Code number: C-03
Date issued: 9/6/2012
Date last reviewed: 09/19/2024
Version: 1.4
Approval authority: Chief Information Security Officer
Responsible office: Information Assurance
I. Overview
In the course of performing authorized work, university staff members may be granted access to university information systems that maintain Protected Health Information (PHI) as defined by the Health Information Portability and Accountability Act (HIPAA). Such access creates an obligation to treat PHI in a confidential and secure manner.
This Code of Conduct affirms the commitment of staff to:
- Understand their obligations to comply with all applicable policies, and statutory and regulatory requirements.
- Act in an ethical and compliant manner.
- Understand the consequences of failure to comply with the Code of Conduct.
- Take action to appropriately address violations and conflicts to the Code of Conduct.
II. Guiding U-M Policies
All staff members of the university community are expected to use U-M information resources properly and to abide by all the requirements of Responsible Use of Information Resources (SPG 601.07). U-M staff members, however, have a unique and critical institutional role in supporting the university’s academic, research, teaching, administrative, and clinical missions whereby they are expected to hold to the highest standard of compliance with these policies and procedures.
III. Staff Responsibilities and Consequences for Non-Compliance
All staff are required to be knowledgeable of and follow this Code of Conduct. Staff that fail to exercise appropriate ethical and professional conduct may be subject to disciplinary action up to and including termination, as identified by Privacy and the Need to Monitor and Access Records (SPG 601.11) (Section IV: Sanctions) and Discipline (SPG 201.12).
Staff members are specifically responsible for the following:
- Knowledge of, and understanding and compliance with, the policies and procedures that apply to their work, including U-M Standard Practice Guides and all unit policies and standards.
- Protecting the confidentiality, privacy, and security of PHI in whatever format it is in.
- Only accessing, releasing, or sharing PHI sensitive information as necessary as a part of their assigned duties.
- Understanding that their access to U-M systems containing PHI is audited and may be reviewed at any time, with or without cause.
- Protecting PHI by not sharing passwords or access to any U-M systems or applications with any other person.
- Understanding that when their employment, affiliation, or assignments with U-M end, that they may not take any institutional PHI with them.
IV. Reporting Violations, Inappropriate Conduct, or Non-Compliance
Staff are obligated to report suspicious or illegal activities, including the unauthorized disclosure of PHI, that violate University of Michigan policies or state and federal regulations. The responsibility of the staff member ends with reporting the suspicious or illegal activity to an appropriate authority. Under no circumstances should a staff member confront another staff member or other campus community member or conduct any kind of investigation.
Staff members should immediately report any potential breach or unauthorized disclosure of PHI to [email protected], as detailed at Report an IT Security Incident.
No staff should experience harassment or retribution when acting responsibly by reporting what they believe to be a legitimate and serious concern. Staff that feel they have been harassed, punished, or retaliated against for reporting a compliance concern should report this to their unit HR department, University Human Resources (UHR) or the U-M Compliance Hotline.
V. Training Requirements
All staff must meet the following training and attestation requirements.
- Complete your unit's data protection training course that covers PHI (e.g. DPE101: Data Protection for ITS and DPE110 Data Protection for Unit IT). Successful completion of the course on an annual basis will serve as a renewal of this attestation.