During the course of employment, staff may have access to proprietary or confidential information. Any confidential information - whether verbal, written, faxed, photographic, or electronic - is considered privileged and is strictly confidential. All confidential information should be maintained in a manner that ensures its privacy and safety. Work-related and/or patient information should not be discussed in open areas such as in elevators, hallways, lobbies, or food areas.
For purposes of this policy, "information" is defined as any communication or reception of knowledge and includes facts, data, or opinions that may consist of numerical, graphic, or narrative forms - whether oral or maintained in mediums including computerized databases, papers, microfilms, or magnetic tapes. The release of any such "information" may result in negative financial, competitive, or productive loss or may cause legal or other non-beneficial impacts on Duke. Confidential "information" is defined as - but not limited to - patient records, financial records, human resources/payroll records, legal documents, research data, and clinical data. These "records," "documents," and "data" may include - but are not limited to - oral, printed, and/or electronic forms.
All Duke staff must sign the Duke Confidentiality Agreement. A copy of this form should be retained in the staff member's department file. The agreement is available on the Human Resources web site or on the medical center web site.
Disclosure of Confidential Information
Staff are expected to follow Duke policies and procedures governing confidentiality and to regard confidentiality as a duty and responsibility while part of the Duke workforce. Staff who disclose information observed or heard without proper authorization will be subject to corrective actions up to and including termination from Duke. Unauthorized access, use, or disclosure of confidential information may also violate federal and/or state law and may result in criminal and civil penalties. The observance of confidentiality also applies to the disclosure of information regarded as confidential within a department or unit.
Privacy/Confidentiality Breach
A privacy or confidentiality breach is defined as the use or
disclosure of confidential information by an individual for
purposes other than those for which the person is authorized.
For any breach in confidentiality, the involved person(s) will
be subject to corrective action based on the level of the breach.
Breaches in confidentiality have been divided into the following
three levels with the corresponding corrective action for each
level of breach.
Level 1: Carelessness - This level of breach occurs when a
person unintentionally or carelessly reveals confidential
information to him/herself or others without a legitimate need to
know the confidential information. Examples include, but are not
limited to: discussing confidential information in a public area;
leaving a copy of confidential information in a public area; and
leaving a computer unattended in an accessible area with a medical
record unsecured.
Carelessness does not include accessing a confidential record by
mistake (e.g., requesting a medical record of a similarly named
patient and looking up an incorrect name in the electronic
record).
Corrective action will be administered in the following
order:
First Offense: Counseling
Second Offense: Written Warning
Third Offense: Final Written Warning
Fourth Offense: Termination
All corrective actions will be documented in writing and
maintained in the appropriate personnel record. Investigations and
corrective actions will be coordinated by the entity/department HR
representative and, if appropriate, a Staff and Labor Relations
representative. In addition, corrective actions will be reported to
the applicable licensing board and privacy director as appropriate.
Corrective action will be appropriately delayed if the action may
adversely affect or compromise confidential care.
Level 2: Intentional and unauthorized accessing of confidential
information - This level of breach occurs when a person
intentionally accesses confidential information for purposes other
than authorized purposes. Examples include but are not limited to:
looking up birth dates, accessing and reviewing a public
personality's record or accessing a friend's, relative's or
co-worker's medical or other confidential record without proper
authorization.
Duke is a teaching organization. This procedure is not intended in
any way to stop professionals from reviewing records for learning
purposes. Common teaching methodologies, including the review of
confidential charts that may be of teaching and learning interest
to staff, are not to be discouraged by this procedure. Any such
learning methodologies utilized by staff must be program mandated
and authorized by the staff member's supervisor. Examples include
1) a medical resident following a patient's care that has been
referred to another provider; 2) a medical resident reviewing
laboratory, radiology and operating reports; and 3) a medical
resident pulling reports and working with a patient care team even
though he/she may not be listed as part of the care team. In
addition, Duke is a research organization. This procedure is not
intended in any way to stop professionals from reviewing records
for approved research purposes.
Corrective action will be administered in the following
order:
First offense: Final written warning with a two-week unpaid
suspension
Second offense: Termination
All corrective actions will be documented in writing and
maintained in the appropriate personnel record. Investigations and
corrective actions will be coordinated by the entity/department HR
representative and, if appropriate, a Staff and Labor Relations
representative. In addition, corrective actions will be reported to
the applicable licensing board and privacy director as appropriate.
Corrective action will be appropriately delayed if the action may
adversely affect or compromise confidential care.
Level 3: Intentional and unauthorized disclosure of confidential
information - This level of breach occurs when a person
accesses and discloses confidential information without required
authorization. Examples include but are not limited to: discussing
confidential information at a social gathering without
authorization from the patient, student or staff member; and
unauthorized delivery of any portion of a patient's medical record
to a third party.
In addition, this level of breach includes accessing confidential
information for personal gain, regardless of whether such
confidential information is disclosed. An example is compiling a
mailing list for personal use or to be sold.
Corrective action will be administered as follows:
First offense: Termination