HIPAA Code of Conduct and Confidentiality

Code of Conduct
Code number: C-03
Code title: HIPAA Code of Conduct and Confidentiality Agreement
Date issued: 9/6/12
Date last reviewed: 1/10/14
Version number: 1.1
Approval authority: Associate Vice President for ITS
Responsible office: Information and Infrastructure Assurance
I. Overview
University staff members may, in the course of performing authorized work, be granted access to
university information systems that maintain Protected Health Information (PHI) as defined by the Health
Information Portability and Accountability Act (HIPAA). Such access creates an obligation to treat PHI in
a confidential and secure manner.
This Code of Conduct affirms the commitment of staff to:
1. Understand their obligations to comply with all applicable policies, and statutory and
regulatory requirements;
2. Act in an ethical and compliant manner;
3. Understand the consequences of failure to comply with the Code of Conduct;
4. Take action to appropriately address violations of, and conflicts with, the Code of Conduct.
Section I: Guiding U-M Policies
All staff members of the university community are expected to use U-M information resources properly
and to abide by all the requirements of SPG 601.07, Proper Use of Information Resources,
Information Technology, and Networks and the related “Guidelines for Implementing the Proper Use
Policy.” U-M staff members, however, have a unique and critical institutional role in supporting the
university’s academic, research, teaching, administrative, and clinical missions whereby they are
expected to hold to the highest standard of compliance with these policies and procedures.
Section II: Staff Responsibilities and Consequences for Non-Compliance
All staff are required to be knowledgeable of and follow this Code of Conduct. Staff that fail to exercise
appropriate ethical and professional conduct may be subject to disciplinary action up to and including
termination.[1]
[1] Section IV, Sanctions, SPG 601.11, Privacy and the Need to Monitor and Access Records, and SPG
201.12, Discipline (Performance and Conduct Standards).
Staff members are specifically responsible for the following:
- Knowing, understanding, and complying with the policies and procedures that apply to
their work, including U-M Standard Practice Guides and all unit policies and standards.
- Protecting the confidentiality and security of PHI in whatever format it is in.
- Only accessing, releasing, or sharing PHI or other sensitive information as necessary as part of their
assigned duties.
- Understanding that their access to U-M systems containing PHI is audited and may be reviewed at
any time, with or without cause.
- Protecting PHI by not sharing passwords or access to any U-M systems or applications with any
other person.
- Understanding that when their employment, affiliation, or assignments with U-M end, they may
not take any institutional PHI with them.
Section III: Reporting Violations, Inappropriate Conduct, or Non-Compliance
Staff are obligated to report suspicious or illegal activities, including the unauthorized disclosure of PHI,
that violate University of Michigan policies or state and federal regulations. The responsibility of the staff
member ends with reporting the suspicious or illegal activity to an appropriate authority. Under no
circumstances should a staff member confront another staff member or other campus community member
or conduct any kind of investigation.
Staff members should immediately report any potential breach or unauthorized disclosure of PHI to
security@umich.edu, as detailed at Report an IT Security Incident on the SafeComputing website at
http://safecomputing.umich.edu/main/incident_report.html.
No staff should experience harassment or retribution when acting responsibly by reporting what they
believe to be a legitimate and serious concern. Staff that feel they have been harassed, punished, or
retaliated against for reporting a compliance concern should report this to University Human Resources
(UHR) or the U-M Compliance Hotline (compliance.umich.edu/report.html, 866-990-0111).
Section V: Training and Attestation Requirements
All staff must meet the following training and attestation requirements.
- Provide a signed copy of this attestation to their unit HR office within thirty (30) days, to be maintained
in their personnel file.
- Complete the ITS HIPAA Training My LINC module and pass the associated quiz at the 80%
level within the first 30 days after starting employment or being assigned job responsibilities that
require accessing PHI. Successful completion of the course on an annual basis will serve as a
renewal of this attestation.
- Sign or attest to service-specific codes of conduct where required.
HIPAA Code of Conduct and Confidentiality Acknowledgement
I ______________________________, have read and received training on the HIPAA
Code of Conduct and Confidentiality Acknowledgement and will comply with the
requirements indicated in the Code. I also understand the need to:
1. Comply with all applicable University of Michigan policies, and state and federal laws
and regulations while performing my job;
2. Continue my training necessary to comply with the Code of Conduct and
Confidentiality Acknowledgement policy;
3. Maintain the highest ethical standards in the conduct of university business affairs, in
a manner that represents integrity and compliance with applicable laws and in which
personal advantage and gain are excluded;
4. Exercise due care to preserve the security, integrity, and confidentiality of PHI;
5. Take reasonable precautions to ensure the protection of PHI from unauthorized
access, disclosure, or destruction;
6. Report potential security violations, including unauthorized access to, loss of, or disclosure of
PHI, and misuse, theft, or unauthorized modification of such information (including
information stolen in conjunction with the theft of a computer or any other device
containing PHI), using the ITS Security Incident Response Procedure referred to in
Section III of the policy.
I will have thirty (30) days to provide a signed copy of my attestation to my unit’s HR office,
to be maintained in my file.
Employee Signature / Print Name: ______________________________
Date Signed: ______________________________
Job Title: ______________________________
Uniqname / UMID #: ______________________________
Department Name: ______________________________
Loc/Dept Number: ______________________________
Supervisor Signature: ______________________________
Date Signed: ______________________________