Confidential Information, PII, and PHI
MEDIC volunteers may have access to confidential information regarding MEDIC and its donors, customers, or employees.
This includes but is not limited to:
-Information belonging to MEDIC and generally not known to the public.
-MEDIC’s business strategy, future plans, marketing plans, and strategies.
-Customer information
-Trade secrets
-Financial information
-Contracts, suppliers, customers, etc.
-Personal Health Information (PHI)
-Medical history, donation screening exam responses, screening physical test results, laboratory results, etc.
-Personally Identifiable Information (PII)
-Name, gender, DOB, race/ethnicity, address, address history, phone numbers, email addresses, social security numbers, driver's license numbers, etc.
Maintaining the confidentiality of this information is vital. Access to confidential information in the course of performing your job does not imply the privilege to disclose information, and under no circumstances should you discuss it with family, friends, or anyone outside the organization. This information must only be used for MEDIC business purposes and must only be discussed with those who have a legitimate business need to know the information.
Volunteers may not remove confidential information from the workplace unless specifically approved by the volunteer's supervisor. This includes but is not limited to:
-Documentation
-Notes
-Files (paper or electronic)
-Records
-Information passed by word of mouth
Any request for information, by telephone or in written form, should be referred to Human Resources or an appropriate member of management unless you are specifically authorized to release such information. PHI will only be disclosed with the proper release of records. Designated managers will serve as coordinators of exchanging PHI with any outside third party. PHI and PI of employees will be held strictly confidential. Information for these purposes will only be disclosed to an outside third party once a records release is obtained. All requests for this information are to be handled through Human Resources.
Only volunteers who have undergone a pre-volunteer background check and whose job role necessitates access to PHI or PII will be given access to the information. Vendors or service providers must sign an information security agreement, business associate agreement, or related agreement with MEDIC that includes specific use, limitations, and expiration of authorization prior to receiving or accessing PII or PHI.
Printed material containing PII or PHI must be handled and stored appropriately. The printed material must not be left unattended on a general access printer, in public areas, or in general employee access areas and must be stored securely when not in use. Printed material containing PII or PHI must be disposed of in a secure shred bin.
Email within the medicblood.org domain is secure. Exchange of PII and PHI between authorized volunteers/employees internally is acceptable for authorized purposes. Email with an attachment that is sent outside the medicblood.org domain to an authorized recipient must be sent using MEDIC’s encrypted email facility (preferred) or, at a minimum, utilize password protection within the attachment itself with a strong password. This attachment password must be communicated to the recipient separately. Personal email accounts must not be used by MEDIC employees to send or receive PII or PHI data.
Only MEDIC-issued encrypted lockable USB drives are acceptable for use in transmitting, storing, or sending PII and PHI.
Transmission of PII and PHI information by authorized employees via fax to an authorized recipient is acceptable.
Volunteers who are unsure about the confidential nature of specific information must ask their supervisor for clarification. Volunteers will be subject to appropriate disciplinary action, up to and including dismissal, for knowingly or unknowingly revealing information of a confidential nature.