manually and retained for six years.
== Definitions ==
'''Employee records''' refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.
'''Information''' is data presented in readily comprehensible form.  (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.) Information may be stored or transmitted via electronic media, on paper or other tangible media, or be known by individuals or groups.  Information generated in the course of University operations is a valuable asset of the University and belongs to the University.
'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.
'''Information technology''' resources include voice, video, data and network facilities and services and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, Executive Memorandum No. 26, Information Security Plan, all applicable UNMC policies (see especially Policy No. 6051, Computer Use and Information Security), Information Technology Services policies and procedures and applicable federal, state and local laws.
'''Job Shadowing'''  is an opportunity for an individual, age 16 and older, to observe and learn aspects about the world of work in a health care setting. The experience permits the program participant to gain an understanding of a typical day for an employee, and the skills necessary to complete the work required. The job shadow program is designed to promote the health care professions while safeguarding patients’ privacy. Participants in the job shadowing program are considered UNMC workforce and are subject to this policy and related [https://wiki.unmc.edu/index.php/Job_Shadowing_Procedure procedures].
'''Privacy''' is defined as the right of individuals to keep information about themselves from being disclosed.
'''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records and student records.
'''Protected Health Information (PHI)''' is individually identifiable health information.  Health information means any information, whether oral or recorded in any medium, that:   
* is created or received by UNMC; and
* relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Records containing PHI, in any form, are the property of UNMC.  The PHI contained in the record is the property of the individual who is the subject of the record.
'''Protected Student Financial Information (PSFI)''' is information that UNMC has obtained from a student in the process of offering a financial product or service, or such information provided to UNMC by another financial institution.  Offering a financial product or service includes offering student loans to students, receiving tax information from a student’s parent when offering a financial aid package and other financial services.  Examples of student financial information include addresses, phone numbers, bank and credit account numbers, income and credit histories, and social security numbers in both paper and electronic format.
'''Student education records''' means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person other than a student who is employed by UNMC by virtue of his or her status as a student at UNMC, (iv) alumni record and (v) medical record that is part of the common medical record shared by UNMC, The Nebraska Medical Center, UMA and UDA. (NOTE: HIPAA and GLBA privacy regulations do not apply to education records covered by FERPA.)
'''Workforce''' refers to faculty, staff, volunteers, trainees, students (including job shadowing participants), independent contractors and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.<br />
<br />


This page maintained by [mailto:dpanowic@unmc.edu dkp].