Confidentiality / HIPAA

Electronic Protected Health Information (ePHI)

Examples of ePHI:
• Patient names
• Diagnosis
• Date of birth / age
• Address / room number
• Social Security number
• Test results
• Past health conditions
• Treatments and medications
• Account number, or any number that is specific to a patient

RISK ANALYSIS & MANAGEMENT

All Adams Health Network computer systems containing patient information are required to go through a risk analysis process. To see the risk analysis for the computer systems in your area, go to: Working Policies & Procedures > HIPAA Folder > ePHI Security Folder > Risk Analysis Folder

System Activity & Review (Auditing)
• Adams Memorial Hospital and the members of Adams Health Network regularly review, record, and examine activity in information systems that contain or use electronic protected health information.

Audit Logs
• Selective Auditing: Each quarter the IT Department or designated staff will audit 10 specific patients and print a log of activity. If the patient is an employee, the ePHI Security Officer will request a meeting with the employee to review the audit and identify anyone who may have accessed the record inappropriately. All suspicious activity will be investigated.
• Login Monitoring Auditing: Each month the ePHI Security Officer will review an audit of specific failed login attempts. Any suspicious pattern of repeated failed attempts will be investigated.
• Time Specific Auditing: Each quarter the manager will review an audit of 5 random employees and 50% of contract employees to identify any activity at unusual hours. Any suspicious activity will be investigated.
• IP Address Auditing: Each month the MIS department will perform and review an audit of IP addresses to evaluate any suspicious external activity.
• Suspicious Auditing: At any time a suspicion arises about an employee, the Director of Support Services will run an audit based on user ID or patient name.
The ePHI Security Officer, along with the Privacy Officer and the manager of the employee, will review and document any questionable access of ePHI.

Target Auditing
• Any employee may request an audit of who accessed their records while they were a patient by completing the Employee Audit Request Form.
• All audit requests are to be directed to the ePHI Security Officer or the HIPAA Privacy Officer.
• During a new hire's probationary period, an audit will be performed to identify any suspicious activity.

Workforce Security
• Adams Health Network ensures that all of its members have appropriate access to electronic health information and will prevent those who do not have access from obtaining it.
• HIPAA Security Training must be completed before access is granted to computer systems with ePHI.
• Any employee, student, or volunteer who works in an area where ePHI is stored will either have authorization to the information or require supervision by someone who does.

Workforce Security Form
• Identifies the member having authorization or needing supervision.
• An ePHI Workforce Security Authorization Form must be completed:
  • upon new hire
  • upon job status change
  • annually upon evaluation
• This form is maintained by Human Resources and is available to the ePHI Security Officer for review.

Staff Awareness & Training
• Security training is required for all workforce members, whether or not they access protected health information.
• Education is provided to employees initially during orientation and annually during Race Day.
• Periodic newsletters prepared by the Privacy/Security Officer, Joan Engels, containing new information and reminders may be sent out through department-wide email, posted by time clocks, attached to the Adams Family Newsletter, and delivered to the physician mailboxes.

UNIQUE USER IDENTIFICATION
• Each user is assigned an identification label (LOG-IN) that belongs to that user and only that user.
• System processes use this label to identify the user and to associate the user with tracked actions taken by or on behalf of that user.
• Do NOT share your LOGIN!
• You are responsible for the activity that occurs under your login. Therefore, when you leave a computer, you must LOG OUT (sign off). If you come up to a computer and someone else is logged in, you must log them out.
• When violations occur because someone used someone else's login, both employees are subject to disciplinary action.

Password Management
• All passwords must have at least six (6) characters and be alphanumeric (letters and digits).
• Passwords assigned for all systems, including networks, should be difficult to guess.
• Personal information such as a family member's name, Social Security number, street address, or birthday must not be used unless accompanied by additional unrelated characters.
• Passwords must not be any part of common speech, such as proper names (e.g. historical figures, cities), acronyms, or slang.
• Passwords may not be used for longer than one hundred and twenty (120) days.

Password Management: User Responsibilities
• Passwords must be changed promptly if it is known or suspected that they have been disclosed to unauthorized parties.
• Users must not write their passwords down unless:
  • they have effectively concealed the password in a string of characters, or
  • they have used a coding system to conceal the password, and
  • the written copy is kept in a secure place where unauthorized persons cannot gain access to it.
• Individual passwords must not be shared with anyone.
• Users are responsible for all activity performed with their personal user IDs.
• User IDs may not be used by anyone but the individual to whom they were issued.
• Users who have forgotten or misplaced their passwords must contact the MIS Department.

Logging Off
• Adams Health Network workforce members will log off of computer systems that contain ePHI before leaving the terminal.
• Logging off of a computer system with ePHI is the initial responsibility of the user.
• Before leaving the workstation, the workforce member must log off or lock the computer (press the Windows key and the L key together). Locking DOES NOT sign you out of any software: when you return, you re-enter your Windows password and the screen is where you left it.

Automatic Logoff

Automatic logoff is an automatic function that terminates an electronic session after a predetermined period of inactivity. Where a system has automatic logoff functionality and its use will not affect the performance of the task, automatic logoff will be activated after a predetermined period of inactivity not to exceed 15 minutes. On computers running systems that lack the functionality, or where its use would affect the performance of the task, a screen saver will be implemented after a predetermined period of inactivity. On terminals that are unique to a specific user or group, a password-protected screen saver will be used.

FACILITY ACCESS CONTROL

Adams Health Network will limit physical access to its protected health information (PHI), its electronic information systems, and the facilities in which they are housed, while ensuring that properly authorized access is allowed. This prevents unauthorized access and reduces theft, vandalism, and other threats to security and privacy.

All areas containing PHI, ePHI, and other sensitive information with direct access to public areas will be locked when not in use.

Granting Access
• All keys and codes will be issued by the Maintenance Department.
• All name badges will be issued by the Human Resources Department.
• Keys are not to be duplicated.
• Keys, codes, and badges are not to be given to anyone other than the person to whom they were issued.
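The audit program described under System Activity & Review above (monthly review of repeated failed logins, quarterly review of access at unusual hours, monthly review of external IP addresses, and the "clean audit" rule that flags access to one's own or a relative's record) amounts to a small set of detection rules run over the EHR access log. The block below is an added example, not a tool from the AHN deck or any EHR vendor: the log format, the user-to-account mapping from HR, the 07:00 to 19:00 shift window, the 10.0.0.0/8 internal range and the five-failures-in-ten-minutes threshold are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Audit checks over a constructed EHR access log (added example, not AHN code).

Assumptions: a whitespace-separated log of <timestamp> <user> <event> <account> <ip>,
an HR feed mapping each user to their own patient account and listed relatives,
a 07:00-19:00 normal shift, 10.0.0.0/8 as the internal network, and a threshold of
five failed logins within ten minutes.  A real EHR's audit log uses its own schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: timestamp, user, event, patient account ("-" if none), source IP.
SAMPLE_LOG = """\
2011-03-02T08:15:02 jdoe   LOGIN_OK    -       10.10.4.21
2011-03-02T08:16:40 jdoe   VIEW        A10001  10.10.4.21
2011-03-02T02:13:10 rsmith VIEW        A10007  10.10.4.30
2011-03-02T11:02:00 tlee   LOGIN_FAIL  -       10.10.5.12
2011-03-02T11:02:08 tlee   LOGIN_FAIL  -       10.10.5.12
2011-03-02T11:02:15 tlee   LOGIN_FAIL  -       10.10.5.12
2011-03-02T11:02:21 tlee   LOGIN_FAIL  -       10.10.5.12
2011-03-02T11:02:30 tlee   LOGIN_FAIL  -       10.10.5.12
2011-03-02T14:40:11 jdoe   VIEW        A20555  10.10.4.21
2011-03-02T15:01:45 mkhan  VIEW        A10003  203.0.113.9
"""

# Assumed HR feed: each user's own patient account, and accounts of listed relatives.
OWN_ACCOUNT = {"jdoe": "A20555", "rsmith": "A30001", "tlee": "A30002", "mkhan": "A30003"}
RELATED_ACCOUNTS = {"rsmith": {"A10007"}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SHIFT = (7, 19)                       # assumed normal hours: 07:00 to 18:59
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)


def parse_log(text):
    """Turn the raw log into a list of event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, acct, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                       "acct": None if acct == "-" else acct, "ip": ipaddress.ip_address(ip)})
    return events


def repeated_failed_logins(events):
    """Login Monitoring: users with FAIL_THRESHOLD or more failures inside FAIL_WINDOW."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = []
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):   # sliding window over sorted times
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                flagged.append(user)
                break
    return flagged


def off_hours_access(events):
    """Time Specific Auditing: ePHI views outside the assumed shift window."""
    return [(e["user"], e["acct"]) for e in events
            if e["event"] == "VIEW" and not (SHIFT[0] <= e["ts"].hour < SHIFT[1])]


def self_or_family_access(events):
    """Clean Audit: views of the user's own account or a listed relative's account."""
    hits = []
    for e in events:
        if e["event"] != "VIEW":
            continue
        if e["acct"] == OWN_ACCOUNT.get(e["user"]):
            hits.append((e["user"], e["acct"], "self"))
        elif e["acct"] in RELATED_ACCOUNTS.get(e["user"], ()):
            hits.append((e["user"], e["acct"], "relative"))
    return hits


def external_ip_activity(events):
    """IP Address Auditing: any activity from outside the internal ranges."""
    return sorted({(e["user"], str(e["ip"])) for e in events
                   if not any(e["ip"] in net for net in INTERNAL_NETS)})


def run_audit(text=SAMPLE_LOG):
    """Run every check and return the findings keyed by check name."""
    events = parse_log(text)
    return {"failed_logins": repeated_failed_logins(events),
            "off_hours": off_hours_access(events),
            "self_family": self_or_family_access(events),
            "external_ip": external_ip_activity(events)}


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings}")
```

Each finding is a lead for the reviewer named in the policy, not a verdict: the off-hours rule needs the employee's actual schedule, and the self/family rule is only as good as the HR relationship data behind it, which is why the Unintentional or Necessary Emergency Access form exists to explain a flagged access.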
Workstation, Fax and Printer Location/Positioning
• The display monitors of all equipment that processes sensitive data will be positioned so they cannot be readily viewed by anyone other than the person using the monitor.
• All display monitors will use screen savers that execute automatically when the monitor has had no activity for 1 to 5 minutes.

Employee Responsibilities
• All employees are required to wear name badges while working in the facility. Badges must be worn so that both the photograph and the information are visible.
• Members are not to share their name badges with ANYONE!
• Computer screens will be turned so that ePHI is not visible to the public.
• Staff will make every effort to conceal or screen medical records, faxes, and other documentation containing PHI.
• Electronic records should be closed or screened when not needed.
• Verbal communication should be conducted in the most discreet manner possible (NOT IN HALLWAYS, ELEVATORS, CAFETERIA, ETC.).
• Screen savers will be used on all monitors.
• Computer printouts, faxes, medical records, and other paper records should not be left in open work areas where the contents could be exposed.
• Files and papers should be put away when not in use.
• File cabinets and storage areas will be locked when not in use and/or when no one is present in the immediate area.
• Faxes, computer printouts, and copies/originals sent to a common area should be collected, read, acted on, filed appropriately, or shredded as soon as possible.
• All activities related to the handling of sensitive information must be conducted in areas that are physically secured and protected against unauthorized access, interference, and damage.
• All PHI will be placed in the shred bins located on all units. "Cintas," a document management company, empties and removes all PHI from our facility monthly. If a shred bin in your area is full before the monthly disposal, contact Housekeeping to empty it.

Non-Employee Access
• All non-employees needing access to an area containing PHI and ePHI will be accompanied by an employee authorized to be in the area, to ensure that no PHI or ePHI is reviewed, removed, or in any other way compromised.
• Visitors requiring an escort include patients, visitors, former employees, workers' family members or friends, equipment repair contractors, package delivery company staff, law enforcement personnel, and any other non-employee of the Adams Health Network.
• When an unescorted visitor is observed within a restricted area, the visitor must immediately be asked the purpose of their presence in the restricted area and then be accompanied directly to either a reception area or the person/department they came to see.
• Patients and their visitors will not be allowed to enter areas with access to sensitive information (nursing units, treatment areas, diagnostic areas, etc.) without the presence of appropriate staff.
• Vendors should wear their company's ID.
• Departmental staff must control visitor and other third-party access to the MIS Department, communication closets, computer facilities, and work areas containing sensitive information.
• Under NO circumstances will a vendor be given a key (combination, access code, or other security token) to locations with PHI and ePHI.

Terminating Facility Access
• An inventory of authorized employees, identifying who has access to sensitive areas containing PHI and ePHI, will be maintained by Human Resources. Maintenance will record who has keys.
• When it is no longer necessary for a person to have access, the immediate supervisor will collect the key(s) from the employee and return them to the Maintenance Department within 24 hours of the termination date. If the key to the Data Center is not returned upon termination, the locks will be changed.
• The supervisor must inform Human Resources of the termination within 24 hours of the date. Name badge access will be inactivated.

EMPLOYEE ACCESS TO THEIR OWN ELECTRONIC RECORD

It is inappropriate to access your own ePHI without following the same procedures as any other patient. The same applies to the records of family members, co-workers, and friends when access is not part of your immediate job responsibility.

Adams Health Network is responsible for protecting the integrity of all medical records. Preventing employees from gaining unauthorized access to their own record reduces the potential for an incorrect record. Accessing your own ePHI is a violation of the Minimum Necessary Rule Policy.

Discrimination: If employees were allowed to access their own record without following the appropriate procedures, it would be unfair to employees with lower security access.

Clean Audit: When audits are run, personal access to the records of employees, co-workers, or family members raises concern of a HIPAA violation, and a detailed audit is performed. Accessing your own record is a violation of our Sanction Policy, and disciplinary action will be taken.

Employees are not to access the ePHI of family, co-workers, friends, etc. unless it is required to do their job. Access of this nature is flagged on audits; when in doubt, do not proceed, and ask another co-worker to complete the task. Even if an employee or physician asks you to retrieve their ePHI, encourage them to use the proper procedure for authorization and access.

Employees are not to access their own ePHI for any purpose. If an employee unintentionally accesses their own PHI (for example, a transcriptionist automatically retrieves a dictation of their own outpatient consult), the process is:
• Exit the ePHI as soon as possible.
• Report the occurrence to their manager.
The manager will have the employee complete the Unintentional Access to ePHI form and keep it on file in case an audit identifies the alleged breach.

Test Patients During Training
Use a test patient rather than yourself, a family member, a friend, or a co-worker for training purposes. (Contact the IT Department if you need the name of a test patient.)

Appropriate Process to Gain Access to ePHI
If the task that needs to be done is part of your job responsibility, you must act as a "patient" and go through the same channels with another employee to complete the task. Examples of appropriate handling:
• When a registration clerk is scheduled for a radiology test, another registration clerk needs to register her.
• When a physician calls asking a radiology employee for that employee's own chest x-ray report, the employee should hand the request to another radiology employee.
• When a Health Information Services employee is scanning and comes across their own documents, they need to give the documents to another employee to scan.
• When a lab tech comes across their own vial of blood, they should ask another lab employee to result it.

To retrieve your medical records or those of family members, you (or the patient, if an adult) must go to the appropriate department and complete the necessary paperwork.

Necessary Emergency Access: Access your own record only when there is no other workforce member available at the time the information is required by a health care practitioner.

"Unintentional or Necessary Emergency Access to ePHI" Form: This form is completed when an employee "unintentionally" accesses ePHI or has an incident where "emergency access was necessary." The employee forwards the completed form to their supervisor. When the HIPAA Security Officer audits the account number and raises concerns, this documentation supports the employee's explanation of why they accessed the ePHI.

Unintentional or Necessary Emergency Access to ePHI

Employee Name: ______________________________  Employee #: ______________
Division: _____________  Department: __________  Supervisor: ______________________
Job Description: _____________________________
Date of Occurrence: ____________________  Date of Form Completion: _______________
Account Number Accessed: _________________  Relationship to Employee: ____________
Please describe in detail what prompted the unintentional access:

Signature of Employee: __________________________________  Date: _______________
Signature of Supervisor: _________________________________  Date: _______________

Supervisors, please keep this for your records. You may have the employee type on the form and "save as" in your network folder to eliminate a paper copy. When we audit this account number and present the concern to you, this documentation will be important. If you believe further investigation is needed now, please forward this information to Joan Engels or Brent Senesac.
Device & Media Controls
• Adams Health Network workforce members are responsible for protecting media such as drives (permanent and removable), diskettes, compact discs, tapes, flash drives, PDAs, and any other device capable of storing ePHI, both within the facilities and when the media enter or leave the facility.
• Cell phones/BlackBerries and personal storage devices must not be used to take or store ePHI (including photos of patients or patient information).

Disposal
• All CDs, DVDs, diskettes, tapes, optical disks, and computer hard, flash, or other drives containing ePHI must go through an electronic "shredding device", zeroing, degaussing, or a high-security wipe prior to disposal.
• PHI and other confidential information in hardcopy form (paper, microfilm, microfiche, etc.) must be shredded, incinerated, or placed in a secure bin designated for the disposal of confidential information.
• All offices and other areas where PHI and other confidential information is handled must have operational shredders or appropriate secured bins designated for the disposal and destruction of this information.

Transmission Security
• Virus detection software must be installed and enabled on all of the organization's firewalls, FTP servers, mail servers, intranet servers, and desktop machines.
• Intelligent workstations (PCs) and servers must regularly run integrity checking software to detect changes in configuration files, system software files, application software files, and other system resources.
• All computer-readable files received from external sources must be decrypted prior to the virus checking process (a scanner cannot inspect content it cannot read).

ePHI SECURITY: ELECTRONIC COMMUNICATION (EMAIL, SOCIAL MEDIA, VOICEMAIL, TEXT, ETC.)

All Adams Health Network employees are to ensure the confidentiality, integrity, and availability of electronic protected health information according to the HIPAA Security Regulations, no matter what form of communication the information is in.
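The integrity-checking requirement under Transmission Security above is, at its core, a baseline-and-compare operation: record a cryptographic hash of every configuration, system and application file, and later report anything added, removed or altered. The following is an added example written for this page, not the product the policy refers to and not AHN code; the directory tree it hashes is a constructed temporary tree and the file names in it are invented for the demonstration.

```python
"""Baseline-and-compare file integrity check (added example, not AHN or vendor code).

Assumptions: files are identified by path relative to a monitored root, SHA-256 is the
hash, and the baseline is a JSON file kept somewhere the monitored host cannot rewrite.
The tree built in demo() is constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def compare(baseline, current):
    """Report what differs between a stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    # The baseline must live where the monitored host cannot alter it (read-only media or
    # another system); an intruder who edits a config file can otherwise edit its recorded hash.
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)

        # Constructed "clean" state.
        write("etc/app.conf", "audit=on\nlogoff_minutes=15\n")
        write("bin/app.exe", "original program bytes")
        write("etc/old.conf", "obsolete")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated tampering: a config edit, a replaced binary, a deleted file, a dropped-in file.
        write("etc/app.conf", "audit=off\nlogoff_minutes=15\n")
        write("bin/app.exe", "trojaned program bytes")
        os.remove(os.path.join(root, "etc/old.conf"))
        write("bin/helper.dll", "unexpected new file")

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A scheduled run of this comparison against the protected baseline is what "regularly run integrity checking software" means in practice; any entry under "changed" or "added" on a system file is a candidate Security Incident for the MIS Department, and a "removed" entry is just as telling.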
Electronic Communication Security: Voicemail
• When leaving a voicemail message pertaining to a patient, no identifying information (Social Security number, birth date, complete name, diagnosis, etc.) will be left on the voicemail. We must protect the patient's confidentiality in case the patient does not wish another family member to know the information, or the caller has the wrong number.
• Please state the following when leaving a message for a patient: "This is (employee name) from (facility). Could (first name of patient only) please return my call at (phone number)? Thank you."
• If the patient is not home, do not give identifying information to the person taking the message. Only ask that the patient return your call.
• When the person returns the call, have them state the identifying information themselves to confirm it is the correct person.

Electronic Communication Security: Email
• Do NOT email ePHI outside the Adams Health Network. The recipient must have a (username)@adamshospital.com address. Mail to any other domain is not automatically protected from viewing by third parties.
• AHN has an email encryption program available. If you need this program, contact MIS for installation and training.
• If you receive an email with ePHI from another organization and it is not encrypted (encrypted: a password is needed to view the information), you must contact our ePHI Security Officer and delete the email.
• If you receive an email with ePHI from another location and it is encrypted, but the password was sent with the email or to the same email account, you must contact the sender and have them send the password by fax, phone, or a different email account.

Electronic Communication Security: Instant Messaging
• The instant messenger managed by Adams Health Network is a secure connection; therefore ePHI may be messaged through it to perform necessary work tasks.
• Any other instant messaging service not provided by AMH (e.g. Yahoo, MSN) is not secure; therefore no ePHI may be messaged through it.
Electronic Communication Security: Internet Usage (includes, but is not limited to, social networking and blogging)
• The Internet is not to be used for obtaining, transmitting, or transferring patient information via social media, blogs, or email/instant messaging.
• Under FTC requirements, employees are reminded of their obligation to disclose that they are an employee of their employer whenever they communicate information about the employer. When employees identify themselves in this manner, they should make clear that the comments reflect their own thoughts and opinions and not those of their employer.
• AHN staff are prohibited from disclosing AHN's confidential information or its customers' private information.
• Staff are NOT to disclose a patient's protected health information as regulated under HIPAA. Even without using a patient's name, posting enough information that someone may identify the patient (e.g. condition, room number, date of service) is a HIPAA violation.
• Be cautious when posting information that may negatively impact you, co-workers, or the organization's mission, values, and reputation.
• Staff using AHN information systems and/or the Internet should realize that their communications are not automatically protected from viewing by third parties. Unless encryption is used, staff should not send sensitive information over the Internet.

Electronic Communication Security: Mobile Usage (texting, pictures, storing ePHI)
• Mobile devices include, but are not limited to, cell phones, iPads, tablets, etc.
• AHN employees must NOT use any personal, non-work-related storage device for storing ePHI.
• AHN employees are not to take photos of patients or ePHI with their personal devices.
• Text messaging is an acceptable means of communication between workforce members; however, text messages are not to include ANY patient information, because text is not protected from third parties.

Electronic Communication Security: Monitoring
• At any time and without prior notice, AHN management reserves the right to examine email, personal file directories, and other information stored on AHN computers. This examination assures compliance with internal policies, supports internal investigations, and assists with the management of AHN information systems.
• If you receive a message containing ePHI from another workforce member over an unsecured channel, delete it, ask the sender to refrain from sending patient information in an unsecured manner, and report the issue to your manager or the HIPAA Privacy/Security Officer.

TRANSMISSION SECURITY & INTEGRITY
• Adams Health Network will protect electronic protected health information (ePHI) from improper alteration or destruction. Only authorized workforce members will be allowed to review, enter, or modify protected health information.
• Any user who experiences a computer virus must call the MIS Department immediately. Users are prohibited from attempting to eradicate a computer virus unless they do so while in communication with authorized support personnel.
• Workers must not download software from the Internet (e.g. screen savers, games, music) or from any other system outside the organization unless authorization is received from the MIS Department and the appropriate department management.
• Users must not use any externally provided software from a person or organization other than a known and trusted supplier. The only exception is software that has first been tested and approved by the MIS Department.
• The virus detection, integrity checking, and decrypt-before-scan requirements listed under Transmission Security above apply here as well.
• Whenever feasible, software running on workstations must be write-protected so that an error is generated if a computer virus tries to modify the software.
• Users must not intentionally write, generate, compile, copy, collect, execute, or introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of or access to any computer, network, or information.
• The company that provides our network connections will also ensure that viruses and other Internet threats are monitored and eliminated.

Security Incident

An IT Security Incident ("Incident") is any activity that harms or represents a serious threat to the whole or part of AHN's computer, voicemail, and network-based resources, such that there is an absence of service or inhibition of functioning systems, including unauthorized changes to hardware, firmware, software, or data; unauthorized exposure, change, or deletion of ePHI; or a crime or natural disaster that destroys access to or control of these resources. Routine detection and remediation of a "virus," "malware," or similar issue that has little impact on day-to-day business is not considered an Incident under this policy.

The Security Incident Response Policy defines standard methods for identifying, tracking, and responding to network and computer-based IT Security Incidents.
This policy governs the general response, documentation, and reporting of incidents affecting computerized and electronic communication information resources, such as theft, intrusion, misuse of data, denial of service, corruption of software, computer- and electronic-communication-based HIPAA violations, and incidents reported to AHN by other institutions and business entities.

Identity Theft

Adams Health Network strives:
• to prevent the intentional or inadvertent misuse of patient names, identities, and medical records;
• to report criminal activity relating to identity theft and theft of services to the appropriate authorities;
• to take steps to correct and/or prevent further harm to any person whose name or other identifying information is used unlawfully or inappropriately.

Identity theft is the act of knowingly obtaining, possessing, buying, or using the personal identifying information of another with the intent to commit any unlawful act, including, but not limited to, obtaining or attempting to obtain credit, goods, services, or medical information in the name of such other person, (a) without the consent of such other person, or (b) without the lawful authority to obtain, possess, buy, or use such identifying information.

Theft of services includes:
• Intentionally obtaining services by deception, fraud, coercion, false pretense, or any other means to avoid payment for the services.
• Having control over the disposition of services to others and knowingly diverting those services to the person's own benefit or to the benefit of another not entitled to those services.

Signs of Possible Identity Theft ("Red Flags")
• A "Just Like" message pops up for a registered patient, giving information.
• The patient provides a photo ID that does not match the patient.
• The patient gives a Social Security number different from the one used on a previous visit.
• The patient gives information that conflicts with information in the patient's file or received from third parties, such as insurance companies.
• Family members or friends call the patient by a name different from the one provided at registration.
• The signature is inconsistent with previous signatures.
• Personal identifying information is associated with known fraud activity.
• A suspicious address is supplied, such as a mail drop or prison, or phone numbers associated with pagers or an answering service.

What to do if you suspect identity theft
• Continue the care of the patient.
• Contact your supervisor or the House Supervisor.
• Inform other ancillary departments.
• If the patient is still in the building, the supervisor will investigate and determine whether law enforcement personnel need to be notified.
• If the patient is not in the building, the supervisor will contact the ePHI Security/HIPAA Privacy Officer.
• Everything should be documented, reviewed by the ePHI Security/HIPAA Privacy Officer, and presented to administration.

Ways you can prevent identity theft
• Be careful when sorting patient documents. Make sure all labels and documents are correct.
• Be careful and make sure all information is correct when faxing, mailing, delivering, or directly handing information to others.
• Be careful to obtain and confirm all identifying information when entering data in the computer.
• Be on watch for people lurking in areas where they are not authorized to be.
It is our RESPONSIBILITY to protect the IDENTITY of our PATIENTS!

Security Breach

What is a breach? The acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
"Compromises the security or privacy of the PHI" means it poses a significant risk of financial, reputational, or other harm to the individual.

Most common form of data breach: a workforce member, because of celebrity curiosity, a domestic dispute, or second-guessing a clinician's opinion, accesses a patient's ePHI without needing it to do their job.

Penalties for Breaches

The Secretary of Health and Human Services bases the penalty determination on the nature and extent of both the violation and the harm caused by it. The maximum penalty is $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year. The minimum civil monetary penalties are tiered according to the organization's culpability for the HIPAA violation:
• Tier A (the offender did not know): $100 for each violation; the total for all violations of an identical requirement during a calendar year cannot exceed $25,000.
• Tier B (violation due to reasonable cause, not willful neglect): $1,000 for each violation; the total for all violations of an identical requirement during a calendar year cannot exceed $100,000.
• Tier C (violation due to willful neglect, but corrected): $10,000 for each violation; the total for all violations of an identical requirement during a calendar year cannot exceed $250,000.
• Tier D (violation due to willful neglect, NOT corrected): $50,000 for each violation; the total for all violations of an identical requirement during a calendar year cannot exceed $1,500,000.
Disciplinary Action for HIPAA Violations
• Determined on a case-by-case basis, depending on the severity of the violation.
• Action can range from a verbal warning with remediation to suspension or termination.
• Disciplinary actions are maintained in the employee's personnel file.

Sanctions for Privacy & Security Related Issues

There are three levels of sanctions:
• Level 1: Carelessness
• Level 2: Curiosity or Concern
• Level 3: Personal Gain or Malice

Level 1: Carelessness
• The employee unintentionally or carelessly accesses, reviews, or reveals PHI to him/herself or others without a legitimate need to know.
• Examples:
  • Discussing PHI in public areas;
  • Leaving copies of PHI in publicly accessible areas;
  • Failing to log off computer terminals when left unattended;
  • Accessing his/her own medical record;
  • Requesting another employee to access his/her medical record;
  • Sharing passwords;
  • Emailing PHI outside the organization (that is, outside the adamshospital.com domain);
  • Not securing the storage or disposal of laptops, CDs, and other portable devices containing electronic PHI.
• Disciplinary sanctions, considering the facts on a case-by-case basis, may include the following (and are not necessarily progressive):
  • Training/counseling;
  • Verbal warning and training;
  • Written warning and training;
  • Final written warning or suspension (unpaid);
  • Termination.

Level 2: Curiosity or Concern
• The employee intentionally accesses, reveals, or discusses PHI for purposes other than the care of the patient or as needed to perform their job, but unrelated to personal gain.
• Level 2 violations are a purposeful disregard of organizational policies.
• Examples:
  • Looking up birth dates or addresses of friends or relatives;
  • Accessing and reviewing medical records out of curiosity or concern;
  • Reviewing a public personality's medical records;
• Releasing PHI inappropriately; • Employees inappropriately accessing daily census reports; • Repeated Level 1 violations Disciplinary Sanctions • Considering the facts on a case-by-case basis the actions could include the following (and are not necessarily progressive): • Oral warning with training. • Written warning with training. • One to three day suspension (unpaid) with training. • Termination of employment. Level 3 Personal gain or Malice • Employee accesses, reviews or discusses PHI for personal gain or with malicious intent and there is a malicious disregard of organizational policies Personal gain or Malice • Examples • An employee reviews a patient’s medical record to use information in a personal relationship; • An employee compiles a mailing list for personal use or to be sold for monetary gifts; • Releasing data for personal gain; . • Destroying or altering data intentionally; • Releasing data with the intent to harm an individual or the organization; • Repeated Level 2 violations Disciplinary Sanctions • Considering the facts on a case-by-case basis actions could include the following (and are not necessarily progressive): • One to three day suspension (unpaid) with training • Dependent upon the severity, termination of employment. AHN HIPAA Violations for 2011 AHN had 17 HIPAA privacy/security violations (18 complaints) Notified 29 patients whose PHI we breached Reported 3 cases to U.S. Department of Health & Human Services (DHHS), Office of Civil Rights re: our actions for these 29 patients Terminated one staff member, suspended (unpaid) one staff member and had a Business Associate terminate one of their staff members AHN 2011 HIPAA Violations 1. Disclosed PHI to incorrect patient – 5 Violations 2. Faxed PHI to the incorrect fax number – 4 Violations 3. Accessed PHI NOT needed to do their job – 2 Violations 4. Sent PHI in an e-mail outside of “adamshospital.com” without encrypting it – 1 Violation. 5. Left PHI in cafeteria – 1 Violation 6. 
Put PHI on facebook – 1 Violation 7. Released PHI without proper authorization – 1 Violation 8. Business Associate issues – 2 Violations Reporting Violations Individuals who observe or are aware of suspected violations must report them to either the Department Manager or to the Privacy Officer, Joan Engels, in a manner that maintains privacy of both the patient(s) and the employee(s). If it is a Department Manager who is the person committing the violation report it to the Department Manager’s supervisor or Joan Engels.