IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions 10210

Transcription

1 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title: Sanctions Responsible Executive (RE): General Counsel Sponsoring Organization (SO): Office of General Counsel Dates: Effective Date: Revised: Annual Review: I. POLICY STATEMENT The purpose of this policy is to provide guidance and guidelines for imposing appropriate sanctions against workforce members that violate ISU s HIPAA policies, in accordance with 45 CFR and (a)(1)(ii)(C). II. AUTHORITY AND RESPONSIBILITIES ISU is a hybrid entity in accordance with ISU s HIPPA Privacy Policy Only the health care component (i.e., the covered functions) of ISU must comply with this policy. All references in this policy to ISU shall be construed to refer only to the health care component of ISU. III. DEFINITIONS See HIPAA Privacy Policy IV. PROCEDURES TO IMPLEMENT A. The Privacy Officer shall be responsible for determining, in conjunction with other appropriate personnel (e.g., HR, CEO, legal, department supervisor of the workforce member in question), whether a policy violation has occurred and if so, the sanctions that should be imposed. B. Sanctions for privacy and information security-related violations must be applied consistently. C. This section describes methods for determining the response to a privacy and/or information security policy violation. The procedure includes an outline of categories of HIPAA Privacy & Security Sanctions Page 1 of 5

2 violations with examples and recommended appropriate actions. The ISU Human Resources Director should be involved in all policy and disciplinary action decisions. Examples below are for illustrative purposes only. D. The Privacy and Security Officer must review the investigation results regarding the following factors before assigning a category of violation (see Violation Categories and Examples). Questions to consider are: 1. Was the inappropriate use of disclosure of PHI negligent or was it intentional? 2. How egregious was the policy violation; in other words, how severe? a. How many patients were affected? b. To what degree was a patient harmed? c. Did the inappropriate action (or omission) cause harm or is it likely to cause harm? d. To what degree is the confidentiality, integrity, and/or availability of the covered entity s systems or data impacted? e. To what degree did the workforce member s action (or failure to act) place the covered entity s systems or network at risk? 3. Is the covered entity able to verify the workforce member s policy violation through audit trails, interviews, or other facts and circumstances? 4. In addition to the nature of the policy violation itself, answers to the following questions may affect the severity of disciplinary action: a. Has the workforce member been disciplined for HIPAA policy violations before? b. What is the workforce member s past work record regarding policy compliance? Does the workforce member have any written warnings or verbal reprimands for HIPAA policy violations in his/her HR file? c. Does the workforce member appear to comprehend how he/she failed to comply with the HIPAA policy? d. Did the workforce member reasonably believe he/she was acting in compliance with HIPAA policies? e. After explanation and retraining, does the employee appear to understand how to avoid the policy violation in the future? E. Violation Categories and Examples For purposes of this policy two violation categories will be used and examples of each provided. The two categories are: 1. Negligent, and 2. Intentional. F. Negligent Violation Examples: 1. Not properly verifying individuals by phone, in person, or in writing. (Negligent) Example: A workforce member receives a call from a physician who is calling for a status report on his patient. Rather than sending the requested information via fax to HIPAA Privacy & Security Sanctions Page 2 of 5

3 the physician s office or via secure to the physician s on-file address, the customer service representative releases the information over the phone without asking for any additional identification information from the physician. The person calling is found to be co-worker of the patient (not involved in the care of the patient) who simply wanted to know the patient s diagnosis. a. Negligent Violation: Failure to verify requestor and follow facility procedure. b. Recommended Action: Warning with retraining regarding applicable policies. 2. Improper protection of medical records or other PHI (Negligent) Example: Billing and collections personnel leave medical records on counters in their department, visible and available to personnel who work outside the billing and collections department. a. Negligent Violation: Failure to safeguard health information and follow procedure. b. Recommended Action: Warning and retraining regarding applicable policies. c. Note: The work areas should be surveyed to ensure that reasonable safeguards are applied to further protect patient privacy. Files should be kept out of sight when not in use or when left unsecured; after hours or when not in use, files should be kept locked or otherwise secured. 3. Faxing information to an incorrect fax number in error. (Negligent) Example: Workforce member is working with an insurance company to get a patient s stay certified. The workforce member dials the number and sends the fax without double-checking the number dialed. The workforce member transposes a number, inadvertently faxing information to a beauty salon. a. Negligent Violation: Failure to safeguard health information and follow procedure. b. Recommended Action: Warning with retraining, document. In addition, the employee should be instructed to pre-program fax numbers to commonly called insurers (with annual confirmation that number remains the same). For first time calls to new numbers, the employee should double-check fax numbers prior to sending faxes. 4. Failure to properly safeguard PHI or systems storing PHI or other confidential or restricted information. (Negligent) Example: During routine security monitoring rounds, a workforce member is seen leaving her workstation for the day without signing off. a. Negligent Violation: Failure to safeguard health information. b. Recommended Action: Warning with retraining HIPAA Privacy & Security Sanctions Page 3 of 5

4 G. Intentional Violation Examples: 1. Accessing or using PHI without having a legitimate need to do so. (Intentional) Example: An employee who is curious about the status of a friend who is having surgery accesses the record. a. Intentional Policy Violation: Failure to meet the minimum necessary requirement. b. Recommended Action: Options range between the following lowest sanction: Written warning with retraining; document. Highest sanction: Termination of employee, particularly if there is any past history of inappropriate access. c. Note: This event may have caused a HIPAA Breach under HIPAA Privacy Policy 10240, and the analyses set forth in Policy should be performed. Also, the covered entity must account for this disclosure in accordance with HIPAA Privacy Policy Allowing another workforce member to utilize the Laboratory Information System, or LIS, using the employee s password. (Intentional) Example: Workforce member without authorization from her supervisor asks another workforce member to help her input data and otherwise perform her job. To hide the fact, she gives her log on identification and password to her co-worker. a. Intentional Policy Violation: Failure to comply with reasonable safeguards requirement and minimum necessary standard. b. Recommended Action: Options range between the following lowest sanction: Written warning with retraining for employees involved; document. Highest sanction: Termination of employees involved. 3. Any uses or disclosures that could invoke harm to a patient. (Intentional) Example: An employee calls the ex-spouse of a patient to let him know that his wife has cancer because the employee feels that the ex-spouse had a right to know. a. Intentional Policy Violation: Intentional disregard for policies, failure to meet minimum necessary requirements. b. Recommended Action: The employee should be terminated and the reasons documented in personnel file. c. Note: This event may have caused a HIPAA Breach under HIPAA Privacy Policy 10240, and the analyses set forth in Policy should be performed. Also, the covered entity must account for this disclosure in accordance with HIPAA Privacy Policy V. REFERENCES HIPAA Privacy Policies 10240, 10020, CFR , (a)(1)(ii)(C) VI. ATTACHMENTS HIPAA Privacy & Security Sanctions Page 4 of 5

5 N/A PRESIDENTIAL CERTIFICATION Approved by Arthur C. Vailas President, Idaho State University Date: OGC use only: Received by OGC on by (initial). Published to ISUPP on by (initial) HIPAA Privacy & Security Sanctions Page 5 of 5