Module 3 - HIPAA Employee Corrective Action Process for Breach of Patient Confidentiality
Objectives
Demonstrate the process to protect patients, employees and MHHS from inappropriate access, tampering or dissemination of Protected Health Information (PHI). Define the corrective action for Privacy and Security Breaches.
Policy Purpose
The purpose of this Policy is to protect the Patient, Employee(s), and Memorial Hermann from inappropriate access, tampering or dissemination of Protected Health Information, and to set forth the corrective action process for Breaches.
Definitions
Capitalized terms used but not otherwise defined shall have the meaning provided under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its implementing policies and procedures.

1. Breach means the acquisition, access, use or disclosure of PHI which violates the HIPAA Privacy Rule and Compromises the Security or Privacy of the PHI. A Breach excludes:
(i) Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Memorial Hermann or a Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule.
(ii) Any inadvertent disclosure by a person who is authorized to access PHI at Memorial Hermann or a Business Associate to another person authorized to access PHI at Memorial Hermann or a Business Associate, or at an organized health care arrangement in which Memorial Hermann participates, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule.
(iii) A disclosure of PHI where Memorial Hermann or a Business Associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Compromises the Security or Privacy of the PHI means an acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule. Such an acquisition, access, use, or disclosure is presumed to be a Breach unless Memorial Hermann or its Business Associate, as applicable, demonstrates, based upon a risk assessment of at least the following factors, that there is a low probability that the PHI has been compromised:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.

2. Privacy Violation: a breach of confidentiality involving the verbal, written, or electronic.
3. Information Security Violation: a breach of the integrity, availability, or confidentiality of a system, or any failure to adhere to approved information security policies for electronic information and systems.
4. Reportable Event: any known or suspected incident, action or practice inconsistent with any Memorial Hermann privacy or information security policy.
5. Negligent Act: a reportable event resulting from lack of care or attention to process or procedure, or from carelessness.
6. Deliberate Act: a reportable event resulting from a deliberate act.
7. Self-reported Accidental Act: an unintentional or unexpected failure to follow an established procedure that is promptly reported by the individual responsible for the event to the Privacy Office.
8. Complaint: PHI files a complaint with the Memorial Hermann Privacy Office, other Memorial Hermann facility authority, or the Office of Civil Rights.
Policy Statement
Report any potential or actual Breaches, Privacy Violations, Information Security Violations, or Reportable Events immediately (same day) upon discovery to the Memorial Hermann Privacy Office, and take appropriate action to address each verified violation according to this Policy. Each Memorial Hermann Clinical Staff member, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, and Vendor is responsible for reporting any known or suspected Breach, Privacy Violation, Information Security Violation, or Reportable Event, or any other action or practice that is inconsistent with any Memorial Hermann privacy or information security policy, to the Memorial Hermann Privacy Office.

Individuals who accidentally violate the confidentiality or security of information policy are expected to promptly self-report the incident. Failure to self-report an accidental Breach is considered a Negligent Act. The Privacy Office is responsible for investigating and evaluating the specific facts and circumstances of each reported Breach, Privacy Violation, Information Security Violation, or Reportable Event, to determine whether a violation has occurred and, if so, the level of the violation.

Factors considered in evaluating the reported event include:
- The degree to which the specifics of the alleged incident can be verified through audit trails, interviews or other facts;
- Whether the conduct that led to the incident was negligent or deliberate;
- Whether the incident was a promptly self-reported accident;
- Whether the inappropriate use, disclosure, or conduct caused harm, or is likely to cause harm, to a patient, other person, or information infrastructure operations;
- The number of individuals or systems that were affected by the incident.

If the Privacy Office determines that a violation has occurred, he/she will notify the Clinical Staff member, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, or Vendor and the associated (when appropriate). The Privacy Office will also work with Human Resource Advice & Counsel Services to determine the level of corrective action warranted. All corrective actions (verbal, written, final written, and termination) must be entered into Workday no later than seven (7) working days after the corrective action is taken.
Levels of Violations

1. Level 1: Negligent Act, Unintentional
a. This level of violation occurs when a Clinical Staff member, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, Vendor, or anyone associated with Memorial Hermann unintentionally or carelessly does something that leaves Protected Health Information (PHI) or Confidential Information susceptible to being overheard, accessed, or revealed to unauthorized individuals.
b. Corrective Action for Level 1 Violations:
1. Verbal
2. Written
3. Final Written
4. Termination
c. Examples of Level 1 Violations include:
1. Accidentally emailing a file that includes PHI or other Confidential Information to the wrong person or persons;
2. Accidentally faxing PHI or Confidential Information to an incorrect fax number.

2. Level 2: Negligent Act, Intentional
a. This level of violation occurs when a Clinical Staff member, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, Vendor, or anyone associated with Memorial Hermann takes an action that fails to comply with a privacy or information security procedure or policy, resulting in a potential or actual Breach, Privacy Violation, Information Security Violation, or Reportable Event.
b. Corrective Action for Level 2 Violations:
1. Written
2. Final Written
3. Termination
c. Examples of Level 2 Violations include:
1. Releasing information to a caller about a Patient without proper consent, authorization or verification;
2. Releasing information about a Patient who is designated as a care of the Patient or otherwise required to have access to the information to do their job at Memorial Hermann;
3. Gossiping or sharing information about a Memorial Hermann have access to that information;
4. Failure to follow defined policies or procedures that results in unintentional or incidental disclosure of highly sensitive patient information, causing distress or harm to the Patient;
5. Failure to account for disclosures as required by law and policy within the Memorial Hermann Web Disclose Tracking system;
6. Sharing an ID/password with another person, or using another system in which the user does not have role-based access;
7. Leaving PHI visible and accessible to the public and others not authorized to have access to the information;
8. Repeated incidents of Level 1 violations or self-reported accidental acts;
9.
10. Looking up birthdates, addresses, or other demographic or insurance information about a Patient without a need to know;
11. Accessing or connecting to Memorial Hermann information systems (e.g., computers, servers, routers, switches) without authorization;
12. Attempting to gain unauthorized or inappropriate access to any system or data.