HIPAA Code of Conduct and Confidentiality Agreement

Code number: C-03
Date issued: 9/6/2012
Date last reviewed: 3/17/2021
Version: 1.3
Approval authority: Chief Information Security Officer
Responsible office: Information Assurance
Printable copy: HIPAA Code of Conduct and Confidentiality Agreement (PDF)

I. Overview

In the course of performing authorized work, university staff members may be granted access to university information systems that maintain Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). Such access creates an obligation to treat PHI in a confidential and secure manner.

This Code of Conduct affirms the commitment of staff to:

  1. Understand their obligations to comply with all applicable policies, and statutory and regulatory requirements.
  2. Act in an ethical and compliant manner.
  3. Understand the consequences of failure to comply with the Code of Conduct.
  4. Take action to appropriately address violations of, and conflicts with, the Code of Conduct.

II. Guiding U-M Policies

All staff members of the university community are expected to use U-M information resources properly and to abide by all the requirements of Responsible Use of Information Resources (SPG 601.07). U-M staff members, however, have a unique and critical institutional role in supporting the university’s academic, research, teaching, administrative, and clinical missions, and are therefore expected to hold to the highest standard of compliance with these policies and procedures.

III. Staff Responsibilities and Consequences for Non-Compliance

All staff are required to be knowledgeable of and follow this Code of Conduct. Staff who fail to exercise appropriate ethical and professional conduct may be subject to disciplinary action up to and including termination, as identified by Privacy and the Need to Monitor and Access Records (SPG 601.11) (Section IV: Sanctions) and Discipline (SPG 201.12).

Staff members are specifically responsible for the following:

  • Knowledge of, and understanding and compliance with, the policies and procedures that apply to their work, including U-M Standard Practice Guides and all unit policies and standards.
  • Protecting the confidentiality, privacy, and security of PHI in whatever format it is in.
  • Accessing, releasing, or sharing PHI and other sensitive information only as necessary as part of their assigned duties.
  • Understanding that their access to U-M systems containing PHI is audited and may be reviewed at any time, with or without cause.
  • Protecting PHI by not sharing passwords or access to any U-M systems or applications with any other person.
  • Understanding that when their employment, affiliation, or assignments with U-M end, they may not take any institutional PHI with them.

IV. Reporting Violations, Inappropriate Conduct, or Non-Compliance

Staff are obligated to report suspicious or illegal activities, including the unauthorized disclosure of PHI, that violate University of Michigan policies or state and federal regulations. The responsibility of the staff member ends with reporting the suspicious or illegal activity to an appropriate authority. Under no circumstances should a staff member confront another staff member or other campus community member or conduct any kind of investigation.

Staff members should immediately report any potential breach or unauthorized disclosure of PHI to [email protected], as detailed at Report an IT Security Incident.

No staff should experience harassment or retribution when acting responsibly by reporting what they believe to be a legitimate and serious concern. Staff who feel they have been harassed, punished, or retaliated against for reporting a compliance concern should report this to their unit HR department, University Human Resources (UHR), or the U-M Compliance Hotline.

V. Training and Attestation Requirements

All staff must meet the following training and attestation requirements.

  • Complete the "HIPAA and Protected Health Information" course in My LINC and pass the associated quiz at the 80% level within the first 30 days after starting employment or being assigned job responsibilities that require accessing PHI. Successful completion of the course on an annual basis will serve as a renewal of this attestation.
  • Provide a signed copy of this attestation to their unit HR office within thirty (30) days after starting employment or being assigned job responsibilities that require accessing PHI.
  • Sign or attest to service- or unit-specific codes of conduct where required.

HIPAA Code of Conduct and Confidentiality Agreement

I, ______________________________, have read and received training on the HIPAA Code of Conduct and Confidentiality Agreement and will comply with the requirements indicated in the Code.
I also understand the need to:

  1. Comply with all applicable University of Michigan policies, and state and federal laws and regulations, while performing my job;
  2. Successfully complete the online HIPAA and PHI course in My LINC within 30 days of my initial employment and subsequently once a year; I completed the required module on ______________.
  3. Continue any training necessary to comply with the HIPAA Code of Conduct and Confidentiality Agreement;
  4. Maintain the highest ethical standards in the conduct of university business affairs, in a manner that represents integrity and compliance with applicable laws and in which personal advantage and gain are excluded;
  5. Exercise due care to preserve the security, integrity, and confidentiality of PHI;
  6. Take reasonable precautions to ensure the protection of PHI from unauthorized access, disclosure, or destruction;
  7. Report potential security violations, including unauthorized access to, loss of, or disclosure of PHI, and misuse, theft, or unauthorized modification of such information (including information stolen in conjunction with the theft of a computer or any other device containing PHI), by using the procedure referred to in Section IV of the Code;
  8. Provide a signed copy of my attestation to my unit’s HR office, to maintain in my file, within thirty (30) days after my start of employment or being assigned job responsibilities that require accessing PHI.

Employee Signature/Print Name:  ______________________________________________________

Date Signed: __________________________________________________________________________

Job Title: ______________________________________________________________________________

Uniqname/UMID #: ____________________________________________________________________

Department Name: ____________________________________________________________________

Loc/Dept Number: ____________________________________________________________________

Supervisor Signature: _________________________________________________________________

Date Signed: __________________________________________________________________________