Patient Privacy Investigations and Levels of Violation


Policy No.: 6302
Effective Date: 11/02/20
Revised Date: 04/22/24

Reviewed Date: 04/22/24

Policy on Patient Privacy Investigations and Levels of Violation

Purpose of Policy

Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.

Policy

Nebraska Medicine/UNMC Workforce members shall report, and the Privacy Office shall investigate, suspected patient Privacy Incidents to ensure patient and employee/patient confidentiality is maintained and to help mitigate any adverse effects resulting from such incidents. Appropriate sanctions shall be consistently applied by Nebraska Medicine/UNMC for violations of patient privacy pursuant to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Procedures

  1. Suspected Privacy Incidents shall be reported to the Privacy Office immediately for further investigation.
    1. Workforce members must immediately notify the Privacy Office of any suspected unauthorized use or disclosure of Protected Health Information (PHI) of which they are or become aware:
      1. The Privacy Office can be reached at 402-559-5136 or at privacy@nebraskamed.com.
      2. Individuals who desire to remain anonymous may report the suspected Privacy Incident through the Compliance Hotline at 800-822-8310.
      3. The Medical Staff may report suspected Privacy Incidents to the System Chief Medical Officer (CMO).
    2. The Privacy Office will investigate all reports to determine if the suspected Privacy Incident violates Nebraska Medicine/UNMC privacy and/or information security policies, HIPAA, or any other related federal or state privacy law or regulation.
  2. For patient privacy investigations involving Workforce members, the Privacy Office will work with Nebraska Medicine/UNMC Human Resources (Employee Relations) as follows:
    1. Privacy Office identifies or is notified of a potential Privacy Incident.
    2. Privacy Office contacts Employee Relations regarding suspected Privacy Incident.
    3. Employee Relations initiates investigation.
      1. Employee Relations works with operational leadership on coordinating interviews with stakeholders, witnesses and other key Workforce members. Interviews will be conducted either in-person or via Zoom or other similar technology with secure audio and video capabilities. If secure audio and video capabilities are unavailable for any reason, an in-person interview will be conducted.
      2. Privacy Office will participate in the interview process.
    4. Employee Relations discusses outcome of investigation with Privacy Office for input on level of violation.
    5. Employee Relations determines outcome of the investigation and advises manager on next steps.
    6. Employee Relations will notify the Privacy Office in writing of the final outcome.
      1. Corrective actions resulting from Privacy Incidents involving employed individuals must be documented in writing by Human Resources, regardless of the level of corrective action.
      2. Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office.
  3. For Privacy Incident investigations involving dually employed or solely employed members of the medical staff or community/private practice members of the medical staff, the Privacy Office will work with the CMO, Nebraska Medicine Medical Staff leadership, Legal Services, Chief of Staff and/or Clinical Chair, as appropriate, on the proper course of action for the investigation and its outcome as follows:
    1. Privacy Office identifies or is notified of a potential Privacy Incident.
    2. Privacy Office contacts CMO regarding potential Privacy Incident to initiate investigation.
      1. Privacy Office works with CMO on coordinating interviews with stakeholders, witnesses, and other key Workforce members if/as needed.
      2. Privacy Office and/or Legal Services will participate in the interview process if/as needed.
    3. CMO discusses outcome of investigation with Privacy Office for input on level of violation.
    4. CMO determines outcome and contacts Privacy Office and Nebraska Medicine and UNMC leadership, as applicable, to advise on next steps.
    5. CMO will notify the Privacy Office in writing of the investigation’s final outcome.
      1. Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office.
  4. Privacy Office will be responsible for any required patient notification as a result of a Breach of Unsecured PHI.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

Breach of Unsecured PHI

The unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons, such as e-PHI that has not been encrypted and any physical copy of PHI (e.g., in paper, film or hardcopy) that has not been shredded or destroyed such that it cannot be read or otherwise reconstructed.

Business Associate

A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.

e-PHI

Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.

Health Information

Individually identifiable, and therefore considered PHI, unless 18 identifiers of the individual or of relatives, employers or household members of the individual have been removed and Nebraska Medicine/UNMC does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See UNMC Policy No. 6057, Use and Disclosure of Protected Health Information for the list of 18 identifiers.

Privacy Incident

An unauthorized use or disclosure of Protected Health Information. See UNMC Policy No. 6057, Use and Disclosure of Protected Health Information or Nebraska Medicine Use and Disclosure of Protected Health Information policy, IM.12 for permitted uses and disclosures of PHI.

Privacy Office

The Nebraska Medicine/UNMC Privacy Office. The Privacy Office can be reached at (402) 559-5136 or at Privacy Office.

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years;
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Workforce

Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

Appendix A

Levels of Violations

The violation levels and corrective actions described in this Appendix A are guidelines. The actual level of violation will be determined by the Privacy Office and corrective action will be determined by Human Resources and/or the CMO, as applicable.

Factors that may be considered in determining appropriate corrective action include, but are not limited to:

  1. Whether the Workforce member’s conduct appears to be intentional or unintentional or inadvertent;
  2. The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional unauthorized access, use or disclosure of even one patient’s PHI is an unacceptable breach to the affected patient;
  3. Whether the conduct included an element of malice, or desire for personal or financial gain;
  4. The risk of reputational, financial or other harm to the victim(s) or Nebraska Medicine/UNMC;
  5. Whether the Workforce member has committed prior privacy violations;
  6. The Workforce member’s conduct and cooperation during the investigation; and
  7. Overall performance and status of the employee in the organization.

In addition to any corrective action taken by Human Resources, Workforce members may be subject to referral to applicable licensing boards. In addition, the Privacy Office may be required to report any breach of PHI to the Office for Civil Rights, which enforces HIPAA.

Level 1 Violation: Careless and Unintentional
A Level 1 violation can generally be described as careless or unintentional. These actions may be due to momentary lack of attention/focus or inattention to detail. The individual unknowingly violated patient privacy and only became aware of the violation after the act.

Level 1 violations may result in, but are not limited to, a first or second written corrective action.

Level 2 Violation: Reckless, Intentional or Willful Disregard
A Level 2 violation can generally be described as reckless, intentional, or willful disregard of policies/procedures/protocols. Choosing to disregard procedures is considered reckless, intentional and willful disregard. Violations are considered level 2 when the individual knows or should know the right thing to do and chooses to do otherwise.

Level 2 sanctions may also apply to successive level 1 violations, where the individual has been made aware of the mistake and so should be less likely to make the same mistake again. Level 2 sanctions may also be appropriate for level 1 violations that are of significant volume, distribution, or scope or involve highly sensitive information.

Level 2 violations may result in, but are not limited to, a final written corrective action.

Level 3 Violation: Malice, Gross Misconduct, Personal Gain or Violation of Patient Privacy
A Level 3 violation can generally be described as knowingly violating policies/procedures/protocols (a level 2 violation) with an element of malice, gross misconduct, and/or personal gain or as intentional violation of the privacy of a patient who is generally not a member of the individual’s household.

Level 3 sanctions may also be appropriate for level 1 or level 2 violations that are of significant volume, distribution, or scope or involve highly sensitive information.

Level 3 violations may result in termination.

Additional Information

This page maintained by mh.