Information Disclosure & Confidentiality PolicyJanuary 22, 2010 (Replaces policy dated December 10, 2002) (Replaces policy entitled "Information Disclosure Policy" dated July 22, 1998) [Edited April 10, 2007, to include reference to Data Protection and Security Policy] [Edited March 18, 2009, for change in titles and unit names]
UAB is the owner of all information captured using UAB resources and assets. As such, UAB is responsible for providing guidelines and procedures which will support ease of use and access to data and information according to authorized and legitimate needs of members of the UAB community and the public. As a state-supported institution, UAB recognizes its obligation to provide the citizens of Alabama with information concerning expenditure of public funds, and UAB is committed to providing such information in an orderly and consistent manner. This usually is accomplished through regular, public reports to local, state, and federal agencies; through broad distribution of UAB's independently audited financial statements; by making annual salary information available through the UAB libraries; and by responding appropriately to specific requests for information. UAB recognizes that employees of the institution may exercise the right of any citizen to report violations of law to appropriate authorities and that employees have a duty to cooperate with authorized officials of local, state, and federal agencies. In general, UAB records and documents (except for certain categories of information including, but not limited to, those protected by confidentiality laws and regulations) may be subject to inspection as provided by law. This policy is established to provide for the orderly disclosure of UAB records to individuals or entities requesting them.
This policy primarily deals with "administrative," "management," "business," or "policy-making" information generated as part of running the institution. Not covered by this policy are the dissemination of results of academic, research, and scholarly activities which relate to the free exchange of ideas and the sharing of knowledge in a higher education institution. However, there may be school, department, or unit rules and regulations specifying how and when such intellectual knowledge is presented, reported, and disseminated by UAB faculty and research personnel.
Confidentiality of Information
Unless otherwise noted, all information covered by this policy is to be treated as "confidential information for official internal use only," until it is released based on the terms of release included in this policy. As part of normal UAB operations, certain departments or units may release information otherwise classified as confidential when required by external entities such as granting agencies.
Disposal of Confidential Documents
Subject to record retention requirements, documents containing confidential information or restricted-release information must be shredded, torn, or cut into pieces such that the information is no longer recognizable prior to its being placed in trash or recycling bins. Likewise, electronic storage media (for example, diskettes, compact disks, tapes, disk drives, etc.) containing confidential information or restricted-release information must be completely erased, reformatted, or destroyed prior to being discarded or placed in trash bins. (Contact the UAB Equipment Accounting Department concerning procedures for destroying UAB information in computers being sent to the UAB Warehouse for disposal.)
Confidentiality of Medical/Health Information
ALL MEDICAL AND HEALTH INFORMATION IS CONFIDENTIAL INFORMATION AND MUST BE TREATED AS SUCH.
Medical/Health Information in Patient-care Settings
All medical and health information in any patient-care or health-care setting at UAB or in any setting involving medical or health information (including research involving patient care or medical/health information) is confidential information and must not be revealed to anyone who does not have the right to view, or know, the information. (See the Individually Identifiable Health Information section of this policy for additional information concerning medical and health information.)
No physician, other health-care provider, or student may view or discuss a person's health information unless he or she is the attending physician or primary provider, has been requested to be involved by the attending physician or primary provider, or otherwise has been asked to be involved in health-care services for the patient.
Any medical or health information which an employee (or student functioning in the health-care arena) receives, or has access to, (whether verbal, written, visual, or electronic) concerning patients or concerning any individual and the medical/health services performed for that individual is confidential information even if the employee (or student) did not actually furnish the services.
Medical/Health Information in "Non-patient-care" Settings
All medical and health information outside of a direct patient-care setting also is confidential information and must be treated as such. Any medical or health information that an employee learns, even inadvertently, as a result of his or her job responsibilities at UAB or otherwise as a result of his or her employment relationship with UAB is considered confidential. This includes, but is not limited to, medical or health information in research settings even if the research does not involve direct patient care.
All medical and health information about UAB employees (including, but not limited to, medical condition, medical examination results, letters or records from medical personnel, information concerning a disability, medical information concerning ability to perform a job, medical history, etc.) must be treated as confidential information, must be collected and maintained on forms separate from other employee/employment forms, and must be maintained in separate files established for this purpose.
Use and Release of Information
From time to time, UAB employees may receive requests for information which may or may not be available through "public" sources, and it is recognized that often it is difficult for employees in departments or units to know the legal or UAB restrictions on the release of information to external entities. Confidential information, no matter on what medium it is stored, must not be accessed or transmitted in violation of UAB policy or in violation of law. For purposes of this policy, UAB information has been classified into the following three categories, and each category contains a description of the restrictions for disseminating the information through approved channels:
1. Internal Information
Definition: Internal information as used here means information which is gathered or generated for UAB's internal use and which has not yet been broadly disseminated to UAB's internal or external constituents. This includes "administrative," "management," "business," or "policy-making" information which UAB employees, including faculty, generate or maintain during the course of their duties or responsibilities as UAB employees.
Terms of Release:
Portions of this information may be confidential, and all requests for this type of information should be reviewed, prior to its release, by the UAB Public Relations Officer, the Office of Counsel, and the UAB executive who ultimately is responsible for the department/unit which received the request for information. UAB executives authorized to release internal information are the President; the Provost; the Vice President for Development, Alumni and External Relations; the Vice-President for Equity and Diversity; the Vice President for Financial Affairs and Administration; the Vice President for Information Technology/ CIO; the Vice President/Dean, School of Medicine; the CEO of the UAB Health System; the Vice President for Research and Economic Development; and the Vice President for Student Affairs.
UAB employees may not use internal UAB information for personal purposes and may not obstruct its use for proper UAB purposes. Disclosure of documents containing internal information may be required from time to time, but such disclosures must be made by one of the UAB officials listed above as authorized to release such information.
2. Individually Identifiable Information
Except for directory information, as defined by UAB's Student Records Policy, and information included in UAB employee directories and in publicly accessible lists of salaries, all employee, student, and patient records are confidential, and the privacy rights of the individuals who are the subject of those records must be respected.
All individually identifiable information of UAB employees, students, research subjects, and patients may be disseminated only in appropriate circumstances, after proper review, and through the distribution channels described below or described in separate documents specifying such processes.
Individually Identifiable Employee Information: This category includes any information which is part of an individual's demographic or employment record at UAB.
Terms of Release:
General: Appropriate departments, units, and individuals are authorized to release salary or other individually identifiable information required by external entities (for example, granting agencies) when that disclosure is a part of normal UAB operations. Likewise, individually identifiable information that normally is a part of such things as letters of recommendation or letters of reference may be included in such documents.
Publicly Available Information: The printable and online UAB directories contain information such as employee name, e-mail address, department, job title, office location, office telephone number, and office facsimile number. For purposes of this policy, those items are considered public employment information, and such information may be released without prior approval.
UAB Campus Directories File: The file of the UAB directory shall only be accesable by the use of a BlazerID and password. This file allows for the printing of the UAB directory. The file or the printed UAB directory may be distributed outside of UAB only by the Office of Public Relations and Marketing. Requests from external entities or individuals for copies of the printed UAB directory must be referred to that office.
Use of E-mail Addresses for Broad Distributions: E-mail addresses are not to be used for mass or bulk mailings to UAB employees unless approved by the Office of Human Resources or processed through the appropriate UAB organizational entity.
List of UAB Salaries: A comprehensive list of all UAB faculty and staff salaries paid from UAB sources of funds is available for general access and review at the Lister Hill Library of the Health Sciences and at the Mervyn H. Sterne Library.
Employment Information Requests--News Media: All requests by external news media personnel for salary, employment status information, or employee information must be referred to UAB's Public Relations Officer.
Employment Information Requests--Non-media: All non-media requests for individually identifiable information about UAB employees must be referred to the Office of Human Resource Management for approval of release and distribution of the information. (As indicated above, salary information is available to the general public at the Lister Hill Library of the Health Sciences and at the Mervyn H. Sterne Library.) The only information about individual UAB employees given to persons who inquire of the Office of Human Resources is as follows:
- Verification of dates of employment and whether the person currently is employed at UAB or no longer is employed at UAB
- Job title
- Salary information if requested in writing and if the employee signs an authorization for release of the salary information. (Salary information is not given over the telephone.)
Internal UAB Requests: Internal requests for individually identifiable employee information should be referred to the Chief Human Resources Officer if it is not clear whether the information should be provided to another UAB department or unit.
Individually Identifiable Student Information: This is any information which pertains to a specific, individual student and includes all information pertaining to a student's enrollment.
Terms of Release: The release of individually identifiable information is covered by federal law and the policies and procedures of the Office of Registration and Academic Records. All requests for disclosure of any type of individually identifiable student information must be referred to that office.
Individually Identifiable Health Information: This information (including such information collected or maintained in research settings) also is known as "protected health information." This information is covered by federal and state rules and regulations and by policies of UAB, the UAB University Hospital, and the UAB Health System.
Terms of Release: All requests for disclosure of an individual's patient record, medical information, or health information are subject to federal and state rules and regulations and to policies of UAB, the UAB University Hospital, and the UAB Health System. Requests for clarification of those policies should be directed to an immediate supervisor, to the UAB official(s) coordinating implementation of the Health Insurance Portability and Accountability Act (HIPAA), to the Office of the Hospital Executive Director, or to the Office of the CEO of the UAB Health System.
Non-individually Identifiable Employee and Student Information: This is standardized, summary, general, averaged, or otherwise non-individually identifiable information (or de-identified information) used in research and in official reporting or for other official purposes. It includes, but is not limited to, general profiles of the employee and student populations.
Terms of Release: Appropriate UAB officials may release generalized, averaged, and summary salary or non-individually identifiable information as needed for standardized or other official reporting. For information concerning which officials or offices may release such information, contact the President's Office.
3. Broadly Disseminated Information
Definition: This is information which is generated for distribution to UAB's internal and external constituents or which is published for broad distribution. Examples include, but are not limited to, information contained in nonconfidential reports to federal, state, and local agencies and information contained in UAB publications such as Facts & Figures, the UAB Financial Report, and The President's Report.
Terms of Release: Deans, directors, and department heads, or their designees, have the authority to disseminate this type of information to requesting parties. However, if there is a doubt as to whether the information is intended for broad distribution as defined by this section, the request should be reviewed by one of the appropriate UAB officials listed above in item number 1 entitled "Internal Information."
All UAB records which are required to be retained permanently based on UAB, or other, retention requirements are sent to the UAB Archives when the records no longer are needed in the UAB department or unit. It should be understood by individuals, departments, or units which send records to a directly accessible archival function such as the UAB Archives that those records may be accessible to the public and that the records may be released by the staff of the UAB Archives unless the records are restricted by statute or are otherwise confidential as specified in this policy. Archive records may be classified by the individual, department, or unit sending them to the Archives into categories relative to their intended accessibility including, but not limited to, "records with unlimited accessibility," "records which are not to be accessed for a specified period of time except by court or other binding order," "confidential records not to be accessed except by an appropriate UAB official," etc.
This policy applies to all employees of the University of Alabama at Birmingham, including faculty and including students functioning as employees.
A violation of this policy by employees, including faculty, shall result in disciplinary action according to established UAB disciplinary procedures up to, and including, discharge for nonfaculty employees and termination for cause for faculty employees.
The Office of the Vice President for Financial Affairs and Administration is responsible for the development and maintenance of procedures to implement this policy.
See also the following:
- "Data Protection and Security Policy"
- Relevant item in the "Employee Behavior and the Working Environment" section of the You & UAB Handbook for Faculty and Staff.
- Policies 407 and 408 in the Human Resource Management Personnel Policies and Procedures Manual.
- "UAB Student Records Policy" in the catalogs of the various schools and divisions.
- "Patient Information" section of the You & UAB Handbook for Faculty and Staff
- UAB Health System Interdisciplinary Standard "Confidentiality of Information."
- "UAB University Hospital confidentiality and information disclosure policies.
- Board of Trustees Rule 105 "Ownership and Preservation of Records and Files."