Privacy/Confidentiality: Difference between revisions

POLICY NO: '''6045'''<br />
EFFECTIVE DATE: '''11/21/03'''<br />
REVISED DATE: '''08/17/07'''<br />
REVIEWED DATE: '''08/20/08'''<br />
<br />
<big>'''Privacy, Confidentiality and Information Security Policy'''</big><br />


'''NOTE''': These guidelines are provided to assist UNMC workforce, including those in the patient treatment areas of the Munroe-Meyer Institute, the College of Medicine Optical Shop, the Lions Eye Bank and the College of Dentistry, as applicable, in complying with HIPAA regulations. Those departments and clinics which fall under the jurisdiction of The Nebraska Medical Center and/or University Medical Associates should consult the policies and procedures of those entities for authoritative guidance.<br />
<br />
 
== Introduction ==

University of Nebraska Medical Center (UNMC) workforce and business associates handle a variety of proprietary information concerning patients, colleagues, employees, students, alumni, donors or others associated with the University. This information includes, but may not be limited to:
* Protected Health Information (PHI) as defined by [http://www.unmc.edu/hippa HIPAA]
* Student Education Records as defined by [http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html FERPA]
* Protected Student Financial Information (PSFI) as defined by [http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act GLBA]
* Employee records
* Research data
* Business plans
* Financial data

It is the responsibility of all University workforce and business associates to respect the highest level of privacy for their patients, colleagues and other members of the University community. Disclosure and discussion of confidential information obtained from University records, either during or after employment or association with the University, is impermissible unless such disclosure is a normal requirement of a workforce position and has been authorized.

UNMC shall require its workforce to adhere to another entity’s rules, regulations, policies and procedures while on the premises of the other entity as contracted workforce of that other entity.

== Basis for Policy ==

It is the policy of the University of Nebraska Medical Center (UNMC) to comply with all applicable federal, state, local regulations and University policies and procedures governing confidentiality, privacy and information security. These regulations and guidelines include, but may not be limited to:
* [http://www.unmc.edu/hipaa Health Insurance Portability and Accountability Act of 1996] (HIPAA)
* [http://www.ftc.gov/privacy/privacyinitiatives/glbact.html Gramm-Leach-Bliley Act] (GLBA)
* [http://www.ed.gov/offices/OM/fpco/ferpa/index.html Family Educational Rights and Privacy Act] (FERPA)
* Nebraska Free Flow of Information Act (§ 20-144, 20-145, 20-146, 20-147)
* Nebraska Rev. Statutes § 84-712, 84-712.01, 84-712.02, 84-712.03, 84-712.04, 84-712.05, 84-712.06, 84-712.07, 84-712.08, 84-712.09
* [http://www.nebraska.edu/bylaws-and-policies.html Board of Regents Bylaws]
* [http://www.nebraska.edu/board/board_policies.shtml Board of Regents Policies]
* [http://www.nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Executive Memorandum No. 16, Responsible Use of Information Resources, Technology and Networks]
* [http://www.nebraska.edu/about/exec_memo22.pdf Executive Memorandum No. 22, Public Record Requests]
* [http://www.nebraska.edu/about/exec_memo26.pdf Executive Memorandum No. 26, Information Security Plan]
* [http://www.nebraska.edu/about/exec_memo27.pdf Executive Memorandum No. 27, HIPAA Compliance Policy]
* [http://www.unmc.edu/policy/index.cfm?conref=3 UNMC Policy No. 8000, Compliance Program]
* [http://unmc.edu/policy/index.cfm?CONREF=13#privacy UNMC Privacy and Information Security Policies]
* [http://unmc.edu/policy/index.cfm?CONREF=78 UNMC Policy No. 6036, Reproduction of Copyrighted Materials Policy]
* [http://unmc.edu/policy/index.cfm?CONREF=80 UNMC Policy No. 6052, Contract or Agreement for Student Training Policy]
* [http://info.unmc.edu/fachandbook/operating%20procedures.htm UNMC Faculty Handbook]
* [http://net.unmc.edu/care/docs/handbook.pdf UNMC Student Handbook]: Academic Policies
* [http://www.unmc.edu/hr/Guidelines.htm UNMC Human Resources Procedures]
* [http://www.unmc.edu/crc/CoordinatorBookChanges0202.pdf Clinical Research Center Guidebook]
* Eppley Cancer Center Scientific Review Committee Policies and Procedures
* [http://www.unmc.edu/com/docs/GME_Policies.pdf University of Nebraska Residency Program Policies and Procedures]
* [http://www.unmc.edu/spa/ Sponsored Programs Administration Policies and Procedures]
* [http://www.unmc.edu/irb/ Institutional Review Board Guidelines]
* [http://www.unmc.edu/its/ Information Technology Services Procedures]

== Policy ==

It is the policy of University of Nebraska Medical Center (UNMC) to protect confidentiality and privacy through appropriate acquisition, storage, maintenance, use, and destruction of information gathered in the course of employment or other affiliation with UNMC or entrusted to UNMC for academic, research, patient care, or administrative purposes.

Department administration shall determine what information entrusted to their department is private and/or confidential; and shall communicate methods of protecting that information from acquisition through destruction, to appropriate persons associated with their department. UNMC workforce and business associates with access to private and/or confidential information will be held accountable for maintaining confidentiality.

For more detailed information, see
* Privacy, Confidentiality and Information Security Procedures
* UNMC Information Security Plan
* UNMC Policy No. 6056, Retention and Destruction/Disposal of Private and Confidential Information

Breach of confidentiality may result in sanctions, civil or criminal prosecution and penalties, scholastic or employment corrective action which could lead to dismissal or, as it relates to health care professionals or others outside of UNMC, suspension or revocation of all access privileges.

Individuals who know or suspect that confidentiality has been breached by another person or persons have a responsibility to report the breach to Financial Controls and Compliance or to the Human Resources Employee Relations Department. Employees should not confront the individual under suspicion or initiate investigations on their own, as such actions could compromise any ensuing investigation. All individuals are to cooperate fully with those performing an investigation pursuant to this policy.

New hires and volunteers and first year students shall read this policy and sign the Statement of Understanding. Thereafter, all members of the workforce shall sign the agreement annually. The agreement is also available online through UNMC's Employee Self Service (ESS). The original document should be maintained in the department staff/faculty/student/volunteer file if completed manually and retained for six years.

== Definitions ==

'''Employee records''' refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.

'''Information''' is data presented in readily comprehensible form. (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.) Information may be stored or transmitted via electronic media, on paper or other tangible media, or be known by individuals or groups. Information generated in the course of University operations is a valuable asset of the University and belongs to the University.

'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.

'''Information technology''' resources include voice, video, data and network facilities and services and are intended for use in completing UNMC’s mission. Their use is governed by Executive Memorandum No. 16, Executive Memorandum No. 26, Information Security Plan, all applicable UNMC policies (see especially Policy No. 6051, Computer Use and Information Security), Information Technology Services policies and procedures and applicable federal, state and local laws.

'''Job Shadowing''' is an opportunity for an individual, age 16 and older, to observe and learn aspects about the world of work in a health care setting. The experience permits the program participant to gain an understanding of a typical day for an employee, and the skills necessary to complete the work required. The job shadow program is designed to promote the health care professions while safeguarding patients’ privacy. Participants in the job shadowing program are considered UNMC workforce and are subject to this policy and related procedures.

'''Privacy''' is defined as the right of individuals to keep information about themselves from being disclosed.

'''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records and student records.

'''Protected Health Information (PHI)''' is individually identifiable health information. Health information means any information, whether oral or recorded in any medium, that:
* is created or received by UNMC; and
* relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Records containing PHI, in any form, are the property of UNMC. The PHI contained in the record is the property of the individual who is the subject of the record.

'''Protected Student Financial Information (PSFI)''' is information that UNMC has obtained from a student in the process of offering a financial product or service, or such information provided to UNMC by another financial institution. Offering a financial product or service includes offering student loans to students, receiving tax information from a student’s parent when offering a financial aid package and other financial services. Examples of student financial information include addresses, phone numbers, bank and credit account numbers, income and credit histories, and social security numbers in both paper and electronic format.

'''Student education records''' means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person other than a student who is employed by UNMC by virtue of his or her status as a student at UNMC, (iv) alumni record and (v) medical record that is part of the common medical record shared by UNMC, The Nebraska Medical Center, UMA and UDA. (NOTE: HIPAA and GLBA privacy regulations do not apply to education records covered by FERPA.)

'''Workforce''' refers to faculty, staff, volunteers, trainees, students (including job shadowing participants), independent contractors and other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.<br />
<br />
For more information, contact the Privacy or Information Security Officers, or see the following resources:
* [http://unmc.edu/policy/index.cfm?CONREF=101 Privacy, Confidentiality and Information Security Procedures]
* [http://info.unmc.edu/media/its/strohben/HIPAA/UNMCHIPAACompliancePlan_05%20review.pdf HIPAA Compliance Plan]
* [http://info.unmc.edu/media/its/strohben/Security/Information%20Security%20Plan-UNMC-FINAL.pdf Information Security Plan]
* [http://unmc.edu/policy/index.cfm?CONREF=102 Job Shadowing Procedures]
* [http://www.unmc.edu/media/compliance/privacy_incident_response_and_breach_notification_procedures.pdf Privacy Incident Response and Breach Notification Procedures]
* [http://info.unmc.edu/media/its/strohben/Policies/IncidentResponse_FINAL.pdf UNMC Information Security Incident Response Procedures]
* [http://www.nebraska.edu/siteinfo/index.shtml Copyright and Disclaimer]
* Destruction of Private and Confidential Information Procedures
* [http://unmc.edu/policy/index.cfm?CONREF=90 Procedures for Obtaining Informed Consent for UNMC Audio-Visual Media Production and Distribution]
* [http://www.unmc.edu/hr/Guidelines.htm Human Resources Performance Management Procedures]
* [http://info.unmc.edu/fachandbook/operating%20procedures.htm UNMC Faculty Handbook: Operating Procedures]
* [http://net.unmc.edu/care/docs/handbook.pdf UNMC Student Handbook: Academic Policies]
* Web Publishing Procedures
<br />


Privacy, Confidentiality and Information Security Procedures / Privacy Incident Response and Breach Notification Procedures / Statement of Understanding<br />

This page maintained by [mailto:dpanowic@unmc.edu dkp].