Patient Privacy Investigations and Levels of Violation

From University of Nebraska Medical Center
Revision as of 16:16, August 17, 2022 by Dpanowic

Policy No.: 6302
Effective Date: 11/02/20
Revised Date:

Policy on Patient Privacy Investigations and Levels of Violation

Purpose of Policy

The University of Nebraska Medical Center (UNMC) takes the protection of protected health information extremely seriously. Our goal is to ensure consistent investigation of, and consistent sanctions for, impermissible uses or disclosures of protected health information.

Policy

UNMC Workforce Members shall report, and the Privacy Office shall consistently investigate, suspected patient privacy incidents to ensure patient and employee/patient confidentiality is maintained and to mitigate any adverse effects resulting from such incidents. Consistent sanctions shall be applied by UNMC for violations of patient privacy pursuant to the requirements of the Health Insurance Portability and Accountability Act (HIPAA).

Definitions

Affiliated Covered Entity (ACE) means legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

Breach of Unsecured Protected Health Information (PHI) means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unsecured PHI is: 1) e-PHI that has not been encrypted; and 2) paper, film or hardcopy PHI that has not been shredded or destroyed, such that it cannot be read or otherwise reconstructed.

Business Associate means a third party who performs services on behalf of an ACE member and has access to protected health information (PHI) when performing services; or provides one of the following services for the ACE involving access to PHI: claims processing, data analysis, data processing, practice management, utilization review, quality assurance, billing, benefit management, and repricing.

Privacy Incident means an improper use or disclosure of Protected Health Information. See UNMC Policy No. 6057, Use and Disclosure of Protected Health Information for permitted uses of Protected Health Information.

Privacy Office means the Nebraska Medicine/UNMC Privacy Office. The Privacy Office can be reached at 402-559-5136 or at Privacy Office.

Protected Health Information (PHI) means individually identifiable health information. Health information means any information, whether oral or recorded in any medium that:
a. is created or received by member(s) of the ACE; and
b. relates to the past, present, or future physical or mental health or condition of the individual; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to an individual.

Health information is individually identifiable, and therefore considered PHI, unless 18 identifiers of the individual or of relatives, employers, or household members of the individual have been removed and the ACE does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See UNMC Policy No. 6057, Use and Disclosure of Protected Health Information for the list of 18 identifiers.

e-PHI means Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.

Workforce means ACE member employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the ACE member, is under the direct control of the ACE member, whether or not they are paid by the ACE member.

Procedures

  1. Suspected patient privacy incidents shall be reported to the Privacy Office immediately for further investigation.
    1. Workforce Members and Business Associates must immediately notify the Privacy Office of any suspected impermissible use or disclosure of PHI of which they are aware. The Privacy Office will investigate all reports to determine if the incident violates UNMC privacy and/or information security policies, HIPAA, or any other related federal or state privacy law or regulation.
    2. Individuals who desire to remain anonymous may report the violation or suspected violation through the UNMC Compliance Hotline number at 844-348-9584.
  2. For patient privacy investigations involving UNMC Workforce Members, the Privacy Office will work with UNMC Human Resources (Employee Relations).
    1. Privacy Office identifies or is notified of a potential privacy violation.
    2. Privacy Office will contact Employee Relations regarding violation.
    3. Privacy Office will lead the investigation.
      1. Privacy Office will initiate contact with operational leadership (department managers) and other stakeholders.
      2. Employee Relations will coordinate interviews with employees.
      3. Privacy Office participates in the interview process.
    4. Privacy Office will discuss outcome of investigation with Employee Relations for input on Level of Breach.
    5. Employee Relations will work with manager to determine next steps.
    6. Employee Relations will notify the Privacy Office in writing of the final outcome including any corrective or disciplinary action.
      1. Privacy violation documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years.
  3. For patient privacy investigations involving dually employed (UNMC/Nebraska Medicine), or solely employed members of the medical staff or community/private practice members of the medical staff, the Privacy Office will work with the Chief Medical Officer (CMO), Nebraska Medicine Medical Staff leadership, Legal Services, Chief of Staff and/or Clinical Chair as appropriate on proper course of action for investigation and outcome.
    1. Privacy identifies or is notified of a potential privacy violation.
    2. Privacy contacts Chief Medical Officer regarding violation to initiate investigation.
      1. Privacy Office works with CMO on coordinating interviews with stakeholders, witnesses, and other key workforce members.
      2. Privacy Office and/or Legal Services will participate in the interview process.
    3. CMO discusses outcome of investigation with Privacy Office for input on Level of Breach.
    4. CMO determines outcome and contacts Privacy Office, Nebraska Medicine and UNMC leadership as applicable to advise on next steps.
    5. CMO will notify the Privacy Office in writing of the final outcome.
      1. Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office.
  4. Privacy Office will be responsible for any required notification as a result of a breach of patient privacy.
    1. Privacy Incidents involving UNMC employees must be reported to and documented in writing by Human Resources. A summary of the Privacy Incident, investigation outcome, and any corrective or disciplinary action will be documented by the Privacy Office. Privacy Incident summaries must be available for internal and external oversight and regulatory responses.

Appendix A

Levels of Violations

The violation levels and corrective actions described in this Appendix A are guidelines. UNMC follows a progressive disciplinary action process up to and including termination. The actual level of violation will be determined by the Privacy Office and corrective action will be recommended by Human Resources.

Factors that may be considered in determining appropriate corrective action include, but are not limited to:

  1. Whether the Workforce Member’s conduct appears to be intentional or unintentional;
  2. The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional improper access of even one patient is a significant breach to the affected patient;
  3. Whether the conduct included an element of malice, or desire for personal or financial gain;
  4. The risk of reputational, financial or other harm to the victim(s) or UNMC;
  5. Whether the Workforce Member has committed prior privacy violations;
  6. The Workforce Member’s conduct and cooperation during the investigation; and
  7. Overall performance and status of the employee in the organization.

In addition to any corrective action taken by Human Resources, Workforce Members may be subject to referral to applicable licensing boards.

Level 1 Violation: Careless and Unintentional.
Level 1 violation can generally be described as careless or unintentional. These actions may be due to a momentary lack of attention/focus or inattention to detail. The individual unknowingly violated patient privacy and only became aware of the violation after the act.

Level 1 violation may result in a discussion with the employee, a verbal warning, or further corrective and disciplinary action up to and including termination.

Level 2 Violation: Reckless, Intentional or Willful Disregard
Level 2 violation can generally be described as reckless, intentional or willful disregard of policies/procedures/protocols. Choosing to disregard procedures is considered reckless and intentional.

Violations may also be considered level 2 when the individual knows or should know the right thing to do and chooses to do otherwise; the violations are of significant volume, distribution, scope, or involve highly sensitive information, or where the individual has been made aware of the mistake and so should be less likely to make the same mistake again.

Level 2 violation may result in a written warning, or further corrective and disciplinary action up to and including termination.

Level 3 Violation: Malice, Gross Misconduct, Personal Gain or Violation of Patient Privacy
Level 3 violation can generally be described as knowingly violating policies/procedures/protocols (a level 2 violation) with an element of malice, gross misconduct, and/or personal gain, or as intentional violation of the privacy of a patient who is not a member of the individual’s household.

Level 3 violations may result in a written warning or further corrective and disciplinary action up to and including termination.

This page maintained by dkp.