Privacy, Confidentiality, and Information Security Procedures

Please see: UNMC Policy No. 6045, Privacy, Confidentiality, and Information Security; Privacy Incident Response Plan Procedures; and Information Security Incident Reporting and Response Procedures.

UNMC Responsibilities

General

1. Records containing confidential information, in any form, are the property of UNMC.
2. UNMC is responsible for safeguarding confidential information against loss, tampering, and disclosure to unauthorized individuals.
3. UNMC faculty, staff, volunteers, trainees, students and independent contractors ("workforce" as defined in UNMC Policy No. 6045) have a duty to protect confidential information. (See UNMC Policy No. 6057, Use and Disclosure of Protected Health Information.) Breach of this duty includes the following:
   a. Using another person's user ID, password, or other security codes
   b. Assisting an unauthorized user to gain access to a secured information system
   c. Leaving confidential information unattended in a non-secure area
   d. Falsifying information
   e. Disclosing confidential information without proper authorization (See UNMC Policy No. 6045, Privacy, Confidentiality and Information Security)
   f. Improper disposal of confidential information (See UNMC Policy No. 6056, Retention and Destruction/Disposal of Private and Confidential Information)
4. UNMC shall reasonably mitigate or reduce any harmful effects that may result from privacy or security breaches.
5. UNMC shall respond in a timely manner to all reports of suspected privacy or security breaches. UNMC shall make all efforts to resolve the suspected breach internally.
6. Department administration will ensure that, in accordance with UNMC Policy No. 6045, all UNMC workforce sign the UNMC Privacy and Confidentiality Agreement annually.
7. Sanctions will be imposed for substantial breaches. Sanctions for breach of privacy and confidentiality may include revocation of medical staff privileges and employee or student disciplinary action, up to and including termination. (See UNMC Policy No. 1098, Performance Management.)
8. Workforce members who suspect a breach of confidentiality regarding the general responsibilities listed above shall report the breach to Budget, Analysis and Financial Compliance or to the Human Resources Employee Relations Department.

HIPAA

1. UNMC faculty, staff, volunteers, trainees, students and independent contractors ("workforce" as defined in UNMC Policy No. 6045, Privacy, Confidentiality and Information Security) have a duty to protect Protected Health Information (PHI). Breach of this duty includes the following:
   a. Accessing PHI, in any form, without a "need to know" to perform assigned duties. Workforce members are prohibited from accessing their own records and the records of family members, relatives, and friends, unless access is necessary to perform assigned duties
   b. Disclosing PHI in the presence of individuals who do not have a "need to know" to perform assigned duties
   c. Disclosing that a patient is receiving information (except for authorized directory purposes)
   d. Transferring confidential information in any form without both parties having a "need to know"
2. Business Associate agreements/addenda shall be established with any individual or corporation who performs a function on behalf of UNMC involving the use or disclosure of PHI, other than as faculty, staff, house officer or student. (See UNMC Policy No. 6060, Business Associate Agreements.)
3. Individuals have the following rights with respect to their PHI:
   a. Right to request access to and obtain copies of their designated record set within a reasonable amount of time, and to request amendment (See UNMC Policy No. 6059, Access and Amendment to Designated Record Set)
   b. Right to request restrictions on how their PHI is used
   c. Right to request an accounting of disclosures (See UNMC Policy No. 6061, Accounting of Protected Health Information Disclosures)
   d. Right to receive a Notice of Privacy Practices (See UNMC Policy No. 6058, Notice of Privacy Practices)
   e. Right to file a complaint internally with the Patient Relations Department (and receive a response) or with the Department of Health and Human Services in Washington, DC (See UNMC Policy No. 6058, Notice of Privacy Practices, and UNMC Policy No. 6062, Patient/Consumer Complaints)
   Individuals shall not be asked to waive these rights as a condition of receiving treatment.
4. Retention of the designated record set or other protected health information shall be in accordance with federal, state, and local laws, and regulatory association guidelines. Documents required to demonstrate HIPAA compliance shall be retained for a period of six years. (See UNMC Policy No. 6056, Retention and Destruction/Disposal of Private and Confidential Information.)
5. The UNMC Privacy and Information Security Officers shall be designated in writing and shall be responsible for coordinating the development and implementation of the UNMC policy and procedures necessary to comply with HIPAA.
6. All UNMC workforce shall receive training on privacy and security of confidential information upon hire, and when policies and procedures relevant to their individual position change. UNMC students shall receive similar training at a time designated by UNMC Student Services.
7. Compliance with these procedures will be assessed through periodic audits of access to confidential information, physical inspection of work areas, analysis of privacy-related complaints, and other monitoring.
8. Workforce members who suspect a breach of confidentiality regarding Protected Health Information (PHI) shall report the breach to the Human Resources Employee Relations Department. Those who wish to remain anonymous may report the suspected breach of HIPAA compliance requirements to The Nebraska Medical Center Compliance Hotline at 800/822-8310. Medical Staff shall report breaches to the Medical Records Director at 402/559-4891.
9. A full investigation of the breach shall be conducted, in coordination with the UNMC/The Nebraska Medical Center Security and Privacy Officers, the Human Resources Employee Relations Department, and The Nebraska Medical Center Patient Relations Department, as appropriate.
10. Civil and criminal fines and penalties can also be imposed under HIPAA.

Business Information

1. UNMC faculty, staff, volunteers, trainees, students and independent contractors ("workforce" as defined in UNMC Policy No. 6045, Privacy, Confidentiality and Information Security) have a duty to protect proprietary business information. Breach of this duty includes, but may not be limited to, the following:
   a. Disclosure of confidential financial statement information
   b. Disclosure of confidential contract/agreement information
   c. Disclosure of confidential business plans
   d. Disclosure of University of Nebraska Foundation (a private entity) transaction information
   e. Disclosure of credit card information received in the course of business by the University, whether or not such credit card information is covered by the Gramm-Leach-Bliley Act (GLBA). Executive Memorandum No. 26 provides a model contract for Service Providers who maintain or regularly access covered data and information, which includes credit card information. Contact Student Services for additional information about Service Provider contracts and contract addenda.
2. Workforce members who suspect a breach of confidentiality regarding proprietary business information shall report the breach to Budget, Analysis and Financial Compliance or the Human Resources Employee Relations Department.
3. A full investigation of the breach shall be conducted by Budget, Analysis and Financial Compliance and the Human Resources Employee Relations Department, as appropriate.

Student Information

1. UNMC faculty, staff, volunteers, trainees, students and independent contractors ("workforce" as defined in UNMC Policy No. 6045, Privacy, Confidentiality and Information Security) have a duty to maintain the confidentiality of student education records. Breach of this duty includes, but is not limited to, release of student information that is not considered "directory information" under the guidelines of the Family Educational Rights and Privacy Act (FERPA) listed in the Student Handbook. The duty also extends to confidential student financial information protected under the Gramm-Leach-Bliley Act (GLBA). Executive Memorandum No. 26 defines "Student Financial Information" as information that the University has obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 C.F.R. § 225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers, in both paper and electronic format. Executive Memorandum No. 26 also provides a model contract for Service Providers who maintain or regularly access covered data and information. Contact Student Services for additional information about contracts and contract addenda.
2. The social security number of a student is considered confidential information and must not be used to identify a student.
3. Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of the social security number. Alternatives which should be considered include, but are not limited to:
   a. Student Number
4. Use of a student's social security number in databases is prohibited unless legally required. If it must be used, the use of the student's social security number must comply with ITS Database Security Procedures.
5. Workforce members who suspect a breach of confidentiality regarding Student Education Records shall report the breach to Budget, Analysis and Financial Compliance or the Human Resources Employee Relations Department.
6. The student can file a complaint with the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave SW, Washington, DC 20202-4605.
7. A full investigation of the breach shall be conducted by Budget, Analysis and Financial Compliance, the Human Resources Employee Relations Department and the Vice Chancellor for Academic Affairs, as appropriate.

Employee Information

1. Because UNMC is a public body, its records are available for public inspection. However, UNMC employment records are confidential and will not be made available, except upon written authorization signed by the individual to whom the records pertain or in response to a legal mandate. In this context, employment records are those of persons who are employees of UNMC, and persons who are or have been either applicants or nominees for employment at UNMC. Such records include the entire employment process, beginning with application or nomination for appointment, search committee evaluation, and appointing authority evaluation, through appointment and employment, and ending with separation from employment.
2. The social security number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
3. ITS shall be available to assist in identifying alternatives to use of the social security number. Alternatives which should be considered include, but are not limited to:
   a. Personnel (SAP) Number
   b. Last four digits of the social security number
4. In cases where the employee social security number must be stored in a database, the database use must comply with ITS Database Security Procedures.
5. The following are not confidential and are considered by UNMC as directory information:
   a. Employee's name
   b. Gross salary
   c. Dates of hire and separation
   d. Type of appointment(s) held and term of each appointment
   e. Title or academic rank
   f. UNMC employment address
   g. Postsecondary education degrees earned
   h. Awards or honors
6. Information other than directory information is accessible only to the employee, the department administrative personnel, UNMC Human Resources, and other University offices with a need to know. Non-directory information should be released to others only with signed authorization from the employee or in response to a legal mandate.
7. Departments have three options for responding to requests for reference checks:
   a. Refer to Human Resources – Records
   b. Provide directory information only
   c. With a signed release, respond to questions and provide information based only on what is documented in the employment file
8. UNMC faculty, staff, volunteers, trainees, students and independent contractors ("workforce" as defined in UNMC Policy No. 6045, Privacy, Confidentiality and Information Security) have a duty to protect confidential information. Breach of this duty includes, but is not limited to, the following:
   a. Disclosure of a social security number
   b. Disclosure of Family Medical Leave information
9. Workforce members who suspect a breach of confidentiality regarding Employment Records shall report the breach to Budget, Analysis and Financial Compliance or the Human Resources Employee Relations Department.
10. A full investigation of the breach shall be conducted by the Human Resources Employee Relations Department.
11. For more information about responding to reference checks, inquire at UNMC Human Resources – Records at 402/559-8962.

Research Information

1. UNMC faculty, staff, volunteers, trainees, students and independent contractors ("workforce" as defined in UNMC Policy No. 6045, Privacy, Confidentiality and Information Security) have a duty to protect confidential information produced while performing research. Breach of this duty includes the following:
   a. Disclosure of PHI to unauthorized persons or entities not included in the HIPAA authorization
   b. Disclosure of research results linked to human subjects to persons or entities not authorized in the Institutional Review Board (IRB) approved protocol
2. Workforce members who suspect a breach of confidentiality regarding Research information shall report the breach to the IRB, the Office of the Vice Chancellor for Research, or the Human Resources Employee Relations Department.
3. A full investigation of the breach shall be conducted, in coordination with Budget, Analysis and Financial Compliance, the IRB, the Office of the Vice Chancellor for Research and the Human Resources Employee Relations Department, as appropriate.

For more information, see UNMC Policy No. 6045, Privacy, Confidentiality and Information Security, or contact the Security Officer.

This page updated on , by dkp.