Skip to main content

Information Security Policy

Overview

Information, as here in after defined, in all its forms and throughout its life cycle will be protected in a manner consistent with its sensitivity and value to any agency to which a student or faculty member is assigned via contractual agreement or Memorandum of Understanding between the UNC Eshelman School of Pharmacy and the agency. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit information.

This policy applies to all information which includes clinical information generated in the context of patient care or clinical research, including, for example, laboratory data, x-ray results, other tests and procedures, and dictated and written notes detailing patient histories and physical exam findings. Such client/subject-related data may be available electronically, or in written form in standard medical records and patient charts. It may be available for individual or groups of clients/subjects. Such information may reside in large central computer databases, such as those maintained by large hospitals and academic health centers where it can be made available electronically to peripheral workstations, such as clinical workstations or peripheral clinical databases maintained by individual agency personnel. It may also reside in databases that are separate from the centrally maintained databases, such as the clinical or research databases that have been developed by certain agency personnel members.

Scope
The scope of information security is protection of information that is written, spoken, recorded electronically or printed, from accidental or intentional modification, destruction or disclosure. Information will be protected throughout its life cycle (origination, entry, processing, distribution, storage, and disposal).

Examples of Breaches of Security
Accessing information that is not within the scope of your job/role as student.

  • Unauthorized reading of account information
  • Unauthorized reading of a client’s/subject’s chart
  • Unauthorized access of personnel file information
  • Accessing information that you do not “need-to-know” for the proper execution of your job function

Misusing, disclosing without proper authorization, or altering patient or personnel information.

  • Making unauthorized marks on a client’s or subject’s chart
  • Making unauthorized changes to a personnel file or research data files
  • Sharing or reproducing information in a client’s/subject’s chart or personnel file with unauthorized personnel
  • Discussing confidential information in a public area such as a waiting room or elevator

Disclosing to another person your sign-on code and password for accessing electronic or computerized records.

  • Telling a coworker your password so that he or she can log in to your work
  • Telling an unauthorized person the access codes for personnel files or patient accounts

Using another person’s sign-on code and password for accessing electronic or computerized records.

  • Using a co-worker’s password to log into the hospital’s computer system
  • Unauthorized use of a login code for access to personnel files or client/subject information

Leaving a secured application unattended while signed on.

  • Being away from your desk while you are logged in an application
  • Allowing a coworker to use your secured application for which he or she does not have access after you have logged in

Attempting to access a secured application without proper authorization.

  • Trying passwords and login codes to gain access to an unauthorized area of the computer system
  • Using a coworker’s application for which you do not have access after he or she is logged in