Newly Revised Policy: UMHS Policy 01-04-390, Disciplinary Actions for Privacy & Information Security Violations. February 2013

Similar documents
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions 10210

HIPAA Orientation. Health Insurance Portability and Accountability Act

HIPAA PRIVACY POLICIES & PROCEDURES. Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING

Whitefish School District. PERSONNEL 5510 page 1 of 5 HIPAA

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

New Privacy Laws Impacting the Health Care Work Place

Pacific Medical Centers HIPAA Training for Residents, Fellows and Others

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

COMPLIANCE ALERT 10-12

HIPAA Privacy Overview

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

HIPAA Privacy & Security Training for Clinicians

HIPAA Privacy. September 21, 2013

MEDICAL OFFICE COMPLIANCE TOOLKIT. The Complete Medical Practice Compliance Resource HIPAA HITECH OSHA CLIA

HIPAA Compliance for Students

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

what your business needs to do about the new HIPAA rules

TABLE OF CONTENTS. University of Northern Colorado

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan

Understanding Your Health Record Information

HIPAA In The Workplace. What Every Employee Should Know and Remember

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

HIPAA and Mental Health Privacy:

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)

HIPAA Compliance Annual Mandatory Education

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

The ReHabilitation Center Buffalo Street. Olean. NY

SCDA and SCDA Member Benefits Group

DEPARTMENTAL POLICY. Northwestern Memorial Hospital

Healthcare Horizons Webinar Series:

ADMINISTRATIVE REQUIREMENTS OF HIPAA

Health Insurance Portability and Accountability Act (HIPAA)

The University of Texas Health Science Center at Houston Institutional Healthcare Billing Compliance Plan JANUARY 14, 2013

Community First Health Plans Breach Notification for Unsecured PHI

HIPAA Security Rule Compliance

HIPAA and Privacy Policy Training

HIPAA Refresher. HIPAA Health Insurance Portability & Accountability Act

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

HIPAA PRIVACY AND SECURITY AWARENESS

University Healthcare Physicians Compliance and Privacy Policy

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

NORTH CAROLINA WESLEYAN COLLEGE POLICY ON GENDER DISCRIMINATION AND SEXUAL HARASSMENT

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010

HIPAA/ HITECH HEALTH INSURANCE PORTABILITY ACCOUNTABILITY ACT. and. Health Information Technology for Economic and Clinical Health Act.

INDEPENDENT CONTRACTOR AGREEMENT FOR HEALTH CARE PROVIDERS

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

Montclair State University. HIPAA Security Policy

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

Privacy and Security For Managers

PROTECTING PATIENT PRIVACY and INFORMATION SECURITY

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Caldwell Community College and Technical Institute

This policy has been created using the WBC Model Policy Version December 2013.

HIPAA for Business Associates

Arizona State University. HIPAA Compliance. Audit Report Number May 7, 2015

Catholic Health HIPAA/ HITECH

COMPREHENSIVE REMOTE ACCESS AGREEMENT FOR PRIVATE MEDICAL PRACTICES OR NURSING HOMES

Patient Privacy and HIPAA/HITECH

ROYAL BOROUGH OF WINDSOR & MAIDENHEAD. Disciplinary Policy & Procedure

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

University of California Policy

HIPAA Update Focus on Breach Prevention

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND

HIPAA Education Level One For Volunteers & Observers

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Protection of Clients' Personal Health Information G & G LIVING CENTERS, INC.'s Privacy Practices

HIPAA Privacy & Security Rules

HIPAA 101: Privacy and Security Basics

CARING HOSPICE SERVICES NOTICE OF PRIVACY PRACTICES

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

HIPAA Training for the MDAA Preceptorship Program. Health Insurance Portability and Accountability Act

CODE OF ETHICS AND BUSINESS CONDUCT

Protecting Patient Privacy It s Everyone s Responsibility

POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013. To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW

HIPAA Privacy Rule Policies

HIPAA and HITECH Compliance for Cloud Applications

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

HIPAA. HIPAA and Group Health Plans

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

PROTECTED HEALTH INFORMATION

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

2016 OCR AUDIT E-BOOK

Document Title: System Administrator Policy

DISCIPLINARY PROCEDURE

The George Washington University Hospital

Let s Talk About Privacy

Annual Compliance Training. HITECH/HIPAA Refresher

DATA ACCESS POLICY. Attached is a policy statement regarding data access at the New Jersey Institute of Technology.

Health Insurance Portability and Accountability Act HIPAA Privacy Standards

Transcription:

Newly Revised Policy: UMHS Policy 01-04-390, Disciplinary Actions for Privacy & Information Security Violations February 2013

Privacy & Security Enforcement HITECH Act Mandatory Notice of Breach, subject to tight time frames To Individuals & U.S. HHS/OCR All cases of Breach ; To Media Enhanced State and Federal Enforcement: 4 Tiers of Civil Monetary Penalties (per HIPAA violation per year): Up to $1,500,000 Criminal fines: $250,000/up to 10 years. Criminal penalties expanded to individuals State attorney general can file civil action Disciplinary action policy and enforcement required Other possible reporting (e.g., State Licensure Board, National Practitioner Data Bank, etc.) 2

Background / Overview The policy was revised and approved by ECCA and the Compliance Committee in 4 th Quarter 2012 This policy combines existing Human Resources Disciplinary Guidelines with UMHS Policy 04-06-067 - Privacy Violations, Sanctions for Medical Staff Members, PAs and Clinical Program Trainees The Medical Staff policy has a six year track record and is considered a fair, consistent standard process compliant with external regulations and has been adopted by other Academic Medical Centers. The revised policy constitutes a single policy that applies to all faculty and staff - Codifies existing HR and OCA disciplinary processes to assure consistency across the health system

Multi-Disciplinary Involvement: Nursing Margay Britton, Laura Cherven, Marna Flaherty-Robb, Karen McConnell, Barb Wetula, Human Resources Rich Holcomb, Margaret Hough, Kevin Newman, Stephanie Schroeder, Office of the General Counsel David Masson Compliance Jeanne Strickland, Lauren Shellenberger Office of Clinical Affairs Heather Wurster

Key Policy Objectives Summarize consequences of privacy and information security violations Summarize Levels of Discipline (Levels 1 through 4) Identify situations that warrant assignment of a particular Level of Discipline Identify aggravating and mitigating circumstances and when they may or may not be applicable Consideration of all facts and circumstances available at time the decision is made Identify type(s) of disciplinary action that must be taken based on the Level of Discipline Take-Home Message: No Supervisor/Manager solely makes decision ALWAYS utilize HR

Investigation Process and Progressive Disciplinary Action Investigation of incident Documentation of investigation Determine level of violation Determine disciplinary action (appropriate within the level of violation) consider aggravating & mitigating factors and program impact

Disciplinary Variables Nature of the misconduct, severity of the transgression Employee s past record of disciplinary actions taken and insight Oral or written warning, or reprimand does NOT need to precede a Suspension/DLO Oral or written warning, reprimand, or Suspension/DLO does NOT need to precede a discharge

Tools and Guides Process Handout FAQ Discipline Grid Supervisor s Tips Policy http://www.med.umich.edu/umhshr/supervis or/privacy%20violation%20policy.html

Level 1 Violation Negligent Act - Carelessness Workforce member unintentionally or carelessly renders PHI in any format susceptible to being overheard, accessed, used or disclosed to unauthorized individuals. Examples: Failure to sign off a workstation. Leaving PHI in a non-secure area. Dictating or discussing PHI in a public area (e.g., cafeteria, elevator). Improper disposal Repeated occurrence of one or more of the above examples which was previously followed by verbal coaching.

Level 1 Corrective Action/Discipline Verbal coaching Verbal warning with documentation Documentation maintained in appropriate departmental file HIPAA Training via MLearning 10

Case Study: 1X Level 1 Violation: Negligent Act (Carelessness) Sanctions for Privacy & Information Security Violations While at an outpatient clinic for an appointment, a patient overheard Physician A and Physician B discussing patient s case while all were in the restroom. Patient told her mother that the two physicians stated their surprise that the patient did not have any STDs by now. The patient s mother reported the incident to Patient Relations, reported to Compliance Office as a privacy violation. OCA investigation and disciplinary action resulted. Disciplinary/Corrective Action Verbal Warning Education

Level 2 Violation Negligent Act - Not Following Procedure Workforce member acts without consideration of privacy or information security procedure or policy. Examples: Failure to take reasonable precautions to prevent incidental disclosure of highly sensitive PHI (e.g., HIV status.) Failure to follow the minimum necessary standard (e.g., releasing more information than applicable to a work-related injury to a workers compensation carrier) Additional Level 1 violation(s), regardless of type, which was followed by disciplinary action (prior misconduct resulting in discipline.) 12

Level 2 Corrective Action/Discipline Written warning Documentation maintained in appropriate departmental file HIPAA Training via MLearning 13

Level 2 Violation: Negligent Act (Not following procedure) Case Study: 2X Sanctions for Privacy & Information Security Violations Physician disclosed a patient s HIV status to patient s son, despite patient s request that this information not be released to the son. The patient and patient s friend, who accompanied patient during the clinic visit, confirmed that the son exited and entered throughout the course of the physician s consultation with the patient, thus substantiating physician s claim that the disclosure was inadvertent. Disciplinary/Corrective Action Written Warning Education

Level 3 Violation Purposeful Act - Deliberate act out of curiosity or concern Workforce member intentionally accesses, reviews, or uses or discloses confidential information or systems without documented authorization to do so, due to curiosity or concern, but unrelated to personal gain or malicious intent. Examples: Sharing ID/password with another coworker or using another person's ID/password. Accessing and reviewing the medical record of a patient without written authorization solely out of curiosity or concern, but with no malicious intent and/or not for personal gain Additional Level 1 and/or Level 2 violation(s), regardless of type, which was followed by disciplinary action (prior misconduct resulting in discipline.) 15

Level 3 Corrective Action/Discipline Suspension / Probation / Disciplinary Lay Off (DLO) in accordance with any applicable Bylaws, Collective Bargaining Agreement, etc. HIPAA Training via Mlearning (except in the case of discharge) 16

Case Study: 3X Level 3 Violation: Purposeful Act (Curiosity or Concern) Sanctions for Privacy & Information Security Violations An employee sent flowers to the home of a patient/fellow employee, after accessing the address information in co-worker s medical record. Case Study: 4X During the hospital stay of a famous Patient Doe, a routine audit of access revealed a two employees accessed the record out of curiosity about the severity of an injury, rather than with a clinical need to know. Disciplinary/Corrective Action Peer Review Investigation (Physician) Sanctions Medical Staff & Physician Assistant: Suspension of clinical privileges, additional privacy training, participation in an educational activity, potential report to the State Board Clinical Program Trainee (Resident): Probation Non-Medical Staff: Disciplinary Lay off, additional privacy training/education corrective action All: Additional Education

Level 4 Violation Purposeful Act - Blatant Misuse / Gross Negligence Workforce member accesses, reviews, or discloses confidential information or fails to comply with information security safeguards that result in loss of availability, integrity, and confidentiality of systems and/or damage to the health system s reputation, or uses the data for personal gain or with malicious intent. Examples: Accessing or allowing access to patient record without legitimate reason for personal gain or malicious intent. Tampering with or unauthorized destruction or disposal of PHI. Additional Level 3 violation(s), regardless of type, which was followed by disciplinary action (prior misconduct resulting in discipline.) 18

Level 4 Corrective Action/Discipline Discharge/Termination/Corrective Action in accordance with applicable Bylaws, Collective Bargaining Agreements, with reporting to appropriate agencies, as applicable (e.g., licensure board, national practitioner databank, etc.) 19

Case Study: 5X Level 4 Violation: Purposeful Act (Blatant Misuse) Sanctions for Privacy & Information Security Violations Employee A and wife reconciled after wife s affair with her lover (a UMHS patient.) Employee A agreed to the wife s request to look at the ex-lover s medical record. The wife and her lover later reunited, and the wife reported her husband s inappropriate access. When confronted, Employee A (a physician) quit immediately, but resignation in lieu of investigation triggers a report to the State Licensure Board. Disciplinary/Corrective Action Medical Staff & Physician Assistant: Initiate Corrective Action per Medical Staff Bylaws Clinical Program Trainee (Resident): Initiate Corrective Action per Medical Staff Bylaws and HOA Contract Non-Medical Staff: Initiate Discharge Process

Aggravating/Mitigating Factors Consider aggravating or mitigating factors to determine the appropriate disciplinary action within the disciplinary action range of the applicable level violation. Exception: Mitigating factors are not relevant in determining the disciplinary action when it is determined that a workforce member has accessed, used and/or disclosed a patient s electronic medical record with malicious intent and/or for personal gain. 21

Target Effective Date: March 15, 2013 Education Rollout between now and March 15, 2013, spear-headed by Human Resources with involvement from Nursing, OCA, and Compliance

Extenuating Circumstances? Perhaps Investigations can reveal: Illness causing judgment errors Power of Attorney rescinded, so permission to access can become permission denied Etc. Each case is fact-specific, unique HR and/or OCA investigates each case forwarded by Compliance or other sources to determine the validity of the alleged violation, type of violation, and associated consequences, if applicable. Take-Home Message: No Supervisor/Manager solely makes decision ALWAYS utilize HR

References UMHS Policy 01-04-390, Discipline for Violations of Privacy or Security of Protected Health Information (PHI) or Other Sensitive Information for All UMHS Workforce: http://www.med.umich.edu/i/policies/umh/01-04-390.htm Human Resources Website Information: http://www.med.umich.edu/umhshr/supervisor/privacy%20violatio n%20policy.html UMHS Compliance Office HIPAA FAQs: http://www.med.umich.edu/u/compliance/area/privacy/faq.htm Direct privacy-related questions to: HIPAA-Questions@med.umich.edu or call Compliance Office 615-4400

Global User messages - During February and March 2013. HR and PRMC working on the messages. This will help to educate all UMHS staff and make them aware that things have gone to a higher level of scrutiny relative to HIPAA violations. Next Steps/Roll out HR Business Unit Managers, Consultants and Generalists These groups have been educated on the Policy, but training will continue through March 2013, including reviewing and discussing cases that arise and the pertinent issues, to ensure as thorough an understanding of the Levels of Violations and Disciplinary Action as possible. Leadership Groups - Presentations will be made to various groups in February and March. During those presentations, we will ask that each Director, Manager, Chair, etc. share the information (via HR Documents including Disciplinary Grid, Power Point Presentation, FAQs, and Process document) with their respective leadership groups in order to push the information down into the organization. (Within HR, appropriate HR professional will help coordinate and participate in those presentations so as to establish the correct protocol and to be the primary educator on the policy. This will likely be more intensive for those business units with direct patient care responsibilities.)

Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information