Patient Privacy Investigations and Levels of Violation: Difference between revisions

No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 30: Line 30:
Policy No.: '''6302'''<br />
Policy No.: '''6302'''<br />
Effective Date: '''11/02/20'''<br />
Effective Date: '''11/02/20'''<br />
Revised Date: '''draft 10/28/22'''<br />
Revised Date: '''04/22/24'''  
Revised Date: <br />
 
Reviewed Date: '''04/22/24''' <br />
<br />
<br />
<big>'''Policy on Patient Privacy Investigations and Levels of Violation'''</big><br /><br />
<big>'''Policy on Patient Privacy Investigations and Levels of Violation'''</big><br /><br />
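Review bot: the new "Revised Date: '''04/22/24'''" line is the only line in this header block without a trailing <br />, so when the page renders it will run together with the "Reviewed Date: '''04/22/24''' <br />" line that follows it. Append <br /> to the Revised Date line, matching the Policy No. and Effective Date lines above it.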
Line 68: Line 69:
==Definitions==
==Definitions==
===Affiliated Covered Entity (ACE)===
===Affiliated Covered Entity (ACE)===
Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.  
===Breach of Unsecured PHI ===
===Breach of Unsecured PHI ===
The unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons, such as e-PHI that has not been encrypted and any physical copy of PHI (e.g., in paper, film or hardcopy) that has not been shredded or destroyed such that it cannot be read or otherwise reconstructed.  
The unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons, such as e-PHI that has not been encrypted and any physical copy of PHI (e.g., in paper, film or hardcopy) that has not been shredded or destroyed such that it cannot be read or otherwise reconstructed.  
===Business Associate===
===Business Associate===
A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI. Some examples of such services include claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
===e-PHI ===
===e-PHI ===
Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.
Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.
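Review bot: the Affiliated Covered Entity definition silently loses its final sentence, "Access and amendment rights apply to designated record sets throughout the ACE.", and nothing elsewhere in this hunk replaces it; confirm the removal is deliberate (for example because that statement now belongs to the access and amendment policy) rather than an editing loss. The Business Associate change is an improvement: "in any form, even if PHI is not accessed" together with "storage, including cloud storage" makes clear that a vendor that only stores PHI without ever viewing it is still a business associate.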
Line 88: Line 89:
*an Individual’s genetic tests;  
*an Individual’s genetic tests;  
*the genetic tests of an Individual’s family members; or
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
PHI excludes:
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
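Review bot: the revised bullet list drops the fourth item, "any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual", and closes the family-history bullet with a period, which narrows Genetic Information to test results and family history alone. If that narrowing was not intended, restore the fourth bullet and move the closing "; or" back onto the family-history bullet.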
Line 98: Line 98:
==Appendix A==
==Appendix A==
===Levels of Violations ===
===Levels of Violations ===
TThe violation levels and corrective actions described in this Appendix A are guidelines.  The actual level of violation will be determined by the Privacy Office and corrective action will be determined by Human Resources and/or the CMO, as applicable.<br />
The violation levels and corrective actions described in this Appendix A are guidelines.  The actual level of violation will be determined by the Privacy Office and corrective action will be determined by Human Resources and/or the CMO, as applicable.<br />


Factors that may be considered in determining appropriate corrective action include, but are not limited to:
Factors that may be considered in determining appropriate corrective action include, but are not limited to:


#Whether the Workforce member’s conduct appears to be intentional or unintentional or inadvertant;
#Whether the Workforce member’s conduct appears to be intentional or unintentional or inadvertent;
#The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional unauthorized access, use or disclosure of even one patient’s PHI is an unacceptable breach to the affected patient;
#The magnitude of the violation, including the number of patients and the volume of PHI accessed or disclosed, keeping in mind that intentional unauthorized access, use or disclosure of even one patient’s PHI is an unacceptable breach to the affected patient;
#Whether the conduct included an element of malice, or desire for personal or financial gain;
#Whether the conduct included an element of malice, or desire for personal or financial gain;
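Review bot: the spelling fixes ("TThe" to "The", "inadvertant" to "inadvertent") are correct, but factor 1 still offers a three-way choice, "intentional or unintentional or inadvertent", in which the last two terms mean the same thing; tighten it to "intentional or inadvertent" so the factor reads as the single distinction the corrective-action guidance actually turns on.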
Line 147: Line 147:
*Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545.
*Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545.
*Contact [https://www.unmc.edu/human-resources/about/contact-hr.html Human Resources, Employee Relations], 402-559-7394, 402-559-8534 or 402-559-4371
*Contact [https://www.unmc.edu/human-resources/about/contact-hr.html Human Resources, Employee Relations], 402-559-7394, 402-559-8534 or 402-559-4371
*Contact Legal Services at _______________________  phone # and email(s)  (should this be UNMC or Nebraska medicine contacts? or both?)
*Contact Legal Services at [mailto:Contracts@nebraskamed.com contracts@nebraskamed.com]
*UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]
*UNMC Policy No. 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action]
*UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information]
*UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information]
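Review bot: the old placeholder asked whether the Legal Services entry should list UNMC contacts, Nebraska Medicine contacts or both; the replacement answers with a single Nebraska Medicine mailbox, contracts@nebraskamed.com, and no phone number, while the neighbouring Office of Information Security and Human Resources entries each give a link plus phone numbers. Confirm that a UNMC Legal Services contact is not also required, that a contracts mailbox is the intended route for questions arising from a patient privacy investigation, and add a phone number for consistency with the other entries.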
Line 157: Line 157:
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:mhurlocker@unmc.edu mh].