Patient Privacy Investigations and Levels of Violation: Difference between revisions

121 bytes removed , September 29

→‎Additional Information: updated Health Insurance Portability and Accountability Act of 1996 link 2x and HIPAA Security Rule link 2x

VisualWikitext

Afaylor

Bureaucrats, Administrators

1,735

edits

@@ Line 30: / Line 30: @@
 Policy No.: '''6302'''<br />
 Effective Date: '''11/02/20'''<br />
-Revised Date: '''draft 09/26/22'''<br />
+Revised Date: '''04/22/24'''
-Revised Date: <br />
+Reviewed Date: '''04/22/24''' <br />
 <br />
 <big>'''Policy on Patient Privacy Investigations and Levels of Violation'''</big><br /><br />
 ==Purpose of Policy==
-Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.
+Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html HIPAA Security Rule] outline considerations for the access control family of security controls.
 ==Policy==
-Nebraska Medicine/UNMC Workforce members shall report, and the [mailto:privacy@nebraskamed.com Privacy Office] shall investigate, suspected patient Privacy Incidents to ensure patient and employee/patient confidentiality is maintained and to help mitigate any adverse effects resulting from such incidents. Appropriate sanctions shall be consistently applied by Nebraska Medicine/UNMC for violations of patient privacy pursuant to the requirements of the [https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)].
+Nebraska Medicine/UNMC Workforce members shall report, and the [mailto:privacy@nebraskamed.com Privacy Office] shall investigate, suspected patient Privacy Incidents to ensure patient and employee/patient confidentiality is maintained and to help mitigate any adverse effects resulting from such incidents. Appropriate sanctions shall be consistently applied by Nebraska Medicine/UNMC for violations of patient privacy pursuant to the requirements of the [https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)].
 ==Procedures==
 #Suspected Privacy Incidents shall be reported to the Privacy Office immediately for further investigation.
@@ Line 68: / Line 69: @@
 ==Definitions==
 ===Affiliated Covered Entity (ACE)===
-Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.
+Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
 ===Breach of Unsecured PHI ===
 The unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons, such as e-PHI that has not been encrypted and any physical copy of PHI (e.g., in paper, film or hardcopy) that has not been shredded or destroyed such that it cannot be read or otherwise reconstructed.
 ===Business Associate===
-A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI. Some examples of such services include: claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
+A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
 ===e-PHI ===
 Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.
@@ Line 88: / Line 89: @@
 *an Individual’s genetic tests;
 *the genetic tests of an Individual’s family members; or
-*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
+*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).
-*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
 PHI excludes:
 *individually identifiable health information of a person who has been deceased for more than fifty (50) years.
@@ Line 98: / Line 98: @@
 ==Appendix A==
 ===Levels of Violations ===
-TThe violation levels and corrective actions described in this Appendix A are guidelines.  The actual level of violation will be determined by the Privacy Office and corrective action will be determined by Human Resources and/or the CMO, as applicable.<br />
+The violation levels and corrective actions described in this Appendix A are guidelines.  The actual level of violation will be determined by the Privacy Office and corrective action will be determined by Human Resources and/or the CMO, as applicable.<br />
 Factors that may be considered in determining appropriate corrective action include, but are not limited to:
-#Whether the Workforce member’s conduct appears to be intentional or unintentional or inadvertant;
+#Whether the Workforce member’s conduct appears to be intentional or unintentional or inadvertent;
 #The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional unauthorized access, use or disclosure of even one patient’s PHI is an unacceptable breach to the affected patient;
 #Whether the conduct included an element of malice, or desire for personal or financial gain;
@@ Line 146: / Line 146: @@
 *Contact the [mailto:privacy@nebraskamed.com Privacy Officer] or the [mailto:privacy@nebraskamed.com Privacy Office] at 402-559-5136.
 *Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545.
-*Contact [https://www.unmc.edu/human-resources/about/contact-hr.html Human Resources, Employee Relations], 402-559-7394, 402-559-8534 or 402-559-4371
+*Contact [https://www.unmc.edu/human-resources/about/index.html Human Resources, Employee Relations], 402-559-7394, 402-559-8534 or 402-559-4371
-*Contact Legal Services at _______________________  phone # and email(s)  (should this be UNMC or Nebraska medicine contacts? or both?)
+*Contact Legal Services at [mailto:Contracts@nebraskamed.com contracts@nebraskamed.com]
 *UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]
 *UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information]
@@ Line 153: / Line 153: @@
 *UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use and Disclosure of Protected Health Information]
 *Nebraska Medicine Use and Disclosure of Protected Health Information policy, IM.12
-*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
+*[https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
 *[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
-*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]
+*[https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html HIPAA Security Rule]
-This page maintained by [mailto:dpanowic@unmc.edu dkp].
+This page maintained by [mailto:mhurlocker@unmc.edu mh].

Patient Privacy Investigations and Levels of Violation: Difference between revisions

Patient Privacy Investigations and Levels of Violation (view source)

Revision as of 13:50, September 29, 2025