Confidentiality Policy

Policy Statement

During the course of employment, staff may have access to Confidential Information. Any Confidential Information, whether oral, written, or electronic, should be maintained in a manner that ensures its confidentiality. The release of any such Confidential Information may result in negative financial or competitive action, loss of productivity, or legal or other adverse impacts on Duke.

Confidential Information must be treated with respect and care by any workforce member who is authorized to have access to this information. Workforce members who are authorized to use or disclose Confidential Information also have the responsibility to safeguard access to such information. Workforce members who are authorized by Duke to access Confidential Information have a responsibility to limit access to those who are allowed it by permission and/or by law. The access must be appropriate to the workforce member's job responsibility. A breach is a violation of this policy and/or state or federal regulatory requirements resulting in the unauthorized or inappropriate use, disclosure or access of Confidential Information.

Staff shall comply with the terms of the Duke Confidentiality Agreement. Any Duke workforce member's behavior that compromises Confidential Information is covered by this policy. This policy does not address a breach of protected health information; such breaches are addressed under the DUHS Breach of Protected Health Information/Privacy Policy (DUHS intranet).

Duke is a teaching organization. This procedure is not intended in any way to prevent professionals from reviewing records for learning purposes. Common teaching methodologies including the appropriate review of confidential charts that may be of teaching and learning interest to staff are not to be discouraged by this procedure. Any such learning methodologies utilized by staff must be program mandated and authorized by the staff member's supervisor. In addition, Duke is a research organization. This procedure is not intended in any way to prevent professionals from reviewing records for approved research purposes in accordance with applicable policies and procedures and statutes and regulations.

Policy Details

Confidentiality Agreement

All Duke staff must sign the Duke Confidentiality Agreement. A copy of this form should be retained in the staff member's department file. The agreement is available on the HR web site or on the DUHS website (DUHS intranet).

Definitions

Breach: Accessing, sharing, reviewing, or disclosing oral, paper or electronic Confidential Information by an individual for purposes other than his/her job responsibility or for which s/he is authorized.

Confidential Information: Confidential Information is any communication, information, or reception of knowledge and includes facts, documents, data, or opinions that may consist of numerical, graphic or narrative forms, whether oral, printed, or electronic, including in databases or on paper. Confidential Information includes but is not limited to patient records, student records, financial records, human resources/payroll records, legal documents, and research data. Duke governs subsets of Confidential Information under separate policies. See the DUHS Breach of Protected Health/Patient Information (DUHS intranet) policy for breaches of patient information and the DUHS Protecting the Confidentiality of Social Security Numbers (DUHS intranet) policy for access to social security numbers.

Identifying Information: Includes the following:

  • Social security or employer taxpayer identification numbers
  • Driver's license, state identification card, or passport numbers
  • Checking account numbers
  • Savings account numbers
  • Credit card numbers
  • Debit card numbers
  • Personal Identification (PIN) Code which is a numeric and/or alphabetical code assigned to the cardholder of a financial transaction card by the issuer to permit authorized electronic use of that financial transaction card. (NCGS § 14-113.8(6))
  • Digital signatures
  • Any other numbers or information that can be used to access a person's financial resources
  • Biometric data
  • Fingerprints

Personal Information: A person's first name or first initial and last name in combination with identifying information as defined above. Personal information does not include a publicly available directory containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.

Workforce Members: Employees, volunteers, trainees, faculty and other persons whose conduct, in the performance of work for Duke, is subject to the control of such entity, whether or not they are paid by Duke. 

Reporting Responsibilities

The individual who commits, observes or becomes aware of an unauthorized or inappropriate access, use or disclosure of Confidential Information is responsible for promptly reporting it to one of the following:

  • Immediate supervisor
  • Department head or manager of the area in which the individual works
  • Human Resources
  • DUHS Compliance Office: 919-668-2573
  • Integrity Line: 1-800-826-8109

The immediate supervisor or department management will coordinate a review of the potential breach with Human Resources and, when applicable, review the circumstances surrounding the breach, mitigation steps and any harmful effect that may result from the breach. Department management in conjunction with Human Resources staff will determine appropriate sanctions concerning the breach.

Process

Upon the allegation of a potential breach of Confidential Information the department management should:

1. Investigate this potential breach immediately upon awareness of a potential breach. The confidentiality of all participants shall be maintained to the extent possible, within reason, throughout the investigation.

2. For potential breaches of "Personal Information" e.g. social security numbers, such breaches shall be reported according to the DUHS Security Breach policy (DUHS intranet), DUHS Protecting the Confidentiality of Social Security Numbers policy(DUHS intranet), the Duke University IT Security Office procedures for avoiding identity theft, and the Duke University Campus Security Incident Procedure for reporting a security breach. If the breach involves patient information, it should be reported to the DUHS Compliance Office and will be investigated according to the Breach of Protected Health Information/Patient Privacy Policy.

3. Upon notice of the potential breach by a workforce member, department management will assess and/or investigate the potential breach and determine, in collaboration with Human Resources, any corrective action as warranted. Investigations may include, but are not limited to, interviews, requests for written statements from staff, electronic user access audits, reviews of telephone logs, or other activities. In the event of electronic access to Confidential Information, managers will review and consult with Human Resources as necessary to determine whether an access audit will be performed.

4. Instances of an alleged breach by Duke faculty will be forwarded to the appropriate department chair or division chief. Human Resources will assist the Department Chair or Division Chief with the investigation by being available as a resource to interpret the policy, conduct interviews or perform user access audits.

5. The supervisor or the Department Chair will advise Human Resources of the findings. 

6. During the review of the potential breach, Human Resources may contact applicable Compliance Offices, Risk Management or the Office of Counsel.  The Office of Counsel may direct the investigation under the attorney/client privilege.

7. When a breach is substantiated, department management/chair and Human Resources will coordinate the communication of corrective action.  In the case of Duke University faculty, Human Resources and the Department Chair will coordinate the communication of corrective actions in accordance with the faculty handbook.

8. Such factors as the nature and severity of the potential breach will be taken into consideration in determining the appropriate level of sanction.

Corrective Action

Corrective action, if warranted, will be imposed based on the nature and severity of the violation, whether intentional or not, circumstances surrounding the privacy breach or whether the violation demonstrates a pattern or practice of improper use or disclosure of confidential information on the part of the workforce member.

DUHS Compliance Office, in collaboration with the workforce member’s department management and Human Resources, will determine the level of corrective action. Corrective action relating to this policy shall be applied fairly and consistently.

For Duke University Faculty, Human Resources, in collaboration with DUHS Compliance Office and Chair or Dean, will determine the level of corrective action in accordance with the Policy. Appeals rights would be in accordance with faculty hearing process, Handbook or Medical Staff Bylaws.

The Chair in consultation with the School of Medicine Vice Dean for Faculty or the Dean, or School of Nursing Dean, will review the facts and circumstances of the potential breach. In consultation with Human Resources and/or Medical Center Management Center and Compliance Office based upon the nature and severity of breach, actions may result in progressive corrective actions for Faculty.

All corrective actions will be documented in writing and maintained in the appropriate personnel record. If warranted, corrective actions, up to and including termination may be reported to the applicable licensing board in collaboration with entity senior management.

Description of Corrective Action Levels

For any breach, the involved workforce member(s) will be subject to corrective action, up to and including termination, based on the nature and severity of the violation, pattern or practice of such behavior and prior discipline. Breaches are divided into four levels with the corresponding corrective action for each level. Such factors as the circumstances surrounding the breach and the workforce member’s history of non-compliance, the frequency of non-compliance, and the impact of non-compliance (e.g. probability that PHI is compromised or harm caused to patient by the breach) will be taken into consideration in determining the appropriate level of sanction. 

Level 1: Carelessness

This level of breach occurs when a workforce member unintentionally or carelessly fails to exercise appropriate care and safeguards in handling PHI. Examples include, but are not limited to:

  • leaving a copy of test results or other patient information in a public area;
  • discussing patient information in a public area;
  • leaving a computer with an application accessible unattended in an open area;
  • transmission of electronic communication without encryption when encryption is required by DUHS policies and procedures (includes sending, replying to or forwarding) to a non-Duke email address of an intended recipient;
  • faxing documentation to a wrong office or telephone number within a covered entity;
  • emailing documentation to a wrong email address within a covered entity.

A Level 1 Carelessness breach does not include unintentional access to PHI that is non-repetitive, e.g.:

  • requesting the record of a similarly named patient or selecting an incorrect name, if the staff member recognizes the mistake and immediately returns or exits the record without taking any operational action;
  • mistakenly giving PHI to the wrong patient but immediately retrieving the information before the recipient has a chance to read it or leave the facility with it.

Depending on the facts and circumstances of the event, corrective action may be administered in the following order: 

  • First Offense: Documented counseling session
  • Second Offense: Written warning
  • Third Offense: Final Written Warning and two (2) weeks unpaid suspension
  • Fourth Offense: Termination of employment, ineligible for rehire

Level 2: Reckless Disregard

This level of breach occurs when a workforce member’s actions result in inappropriate use, disclosure or access to PHI or when the action is not part of the workforce member’s area of responsibility. Examples include, but are not limited to:

  • sharing user IDs and/or passwords with other staff/colleagues or permitting another to access PHI through one’s computer or access;
  • inappropriate disposal of PHI, e.g., failure to shred labels or records;
  • permitting an unauthorized third party to use a Duke computer or system;
  • removing PHI from DHE premises in violation of policies or standards, e.g., paper medical records for purposes other than for provision of clinical care;
  • maintaining unencrypted PHI on laptop, PDA and/or thumb/jump drive;
  • releasing PHI to a third party without proper verification of the person’s identification;
  • faxing documentation to a wrong office or telephone number (not a covered entity);
  • sending, replying or forwarding of electronic communication (whether or not encrypted) to an unintended recipient who is not a covered entity (i.e., wrong email address);
  • mailing PHI to a wrong person or address.

Depending on the facts and circumstances of the event, corrective action may be administered in the following order:

  • First Offense: Written warning
  • Second Offense: Final written warning and two (2) weeks unpaid suspension
  • Third Offense: Termination of employment, ineligible for rehire

Level 3: Willful Disregard

This level of breach occurs when a workforce member deliberately accesses, uses or discloses PHI without a business need. Examples include, but are not limited to:

  • posting or participating in communication containing PHI on a social networking/open source site in a manner inconsistent with DUHS policies and procedures;
  • accessing another person's PHI, e.g., medical record, without a business need or the patient's authorization. This includes the medical record of a friend, relative, co-worker, or any other person (e.g., accessing an estranged spouse's medical record, obtaining a phone number of a relative, "checking on" a co-worker who is rumored to be a patient in the facility, or reviewing areas of a person's medical record outside the employee's job responsibilities);
  • sharing PHI with the media without authorization from the patient;
  • sharing PHI obtained from a third party that is not necessary for the workforce member’s responsibilities;
  • discussing PHI with individual(s) not involved in the patient's care or without a business need.

Depending on the facts and circumstances of the event, corrective action may be administered in the following order:

  • First Offense: Final Written Warning and two (2) week unpaid suspension
  • Second Offense: Termination of employment, ineligible for rehire

Level 4: Willful Disregard with Malicious Behavior

This level of breach occurs when a workforce member knowingly and maliciously takes actions, or omits to act, in a way that causes unauthorized access, use, or disclosure of PHI, regardless of whether the actual use or disclosure occurred. This level also includes access to PHI as described under Level 3 that is excessive in number, distribution or scope. Examples include, but are not limited to:

  • the workforce member inappropriately and repeatedly accessing, using, or disclosing individual screen(s) or information from individual or multiple patient records;
  • disclosing PHI for personal gain;
  • theft or sale of PHI;
  • disclosing PHI to cause harm to a patient or any third party.

Depending on the facts and circumstances of the event, corrective action may be administered in the following order:

  • First offense: Termination of employment, ineligible for rehire

Depending on the facts of the offense, a workforce member that receives discipline at levels 1 through 3 may also be asked to conduct an educational in-service with co-workers regarding safeguarding PHI and the appropriate uses/disclosures.

Policy Number: 04.12

Categories

Workplace Expectations & Guidelines Policy