Proprietary and Confidential Information
Applies to: | Original Policy Date: | Date of Last Review: | Approved by: |
---|---|---|---|
Florida Tech Employees, Contractors, & Vendors | October 2015 | September 2022 | Dr. Marco Carvalho Executive Vice President & Provost |
Policy Owner: Office of Human Resources
Policy Purpose
This policy outlines expectations and protections to safeguard proprietary and confidential individual and University information at Florida Tech.
Policy Scope
All employees, contractors, and vendors who have access to university data or materials that contain personal, academic, financial, proprietary, or other confidential information or who have knowledge of confidential university information through their association with the university.
Policy Statement
Confidential information is to be accessed, used, discussed, released, or disclosed, directly or indirectly, only when necessary to perform duties for the university and only in accordance with applicable law. Those with access to or knowledge of confidential information must guard against its inadvertent disclosure. Employees, contractors, and vendors may not remove confidential information from a university department, office, or system, or duplicate confidential information, unless authorized by the University to do so. Upon termination of any assignment or as directed by a supervisor or university designee, employees, contractors, and vendors must cease accessing the applicable confidential information and return any copies of or materials containing such information to their proper location at the university.
Procedures/Guidelines
For requirements related to the electronic transmission and storage of proprietary/confidential information please see the Transmission and Use of Sensitive Information Policy.
FERPA Compliance
FERPA is a Federal law that protects the privacy of student education records.
Under the provisions of the Family Educational Rights and Privacy Act of 1974 (FERPA), it is unlawful to:
- Make unauthorized copies or permit the unauthorized use of information in student files maintained, stored, or processed by any university office
- Seek personal benefit or allow others to benefit personally by knowledge of confidential information from student files
- Exhibit or divulge the contents of any student record or report to any person except in the performance of assigned duties and in accordance with FERPA and university policies and procedures
- Knowingly include or cause to be included in any record or report, a false, inaccurate, or misleading entry
- Remove an official record or report or copy thereof from the office or system in which it is maintained, except as authorized by a supervisor/university designee in the performance of assigned duties
- Aid, abet, or act in conspiracy with another to violate this policy
- Withhold knowledge of a violation of FERPA.
Additional information regarding FERPA requirements may be found in the Annual Notification of Student Rights (FERPA); questions may be directed to the Office of the Registrar
HIPAA Compliance
HIPAA is a Federal law that relates to privacy of medical information.
Annually or as necessary, the university performs benefit enrollment, changes in enrollment and payroll deductions, provides assistance in claims problem resolution and explanation of benefits issues, and assists in coordination of benefits with other providers. Some or all of these activities may require the use or transmission of Protected Health Information (PHI). Thus, all information related to these processes will be maintained in confidence and employees will not disclose PHI from these processes for employment-related actions, except as provided by administrative procedures approved by the HIPAA Compliance Officer (HCO).
Disclosures that do not qualify as PHI-protected disclosures include: disclosure of PHI to the individual to whom the PHI belongs, requests by providers for treatment and/or payment, disclosures requested to be made to authorized parties by the individual PHI holder, disclosures to government agencies for reporting or enforcement purposes, disclosures to workers’ compensation providers and those authorized by the workers’ compensation providers.
Information regarding whether an individual is covered by a plan for claims processing purposes may be disclosed.
Information external to the health plan is not considered PHI if the information is being furnished for claims processing purposes involving workers’ compensation and/or short- or long-term disability and medical information received to verify ADA or FMLA status.
As required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), regarding health insurance plans offered through Florida Tech the University will:
- Not use or further disclose protected health information, other than as permitted by health insurance plan documents or as may be required by HIPAA.
- Ensure that agents or subcontractors of the university who receive health insurance plan protected health information agree to comply with the same restrictions.
- Not use or disclose this information for employment-related actions or in connection with other employee benefit plans.
- Report to the health insurance plan any use or disclosure of protected health information that is inconsistent with permitted uses or disclosures.
- Decide participant's protected health information available to the plan participant, consider plan participant requests for amendments, and, upon request, provide plan participants with an accounting of disclosures of their protected health information to third parties.
- Provide documentation to Health and Human Services upon request.
- Return or destroy protected health information received from the health plan that the university maintains in any form, with no copies to be retained, if feasible, or ensure continued protections if not feasible.
Further information about HIPAA is available the U.S. Department of Health and Human Services Health Information Privacy website.
Information about privacy of student health-related information is available on the Holzer Health Center website.
For more information about PHI in research, see Human Subjects Regulation HIPAA Forms and Regulations.
Reporting
Individuals who have knowledge of confidential or proprietary information being misused should report this to the Office of Human Resources at hr@fit.edu, 321-674-8100, or through the Anonymous Reporting Form.
Definitions
Confidential Information: For purposes of this policy, "confidential information" includes, but is not limited to:
- Student education records and discipline records
- Non-public personal information concerning employees, contractors and students including, but not limited to, Florida Tech Identification Numbers, information system user IDs and passwords, social security numbers, internal communications, banking or financial information, medical and health information, disability status or special needs, insurance information and personal benefits information.
- Protected Health Information concerning employees or students
- University-related information which has not been publicly published or released with university authorization, including but not limited to budget, financial, negotiation, bidding, and other information
- University research data, information, and findings that are protected by law, contract, or policy
- Information described as confidential under any other University policy, rule, or directive
- Other information and records which the employee, contractor, or vendor is directed under proper authority to not disclose.
Confidential information does not include information publicly disclosed by the University or which is required to be disclosed pursuant to law or contract.
Education Records: Those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or by a party acting for the agency or institution.
Protected Health Information (PHI): Any information, including genetic information, whether oral or recorded in any form or medium, that (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Protected Health Information (PHI) PHI information includes medical conditions, health status, claims experience, medical histories, physical examinations, genetic information, and evidence of disability.
Compliance Reference
HIPAA: Health Insurance Portability and Accountability Act of 1996, 45 CFR Part 160 and Subparts A and E of Part 164
FERPA: Family and Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g; 34 CFR Part 99
Responsibilities
The Office of Human Resources is responsible for receiving any reports of violation of this policy and for coordinating investigation of the alleged violation with the appropriate departments.
The Office of Human Resources in partnership with Procurement Services is responsible for ensuring contractors agree to abide by this policy and applicable requirements of FERPA, HIPAA, and any other regulations governing information privacy.
Procurement Services is responsible for ensuring vendors with access to confidential or proprietary information agree to abide by this policy and applicable requirements of FERPA, HIPAA, and any other regulations governing information privacy.
Enforcement
Violation of this policy may lead to disciplinary action, termination of contract/vendor relationship, and/or legal action, as applicable.