Code of Conduct for Business Activities
II. D) Confidential or Privileged Information
Employees must not use, for personal gain or other unauthorized purposes, confidential or privileged information acquired in connection with the individual's University-supported activities. Confidential or privileged information includes, but is not limited to, documents so designated; medical, personnel, or security records of individuals; student records; anticipated material requirements or price actions; knowledge of possible new sites for University-supported operations; and knowledge of forthcoming programs or of selections of contractors or subcontractors in advance of official announcements.
The following principles apply:
- Confidential, proprietary and private information relating to patients, the organization, employees, trustees, and students is to be kept in confidence. This includes information from all sources, including, but not limited to, medical records, student records, e-mail, voice mail, inter/intranet, personnel and payroll, financial systems, patient registration systems, and all other paper files or computer applications owned or used by the University.
- Employees should access and/or use patient, employee, or student information only with proper authorization and as needed to perform their job responsibilities. The need for staff access should be reviewed periodically by supervisors.
- No employee is permitted to view or alter (change) information concerning his or her family members, friends or other acquaintances unless required by that staff member's job responsibilities.
- No employee is permitted to access or alter his or her own medical and/or any associated information without following established procedures.
- HIV, mental health, and drug or alcohol counseling records are especially sensitive and confidential. Staff should use the utmost care in connection with any access to or use of such information.
- Each employee is responsible and will be held accountable for securing his or her passwords for any information system to which he or she has access. Employees should report any compromise of their passwords immediately to their supervisor or Information Technology Services, and others to whom such a report may be appropriate, and should change their passwords immediately after such a compromise occurs (as well as regularly).
- Each employee must report as described in Section I. B) of this Code on becoming aware of any unauthorized disclosure of confidential information by any member of the University community.
Unauthorized access and/or disclosure of confidential information will result in disciplinary action, up to and including termination of employment, and may also result in civil or criminal penalties under federal, state or local law.
Patient Information: For more on confidentiality policies and procedures, see (http://www.urmc.rochester.edu/urmc/pol/compliance/code.html). For more information regarding Protected Health Information, see (http://intranet.urmc.rochester.edu/HIPAA/) as well as the Strong Memorial Hospital Policy Manual, Section 6.
Student Information: The University of Rochester complies fully with the provisions of the Family Educational Rights and Privacy Act (FERPA), and the New York State education laws. See Section V-B of the Faculty Handbook for detailed information.