Vanderbilt University Medical Center

Confidentiality Agreement

Vanderbilt University Medical Center (VUMC) has legal and ethical responsibilities to safeguard the privacy of its employees, students, and patients and their families and to protect the confidentiality of protected health information (PHI) and all other types of confidential information (collectively, “Confidential Information” as further defined below). Members of the VUMC community to which this Confidentiality Agreement applies include but are not limited to a:

  • VUMC Workforce Member: any individual performing work for or on behalf of a VUMC-owned legal entity and under the direct supervision or control of VUMC, including any VUMC-owned legal entity, whether or not the member is employed by VUMC. Examples include all individuals employed by any VUMC-owned legal entity; temporary or staffing agency workers; students and trainees; volunteers; and vendor representatives working on-site under direct supervision of a VUMC-owned legal entity.
  • Trusted Role: a Workforce Member of VUMC or a VUMC Business Associate whose job duties require access to VUMC Confidential Information in order to provide legal or risk management advice to the institution, perform audit or review duties or investigations or to provide support for an information system. An individual in a Trusted Role is held to a higher standard of personal integrity, professionalism and judicious precaution when accessing Confidential Information.
  • Non-Employed Provider with Privileges: an individual who is formally related to a VUMC-owned legal entity through medical staff membership and/or privileges but is not employed by a VUMC-owned legal entity.
  • Extended Community Member: an individual who is present on VUMC premises or accessing information resources at VUMC for a specific treatment, payment, or health care operation, or other authorized purpose allowed under the Health Insurance Portability and Accountability Act (HIPAA) such as a third-party payer representative, a visitor for a guided tour or observation experience, media or vendor representatives, post-discharge care providers, other health care providers or a provider’s office or clinical staff involved in a patient’s continuum of care.
  • Business Associate: a person or entity, other than a Workforce Member, that performs certain functions or activities on behalf of, or provides certain services to, VUMC that involve the use, disclosure, creation, receipt, maintenance or transmission of PHI.

VUMC’s Confidential Information includes any and all of the following categories:

  • Patient information (or PHI) including demographic, health, and financial information, pictures and videos (in paper, verbal, observed or electronic form regardless of how it is obtained, stored, utilized, or disclosed);
  • Information pertaining to individuals conducting or participating in research, training, or educational activities;
  • Information pertaining to members of the VUMC Workforce or Extended Community (such as social security numbers, banking information, salaries, employment records, student records, disciplinary actions, etc.);
  • VUMC information (such as financial and statistical records, academic or research funding, strategic plans, internal reports, memos, contracts, peer review information, communications, proprietary information including computer programs, source code, proprietary technology, etc.);
  • Third-party information (such as insurance, business contracts, vendor proprietary information or source code, proprietary technology, etc.); and
  • Patient, research, academic program, or other confidential or proprietary information accessed, heard or observed by being present on VUMC premises or accessing VUMC resources.

As a member of the VUMC community I agree to conduct myself in strict conformance with all applicable laws and with VUMC policies governing Confidential Information. I understand and agree that measures must be taken so that all Confidential Information captured, maintained, or utilized by VUMC and any of its off-site clinics or affiliated entities is accessed only by authorized users. These obligations apply to Confidential Information in any form, e.g., written, electronic, oral, overheard or observed.

As a condition of and in consideration of my use, access, maintenance and/or disclosure of Confidential Information, I agree that:

  1. I will access, use, maintain and disclose Confidential Information only as authorized and needed to perform my assigned job duties. This means, among other things, that I:
    1. will only access, use, and disclose Confidential Information that I have authorization to access, use, and disclose in order to perform my job duties;
    2. will not in any way access, use, divulge, copy, release, sell, loan, review, alter, or destroy any Confidential Information except as properly and clearly authorized within the scope of my job duties and in accordance with all applicable VUMC policies and procedures and with all applicable laws;
    3. will report to the VUMC Privacy Office or my supervisor any individual’s or entity’s activities that I suspect may compromise the privacy or security of VUMC’s Confidential Information or otherwise fail to conform to VUMC policies and procedures;
    4. understand my violation of my obligations regarding Confidential Information, particularly PHI, could expose me to legal sanctions.
  2. If I am granted access to VUMC electronic systems, including email, I am the only person authorized to use the individual user identification names and passwords or access codes assigned to me. I agree to the following:
    1. I will safeguard and not disclose my individual user identification passwords, access codes or any other authorizations that allow me to access VUMC Confidential Information to anyone including my manager, supervisor, IT Support staff or any other person who is not authorized to have this information.
    2. I understand that if I am in a Trusted Role I will be held to a higher standard of personal integrity, professionalism and judicious precaution when accessing Confidential Information.
    3. I will not request access to or use any other person’s passwords, access codes or other authorizations.
    4. I accept responsibility for all activities undertaken using my passwords, access codes and other authorizations.
    5. It is my responsibility to log out of any system to which I have logged on. I will not under any circumstances leave unattended a computer to which I have logged on without first either locking it or logging off the workstation.
    6. If I have reason to believe that the confidentiality of my passwords or access codes has been compromised, I will immediately report this to the VUMC Help Desk, VUMC Privacy Office and my supervisor, and I will immediately change my password.
    7. I understand that my user identification will be deactivated at such time when I am no longer a VUMC Workforce Member, Extended Community Member, or Business Associate; or when my job duties no longer require access to the computerized systems.
    8. I understand that VUMC has the right to conduct and maintain an audit trail of all accesses to Confidential Information, including, but not limited to, the machine name, user, date, and data accessed and that VUMC may conduct a review of my system activity at any time and without notice in order to monitor appropriate use.
    9. I understand and accept that I have no individual rights to or ownership interests in any Confidential Information referred to in this agreement and that therefore VUMC may at any time revoke my passwords or access codes.
    10. I understand that if I access or maintain Confidential Information on any personal device I must abide by all VUMC mobile device management policies.
    11. I will not forward Confidential Information including but not limited to PHI, pictures or videos to my personal email or to any social media accounts.
    12. I understand that it is my responsibility to be aware of VUMC Information Management policies, applicable Human Resource policies, and other policies that specifically address the handling of Confidential Information and misconduct that may warrant immediate discharge or other disciplinary action.
    13. I understand that in addition to protecting Confidential Information, if I am a VUMC Workforce Member, I am also required to be aware of the Electronic Communications and Information Technology Resources policy and to abide by all of its requirements regarding the appropriate use of VUMC computer systems.
    14. My obligation to safeguard VUMC Confidential Information, including PHI, continues after I am no longer affiliated with VUMC.
  3. If I am granted access to information pertaining to individuals located outside of the United States, I agree to the following:
    1. To access, view, process, analyze, store, or otherwise use such information only within the VUMC systems and environment approved for use of such information by VUMC Cybersecurity and the International Privacy Office.
    2. To access, view, process, analyze, store, or otherwise use such information only as instructed and authorized by VUMC.

By clicking the Accept button I am indicating that I have read, accept, and agree to abide by all of the requirements described above. I acknowledge that any violation of these requirements may result in disciplinary measures up to and including termination of employment and/or affiliation with VUMC.