Patient Privacy Investigations and Levels of Violation: Difference between revisions

From University of Nebraska Medical Center
No edit summary
(4 intermediate revisions by 2 users not shown)
Line 26: Line 26:
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI As Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
<br /><br />
<br /><br />
Policy No.: '''6302'''<br />
Policy No.: '''6302'''<br />
Effective Date: '''11/02/20'''<br />
Effective Date: '''11/02/20'''<br />
Revised Date: <br />
Revised Date: '''draft 10/28/22'''<br />
Revised Date: <br />
Revised Date: <br />
<br />
<br />
<big>'''Policy on Patient Privacy Investigations and Levels of Violation'''</big><br /><br />
<big>'''Policy on Patient Privacy Investigations and Levels of Violation'''</big><br /><br />
==Purpose of Policy==
==Purpose of Policy==
The University of Nebraska Medical Center (UNMC) takes protecting protected health information extremely seriously. Our goal is to ensure consistent investigation of, and to apply consistent sanction to impermissible uses or disclosures of protected health information.
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.
==Policy==
==Policy==
UNMC Workforce Members shall report, and the Privacy Office shall consistently investigate, suspected patient privacy incidents to ensure patient and employee/patient confidentiality is maintained and to mitigate any adverse effects resulting from such incidents. Consistent sanctions shall be applied by UNMC for violations of patient privacy pursuant to the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Nebraska Medicine/UNMC Workforce members shall report, and the [mailto:privacy@nebraskamed.com Privacy Office] shall investigate, suspected patient Privacy Incidents to ensure patient and employee/patient confidentiality is maintained and to help mitigate any adverse effects resulting from such incidents. Appropriate sanctions shall be consistently applied by Nebraska Medicine/UNMC for violations of patient privacy pursuant to the requirements of the [https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)].
==Definitions==
'''Affiliated Covered Entity (ACE)''' means legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.<br />
<br />
'''Breach of Unsecured Protected Health Information (PHI)''' means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unsecured PHI is: 1) e-PHI that has not been encrypted; and 2) paper, film or hardcopy PHI that has not been shredded or destroyed, such that it cannot be read or otherwise reconstructed. <br />
<br />
'''Business Associate''' means a third party who performs services on behalf of an ACE member and has access to protected health information (PHI) when performing services; or provides one of the following services for the ACE involving access to PHI: claims processing, data analysis, data processing, practice management, utilization review, quality assurance, billing, benefit management, and repricing.<br />
<br />
'''Privacy Incident''' means an improper use or disclosure of Protected Health Information. See UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use and Disclosure of Protected Health Information] for permitted uses of Protected Health Information.<br />
<br />
'''Privacy Office''' means the Nebraska Medicine/UNMC Privacy Office. The Privacy Office can be reached at 402-559-5136 or at [mailto:privacy@nebraskamed.com Privacy Office]. <br />
<br />
'''Protected Health Information (PHI)''' means individually identifiable health information. Health information means any information, whether oral or recorded in any medium that:<br />
a. is created or received by member(s) of the ACE; and <br />
b. relates to the past, present, or future physical or mental health or condition of the individual; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to an individual.<br />
 
Health information is individually identifiable, and therefore considered PHI, unless 18 identifiers of the individual or of relatives, employers, or household members of the individual have been removed and the ACE does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use and Disclosure of Protected Health Information] for the list of 18 identifiers.<br />
 
'''e-PHI''' means Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.<br />
<br />
'''Workforce''' means ACE member employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the ACE member, is under the direct control of the ACE member, whether or not they are paid by the ACE member.  
==Procedures==
==Procedures==
#Suspected patient privacy incidents shall be reported to the [mailto:Privacy@NebraskaMed.com Privacy Office] immediately for further investigation.   
#Suspected Privacy Incidents shall be reported to the Privacy Office immediately for further investigation.   
##Workforce Members and Business Associates must immediately notify the Privacy Office of any suspected impermissible use or disclosure of PHI of which they are aware. The Privacy Office will investigate all reports to determine if the incident violates UNMC privacy and/or information security policies, HIPAA, or any other related federal or state privacy law or regulation.   
##Workforce members must immediately notify the Privacy Office of any suspected unauthorized use or disclosure of Protected Health Information (PHI) of which they are or become aware:
##Individuals who desire to remain anonymous may report the violation or suspected violation through the UNMC Compliance Hotline number at 844-348-9584.
###The Privacy Office can be reached at 402-559-5136 or at privacy@nebraskamed.com. 
#For patient privacy investigations involving UNMC Workforce Members, the Privacy Office will work with UNMC Human Resources (Employee Relations).
###Individuals who desire to remain anonymous may report the suspected Privacy Incident through the Compliance Hotline at 800-822-8310. 
##Privacy Office identifies or is notified of a potential privacy violation.
###The Medical Staff may report suspected Privacy Incidents to the System Chief Medical Officer (CMO).
##Privacy Office will contact Employee Relations regarding violation.
##The Privacy Office will investigate all reports to determine if the suspected Privacy Incident violates Nebraska Medicine/UNMC privacy and/or information security policies, HIPAA, or any other related federal or state privacy law or regulation.   
##Privacy Office will lead the investigation.
#For patient privacy investigations involving Workforce members, the Privacy Office will work with Nebraska Medicine/UNMC Human Resources (Employee Relations) as follows:
###Privacy Office will initiate contact with operational leadership (department managers) and other stakeholders.
##Privacy Office identifies or is notified of a potential Privacy Incident.
###Employee Relations will coordinate interviews with employees.
##Privacy Office contacts Employee Relations regarding suspected Privacy Incident.  
###Privacy Office participates in the interview process.
##Employees Relations initiates investigation.
##Privacy Office will discuss outcome of investigation with Employee Relations for input on Level of Breach.
###Employee Relations works with operational leadership on coordinating interviews with stakeholders, witnesses and other key Workforce members. Interviews will be conducted either in-person or via Zoom or other similar technology with secure audio and video capabilities. If secure audio and video capabilities are unavailable for any reason, an in-person interview will be conducted.
##Employee Relations will work with manager to determine next steps.
###Privacy Office will participate in the interview process.
##Employee Relations will notify the Privacy Office in writing of the final outcome including any corrective or disciplinary action.
##Employee Relations discusses outcome of investigation with Privacy Office for input on level of violation.
###Privacy violation documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years.
##Employee Relations determines outcome of the investigation, and advises manager on next steps  
#For patient privacy investigations involving dually employed (UNMC/Nebraska Medicine), or solely employed members of the medical staff or community/private practice members of the medical staff, the Privacy Office will work with the Chief Medical Officer (CMO), Nebraska Medicine Medical Staff leadership, Legal Services, Chief of Staff and/or Clinical Chair as appropriate on proper course of action for investigation and outcome.
##Employee Relations will notify the Privacy Office in writing of the final outcome
##Privacy identifies or is notified of a potential privacy violation.
###Corrective actions resulting from Privacy Incidents involving employed individuals must be documented in writing by Human Resources, regardless of the level of corrective action.
##Privacy contacts Chief Medical Officer regarding violation to initiate investigation.
###Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office.
###Privacy Office works with CMO on coordinating interviews with stakeholders, witnesses, and other key workforce members.
#For Privacy Incident investigations involving dually employed or solely employed members of the medical staff or community/private practice members of the medical staff, the Privacy Office will work with the CMO, Nebraska Medicine Medical Staff leadership, Legal Services, Chief of Staff and/or Clinical Chair, as appropriate, on the proper course of action for the investigation and its outcome as follows:
###Privacy Office and/or Legal Services will participate in the interview process.
##Privacy Office identifies or is notified of a potential Privacy Incident
##CMO discusses outcome of investigation with Privacy Office for input on Level of Breach.
##Privacy Office contacts CMO regarding potential Privacy Incident to initiate investigation.
##CMO determines outcome and contacts Privacy Office, Nebraska Medicine and UNMC leadership as applicable to advise on next steps.
###Privacy Office works with CMO on coordinating interviews with stakeholders, witnesses, and other key Workforce members if/as needed.
##CMO will notify the Privacy Office in writing of the final outcome.
###Privacy Office and/or Legal Services will participate in the interview process if/as needed.
##CMO discusses outcome of investigation with Privacy Office for input on level of violation.  
##CMO determines outcome and contacts Privacy Office and Nebraska Medicine and UNMC leadership, as applicable, to advise on next steps.
##CMO will notify the Privacy Office in writing of the investigation’s final outcome.
###Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office.
###Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office.
#Privacy Office will be responsible for any required notification as a result of a breach of patient privacy.
#Privacy Office will be responsible for any required patient notification as a result of a Breach of Unsecured PHI.
##Privacy Incidents involving UNMC employees must be reported to and documented in writing by Human Resources. A summary of the Privacy Incident, investigation outcome, and any corrective or disciplinary action will be documented by the Privacy Office. Privacy Incident summaries must be available for internal and external oversight and regulatory responses.
==Definitions==
===Affiliated Covered Entity (ACE)===
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
===Breach of Unsecured PHI ===
The unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons, such as e-PHI that has not been encrypted and any physical copy of PHI (e.g., in paper, film or hardcopy) that has not been shredded or destroyed such that it cannot be read or otherwise reconstructed.  
===Business Associate===
A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
===e-PHI ===
Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.
===Health Information===
Individually identifiable, and therefore considered PHI, unless 18 identifiers of the individual or of relatives, employers or household members of the individual have been removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]] for the list of 18 identifiers.
===Privacy Incident===
An unauthorized use or disclosure of Protected Health Information. See UNMC Policy No. 6057, [[Use and Disclosure of Protected Health Information]] or Nebraska Medicine Use and Disclosure of Protected Health Information policy, IM.12 for permitted uses and disclosures of PHI.
===Privacy Office===
The Nebraska Medicine/UNMC Privacy Office. The Privacy Office can be reached at (402) 559-5136 or at [mailto:privacy@nebraskamed.com Privacy Office].
===Protected Health Information (PHI)===
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*is created or received by UNMC/ACE; and
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*an Individual’s genetic tests;
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and  
*employment records held by UNMC in its role as employer.
===Workforce===
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.
==Appendix A==
==Appendix A==
===Levels of Violations ===
===Levels of Violations ===
The violation levels and corrective actions described in this Appendix A are guidelines. UNMC follows a progressive disciplinary action process up to and including termination. The actual level of violation will be determined by the Privacy Office and corrective action will be recommended by Human Resources.<br />
The violation levels and corrective actions described in this Appendix A are guidelines. The actual level of violation will be determined by the Privacy Office and corrective action will be determined by Human Resources and/or the CMO, as applicable.<br />


Factors that may be considered in determining appropriate corrective action include, but are not limited to:
Factors that may be considered in determining appropriate corrective action include, but are not limited to:
#Whether the Workforce Member’s conduct appears to be intentional or unintentional;
 
#The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional improper access of even one patient is a significant breach to the affected patient;
#Whether the Workforce member’s conduct appears to be intentional or unintentional or inadvertant;
#The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional unauthorized access, use or disclosure of even one patient’s PHI is an unacceptable breach to the affected patient;
#Whether the conduct included an element of malice, or desire for personal or financial gain;
#Whether the conduct included an element of malice, or desire for personal or financial gain;
#The risk of reputational, financial or other harm to the victim(s) or UNMC;
#The risk of reputational, financial or other harm to the victim(s) or Nebraska Medicine/UNMC;
#Whether the Workforce Member has committed prior privacy violations; and
#Whether the Workforce member has committed prior privacy violations;  
#The Workforce Member’s conduct and cooperation during the investigation.
#The Workforce member’s conduct and cooperation during the investigation; and
#Overall performance and status of the employee in the organization.
#Overall performance and status of the employee in the organization.
#Overall performance and status of the employee in the organization.


In addition to any corrective action taken by Human Resources, Workforce Members may be subject to referral to applicable licensing boards.<br />
In addition to any corrective action taken by Human Resources, Workforce members may be subject to referral to applicable licensing boards. In addition, the Privacy Office may be required to report any breach of PHI to the Office for Civil Rights, which enforces HIPAA.<br />


{| class="wikitable"
{| class="wikitable"
|-
|-
!Level 1 Violation: Careless and Unintentional.  
!Level 1 Violation: Careless and Unintentional.  
|-
|-
| '''Level 1 violation''' can generally be described as careless or unintentional. These actions may be due to momentary lack of attention/focus, inattention to detail. The individual unknowingly violated patient privacy, and only became aware of the violation after the act. <br />
| '''Level 1 violation''' can generally be described as careless or unintentional. These actions may be due to momentary lack of attention/focus or inattention to detail. The individual unknowingly violated patient privacy and only became aware of the violation after the act. <br />


Level 1 violation may result in a discussion with the employee, a verbal warning, or further corrective and disciplinary action up to and including termination.
Level 1 violations may result in, but are not limited to, a first or second written corrective action.
|}
|}


{| class="wikitable"
{| class="wikitable"
|-
|-
! Level 2 Violation: Reckless, Intentional or Willful Disregard  
! Level 2 Violation: Reckless, Intentional or Willful Disregard  
|-
|-
| '''Level 2 violation''' can generally be described as reckless, intentional or willful disregard of policies/procedures/protocols. Choosing to disregard procedures, is considered reckless and intentional. <br />
| '''Level 2 violation''' can generally be described as reckless, intentional, or willful disregard of policies/procedures/protocols. Choosing to disregard procedures is considered reckless, intentional and willful disregard. Violations are considered level 2 when the individual knows or should know the right thing to do and chooses to do otherwise. <br />


Violations may also be considered level 2 when the individual knows or should know the right thing to do and chooses to do otherwise;  the violations are of significant volume, distribution, scope, or involve highly sensitive information, or where the individual has been made aware of the mistake and so should be less likely to make the same mistake again.<br />
Level 2 sanctions may also apply to successive level 1 violations, where the individual has been made aware of the mistake and so should be less likely to make the same mistake again. Level 2 sanctions may also be appropriate for level 1 violations that are of significant volume, distribution, or scope or involve highly sensitive information. <br />


Level 2 violation may result in a written warning, or further corrective and disciplinary action up to and including termination.
Level 2 violations may result in, but are not limited to, a final written corrective action.
|}
|}


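Review bot: the revised revision in this hunk still carries a draft marker and several leftover editing defects. "Revised Date: '''draft 10/28/22'''" should be replaced with the actual revision date before the policy is published; "Employees Relations initiates investigation." should read "Employee Relations"; "intentional or unintentional or inadvertant" has a spelling error ("inadvertent") and a doubled "or"; and "Overall performance and status of the employee in the organization." appears twice in the revised list of factors, so one copy should be dropped. The anonymous reporting number also changes from 844-348-9584 to 800-822-8310 in this hunk; confirm that the new number is the intended Compliance Hotline, since the rendered page is what Workforce members will rely on when reporting a suspected Privacy Incident.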
Line 123: Line 136:
! Level 3 Violation: Malice, Gross Misconduct, Personal Gain or Violation of Patient Privacy
! Level 3 Violation: Malice, Gross Misconduct, Personal Gain or Violation of Patient Privacy
|-
|-
| '''Level 3 violation''' can generally be described as knowingly violating policies/procedures/protocols (a level 2 violation) with an element of malice, gross misconduct, and/or personal gain, or as intentional violation of the privacy of a patient who is not a member of the individual’s household.  <br />
| '''Level 3 violation''' can generally be described as knowingly violating policies/procedures/protocols (a level 2 violation) with an element of malice, gross misconduct, and/or personal gain or as intentional violation of the privacy of a patient who is generally not a member of the individual’s household.<br />
   
Level 3 sanctions may also be appropriate for level 1 or level 2 violations that are of significant volume, distribution, or scope or involve highly sensitive information. <br />


Level 3 violations may result in a written warning or further corrective and disciplinary action up to and including termination.  
Level 3 violations may result in termination.  
|}
|}
==Additional Information==
==Additional Information==
*Contact the [mailto:privacy@nebraskamed.com Privacy Office] or at 402-559-5136.
*Contact the [mailto:privacy@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136.
*Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545.
*Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545.
*Contact [https://www.unmc.edu/human-resources/about/contact-hr.html Human Resources, Employee Relations], 402-559-7394, 402-559-8534 or 402-559-4371
*Contact [https://www.unmc.edu/human-resources/about/contact-hr.html Human Resources, Employee Relations], 402-559-7394, 402-559-8534 or 402-559-4371
*UNMC Policy 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]
*Contact Legal Services at _______________________  phone # and email(s)  (should this be UNMC or Nebraska medicine contacts? or both?)
*UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]
*UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information]
*UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information]
*UNMC Policy No. 6051, [https://wiki.unmc.edu/index.php/Computer_Use/Electronic_Information Computer Use/Electronic Information]
*UNMC Policy No. 6051, [https://wiki.unmc.edu/index.php/Computer_Use/Electronic_Information Computer Use/Electronic Information]
*UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use and Disclosure of Protected Health Information]
*UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use and Disclosure of Protected Health Information]
 
*Nebraska Medicine Use and Disclosure of Protected Health Information policy, IM.12
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].
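Review bot: the Additional Information list in the revised revision still contains an unresolved editor's placeholder, "Contact Legal Services at _______________________ phone # and email(s) (should this be UNMC or Nebraska medicine contacts? or both?)", which must be completed or removed before this revision goes live. In the same list, "Privacy Officer" and "Privacy Office" both link to mailto:privacy@nebraskamed.com; if the Officer has no separate address, collapse the two into a single link. In the Level 3 table, "Level 3 violations may result in termination." drops the "but are not limited to" qualifier that the revised Level 1 and Level 2 entries use; consider wording the three outcome sentences consistently with the statement at the top of Appendix A that the levels and corrective actions are guidelines.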

Revision as of 09:52, August 16, 2023




Policy No.: 6302
Effective Date: 11/02/20
Revised Date: draft 10/28/22
Revised Date:

Policy on Patient Privacy Investigations and Levels of Violation

Purpose of Policy

Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.

Policy

Nebraska Medicine/UNMC Workforce members shall report, and the Privacy Office shall investigate, suspected patient Privacy Incidents to ensure patient and employee/patient confidentiality is maintained and to help mitigate any adverse effects resulting from such incidents. Appropriate sanctions shall be consistently applied by Nebraska Medicine/UNMC for violations of patient privacy pursuant to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Procedures

  1. Suspected Privacy Incidents shall be reported to the Privacy Office immediately for further investigation.
    1. Workforce members must immediately notify the Privacy Office of any suspected unauthorized use or disclosure of Protected Health Information (PHI) of which they are or become aware:
      1. The Privacy Office can be reached at 402-559-5136 or at privacy@nebraskamed.com.
      2. Individuals who desire to remain anonymous may report the suspected Privacy Incident through the Compliance Hotline at 800-822-8310.
      3. The Medical Staff may report suspected Privacy Incidents to the System Chief Medical Officer (CMO).
    2. The Privacy Office will investigate all reports to determine if the suspected Privacy Incident violates Nebraska Medicine/UNMC privacy and/or information security policies, HIPAA, or any other related federal or state privacy law or regulation.
  2. For patient privacy investigations involving Workforce members, the Privacy Office will work with Nebraska Medicine/UNMC Human Resources (Employee Relations) as follows:
    1. Privacy Office identifies or is notified of a potential Privacy Incident.
    2. Privacy Office contacts Employee Relations regarding suspected Privacy Incident.
    3. Employee Relations initiates investigation.
      1. Employee Relations works with operational leadership on coordinating interviews with stakeholders, witnesses and other key Workforce members. Interviews will be conducted either in-person or via Zoom or other similar technology with secure audio and video capabilities. If secure audio and video capabilities are unavailable for any reason, an in-person interview will be conducted.
      2. Privacy Office will participate in the interview process.
    4. Employee Relations discusses outcome of investigation with Privacy Office for input on level of violation.
    5. Employee Relations determines outcome of the investigation, and advises manager on next steps.
    6. Employee Relations will notify the Privacy Office in writing of the final outcome.
      1. Corrective actions resulting from Privacy Incidents involving employed individuals must be documented in writing by Human Resources, regardless of the level of corrective action.
      2. Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office.
  3. For Privacy Incident investigations involving dually employed or solely employed members of the medical staff or community/private practice members of the medical staff, the Privacy Office will work with the CMO, Nebraska Medicine Medical Staff leadership, Legal Services, Chief of Staff and/or Clinical Chair, as appropriate, on the proper course of action for the investigation and its outcome as follows:
    1. Privacy Office identifies or is notified of a potential Privacy Incident.
    2. Privacy Office contacts CMO regarding potential Privacy Incident to initiate investigation.
      1. Privacy Office works with CMO on coordinating interviews with stakeholders, witnesses, and other key Workforce members if/as needed.
      2. Privacy Office and/or Legal Services will participate in the interview process if/as needed.
    3. CMO discusses outcome of investigation with Privacy Office for input on level of violation.
    4. CMO determines outcome and contacts Privacy Office and Nebraska Medicine and UNMC leadership, as applicable, to advise on next steps.
    5. CMO will notify the Privacy Office in writing of the investigation’s final outcome.
      1. Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office.
  4. Privacy Office will be responsible for any required patient notification as a result of a Breach of Unsecured PHI.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

Breach of Unsecured PHI

The unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons, such as e-PHI that has not been encrypted and any physical copy of PHI (e.g., in paper, film or hardcopy) that has not been shredded or destroyed such that it cannot be read or otherwise reconstructed.

Business Associate

A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.

e-PHI

Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.

Health Information

Individually identifiable, and therefore considered PHI, unless 18 identifiers of the individual or of relatives, employers or household members of the individual have been removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See UNMC Policy No. 6057, Use and Disclosure of Protected Health Information for the list of 18 identifiers.

Privacy Incident

An unauthorized use or disclosure of Protected Health Information. See UNMC Policy No. 6057, Use and Disclosure of Protected Health Information or Nebraska Medicine Use and Disclosure of Protected Health Information policy, IM.12 for permitted uses and disclosures of PHI.

Privacy Office

The Nebraska Medicine/UNMC Privacy Office. The Privacy Office can be reached at (402) 559-5136 or by email at privacy@nebraskamed.com.

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years;
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Workforce

Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

Appendix A

Levels of Violations

The violation levels and corrective actions described in this Appendix A are guidelines. The actual level of violation will be determined by the Privacy Office and corrective action will be determined by Human Resources and/or the CMO, as applicable.

Factors that may be considered in determining appropriate corrective action include, but are not limited to:

  1. Whether the Workforce member’s conduct appears to be intentional, unintentional or inadvertent;
  2. The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional unauthorized access, use or disclosure of even one patient’s PHI is an unacceptable breach to the affected patient;
  3. Whether the conduct included an element of malice, or desire for personal or financial gain;
  4. The risk of reputational, financial or other harm to the victim(s) or Nebraska Medicine/UNMC;
  5. Whether the Workforce member has committed prior privacy violations;
  6. The Workforce member’s conduct and cooperation during the investigation; and
  7. Overall performance and status of the employee in the organization.

In addition to any corrective action taken by Human Resources, Workforce members may be subject to referral to applicable licensing boards. In addition, the Privacy Office may be required to report any breach of PHI to the Office for Civil Rights, which enforces HIPAA.

Level 1 Violation: Careless and Unintentional
A Level 1 violation can generally be described as careless or unintentional. These actions may be due to a momentary lack of attention/focus or inattention to detail. The individual unknowingly violated patient privacy and only became aware of the violation after the act.

Level 1 violations may result in, but are not limited to, a first or second written corrective action.

Level 2 Violation: Reckless, Intentional or Willful Disregard
A Level 2 violation can generally be described as reckless, intentional, or willful disregard of policies/procedures/protocols. Choosing to disregard procedures is considered reckless, intentional and willful disregard. Violations are considered Level 2 when the individual knows or should know the right thing to do and chooses to do otherwise.

Level 2 sanctions may also apply to successive Level 1 violations, where the individual has been made aware of the mistake and so should be less likely to make the same mistake again. Level 2 sanctions may also be appropriate for Level 1 violations that are of significant volume, distribution, or scope or involve highly sensitive information.

Level 2 violations may result in, but are not limited to, a final written corrective action.

Level 3 Violation: Malice, Gross Misconduct, Personal Gain or Violation of Patient Privacy
A Level 3 violation can generally be described as knowingly violating policies/procedures/protocols (a Level 2 violation) with an element of malice, gross misconduct, and/or personal gain, or as an intentional violation of the privacy of a patient who is generally not a member of the individual’s household.

Level 3 sanctions may also be appropriate for Level 1 or Level 2 violations that are of significant volume, distribution, or scope or involve highly sensitive information.

Level 3 violations may result in termination.

Additional Information

This page maintained by dkp.