2,654
edits
Patient Privacy Investigations and Levels of Violation: Difference between revisions
Jump to navigation
Jump to search
Patient Privacy Investigations and Levels of Violation (view source)
Revision as of 12:38, November 2, 2020
, November 2, 2020no edit summary
mNo edit summary |
No edit summary |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 29: | Line 29: | ||
<br /><br /> | <br /><br /> | ||
Policy No.: '''6302'''<br /> | Policy No.: '''6302'''<br /> | ||
Effective Date: ''' | Effective Date: '''11/02/20'''<br /> | ||
Revised Date: <br /> | Revised Date: <br /> | ||
Revised Date: <br /> | Revised Date: <br /> | ||
| Line 35: | Line 35: | ||
<big>'''Policy on Patient Privacy Investigations and Levels of Violation'''</big><br /><br /> | <big>'''Policy on Patient Privacy Investigations and Levels of Violation'''</big><br /><br /> | ||
==Purpose of Policy== | ==Purpose of Policy== | ||
The University of Nebraska Medical Center (UNMC) takes protecting | The University of Nebraska Medical Center (UNMC) takes protecting protected health information extremely seriously. Our goal is to ensure consistent investigation of, and to apply consistent sanction to impermissible uses or disclosures of protected health information. | ||
==Policy== | ==Policy== | ||
UNMC Workforce Members shall report, and the Privacy Office shall consistently investigate, suspected patient privacy incidents to ensure patient and employee/patient confidentiality is maintained and to mitigate any adverse effects resulting from such incidents. Consistent sanctions shall be applied by UNMC for violations of patient privacy pursuant to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). | UNMC Workforce Members shall report, and the Privacy Office shall consistently investigate, suspected patient privacy incidents to ensure patient and employee/patient confidentiality is maintained and to mitigate any adverse effects resulting from such incidents. Consistent sanctions shall be applied by UNMC for violations of patient privacy pursuant to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). | ||
| Line 59: | Line 59: | ||
'''Workforce''' means ACE member employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the ACE member, is under the direct control of the ACE member, whether or not they are paid by the ACE member. | '''Workforce''' means ACE member employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the ACE member, is under the direct control of the ACE member, whether or not they are paid by the ACE member. | ||
==Procedures== | ==Procedures== | ||
#Suspected patient privacy incidents shall be reported to the Privacy Office immediately for further investigation. | #Suspected patient privacy incidents shall be reported to the [mailto:Privacy@NebraskaMed.com Privacy Office] immediately for further investigation. | ||
##Workforce Members and Business Associates must immediately notify the Privacy Office of any suspected impermissible use or disclosure of PHI of which they are aware. The Privacy Office will investigate all reports to determine if the incident violates UNMC privacy and/or information security policies, HIPAA, or any other related federal or state privacy law or regulation. | ##Workforce Members and Business Associates must immediately notify the Privacy Office of any suspected impermissible use or disclosure of PHI of which they are aware. The Privacy Office will investigate all reports to determine if the incident violates UNMC privacy and/or information security policies, HIPAA, or any other related federal or state privacy law or regulation. | ||
##Individuals who desire to remain anonymous may report the violation or suspected violation through the Compliance Hotline at | ##Individuals who desire to remain anonymous may report the violation or suspected violation through the UNMC Compliance Hotline number at 844-348-9584. | ||
#For patient privacy investigations involving UNMC Workforce Members, the Privacy Office will work with UNMC Human Resources (Employee Relations). | #For patient privacy investigations involving UNMC Workforce Members, the Privacy Office will work with UNMC Human Resources (Employee Relations). | ||
##Privacy Office identifies or is notified of a potential privacy violation | ##Privacy Office identifies or is notified of a potential privacy violation. | ||
##Privacy Office will contact Employee Relations regarding violation | ##Privacy Office will contact Employee Relations regarding violation. | ||
##Privacy Office will lead the investigation | ##Privacy Office will lead the investigation. | ||
###Privacy Office will initiate contact with operational leadership (department managers) and other stakeholders | ###Privacy Office will initiate contact with operational leadership (department managers) and other stakeholders. | ||
###Employee Relations will coordinate interviews with employees | ###Employee Relations will coordinate interviews with employees. | ||
###Privacy Office participates in the interview process | ###Privacy Office participates in the interview process. | ||
##Privacy Office will discuss outcome of investigation with Employee Relations for input on Level of Breach | ##Privacy Office will discuss outcome of investigation with Employee Relations for input on Level of Breach. | ||
##Employee Relations will work with manager to determine next steps | ##Employee Relations will work with manager to determine next steps. | ||
##Employee Relations will notify the Privacy Office in writing of the final outcome including any corrective or disciplinary action | ##Employee Relations will notify the Privacy Office in writing of the final outcome including any corrective or disciplinary action. | ||
###Privacy violation documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years | ###Privacy violation documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years. | ||
#For patient privacy investigations involving dually employed, or solely employed members of the medical staff or community/private practice members of the medical staff, the Privacy Office will work with the Chief Medical Officer (CMO), Nebraska Medicine Medical Staff leadership, Legal Services, Chief of Staff and/or Clinical Chair as appropriate on proper course of action for investigation and outcome. | #For patient privacy investigations involving dually employed (UNMC/Nebraska Medicine), or solely employed members of the medical staff or community/private practice members of the medical staff, the Privacy Office will work with the Chief Medical Officer (CMO), Nebraska Medicine Medical Staff leadership, Legal Services, Chief of Staff and/or Clinical Chair as appropriate on proper course of action for investigation and outcome. | ||
##Privacy identifies or is notified of a potential privacy violation | ##Privacy identifies or is notified of a potential privacy violation. | ||
##Privacy contacts Chief Medical Officer regarding violation to initiate investigation | ##Privacy contacts Chief Medical Officer regarding violation to initiate investigation. | ||
###Privacy Office works with CMO on coordinating interviews with stakeholders, witnesses, and other key workforce members | ###Privacy Office works with CMO on coordinating interviews with stakeholders, witnesses, and other key workforce members. | ||
###Privacy Office and/or Legal Services will participate in the interview process | ###Privacy Office and/or Legal Services will participate in the interview process. | ||
##CMO discusses outcome of investigation with Privacy Office for input on Level of Breach | ##CMO discusses outcome of investigation with Privacy Office for input on Level of Breach. | ||
##CMO determines outcome and contacts Privacy Office, Nebraska Medicine and UNMC leadership as applicable to advise on next steps | ##CMO determines outcome and contacts Privacy Office, Nebraska Medicine and UNMC leadership as applicable to advise on next steps. | ||
##CMO will notify the Privacy Office in writing of the final outcome | ##CMO will notify the Privacy Office in writing of the final outcome. | ||
###Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office. | ###Such documentation must be available for internal and external oversight and regulatory responses for a minimum of six (6) years, and the corrective action will be communicated to the Privacy Office. | ||
#Privacy Office will be responsible for any required notification as a result of a breach of patient privacy. | #Privacy Office will be responsible for any required notification as a result of a breach of patient privacy. | ||
| Line 92: | Line 92: | ||
#The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional improper access of even one patient is a significant breach to the affected patient; | #The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional improper access of even one patient is a significant breach to the affected patient; | ||
#Whether the conduct included an element of malice, or desire for personal or financial gain; | #Whether the conduct included an element of malice, or desire for personal or financial gain; | ||
#The risk of reputational, financial or other harm to the victim(s) or | #The risk of reputational, financial or other harm to the victim(s) or UNMC; | ||
#Whether the Workforce Member has committed prior privacy violations; and | #Whether the Workforce Member has committed prior privacy violations; and | ||
#The Workforce Member’s conduct and cooperation during the investigation. | #The Workforce Member’s conduct and cooperation during the investigation. | ||
| Line 128: | Line 128: | ||
|} | |} | ||
==Additional Information== | ==Additional Information== | ||
*Contact the | *Contact the [mailto:privacy@nebraskamed.com Privacy Office] or at 402-559-5136. | ||
*Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545. | *Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545. | ||
*Contact [https://www.unmc.edu/human-resources/about/contact-hr.html Human Resources, Employee Relations], 402-559-7394, 402-559-8534 or 402-559-4371 | *Contact [https://www.unmc.edu/human-resources/about/contact-hr.html Human Resources, Employee Relations], 402-559-7394, 402-559-8534 or 402-559-4371 | ||