Page 21 - Privacy_Program
Employees DP112.1c
GES Confidential Information: Information that must never go outside the
organization or be used within the organization without strict adherence
to organizational policies and procedures, and all applicable state and
federal data privacy and security rules. This information, if publicly
exposed, could cause irreversible harm to an individual or GESMN. Privacy
Restricted Participant Information (PRPI) cannot be disclosed outside of
the organization without a signed Authorization for Release of Information
Form from the participant unless specifically permitted by GESMN Privacy
and Data Security Policies or with approval from the Director of
Information Technology, Privacy and Data Security.
Individual‐Specific Information, including Employee‐Specific, Participant‐
Specific and Customer‐Specific Information. Information about an
individual (whether an employee, participant or store customer) will
always be Privacy Restricted Information. Examples include Social Security
numbers, driver’s license numbers and other personal data, credit card
numbers, bank account numbers and other financial data, all information
in a participant’s case file, an Excel spreadsheet containing a list of participant
names, the health record of an employee or program participant (this
includes verbal, written and electronic disclosures without the proper
authorizations), employee files including personal contact information and
performance reviews, and passwords and other information unique to an
individual that may be used to access Confidential Business Information or
other Privacy Restricted Information (this includes “loaning” security badges
and bypassing other GESMN security systems designed to restrict access to
certain designated areas).
Protected Health Information (“PHI”) is any health information, including
demographic information collected from an individual, transmitted or
maintained in any form or medium; that is created or received by GESMN
and relates to the past, present or future physical or mental health or
condition of a participant; the provision of health care to a participant; or
the past, present, or future payment for the provision of health care to a
participant; and that identifies the participant; or with respect to which
there is a reasonable basis to believe the information can be used to identify
the individual.
Other health information about an employee, customer or participant in
other services will not be PHI but will be Privacy Restricted Information
(Individual‐Specific Information). (See DP‐113 IDENTIFYING PROTECTED
HEALTH INFORMATION for detailed definition.) GESMN also has access to
PHI with respect to the health flexible spending account for its employees.
GESMN has separate HIPAA policies (Human Resources) for its health
flexible spending account.
GES CONFIDENTIAL 21