URMC Compliance Program Policy Manual:
Confidentiality

URMC employees and health care professionals possess sensitive, privileged information about patients and their care. Patients properly expect that this information will be kept confidential. The System takes very seriously any violation of a patient's confidentiality. Discussing a patient's medical condition, or providing any information to other unauthorized persons, will have serious consequences for the disclosing party. Personnel should not discuss patients in public or with their families.

Each provider is the owner of the medical record which documents a patient's condition and the services received by the patient. Medical records are strictly confidential, which means that they may not be released to outside parties except with the written consent of the patient or in other limited circumstances. Special protections apply to mental health records, records of drug and alcohol abuse treatment, and HIV related information. Medical records must not be physically removed from the provider's office or facility, altered, or destroyed. Personnel who have access to medical records must take pains to preserve their confidentiality and integrity, and nobody is permitted access to the medical record of any patient without a legitimate, work-related reason for so doing. Any unauthorized release of or access to medical records should be reported to a supervisor or the Compliance Officer.

New York State has enacted a series of computer crime laws that are designed to punish and deter computer crime. In compliance with the law, URMC prohibits unauthorized access to its computer system, either directly or by network or telephone. An individual who does not have a legitimate password is unauthorized to gain access. The System also prohibits the destruction or corruption of electronically stored or processed data. Persons who violate these rules will be prosecuted to the full extent of the law.