Privacy, Confidentiality, and Information Security
Procedures
Please see: UNMC Policy No. 6045, Privacy, Confidentiality, and
Information Security, Privacy Incident Response Plan Procedures, and
Information Security Incident Reporting and Response Procedures.
UNMC Responsibilities
General
1. Records containing confidential information, in any form, are the property
of UNMC
2. UNMC is responsible for safeguarding confidential information against
loss, tampering, and disclosure to unauthorized individuals
3. UNMC faculty, staff, volunteers, trainees, students and independent
contractors (“workforce” as defined in UNMC Policy No. 6045) have a duty
to protect confidential information. (See UNMC Policy No. 6057, Use and
Disclosure of Protected Health Information) Breach of this duty includes
the following:
a. Using another person’s user ID, password, or other security codes
b. Assisting an unauthorized user to gain access to a secured
information system
c. Leaving confidential information unattended in a non-secure area
d. Falsifying information
e. Disclosing confidential information without proper authorization
(See UNMC Policy No. 6045, Privacy, Confidentiality and
Information Security)
f. Improper disposal of confidential information (See UNMC Policy
No. 6056, Retention and Destruction/Disposal of Private and
Confidential Information)
4. UNMC shall reasonably mitigate or reduce any harmful effects that may
result from privacy or security breaches
5. UNMC shall respond in a timely manner to all reports of suspected privacy
or security breaches. UNMC shall make all efforts to resolve the
suspected breach internally.
6. Department administration will ensure that, in accordance with UNMC
Policy No. 6045, all UNMC workforce sign the UNMC Privacy and
Confidentiality Agreement annually.
7. Sanctions will be imposed for substantial breaches. Sanctions for breach
of privacy and confidentiality may include revocation of medical staff
privileges and employee or student disciplinary action, up to and including
termination. (See UNMC Policy No. 1098, Performance Management).
8. Workforce members who suspect a breach of confidentiality regarding the
general responsibilities listed above shall report the breach to Budget,
Analysis and Financial Compliance or to the Human Resources Employee
Relations Department.
HIPAA
1. UNMC faculty, staff, volunteers, trainees, students and independent
contractors (“workforce” as defined in UNMC Policy No. 6045, Privacy,
Confidentiality and Information Security) have a duty to protect Protected
Health Information (PHI). Breach of this duty includes the following:
a. Accessing PHI information, in any form, without a “need to know” to
perform assigned duties. Workforce members are prohibited from
accessing their own records and records of family members,
relatives, and friends, unless access is necessary to perform
assigned duties
b. Disclosing PHI information in the presence of individuals who do
not have “need to know” to perform assigned duties
c. Disclosing that a patient is receiving information (except for
authorized directory purposes)
d. Transferring confidential information in any form without both
parties having a “need to know”
2. Business Associate agreements/addenda shall be established with any
individual or corporation who performs a function on behalf of UNMC
involving the use or disclosure of PHI, other than as faculty, staff, house
officer or student (See UNMC Policy No. 6060, Business Associate
Agreements)
3. Individuals have the following rights with respect to their PHI:
a. Right to request access and obtain copies of their designated
record set within a reasonable amount of time and to request
amendment (See UNMC Policy No 6059, Access and Amendment
to Designated Record Set)
b. Right to request restrictions of how their PHI is used
c. Right to request an accounting of disclosures (See UNMC Policy
6061, Accounting of Protected Health Information Disclosures)
d. Right to receive a Notice of Privacy Practices (See UNMC Policy
6058, Notice of Privacy Practices)
e. Right to file a complaint internally with the Patient Relations
Department with response or with the Department of Health and
Human Services in Washington DC (See UNMC Policy 6058,
Notice of Privacy Practices and UNMC Policy No. 6062,
Patient/Consumer Complaints)
Individuals shall not be asked to waive these rights as a condition of receiving
treatment.
4. Retention of the designated record set or other protected health
information shall be in accordance with federal, state, and local laws, and
regulatory association guidelines. Documents required to demonstrate
HIPAA compliance shall be retained for a period of six years. (See UNMC
Policy No. 6056, Retention and Destruction/Disposal of Private and
Confidential Information)
5. The UNMC Privacy and Information Security Officers shall be designated
in writing and shall be responsible for coordinating the development and
implementation of UNMC policy and procedures necessary to comply with
HIPAA
6. All UNMC workforce shall receive training on privacy and security of
confidential information upon hire, and when policies and procedures
relevant to their individual position change. UNMC students shall receive
similar training at a time designated by UNMC Student Services.
7. Compliance with these procedures will be assessed through periodic
audits of access to confidential information, physical inspection of work
areas, analysis of privacy-related complaints, and other monitoring
8. Workforce members who suspect a breach of confidentiality regarding
Protected Health Information (PHI) shall report the breach to the Human
Resources Employee Relations Department. Those who wish to remain
anonymous may report the suspected breach of HIPAA compliance
requirements to The Nebraska Medical Center Compliance Hotline at 800822-8310. Medical Staff shall report breaches to the Medical Records
Director at 402/559-4891
9. A full investigation of the breach shall be conducted, in coordination with
the UNMC/The Nebraska Medical Center Security and Privacy Officers,
the Human Resources Employee Relations Department, and The
Nebraska Medical Center Patient Relations Department as appropriate
10. Civil and criminal fines and penalties can also be sanctioned under
HIPAA.
Business Information
1. UNMC faculty, staff, volunteers, trainees, students and independent
contractors (“workforce” as defined in UNMC Policy No. 6045, Privacy,
Confidentiality and Information Security) have a duty to protect proprietary
business information. Breach of this duty includes, but may not be limited
to, the following:
a. Disclosure of confidential financial statement information
b. Disclosure of confidential contract/agreement information
c. Disclosure of confidential business plans
d. Disclosure of University of Nebraska Foundation (a private entity)
transaction information
e. Disclosure of credit card information received in the course of
business by the University, whether or not such credit card
information is covered by the Gramm-Leach-Bliley Act (GLBA).
Executive Memoranda No. 26 provides a model contract for
Service Providers who maintain or regularly access covered data
and information, which includes credit card information. Contact
Student Services for additional information about Service
Provider contracts and contract addenda.
2. Workforce members who suspect a breach of confidentiality regarding
proprietary business information shall report the breach to Budget,
Analysis and Financial Compliance or the Human Resources Employee
Relations Department .
3. A full investigation of the breach shall be conducted by Budget, Analysis
and Financial Compliance and the Human Resources Employee Relations
Department, as appropriate.
Student Information
1. UNMC faculty, staff, volunteers, trainees, students and independent
contractors (“workforce” as defined in UNMC Policy No. 6045, Privacy,
Confidentiality and Information Security) have a duty to maintain the
confidentiality of student education records. Breach of this duty includes,
but is not limited to, release of student information that is not considered
“directory information” under the guidelines of the Family Educational
Rights and Privacy (FERPA) listed in the Student Handbook. It also
includes, but is not limited to, protection of confidential student financial
information protected under the Gramm-Leach-Bliley Act (GLBA).
Executive Memoranda No. 26 defines “Student Financial Information” as:
That information that the university has obtained from
a student in the process of offering a financial product
or service, or such information provided to the
University by another financial institution. Offering a
financial product or service includes offering student
loans to students, receiving income tax information
from a student’s parent when offering a financial aid
package, and other miscellaneous financial services
as defined in 12 C.F.R §225.28. Examples of student
financial information include addresses, phone
numbers, bank and credit card account numbers,
income and credit histories and Social Security
number, in both paper and electronic format.
Executive Memoranda No. 26 also provides a model contract for Service
Providers who maintain or regularly access covered data and information.
Contact Student Services for additional information about contracts and
contract addenda.
2. The social security number of a student is considered confidential
information and must not be used to identify a student.
3. Information Technology Services (ITS) shall be available to assist in
identifying alternatives to use of social security number. Alternatives
which should be considered, include but are not limited to:
a. Student Number
4. Use of a student’s social security number in databases is prohibited
unless legally required. If it must be used, the use of the student’s social
security number must comply with ITS Database Security Procedures..
5. Workforce members who suspect a breach of confidentiality regarding
Student Education Records shall report the breach to Budget, Analysis
and Financial Compliance or the Human Resources Employee Relations
Department.
6. The student can file a complaint with the Family Policy Compliance Office,
U.S. Department of Education, 400 Maryland Ave SW, Washington, DC
20202-4605.
7. A full investigation of the breach shall be conducted by Budget, Analysis
and Financial Compliance, Human Resources Employee Relations
Department and the Vice Chancellor for Academic Affairs, as appropriate.
Employee Information
1. Because UNMC is a public body, its records are available for public
inspection. However, UNMC employment records are confidential and will
not be made available, except upon written authorization signed by the
individual to whom the records pertain or in response to a legal mandate.
In this context, employment records are those of persons who are
employees of UNMC, and persons who are or have been either applicants
or nominees for employment at UNMC. Such records include the entire
employment process beginning with application or nomination for
appointment, search committee evaluation, and appointing authority
evaluation, through appointment and employment, and ending with
separation from employment.
2. The social security number of an employee is considered confidential
information and should not be used to identify an employee unless legally
mandated.
3. ITS shall be available to assist in identifying alternatives to use of social
security number. Alternatives which should be considered, include but are
not limited to:
1. Personnel (SAP) Number
2. Last four digits of social security number
4. In cases where the employee social security number must be stored in a
database, the database use must comply with ITS Database Security
Procedures.
5. The following are not confidential and are considered by UNMC as
directory information:
a. Employee’s Name
b. Gross salary
c. Dates of hire and separation
d. Type of appointment(s) held and term of each appointment
e. Title or academic rank
f. UNMC employment address
g. Post secondary education degrees earned
h. Awards or honors
6. Information other than directory information is accessible only to the
employee, the department administrative personnel, UNMC Human
Resources, and other University offices with a need to know. Nondirectory information should be released to others only with signed
authorization from the employee or in response to a legal mandate.
7. Departments have three options for responding to requests for reference
checks:
a. Refer to Human Resources – Records
b. Provide directory information only
c. With a signed release, respond to questions and provide
information based only on what is documented in the employment
file
8. UNMC faculty, staff, volunteers, trainees, students and independent
contractors (“workforce” as defined in UNMC Policy No. 6045, Privacy,
Confidentiality and Information Security) have a duty to protect confidential
information. Breach of this duty includes but is not limited to the following:
a. Disclosure of social security number
b. Disclosure of Family Medical Leave information
9. Workforce members who suspect a breach of confidentiality regarding
Employment Records shall report the breach to Budget, Analysis and
Financial Compliance or the Human Resources Employee Relations
Department.
10. A full investigation of the breach shall be conducted by the Human
Resources Employee Relations Department.
11. For more information about responding to reference checks, inquire at
UNMC Human Resources – Records at 402/559-8962.
Research Information
1. UNMC faculty, staff, volunteers, trainees, students and independent
contractors (“workforce” as defined in UNMC Policy No. 6045, Privacy,
Confidentiality and Information Security) have a duty to protect confidential
information produced while performing research. Breach of this duty
includes the following:
a. Disclosure of PHI to unauthorized persons or entities not included
in the HIPAA authorization
b. Disclosure of research results linked to human subjects to persons
or entities not authorized in the Institutional Review Board (IRB)
approved protocol
2. Workforce members who suspect a breach of confidentiality regarding
Research information shall report the breach to the IRB, the Office of the
Vice Chancellor for Research or to the Human Resources Employee
Relations Department.
3. A full investigation of the breach shall be conducted, in coordination with
Budget, Analysis and Financial Compliance, the IRB, the Office of the Vice
Chancellor for Research and the Human Resources Employee Relations
Department, as appropriate
For more information, see UNMC Policy 6045, Privacy, Confidentiality and Information Security or
contact the Security Officer.
Policies Home Page / Intranet Home Page / Top of this Page
This page updated on
, by dkp.