Privacy/Confidentiality: Difference between revisions

no edit summary
Line 53: Line 53:
*Individuals have the following rights with respect to their PHI:
*Individuals have the following rights with respect to their PHI:
:*Right to request access and obtain copies of their designated record set within a reasonable amount of time and to request amendment (see Access and Amendment policy):
:*Right to request access and obtain copies of their designated record set within a reasonable amount of time and to request amendment (see Access and Amendment policy):
:*Right to request restrictions of how their PHI is used and disclosed (see Use & Disclosure of PHI policy);
:*Right to request restrictions of how their PHI is used and disclosed (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Right to request an accounting of disclosures (see Accounting of Disclosures policy);
:*Right to request an accounting of disclosures (see UNMC Policy No. 6061, [[Accounting of PHI Disclosures]]);
:*Right to receive a Notice of Privacy Practices (see Notice of Privacy Practices policy);
:*Right to receive a Notice of Privacy Practices (see UNMC Policy No. 6058, [[Notice of Privacy Practices]];
:*Right to file a complaint internally with the Nebraska Medicine Patient Relations Department, the Office of the Assistant Dean for Patient Services (College of Dentistry), or with the U.S. Department of Health and Human Services Office for Civil Rights. (See Notice of Privacy Practices and Patient/Consumer Complaints policies).
:*Right to file a complaint internally with the Nebraska Medicine Patient Relations Department, the Office of the Assistant Dean for Patient Services (College of Dentistry), or with the U.S. Department of Health and Human Services Office for Civil Rights. (See UNMC Policy Nos. 6058, [[Notice of Privacy Practices]] and 6062, [[Patient/Consumer Complaints]]).
*Individuals shall not be asked to waive these rights as a condition of receiving treatment.
*Individuals shall not be asked to waive these rights as a condition of receiving treatment.
*The ACE is responsible for safeguarding and protecting confidential information against loss, tampering, and disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see Transporting Protected Health Information policy).
*The ACE is responsible for safeguarding and protecting confidential information against loss, tampering, and disclosure to unauthorized individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
*ACE workforce have a duty to protect confidential information. Breach of this duty includes the following:
*ACE workforce have a duty to protect confidential information. Breach of this duty includes the following:
:*Accessing confidential information, in any form, without a "need to know" to perform assigned duties. Workforce members with medical information system access may view their own individual medical records. Workforce members may not print copies of their own records nor access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department. Workforce may not alter their own medical record.
:*Accessing confidential information, in any form, without a "need to know" to perform assigned duties. Workforce members with medical information system access may view their own individual medical records. Workforce members may not print copies of their own records nor access records of family members (including children), relatives, friends and others, unless access is necessary to perform assigned duties. Workforce members may obtain a copy of their medical records from the Health Information Management Department. Workforce may not alter their own medical record.
:*Discussing or disclosing patient care events to individuals who do not have a “need to know” to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient.
:*Discussing or disclosing patient care events to individuals who do not have a “need to know” to perform assigned duties, even if the patient’s name is not mentioned. The facts surrounding patient care are confidential and can lead to the identity of the patient.
:*Disclosing confidential information without proper authorization (see Use & Disclosure of Protected Health Information policy);
:*Disclosing confidential information without proper authorization (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see Use & Disclosure of Protected Health Information policy);
:*Accessing patient information via Health Information Exchange in a manner or for a purpose not permitted (see UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]);
:*Discussing confidential information in the presence of individuals who do not have the "need to know" to perform assigned duties;
:*Discussing confidential information in the presence of individuals who do not have the "need to know" to perform assigned duties;
:*Disclosing that a patient is receiving care (except for authorized directory purposes);
:*Disclosing that a patient is receiving care (except for authorized directory purposes);
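Review bot: The revised Notice of Privacy Practices bullet opens a parenthesis at "(see UNMC Policy No. 6058, [[Notice of Privacy Practices]];" and never closes it, while the sibling bullets changed in this hunk end with "]]);". Add the missing ")" before the semicolon so the cross-reference is punctuated like the others.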
Line 72: Line 72:
:*Transferring confidential information in any form without both parties having a need to know.
:*Transferring confidential information in any form without both parties having a need to know.
*The ACE shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches.
*The ACE shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches.
*All employees, medical staff, allied health practitioners and members of the workforce with access to confidential information shall sign UNMC Statement of Understanding upon initial employment/work/appointment/credentialing (see attachment).
*All employees, medical staff, allied health practitioners and members of the workforce with access to confidential information shall sign a[https://www.unmc.edu/hipaa/policies/6045-exhibit-a-statement-of-understanding.pdf Statement of Understanding, Exhibit A] upon initial employment/work/appointment/credentialing.
*Workforce members who suspect a privacy or information security violation must report it immediately to their respective manager and the Privacy and/or Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 866-568-5430. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer.
*Workforce members who suspect a privacy or information security violation must report it immediately to their respective manager and the Privacy and/or Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 866-568-5430. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations. The Medical Staff and allied health practitioners shall report suspected violations to the System Chief Medical Officer.
*Sanctions for violations of privacy or information security may include revocation of medical staff privileges, allied health credentials, or employee corrective action up to and including termination of employment (see Corrective and Disciplinary Action policy). Civil and criminal fines and penalties can also be levied under HIPAA.
*Sanctions for violations of privacy or information security may include revocation of medical staff privileges, allied health credentials, or employee corrective action up to and including termination of employment (see UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]). Civil and criminal fines and penalties can also be levied under HIPAA.
*Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within the organization or to the Office for Civil Rights.
*Workforce members may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for reporting a suspected privacy or information security violation, or for filing of a complaint within the organization or to the Office for Civil Rights.
*Access to patient information via Health Information Exchange shall be conducted in accordance with “Uses and Disclosure of Protected Health Information” policy.
*Access to patient information via Health Information Exchange shall be conducted in accordance with “Uses and Disclosure of Protected Health Information” policy.
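Review bot: In the Statement of Understanding bullet the new text reads "shall sign a[https://www.unmc.edu/hipaa/policies/6045-exhibit-a-statement-of-understanding.pdf Statement of Understanding, Exhibit A]" with no space between "a" and the link, so the article runs into the link text; insert a space. The last bullet of this hunk also still cites the policy by the quoted title “Uses and Disclosure of Protected Health Information”, while the other bullets in this revision now cite UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]; consider updating it the same way so the title and link are consistent.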
Line 102: Line 102:
*The social security number of a student is considered confidential information and must not be used to identify a student.
*The social security number of a student is considered confidential information and must not be used to identify a student.
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to Student Number.
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to Student Number.
*Use of a student’s social security number in databases is prohibited. In the event that the social security number of a student must be maintained, an Exception Form (Exhibit B) must be completed and submitted to Academic Affairs for approval. If it must be used, the use of the student’s social security number must comply with ITS Database Security Procedures.
*Use of a student’s social security number in databases is prohibited. In the event that the social security number of a student must be maintained, an Exception Form [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception, Exhibit B] must be completed and submitted to Academic Affairs for approval. If it must be used, the use of the student’s social security number must comply with ITS Database Security Procedures.
*Workforce members who suspect a breach of confidentiality regarding Student Education Records shall report the breach to the Compliance Office or the Student Affairs Office.  
*Workforce members who suspect a breach of confidentiality regarding Student Education Records shall report the breach to the Compliance Office or the Student Affairs Office.  
*The student may file a complaint with the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave SW, Washington, DC 20202-4605.  
*The student may file a complaint with the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave SW, Washington, DC 20202-4605.  
===Employee Information===
===Employee Information===
*Employment records are confidential and will not be made publicly available, except upon written authorization signed by the individual to whom the records pertain or in response to a legal mandate. In this context, employment records are those of persons who are employees of UNMC, and persons who are or have been either applicants or nominees for employment. Such records include the entire employment process beginning with application or nomination for appointment, search committee evaluation, and appointing authority evaluation, through appointment and employment, and ending with separation from employment.  
*Employment records are confidential and will not be made publicly available, except upon written authorization signed by the individual to whom the records pertain or in response to a legal mandate. In this context, employment records are those of persons who are employees of UNMC, and persons who are or have been either applicants or nominees for employment. Such records include the entire employment process beginning with application or nomination for appointment, search committee evaluation, and appointing authority evaluation, through appointment and employment, and ending with separation from employment.  
*The social security number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated, see UNMC policy 6085.
*The social security number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated, see UNMC Policy No. 6085, [[Social Security Number]].
*ITS shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to:
*ITS shall be available to assist in identifying alternatives to use of social security number. Alternatives which should be considered, include but are not limited to:
:*Personnel (SAP) Number
:*Personnel (SAP) Number
:*Last four digits of social security number  
:*Last four digits of social security number  
*In the event that the social security number of an employee must be maintained, an Exception Form (Exhibit C) must be completed and submitted to Human Resources for approval. In cases where the employee social security number must be stored in a database, the database use must comply with ITS Database Security Procedures.  
*In the event that the social security number of an employee must be maintained, an Exception Form, [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception, Exhibit C], must be completed and submitted to Human Resources for approval. In cases where the employee social security number must be stored in a database, the database use must comply with ITS Database Security Procedures.  
*The following are not confidential and are considered by UNMC as directory information:  
*The following are not confidential and are considered by UNMC as directory information:  
:*Employee Name  
:*Employee Name  
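Review bot: In the student social security number bullet the new link follows "an Exception Form" with no punctuation ("an Exception Form [... Use of Student Social Security Number Exception, Exhibit B] must be completed"), whereas the employee bullet in the same hunk sets the equivalent Exhibit C link off with commas. Punctuate the two bullets the same way so the form name reads as an appositive in both.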
Line 143: Line 143:
*Exhibit B - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception]
*Exhibit B - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-B-SSN-Student.docx Use of Student Social Security Number Exception]
*Exhibit C - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception]
*Exhibit C - [https://www.unmc.edu/hipaa/_documents/6045-Exhibit-C-SSN-Employee.docx Use of Employee Social Security Number Exception]
*[http://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
*UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action
*UNMC Policy No. 6036, [http://wiki.unmc.edu/index.php?title=Reproducing_Copyrighted_Materials Reproduction of Copyrighted Materials Policy]
*UNMC Policy No. 6036, [http://wiki.unmc.edu/index.php?title=Reproducing_Copyrighted_Materials Reproduction of Copyrighted Materials Policy]
*UNMC Policy No. 6052, [http://wiki.unmc.edu/index.php?title=Student_Training_Agreement Contract or Agreement for Student Training Policy]
*UNMC Policy No. 6052, [http://wiki.unmc.edu/index.php?title=Student_Training_Agreement Contract or Agreement for Student Training Policy]
*UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6061, [[Accounting of PHI Disclosures]]
*UNMC Policy No. 6062, [[Patient/Consumer Complaints]]
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]
*UNMC Policy No. 6085, [[Social Security Number]]
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8009, [[Contracts]]
*UNMC Policy No. 8009, [[Contracts]]
*[http://wiki.unmc.edu/index.php?title=Privacy/Information_Security UNMC Privacy and Information Security Policies]
*[http://wiki.unmc.edu/index.php?title=Human_Resources_-_Procedures UNMC Human Resources Procedures]
*[http://wiki.unmc.edu/index.php?title=Human_Resources_-_Procedures UNMC Human Resources Procedures]
*[https://wiki.unmc.edu/index.php/Job_Shadowing_Procedure Job Shadowing Procedures]
*[https://wiki.unmc.edu/index.php/Job_Shadowing_Procedure Job Shadowing Procedures]
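Review bot: The added reference entry for UNMC Policy No. 1098 opens an external link with "[https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action" and never closes it. Add the closing "]" so the entry matches the other bracketed links in this list.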
Line 172: Line 179:
*[https://www.unmc.edu/vcr/about/research-handbook-web.pdf Research Handbook]
*[https://www.unmc.edu/vcr/about/research-handbook-web.pdf Research Handbook]
*[http://www.unmc.edu/irb/ Institutional Review Board Guidelines]
*[http://www.unmc.edu/irb/ Institutional Review Board Guidelines]
*[https://info.unmc.edu/its-security/policies/procedures/index.html Information Technology Services Procedures]




This page maintained by [mailto:dpanowic@unmc.edu dkp].
 
Technology Services Procedures]This page maintained by [mailto:dpanowic@unmc.edu dkp].