Human Resources | Safety/Security | Research Compliance | Compliance | Privacy/Information Security | Business Operations | Intellectual Property
Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Confidential Information | Protected Health Information (PHI) | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information
POLICY NO: 6045
EFFECTIVE DATE: 11/21/03
REVISED DATE: 08/17/07
REVIEWED DATE: 08/20/08
Privacy, Confidentiality and Information Security Policy
NOTE: These guidelines are provided to assist UNMC workforce, including those in the patient treatment areas of the Munroe-Meyer Institute, the College of Medicine Optical Shop, the Lions Eye Bank and the College of Dentistry, as applicable, comply with HIPAA regulations. Those departments and clinics which fall under the jurisdiction of The Nebraska Medical Center and/or University Medical Associates should consult the policies and procedures of those entities for authoritative guidance.
University of Nebraska Medical Center (UNMC) workforce and business associates handle a variety of proprietary information concerning patients, colleagues, employees, students, alumni, donors or others associated with the University. This information includes, but may not be limited to:
- Protected Health Information (PHI) as defined by HIPAA
- Student Education Records as defined by FERPA
- Protected Student Financial Information (PSFI) as defined by GLBA
- Employee records
- Research data
- Business plans
- Financial data
It is the responsibility of all University workforce and business associates to respect the highest level of privacy for their patients, colleagues and other members of the University community. Disclosure and discussion of confidential information obtained from University records, either during or after employment or association with the University, is impermissible unless such disclosure is a normal requirement of aworkforce position and has been authorized.
UNMC shall require itsworkforce to adhere to another entity’s rules, regulations, policies and procedures while on the premises of the other entity as contracted workforce of that other entity.
Basis for Policy
It is the policy of the University of Nebraska Medical Center (UNMC) to comply with all applicable federal, state, local regulations and University policies and procedures governing confidentiality, privacy and information security. These regulations and guidelines include, but may not be limited to:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Family Educational Rights and Privacy Act (FERPA)
- Nebraska Free Flow of Information Act (§ 20-144, 20-145, 20-146, 20-147
- Nebraska Rev. Statutes § 84-712, 84-712.01, 84-712.02, 84-712.03, 84-712.04, 84-712.05, 84-712.06, 84-712.07, 84-712.08, 84-712.09
- Board of Regents Bylaws
- Board of Regents Policies
- Executive Memorandum No. 16, Responsible Use of Information Resources, Technology and Networks
- Executive Memorandum No. 22, Public Record Requests
- Executive Memorandum No. 26, Information Security Plan
- Executive Memorandum No. 27, HIPAA Compliance Policy
- UNMC Policy No. 8000, Compliance Program
- UNMC Privacy and Information Security Policies
- UNMC Policy No. 6036, Reproduction of Copyrighted Materials Policy
- UNMC Policy No. 6052, Contract or Agreement for Student Training Policy
- UNMC Faculty Handbook
- UNMC Student Handbook: Academic Policies
- UNMC Human Resources Procedures
- Clinical Research Center Guidebook
- Eppley Cancer Center Scientific Review Committee Policies and Procedures
- University of Nebraska Residency Program Policies and Procedures
- Sponsored Programs Administration Policies and Procedures
- Institutional Review Board Guidelines
- [http://www.unmc.edu/its/ Information Technology Services Procedures
It is the policy of University of Nebraska Medical Center (UNMC) to protect confidentiality and privacy through appropriate acquisition, storage, maintenance, use, and destruction of information gathered in the course of employment or other affiliation with UNMC or entrusted to UNMC for academic, research, patient care, or administrative purposes.
Department administration shall determine what information entrusted to their department is private and/or confidential; and shall communicate methods of protecting that information from acquisition through destruction, to appropriate persons associated with their department. UNMC workforce and business associates with access to private and/or confidential information will be held accountable for maintaining confidentiality.
For more detailed information, see
- Privacy, Confidentiality and Information Security Procedures
- UNMC Information Security Plan
- UNMC Policy No. 6056, Retention and Destruction/Disposal of Private and Confidential Information
Breach of confidentiality may result in sanctions, civil or criminal prosecution and penalties, scholastic or employment corrective action which could lead to dismissal or, as it relates to health care professionals or others outside of UNMC, suspension or revocation of all access privileges.
Individuals who know or suspect that confidentiality has been breached by another person or persons have a responsibility to report the breach to Financial Controls and Compliance or to the Human Resources Employee Relations Department. Employees should not confront the individual under suspicion or initiate investigations on their own, as such actions could compromise any ensuing investigation. All individuals are to cooperate fully with those performing an investigation pursuant to this policy.
New hires and volunteers and first year students shall read this policy and sign the Statement of Understanding. Thereafter, all members of the workforce shall sign the agreement annually. The agreement is also available online through UNMC's Employee Self Service (ESS). The original document should be maintained in the department staff/faculty/student/volunteer file if completed manually and retained for six years.
Employee records refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.
Information is data presented in readily comprehensible form. (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.) Information may be stored or transmitted via electronic media, on paper or other tangible media, or be known by individuals or groups. Information generated in the course of University operations is a valuable asset of the University and belongs to the University.
Information security is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.
Information technology resources include voice, video, data and network facilities and services and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, Executive Memorandum No. 26, Information Security Plan, all applicable UNMC policies (see especially Policy No. 6051, Computer Use and Information Security), Information Technology Services policies and procedures and applicable federal, state and local laws.
Job Shadowing is an opportunity for an individual, age 16 and older, to observe and learn aspects about the world of work in a health care setting. The experience permits the program participant to gain an understanding of a typical day for an employee, and the skills necessary to complete the work required. The job shadow program is designed to promote the health care professions while safeguarding patients’ privacy. Participants in the job shadowing program are considered UNMC workforce and are subject to this policy and related procedures.
Privacy is defined as the right of individuals to keep information about themselves from being disclosed.
Proprietary information refers toinformation regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records and student records.
Protected Health Information (PHI) is individually identifiable health information. Health information means any information, whether oral or recorded in any medium, that:
- is created or received by UNMC; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Records containing PHI, in any form, are the property of UNMC. The PHI contained in the record is the property of the individual who is the subject of the record.
Protected Student Financial Information (PSFI) is information that UNMC has obtained from a student in the process of offering a financial product or service, or such information provided to UNMC by another financial institution. Offering a financial product or service includes offering student loans to students, receiving tax information from a student’s parent when offering a financial aid package and other financial services. Examples of student financial information include addresses, phone numbers, bank and credit account numbers, income and credit histories, and social security numbers in both paper and electronic format.
Student education records means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person other than a student who is employed by UNMC by virtue of his or her status as a student at UNMC, (iv) alumni record and (v) medical record that is part of the common medical record shared by UNMC, The Nebraska Medical Center, UMA and UDA. (NOTE: HIPAA and GLBA privacy regulations do not apply to education records covered by FERPA.)
Workforce refers to faculty, staff, volunteers, trainees, students (including job shadowing participants), independent contractors and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.
For more information, contact the Privacy or Information Security Officers, or see the following resources:
- Privacy, Confidentiality and Information Security Procedures
- HIPAA Compliance Plan
- Information Security Plan
- Job Shadowing Procedures
- Privacy Incident Response and Breach Notification Procedures
- UNMC Information Security Incident Response Procedures
- Copyright and Disclaimer
- Destruction of Private and Confidential Information Procedures
- Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution
- Human Resources Performance Management Procedures
- UNMC Faculty Handbook: Operating Procedures
- UNMC Student Handbook: Academic Policies
- Web Publishing Procedures
Privacy, Confidentiality and Information Security Procedures / Privacy Incident Response and Breach Notification Procedures /
Statement of Understanding
This page maintained by dkp.