Confidentiality
Policy Statement
Policy Information
Policy Number: 04.12
Issued Date: 07/01/2006

During the course of employment, staff may have access to proprietary or confidential information. Any confidential information - whether verbal, written, faxed, photographic, or electronic - is considered to be privileged and is strictly confidential. All confidential information should be maintained in a manner that ensures its privacy and safety. Work-related and/or patient information should not be discussed in open areas such as in elevators, hallways, lobbies, or food areas.

Policy Details

Definition

For purposes of this policy, "information" is defined as any communication or reception of knowledge and includes facts, data, or opinions that may consist of numerical, graphic, or narrative forms - whether oral or maintained in mediums including computerized databases, papers, microfilms, or magnetic tapes. The release of any such "information" may result in negative financial, competitive, or productive loss or may cause legal or other non-beneficial impacts on Duke. Confidential "information" is defined as - but not limited to - patient records, financial records, human resources/payroll records, legal documents, research data, and clinical data. These "records," "documents," and "data" may include - but are not limited to - oral, printed, and/or electronic forms.

Confidentiality Agreement

All Duke staff must sign the Duke Confidentiality Agreement. A copy of this form should be retained in the staff member's department file. The agreement is available on the Human Resources web site or on the medical center web site.

Disclosure of Confidential Information

Staff are expected to follow Duke policies and procedures governing confidentiality and to regard confidentiality as a duty and responsibility while part of the Duke workforce. Staff who disclose information observed or heard without proper authorization will be subject to corrective actions up to and including termination from Duke. Unauthorized access, use, or disclosure of confidential information may also violate federal and/or state law and may result in criminal and civil penalties. The observance of confidentiality also applies to the disclosure of information regarded as confidential within a department or unit.

Privacy/Confidentiality Breach

A privacy or confidentiality breach is defined as the use or disclosure of confidential information by an individual for purposes other than those for which the person is authorized.

For any breach in confidentiality, the involved person(s) will be subject to corrective action based on the level of the breach. Breaches in confidentiality have been divided into the following three levels with the corresponding corrective action for each level of breach.

Level 1: Carelessness - This level of breach occurs when a person unintentionally or carelessly reveals confidential information to him/herself or others without a legitimate need to know the confidential information. Examples include, but are not limited to: discussing confidential information in a public area; leaving a copy of confidential information in a public area; and leaving a computer unattended in an accessible area with a medical record unsecured.

Carelessness does not include accessing a confidential record by mistake (e.g., requesting a medical record of a similarly named patient and looking up an incorrect name in the electronic record).

Corrective action will be administered in the following order:
First Offense: Counseling
Second Offense: Written Warning
Third Offense: Final Written Warning
Fourth Offense: Termination

All corrective actions will be documented in writing and maintained in the appropriate personnel record. Investigations and corrective actions will be coordinated by the entity/department HR representative and, if appropriate, a Staff and Labor Relations representative. In addition, corrective actions will be reported to the applicable licensing board and privacy director as appropriate. Corrective action will be appropriately delayed if the action may adversely affect or compromise confidential care.

Level 2: Intentional and unauthorized accessing of confidential information - This level of breach occurs when a person intentionally accesses confidential information for purposes other than authorized purposes. Examples include but are not limited to: looking up birth dates, accessing and reviewing a public personality's record or accessing a friend's, relative's or co-worker's medical or other confidential record without proper authorization.

Duke is a teaching organization. This procedure is not intended in any way to stop professionals from reviewing records for learning purposes. Common teaching methodologies, including the review of confidential charts that may be of teaching and learning interest to staff, are not to be discouraged by this procedure. Any such learning methodologies utilized by staff must be program mandated and authorized by the staff member's supervisor. Examples include: 1) a medical resident following the care of a patient who has been referred to another provider; 2) a medical resident reviewing laboratory, radiology and operating reports; and 3) a medical resident pulling reports and working with a patient care team even though he/she may not be listed as part of the care team. In addition, Duke is a research organization. This procedure is not intended in any way to stop professionals from reviewing records for approved research purposes.

Corrective action will be administered in the following order:
First offense: Final written warning with a two-week unpaid suspension
Second offense: Termination

All corrective actions will be documented in writing and maintained in the appropriate personnel record. Investigations and corrective actions will be coordinated by the entity/department HR representative and, if appropriate, a Staff and Labor Relations representative. In addition, corrective actions will be reported to the applicable licensing board and privacy director as appropriate. Corrective action will be appropriately delayed if the action may adversely affect or compromise confidential care.

Level 3: Intentional and unauthorized disclosure of confidential information - This level of breach occurs when a person accesses and discloses confidential information without required authorization. Examples include but are not limited to: discussing confidential information at a social gathering without authorization from the patient, student or staff member; and unauthorized delivery of any portion of a patient's medical record to a third party.

In addition, this level of breach includes accessing confidential information for personal gain, regardless of whether such confidential information is disclosed. An example is compiling a mailing list for personal use or to be sold.

Corrective action will be administered as follows:
First offense: Termination

Investigations and corrective actions will be documented and coordinated with Human Resources. In addition, corrective actions will be reported to the applicable licensing board or agency as appropriate. Corrective action will be appropriately delayed if the action may adversely affect or compromise confidential care.