Handbook of Operating Procedures > Series 700 Information Resources > 7.5.2 Confidential Information

7.5.2 Confidential Information

A. Purpose

To provide guidance for accessing confidential information, including Protected Health Information (PHI).

B. Persons Affected

All University of Texas at Tyler (the "University") faculty, staff, students, volunteers, and any other contractors or agents granted access to confidential information.

C. Definitions

N/A

D. Policy

There may be times when University employees, contractors, consultants, students, interns, volunteers or others have knowledge of confidential information regarding patients, fellow employees, passwords or other sensitive information. Confidential information regarding patients includes, but is not limited to, all PHI, medical records, personal data and/or health status data (see HIPAA Privacy section below.). The privacy of others must be respected and, except in the line of duty, this information must not be discussed.

Sharing of computer passwords and/or IT data, as outlined in the Information Resources Acceptable Use policy, is prohibited. All employees, contractors, consultants, students and volunteers are required to comply with any departmental policies related to protection of confidential information. Unauthorized release of confidential or sensitive information will result in disciplinary action, including termination. For contractors and consultants, this may include termination of the work engagement. For interns and volunteers, this may include dismissal. Any student violating this policy will be referred to student judicial services at the student's home campus. All individuals are subject to possible civil and criminal prosecution.

HIPAA CONFIDENTIALITY GUIDELINES

The Health Insurance Portability and Accountability Act ("HIPAA") has established privacy and security standards with mandatory guidelines for protecting PHI. This policy states the levels of Breach of Confidentiality and guidelines for further corrective action.

University staff, contractors, consultants, students, interns and volunteers are expected to maintain patients' confidentiality of PHI and follow the privacy and security standards set by federal and state regulations. Breach of Confidentiality, Privacy and/or Security from inappropriate access to use or release confidential information will lead to corrective action (sanctions), which may include termination of employment.

Staff, contractors, consultants, students, interns and volunteers may only access patient PHI on a "need to know" basis when directly involved in the treatment, payment, or health care operations for that patient.

PHI disclosed to a University employee under any other circumstance, including when authorization has been given by the patient, must be obtained through the standard process using the HIM Release of Information Office. An employee must not use online access to an electronic health record (EHR) to access patient PHI when this access is not directly related to his/her job function. This includes, but is not limited to, inquiries on family members. It is permissible to use the approved patient portal to access one's own medical information residing there or for those patients who have given the user authorization to access their information via the patient portal.

Employees working on specific projects and investigations in areas such as Internal Audit and Compliance will be authorized to view relevant PHI under the provision of health care operations with prior supervisory approval.

Level of Breach

Breaches of confidentiality/privacy and/or security have been divided into three (3) levels:

1. Level I. Carelessness/Not Following Procedures. This level of breach occurs when a person carelessly or inappropriately accesses, reviews or reveals information to him/herself or others without a legitimate need to know. Examples include, but are not limited to:
   1. Discussing patient information in a public area;
   2. Leaving a copy of patient information in a public area;
   3. Leaving a computer unattended with patient information unsecured;
   4. Accessing one's own medical information.
2. Level II. Curiosity or Concern (No Personal Gain). This level of breach occurs when a person intentionally accesses or discusses patient information for purposes other than the care of the patient or hospital operations, but for reasons unrelated to personal gain. Examples include, but are not limited to:
   1. Review of a public personality/high profile personality record;
   2. Use of another's password to access computerized patient information;
   3. Accessing the medical record of relatives, neighbors, coworkers, friends or any others out of curiosity or concern;
   4. Discussing confidential information with those who do not have a need to know;
   5. Obtaining medical information under false pretenses such as a forged authorization.
3. Level III. Personal Gain or Malicious Intent. This level of breach occurs when a person accesses, reviews or discusses patient information or sensitive information for personal gain or with malicious intent. Examples include, but are not limited to:
   1. Review of a medical record of a patient with whom the person has a relationship;
   2. Compiling a patient list for personal use or to be sold;
   3. Releasing patient information to the media regarding a public personality.

Enforcement

Violation of this policy may result in disciplinary action that may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student.  Additionally, individuals are subject to loss of University Information Resources access privileges, civil, and criminal prosecution.

E. References

Federal and State Privacy laws including:

• HIPAA - Health Insurance Portability and Accountability Act;
• HITECH Act (42 USC §17921 et. seq.)
• Texas Administrative Code 202.70;
• UTS-165 UT System Information Resources Use and Security Policy (includes Confidentiality of Social Security Numbers and confidentiality and integrity of Digital Research Data

F. Review Responsibilities and Dates

The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.