HIPAA


EPHI: Electronic Protected Health Information

Examples of EPHI
• Patient names
• Diagnosis
• Date of birth / Age
• Address / Room number
• Social Security number
• Test results
• Past health conditions
• Treatments and medications
• Account number, or any number that is specific to a

• All Adams Health Network computer systems containing
  patient information are required to go through a risk
  analysis process.

• To see the Risk Analysis on the computer systems in your
  area go to:

  Working Policies & Procedures > HIPAA Folder > epHI Security Folder > Risk Analysis Folder
System Activity & Review
• Adams Memorial Hospital and the members of Adams Health Network regularly
  review, record, and examine activity in information systems that contain or use
  electronic protected health information.
• Audit Logs
   • Selective Auditing: The IT Department or designated staff will quarterly audit 10
     specific patients and print a log of activity. If the patient is an employee, the ePHI
     will request a meeting for the employee to review the audit and identify any
     person that may have accessed inappropriately. All suspicious activity will be
   • Login Monitoring Auditing: A monthly audit of specific failed login attempts will be
     reviewed by the ePHI Security Officer. Any suspicious repeated failed attempts
     will be investigated.
   • Time Specific Auditing: A quarterly audit of 5 random employees and 50% of
     contract employees will be reviewed by the manager to identify any activity at
     unusual hours. Any suspicious activity will be investigated.
   • IP Address Auditing: A monthly audit of IP addresses will be performed and
     reviewed by the MIS department to evaluate any suspicious external activity.
   • Suspicious Auditing: At any time a suspicion arises about an employee, an audit
     based on user ID or patient name will be run by the Director of Support Services.
     The ePHI Security Officer, along with the Privacy Officer and the manager of the
     employee, will review and document any questionable access of ePHI.
Target Auditing
• Any employee may request an audit of who accessed their
  records while they were a patient by completing an Employee
  Audit Request Form.
  • All audit requests need to be directed to the ePHI Security Officer
    or HIPAA Privacy Officer.

• During a new hire’s probationary period, an audit will be
  performed to identify any suspicious activity.
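The review checks described under System Activity & Review and Target Auditing, run over a constructed ePHI access log, as an added example that is not part of the Adams Health Network training material; the log format, the failed-login threshold, the business-hours window, the internal network range and the employee-to-MRN mapping are all assumptions:

```python
# Added example, not from the Adams Health Network slides: the audit checks
# from "System Activity & Review" and "Target Auditing" run over a constructed
# ePHI access log. Log format, thresholds, the internal network range and the
# employee-to-MRN mapping are all assumptions made for the illustration.
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample log (CSV): timestamp, login, event, patient MRN, source IP.
SAMPLE_LOG = """\
timestamp,user,event,mrn,src_ip
2024-03-04T08:15:00,jdoe,view,MRN1001,10.20.1.15
2024-03-04T02:40:00,jdoe,view,MRN1002,10.20.1.15
2024-03-05T09:05:00,asmith,view,MRN1003,10.20.1.22
2024-03-05T09:06:00,asmith,login_failed,,10.20.1.22
2024-03-05T09:07:00,asmith,login_failed,,10.20.1.22
2024-03-05T09:08:00,asmith,login_failed,,10.20.1.22
2024-03-05T09:09:00,asmith,login_failed,,10.20.1.22
2024-03-06T11:30:00,bwong,view,MRN1001,203.0.113.7
2024-03-06T11:35:00,bwong,view,MRN1004,10.20.1.40
"""

# Assumed mapping from an employee's login to that employee's own patient MRN,
# used to flag the "accessing his/her own medical record" case that the
# sanctions slide lists.
EMPLOYEE_MRN = {"jdoe": "MRN1001", "asmith": "MRN2002", "bwong": "MRN3003"}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed facility range
FAILED_LOGIN_THRESHOLD = 3                             # assumed review threshold
BUSINESS_HOURS = range(6, 20)                          # assumed 06:00-19:59 window


def parse_log(text):
    """Parse the CSV log into dicts, adding a datetime under the 'ts' key."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def failed_login_audit(rows):
    """Login Monitoring: logins with repeated failures at or above the threshold."""
    counts = Counter(r["user"] for r in rows if r["event"] == "login_failed")
    return {user: n for user, n in counts.items() if n >= FAILED_LOGIN_THRESHOLD}


def unusual_hours_audit(rows):
    """Time Specific Auditing: ePHI views outside the assumed business hours."""
    return [(r["user"], r["timestamp"]) for r in rows
            if r["event"] == "view" and r["ts"].hour not in BUSINESS_HOURS]


def external_ip_audit(rows):
    """IP Address Auditing: events whose source address is outside the facility."""
    flagged = []
    for r in rows:
        ip = ipaddress.ip_address(r["src_ip"])
        if not any(ip in net for net in INTERNAL_NETS):
            flagged.append((r["user"], r["src_ip"]))
    return flagged


def self_access_audit(rows):
    """Flag a login viewing the record the mapping says is that employee's own."""
    return [(r["user"], r["mrn"]) for r in rows
            if r["event"] == "view" and EMPLOYEE_MRN.get(r["user"]) == r["mrn"]]


def targeted_audit(rows, user=None, mrn=None):
    """Suspicious/Target Auditing: all events for a given login and/or patient MRN."""
    return [r for r in rows
            if (user is None or r["user"] == user)
            and (mrn is None or r["mrn"] == mrn)]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("repeated failed logins:", failed_login_audit(log))
    print("unusual hours:", unusual_hours_audit(log))
    print("external IPs:", external_ip_audit(log))
    print("own-record access:", self_access_audit(log))
    print("events for MRN1001:", len(targeted_audit(log, mrn="MRN1001")))
```

Each function returns the rows a reviewer would print and take to the ePHI Security Officer; the thresholds are the knobs a real deployment would tune to its own environment.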
Workforce Security
• Adams Health Network ensures that all of its members have
  appropriate access to electronic health information and will
  prevent those who do not have access from obtaining access.

• HIPAA Security Training must be performed prior to access to
  computer systems with ePHI.

• Any employee, student, or volunteer who works in an area
  where ePHI is stored will either have authorization to the
  information or require supervision by someone who does.
Workforce Security Form
• Identifies the member having authorization or needing

• An ePHI Workforce Security Authorization Form will need to
  be completed:
  • upon new hire
  • job status change
  • and annually upon evaluation

• This form will be maintained by Human Resources and
  will be available to the ePHI Security Officer for review.
Staff Awareness & Training
• Security Training is necessary for all workforce members who
  may or may not access protected health information.

• Education is provided initially to employees during orientation
  and annually to employees during Race Day.

• Periodic Newsletters prepared by the Privacy/Security Officer,
  Joan Engels, containing new information and reminders may
  be sent out through department wide email, posted by time
  clocks, attached to the Adams Family Newsletter, and
  delivered in the physician mailboxes.
• Each user is assigned an identification label (LOG-IN) that belongs to that
  user and only that user.

• System processes will use this label to identify the user and to
  associate the user with tracked actions taken by or on behalf of that

• Do NOT Share your LOGIN!
  • You are responsible for the activity that occurs under your login.
    Therefore, when you leave a computer, you must LOG OUT (sign off).
    If you come up to a computer and someone else is logged in, you
    must log them out.

• When violations occur because someone used someone else's login,
  both employees are subject to disciplinary action.
Password Management
• All passwords should have at least six (6) characters and be
• Passwords assigned for all systems, including networks, are
  recommended to be difficult to guess.
• Personal information such as a family member's name, social
  security number, street address and birthday should not be
  used unless accompanied by additional unrelated characters.
• Passwords should also not be any part of common speech,
  such as proper names (e.g. historical figures, cities), acronyms,
  or slang.
• Passwords may not be used longer than one hundred and
  twenty (120) days.
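A check that applies the password rules listed above, as an added example that is not part of the training material; the common-speech wordlist, the number of "additional unrelated characters" required and the sample dates are assumptions:

```python
# Added example, not from the Adams Health Network slides: a check for the
# Password Management rules on this page (at least 6 characters, no personal
# information unless accompanied by additional unrelated characters, no proper
# names/acronyms/slang, and no password used longer than 120 days). The
# wordlist, the "additional unrelated characters" count and the dates are
# assumptions made for the illustration.
from datetime import date

MIN_LENGTH = 6          # "at least six (6) characters"
MAX_AGE_DAYS = 120      # "may not be used longer than ... (120) days"
MIN_EXTRA_CHARS = 3     # assumed meaning of "additional unrelated characters"

# Constructed stand-in for a list of proper names, acronyms and slang.
COMMON_SPEECH = {"lincoln", "chicago", "hipaa", "ephi", "lol", "password"}


def check_password(password, personal_info, last_changed, today):
    """Return the rules the password breaks; an empty list means compliant.

    personal_info: strings the slide says not to build a password from
    (a family member's name, SSN, street address, birthday).
    """
    problems = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    # Common speech: the password is a name/acronym/slang term, with at most
    # digits appended (a common way to "dress up" a dictionary word).
    if lower.rstrip("0123456789") in COMMON_SPEECH:
        problems.append("common speech (proper name, acronym or slang)")
    # Personal information is tolerated only if enough unrelated characters
    # accompany it; here that means MIN_EXTRA_CHARS characters beyond the item.
    for item in personal_info:
        item_l = item.lower()
        if item_l and item_l in lower and len(password) - len(item_l) < MIN_EXTRA_CHARS:
            problems.append("built from personal information (%s)" % item)
    if needs_rotation(last_changed, today):
        problems.append("older than %d days, must be changed" % MAX_AGE_DAYS)
    return problems


def needs_rotation(last_changed, today):
    """True once the password has been used longer than the 120-day limit."""
    return (today - last_changed).days > MAX_AGE_DAYS
```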
User Responsibilities

• Passwords must be promptly changed if it is known or
  suspected that they have been disclosed to unauthorized

• Users must not write their passwords down unless:
  • They have effectively concealed such passwords in a string of
  • They have used a coding system to conceal the password
  • They keep them in a secure place where unauthorized persons cannot gain
    access to them.
• Individual passwords must not be shared with anyone.

• Users are responsible for all activity performed with their
  personal user-IDs.

• User-IDs may not be utilized by anyone but the individuals to
  whom they have been issued.

• Users who have forgotten or misplaced their passwords must
  contact the MIS department.
Logging off
• Adams Health Network’s workforce members will log off of
  computer systems that contain ePHI before leaving the
  • Logging off of a computer system with ePHI is the initial
    responsibility of the user.
  • Prior to leaving the workstation, the workforce member must log off
    or lock the computer (by simultaneously pressing the Windows key and
    L on the keyboard).

[Image: Windows key + L key]

  This DOES NOT sign you out of any software. When you return, you will
  re-enter the Windows password and the screen will be where you left it.
Automatic log off
• Automatic Logoff is an automatic function used to terminate an
  electronic session after a predetermined time of inactivity.

• When a system has Automatic Log-off functionality and the
  occurrence will not affect the performance of the task, automatic
  logoff will be activated after a predetermined time of inactivity not
  to exceed 15 minutes.

• On computers that use systems that do not have the functionality, or where
  the occurrence will affect the performance of the task, a screen saver
  will be implemented after a predetermined time of inactivity.

• On terminals that are unique to a specific user or group, a password
  protected screen saver will be used.
Adams Health Network will limit physical access to its protected health
information (PHI) and electronic information systems and the facilities in
which they are housed, while ensuring that properly authorized access is
allowed, thus preventing unauthorized access and reducing theft, vandalism,
and other threats to security and privacy.
• All areas containing PHI, ePHI, and other sensitive
  information with direct access to public areas will be
  locked when not in use.

Granting Access
• All keys and codes will be issued by the
  Maintenance Department.
• All name badges will be issued by the Human
  Resources Department.
• Keys are not to be duplicated.
• Keys/Codes/Badges are not to be given to anyone
  other than the person they were issued to.
Workstation, Fax and Printer Location/Positioning
• The display monitors for all equipment that processes
  sensitive data will be positioned so they cannot be readily
  viewed by anyone other than the person using the

• All display monitors will utilize screen savers that
  automatically execute when the monitor has no
  activity after a period of 1-5 minutes.
Employee Responsibilities
• All employees will be required to wear name badges
  while working in the facility. The badges must be worn
  in a manner so both the photograph and information are visible.
  Members are not to share their name badges with ANYONE!

• Computer screens will be turned in a manner so ePHI is not
  visible to the public.

• Staff will make every effort to conceal or screen medical records,
  faxes, and other documentation containing PHI.

• Electronic records should be closed or screened when not needed
  for access.
Employee Responsibilities continued:
• Verbal communication should be conducted in the
  most discreet manner possible.

• Screen savers will be utilized on all monitors.

• Computer printouts, faxes, medical records, and
  other paper records should not be left in open work
  areas so as to expose the contents of the records.
  Files and papers should be put away when not in use.

• File cabinets and storage areas will be locked when
  not in use, and/or no one is present in the immediate
Employee Responsibilities continued:
• Faxes, computer printouts, and copies/originals that are sent to
  a common area should be collected, read, acted on, filed
  appropriately, or shredded as soon as possible.

• All activities related to the handling of sensitive information
  must be conducted in areas that are physically secured and
  protected against unauthorized access, interference, and

• All PHI will be placed in shred bins located on all units.
  • “Cintas,” a document management company, empties and
    removes all PHI from our facility monthly.
  • If a shred bin in your area is full prior to the monthly
    disposal, contact Housekeeping to empty it.
Non-Employee Access
• All non-employees needing access to an area containing PHI & ePHI
  will be accompanied by an employee having authorization to be in the
  area, to ensure that no PHI & ePHI is reviewed, removed, or in any
  other way compromised.

• Visitors requiring an escort include patients, visitors, former
  employees, worker family members or friends, equipment repair
  contractors, package delivery company staff, law enforcement
  personnel, and any other non-employee of the Adams Health Network.

• When an unescorted visitor is observed within a restricted area, the
  visitor must be immediately questioned about the purpose for being
  in the restricted area; the visitor must then be directly accompanied to
  either a reception area or the person/department they came to see.
Non-Employee Access continued
• Patients, and their visitors, will not be allowed to enter areas
  with access to sensitive information, such as nursing units,
  treatment areas, diagnostic areas, etc., without the presence
  of appropriate staff.

• Vendors should wear their company’s ID.

• Departmental staff must control visitor and other third party
  access to the MIS department, communication closets, computer
  facilities, and work areas containing sensitive information.

• Under NO circumstances will a vendor be given a key
  (combination, access code, or other security token) to access
  locations with PHI & ePHI.
Terminating Facility Access
• An inventory of authorized employees, identifying who has access to
  sensitive areas containing PHI & ePHI, will be maintained by Human
  Resources. Maintenance will record who has keys.

• When it is no longer necessary for a person to have access, the
  immediate supervisor will collect the key(s) from the employee and
  return the key to the Maintenance Department within 24 hours of the
  termination date. If the key to the Data Center is not returned upon
  termination, the locks will be changed.

• The supervisor must inform Human Resources of the termination
  within 24 hours of the date. The name badge access will be inactivated.
Employees Access To Their Own Electronic Record
• It is inappropriate to access your own ePHI
  without following the proper procedures as that of
  a patient.

• If it is not your immediate job responsibility, the
  same applies to family members, co-workers, and
• Adams Health Network is responsible to protect the integrity of
  all medical records.

• Preventing employees from gaining unauthorized access to their
  own record reduces the potential for an incorrect record.

• Accessing your own ePHI is a violation of the Minimum
  Necessary Rule Policy.
• Discrimination: If we were to allow employees the right to
  access their own record without following appropriate
  procedures, it would be unfair to employees with less security.

• Clean Audit: When running audits, if there is personal access to
  employees', co-workers', and family records, this raises concern
  for a HIPAA violation and a detailed audit is performed.

• Accessing your own record is a violation of our Sanction Policy
  and disciplinary action will be implemented.
• Employees are not to access the ePHI of their family, co-workers,
  friends, etc. if it is not to do their job.

• Access of this nature is flagged on audits; therefore, when in doubt,
  do not proceed and rather request another co-worker to complete
  the task.

• Even if an employee or physician requests you to retrieve their
  ePHI, they should be encouraged to use the proper procedure for
  authorization and access.
• Employees are not to access their own ePHI for any

• If employees unintentionally access their own PHI (for
  example: a transcriptionist automatically retrieves a dictation
  of their own outpatient consult), the process is to:
  • Exit out of the ePHI ASAP.
  • Report the occurrence to their manager.
  • The manager will have the employee complete the
    form Unintentional Access to ePHI and maintain this
    document in case an audit identifies the alleged
Test Patients During Training
• Use a Test Patient rather than yourself, a family
  member, friend, or co-worker for training.

• (Contact IT Dept. if you need the name of a test
Appropriate Process to Gain Access to ePHI:
• If the task that needs to be done is part of your job responsibility, you must act as a
  “patient” and go through the same channels with another employee to complete
  the task.

• Listed below are examples of appropriate scenarios:
  • When a registration clerk is scheduled for a radiology test, another registration clerk
    needs to register her.
  • When a physician calls asking a radiology employee for that employee’s own chest x-ray
    report, the employee should hand the request to another radiology employee.
  • When a Health Information Services employee is scanning and comes across their own
    documents, they need to give the documents to another employee to scan.
  • When a lab tech comes across their vial of blood, they should ask another lab employee
    to result it.
Appropriate Process to Gain Access to ePHI continued:
• To retrieve your medical records or those of family members, you (or the
  patient, if an adult) must proceed to the appropriate department and complete
  the necessary paperwork.

• Necessary Emergency Access:
  Only to access your record in the event that there is no other workforce
  member available at the time the information is required by a health
  care practitioner.
“Unintentional or Necessary Emergency Access to ePHI” Form:
• This form is to be completed when employees “unintentionally” access
  ePHI or had an incident where "emergency access was necessary."

• The employee should then forward the completed form to their

• When the HIPAA Security Officer audits this account number and
  presents you with concerns, this documentation will be important to
  support your employee as to why they accessed the ePHI.
Unintentional or Necessary Emergency Access to ePHI

Employee Name: ___________________________________ Employee #:______________

Division: _____________ Department: __________ Supervisor:______________________

Job Description:_____________________________

Date of Occurrence: ____________________ Date of Form Completion:_______________

Account Number Accessed: _________________ Relationship to Employee:____________

Please describe in detail what prompted the unintentional access:

Signature of Employee:__________________________________ Date:_______________

Signature of Supervisor:_________________________________ Date:_______________

Supervisors, please keep this for your records. You may have the employee type on the form
and “save as” in your network folder to eliminate a paper copy. When we audit this account
number and present to you with the concern, this documentation will be important. If you
believe there needs to be further investigation now, please forward this information to Joan
Engels or Brent Senesac.
Device & Media Controls
• Adams Health Network workforce members are
  responsible to protect media such as drives (permanent &
  removable), diskettes, compact discs, tapes, flash drives,
  PDAs, & any other device that is capable of storing ePHI
  within the facilities & when they enter or leave the facility.

• Cell phones/Blackberries & personal storage devices
  should not be used to take or store ePHI (including photos
  of patients or patient information).
• All CDs, DVDs, diskettes, tapes, optical disks, computer hard, flash or
  other drives containing ePHI must go through an electronic “shredding
  device”, zeroing or degaussing, or a high security wipe prior to disposal.

• PHI and other confidential information in hardcopy form (paper,
  microfilm, microfiche, etc.) must be shredded, incinerated, or placed in a
  secure bin designated for the disposal of confidential information.

• All offices and other areas where PHI and other confidential information is
  handled must have operational shredders or appropriate secured bins
  designated for the disposal and destruction of this information.
Transmission Security
• Virus detection software must be installed and
  enabled on all the organization firewalls, FTP
  servers, mail servers, intranet servers, and
  desktop machines.

• Intelligent workstations (PCs) and servers must
  regularly run integrity checking software in order
  to detect changes in configuration files, system
  software files, application software files, and
  other system resources.

• All computer-readable files received from
  external sources must be decrypted prior to the
  virus checking process.

• All Adams Health Network employees are to ensure the
  confidentiality, integrity, and availability of electronic
  protected health information according to HIPAA Security
  Regulations no matter what form of communication the
  information is in.
Electronic Communication
• When leaving messages on voice mail pertaining to a patient, no identifying
  information, such as social security number, birth date, complete name,
  diagnosis, etc., will be left on the voice mail.

• We must protect the patient’s confidentiality if a patient does not wish another
  family member to know the information or if the caller has the wrong number.

• Please state the following when leaving a message for a patient: “This is
  (employee name) from (Facility). Could __ (first name of patient only) please
  return my call @ (phone #)? Thank you.”

• If the patient is not home, do not give identifying information to the person
  taking the message. Only leave the message to return your call.

• When the person returns the call, have them speak the identifiable information to
  confirm it is the correct person.
• Do NOT email ePHI outside the Adams Health Network.
  • The recipient must have a (username)@adamshospital.com address.
  • Any other domain is not automatically protected from viewing by third

• AHN has an email encryption program available.
  • If there is a need for this program, contact MIS for installation and

• If you receive an email with ePHI from another organization and it is not
  encrypted (encrypted: needing a password to view the information), you must
  contact our ePHI Security Officer and delete the email.

• If you receive an email with ePHI from another location and it is encrypted, yet
  the password was sent with the email or in the same email account, you must
  contact the sender to send you the password via fax, phone, or another email
Instant Messaging
• The instant messenger managed by Adams Health Network
  is a secure connection; therefore ePHI may be messaged to
  perform necessary work tasks.

• Any other instant messaging not provided by AMH (i.e.
  Yahoo, MSN) is not secure; therefore no ePHI may be
Internet Usage (includes, but is not limited to, Social Networking, Blogging)

• The internet is not to be used for obtaining, transmitting, or transferring
  patient information via social media, blogs, and email/instant messaging.

• Under FTC requirements, employees should be reminded of their obligation to
  disclose that they are an employee of their employer whenever they
  communicate information about the employer.

• When employees identify themselves in this manner, they should be encouraged
  to make it clear that the comments reflect their own thoughts and opinions and
  not those of their employer.

• AHN staff are prohibited from disclosing AHN’s confidential information or its
  customers’ private information.
Internet Usage (includes, but is not limited to, Social Networking, Blogging) continued
• Staff are NOT to disclose a patient’s protected health information as
  regulated under HIPAA.
  • Even without using a patient's name, giving enough information that someone may
    identify the patient (i.e., condition, room number, date of service) is a
    HIPAA violation.

• Please be cautioned when posting information that may negatively
  impact you, co-workers, and the organization's missions, values, and

• Staff using AHN information systems and/or the Internet should realize
  that their communications are not automatically protected from
  viewing by third parties.
  • Unless encryption is used, staff should not send information over the
Mobile Usage (Texting, Pictures, Storing ePHI)
Mobile Device (includes, but is not limited to, cell phones, iPads, tablets, etc.)

• AHN employees are required to NOT use any personal, non-work related
  storage device for storing ePHI.

• AHN employees are not to obtain photos of patients or ePHI with their
  personal storage devices.

• Text messaging is an acceptable use of communication between work force
  members; however, text messages are not to include ANY patient
  information as it is not a protected communication method from third
• At any time and without prior notice, AHN management reserves the
  right to examine e-mail, personal file directories, and other information
  stored on AHN computers.
  • This examination assures compliance with internal policies,
    supports the performance of internal investigations, and assists
    with the management of AHN information systems.

• If you receive a message containing ePHI from another workforce
  security member, please delete it, ask them to refrain from sending
  patient information in an unsecure manner, and report the issue to your
  manager or the HIPAA Privacy/Security Officer.
• Adams Health Network will protect electronic protected health
  information (ePHI) from improper alteration or destruction.

• Only authorized workforce members will be allowed to review, enter,
  or modify protected health information.

• Any user that experiences a computer virus must call the MIS
  Department immediately. Users are prohibited from attempting to
  eradicate a computer virus unless they do so while in communication
  with authorized support personnel.

• Workers must not download software from the Internet (i.e. screen
  savers, games, music), or any other systems outside the organization,
  unless authorization is received from the MIS Department and
  appropriate department management.
• Users must not use any externally provided software from a person
  or organization other than a known and trusted supplier. The only
  exception to this is when such software has first been tested and
  approved by the MIS Department.

• Whenever feasible, software running on workstations must be
  write-protected such that an error will be generated if a
  computer virus tries to modify the software.

• Users must not intentionally write, generate, compile, copy,
  collect, execute, or introduce any computer code designed to
  self-replicate, damage, or otherwise hinder the performance
  of or access to any computer, network, or information.

• The company who provides network connections will ensure
  that viruses and other internet threats are monitored and
  eliminated, as well.
Security Incident
• An IT Security Incident (“Incident”) is any activity that harms or
  represents a serious threat to the whole or part of AHN
  computer, voicemail, and network-based resources such that
  there is an absence of service, inhibition of functioning systems,
  including unauthorized changes to hardware, firmware,
  software or data, unauthorized exposure, change or deletion of
  ePHI, or a crime or natural disaster that destroys access to or
  control of these resources.

• Routine detection and remediation of a “virus,” “malware” or
  similar issue that has little impact on the day-to-day business is
  not considered an Incident under this policy.
• The Security Incident Response Policy defines standard methods
  for identifying, tracking and responding to network and
  computer-based IT Security Incidents.

• This policy governs the general response, documentation and
  reporting of incidents affecting computerized and electronic
  communication information resources, such as theft, intrusion,
  misuse of data, denial of service, corruption of software,
  computer- and electronic communication-based HIPAA violations,
  and incidents reported to AHN by other institutions and business
Identity Theft

Adams Health Network strives:
• to prevent the intentional or inadvertent misuse of patient names,
  identities, and medical records;

• to report criminal activity relating to identity theft and theft of
  services to appropriate authorities;

• to take steps to correct and/or prevent further harm to any person
  whose name or other identifying information is used unlawfully or
The act of knowingly obtaining, possessing, buying, or using the personal
identifying information of another with the intent to commit any unlawful act
including, but not limited to, obtaining or attempting to obtain credit, goods,
services or medical information in the name of such other person; without the
consent of such other person; or (b) without the lawful authority to obtain,
possess, buy or use such identifying information.
Theft of services
• Intentionally obtaining services by
  deception, fraud, coercion, false
  pretense or any other means to avoid
  payment for the services

• Having control over the disposition of
  services to others, knowingly diverting
  those services to the person's own
  benefit or to the benefit of another not
  entitled to those services
Signs of Possible Identity Theft: “Red Flags”
• Registered patient with a popped-up “Just Like Message” giving information

• Patient providing a photo ID that does not match the patient

• Patient giving a social security number different than one used on a previous visit.

• Patient giving information that conflicts with information in the patient’s file or
  received from third parties, such as insurance companies

• Family members/friends calling the patient by a name different than provided by
  the patient at registration.

• Signature inconsistent with previous signature.

• Personal identifying information associated with known fraud activity.

• Suspicious address supplied, such as a mail drop or prison, or phone numbers
  associated with pagers or an answering service.
What to do if you suspect Identity Theft?
• Continue the care of the patient.

• Contact your supervisor or House Supervisor.

• Inform other ancillary departments.

• If the patient is still in the building, the supervisor will
  investigate and determine if law enforcement personnel need

• If the patient is not in the building, the supervisor will contact
  the ePHI Security/HIPAA Privacy Officer.

• Everything should be documented and reviewed by the ePHI
  Security/HIPAA Privacy Officer and presented to administration.
Ways you can prevent Identity Theft…
• Be careful when sorting patient documents.
  Make sure all labels and documents are correct.

• Be careful and make sure all information is correct
  when faxing, mailing, delivering, or directly handing
  information off to others.

• Be careful to obtain and confirm all identifying
  information when entering data in the computer.

• Be on watch for people lurking in areas they are not
  authorized to be in.

protect the IDENTITY of our
Security Breach
What is a breach?

The acquisition, access, use or release of protected
health information (PHI) in a manner not permitted under
the Privacy Rule which compromises the security or
privacy of the PHI.

“Compromises the security or privacy of the PHI” = poses
a significant risk of financial, reputational, or other harm
to the individual

Most common form of Data

When a workforce member, because of celebrity curiosity, domestic disputes, or
second guessing clinician opinions, accesses a patient’s ePHI without a need to do their
Penalties for Breaches
• The Secretary of Health and Human Services will base
  its penalty determination on the nature and extent of
  both the violation and the harm caused by the

• The maximum penalty is $50,000 per violation, with a
  cap of $1,500,000 for all violations of an identical
  requirement or prohibition during a calendar year.

• The minimum civil monetary penalties are tiered
  based upon the organization’s perceived liability for
  the HIPAA violation.
Tier A – If the offender did not know
  $100 for each violation; the total for all violations of an
  identical requirement during a calendar year cannot
  exceed $25,000.

Tier B – Violation due to reasonable cause, not willful neglect
  $1,000 for each violation; the total for all violations of an
  identical requirement during a calendar year cannot
  exceed $100,000.

Tier C – Violation due to willful neglect, but was corrected
  $10,000 for each violation; the total for all violations of an
  identical requirement during a calendar year cannot
  exceed $250,000.

Tier D – Violation due to willful neglect, but was NOT corrected
  $50,000 for each violation; the total for all violations of an
  identical requirement during a calendar year cannot
  exceed $1,500,000.
Disciplinary Action for HIPAA

• Determined on a case-by-case basis and dependent
  upon the severity of the violation

• Action can range from a verbal warning with
  remediation to suspension or termination

• Disciplinary actions are maintained in the
  employee’s personnel file
Sanctions for Privacy &
Security Related Issues

• 3 Levels of Sanctions:
  • Level 1: Carelessness

  • Level 2: Curiosity or concern

  • Level 3: Personal Gain or Malice
Level 1 Carelessness
• Employee unintentionally or carelessly accesses, reviews
  or reveals PHI to him/herself or others without a
  legitimate need to know
• Examples:

   • Employees discussing PHI in public areas;

   • Employees leaving copies of PHI in publicly accessible areas;

   • Failing to log off computer terminals when left unattended;

   • Accessing his/her own medical record;

   • Requesting another employee to access his/her medical record;

   • Sharing passwords;

   • E-mailing PHI outside the organization (excluding the domain: adamshospital.com);

   • Not securing the storage or disposal of laptops, CDs, and other portable devices
     containing electronic PHI.
Disciplinary Sanctions
• Considering the facts on a case-by-case basis actions could
  include the following (and are not necessarily progressive):

  • Training/counseling;

  • Verbal warning and training;

  • Written warning and training;

  • Final written warning or suspension (unpaid);

  • Termination.
Level 2 Curiosity or Concern
• Employee intentionally accesses, reveals or discusses
  PHI for purposes other than the care of the patient or as
  needed to perform their job—but unrelated to person
• Level 2 violations are a purposeful disregard of
  organizational policies.
Curiosity or Concern
• Examples:

  • Employees looking up birth dates or addresses of friends or relatives;

  • Employees accessing and reviewing medical records out of curiosity
    or concern;

  • Employees reviewing a public personality’s medical records;

  • Releasing PHI inappropriately;

  • Employees inappropriately accessing daily census reports;

  • Repeated Level 1 violations
Disciplinary Sanctions
• Considering the facts on a case-by-case basis the actions could
  include the following (and are not necessarily progressive):

  • Oral warning with training.

  • Written warning with training.

  • One to three day suspension (unpaid)
    with training.

  • Termination of employment.
Level 3 Personal gain or Malice
• Employee accesses, reviews or discusses PHI for personal
  gain or with malicious intent and there is a malicious
  disregard of organizational policies
Personal gain or Malice
• Examples
  • An employee reviews a patient’s medical record to use information in
    a personal relationship;

  • An employee compiles a mailing list for personal use or to be sold for
    monetary gifts;

  • Releasing data for personal gain;

  • Destroying or altering data intentionally;

  • Releasing data with the intent to harm an individual or the

  • Repeated Level 2 violations
Disciplinary Sanctions
• Considering the facts on a case-by-case basis actions could
  include the following (and are not necessarily progressive):

  • One to three day suspension (unpaid) with training

  • Dependent upon the severity, termination of employment.
AHN HIPAA Violations for
• AHN had 17 HIPAA privacy/security violations (18 complaints)

• Notified 29 patients whose PHI we breached

• Reported 3 cases to U.S. Department of Health & Human Services (DHHS),
  Office of Civil Rights re: our actions for these 29 patients

• Terminated one staff member, suspended (unpaid) one staff member
  and had a Business Associate terminate one of their staff members
AHN 2011 HIPAA Violations
  1. Disclosed PHI to incorrect patient – 5 Violations

  2. Faxed PHI to the incorrect fax number – 4 Violations

  3. Accessed PHI NOT needed to do their job – 2 Violations

  4. Sent PHI in an e-mail outside of “adamshospital.com”
     without encrypting it – 1 Violation.

  5. Left PHI in cafeteria – 1 Violation

  6. Put PHI on Facebook – 1 Violation

  7. Released PHI without proper authorization – 1 Violation

  8. Business Associate issues – 2 Violations
Reporting Violations

• Individuals who observe or are aware of
  suspected violations must report them to either
  the Department Manager or to the Privacy
  Officer, Joan Engels, in a manner that maintains
  the privacy of both the patient(s) and the

• If it is a Department Manager who is the person
  committing the violation, report it to the
  Department Manager’s supervisor or Joan Engels.
