Module 3- HIPAA Employee Corrective Action Process for Breach of Patient Confidentiality



SLIDE 1

Module 3- HIPAA Employee Corrective Action Process for Breach of Patient Confidentiality

SLIDE 2

Objectives

• Demonstrate the process to protect patient, employee and MHHS from inappropriate access, tampering or dissemination of Protected Health Information (PHI).
• Define the corrective action for Privacy and Security Breaches.

SLIDE 3

Policy Purpose

The purpose of this Policy is to protect the Patient, Employee(s), and Memorial Hermann from inappropriate access, tampering or dissemination of Protected Health Information and to set forth the corrective action process for Breaches.

SLIDE 4

Definitions

Capitalized terms used but not otherwise defined shall have the meaning provided under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its implementing policies and procedures.

SLIDE 5

Definitions Cont.

1. Breach means acquisition, access, use or disclosure of PHI which violates the HIPAA Privacy Rule and Compromises the Security or Privacy of the PHI. A Breach excludes:
(i) Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Memorial Hermann or a Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule.

SLIDE 6

Definitions Cont.

(ii) Any inadvertent disclosure by a person who is authorized to access PHI at Memorial Hermann or Business Associate to another person authorized to access PHI at Memorial Hermann or Business Associate, or organized health care arrangement in which Memorial Hermann participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule.
(iii) A disclosure of PHI where Memorial Hermann or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

SLIDE 7

Definitions Cont.

Compromises the Security or Privacy of the PHI means an acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule. Such an acquisition, access, use, or disclosure is presumed to be a Breach unless Memorial Hermann or its Business Associate, as applicable, demonstrates, based upon a risk assessment of at least the following factors, that there is a low probability that the PHI has been compromised:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.

SLIDE 8

Definitions Cont.

2. Privacy Violation: a breach of confidentiality involving the verbal, written, or electronic.
3. Information Security Violation: a breach of the integrity, availability, or confidentiality of a system or any failure to adhere to approved information security policies for electronic information and systems.
4. Reportable Event: any known or suspected incident, action or practice inconsistent with any Memorial Hermann privacy or information security policy.
5. Negligent Act: a reportable event resulting from lack of care or attention to process or procedure, or to carelessness.

SLIDE 9

Definitions Cont.

6. Deliberate Act: a reportable event resulting from a deliberate act.
7. Self-reported Accidental Act: an unintentional or unexpected follow an established procedure that is promptly reported by the individual responsible for the event to the Privacy Office.
8. Complaint: PHI files a complaint with the Memorial Hermann Privacy Office, other Memorial Hermann facility authority, or Office of Civil Rights.

SLIDE 10

Policy Statement

Report any potential or actual Breaches, Privacy Violations, Information Security Violations, or Reportable Events, immediately (same day) upon discovery, to the Memorial Hermann Privacy Office and take appropriate action to address each verified violation according to this Policy. Each Memorial Hermann Clinical Staff, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, and Vendor is responsible for reporting any known or suspected Breach, Privacy Violation, Information Security Violation, or Reportable Event, or any other action or practice that is inconsistent with any Memorial Hermann privacy or information security policy to the Memorial Hermann Privacy Office.

SLIDE 11

Policy Statement Cont.

Individuals who accidentally violate the confidentiality or security of information policy are expected to promptly self-report the incident. Failure to self-report an accidental Breach is considered a Negligent Act. The Privacy Office is responsible for investigation and evaluation of the specific facts and circumstances of each reported Breach, Privacy Violation, Information Security Violation, or Reportable Event, to determine if a violation has occurred and if so, the level of the violation.

SLIDE 12

Policy Statement Cont.

Factors considered in evaluating the reported event include:
• The degree to which the specifics of the alleged incident can be verified through audit trails, interviews or other facts;
• Whether the conduct that led to the incident was negligent or deliberate;
• Whether the incident was a promptly self-reported accident;
• Whether inappropriate use, disclosure, or conduct caused harm or is likely to cause harm to a patient, other person, or information infrastructure operations;
• The number of individuals or systems that were affected by the incident.

SLIDE 13

Policy Statement Cont.

If the Privacy Office determines that a violation has occurred, he/she will notify the Clinical Staff, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, and Vendor and the associated (when appropriate). The Privacy Office will also work with Human Resource Advice & Counsel Services to determine the level of corrective action warranted. All corrective actions, verbal, written, final written, and termination, must be entered into Workday no later than seven (7) working days after corrective action is taken.

SLIDE 14

Levels of Violations

1. Level I: Negligent Act Unintentional
a. This level of violation occurs when a Clinical Staff, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, Vendor, or anyone associated with Memorial Hermann unintentionally or carelessly does something that leaves Protected Health Information (PHI) or Confidential Information susceptible to being overheard, accessed, or revealed to unauthorized individuals.

SLIDE 15

Levels of Violations (Level 1 continued)

b. Corrective Action for Level I Violations:
1. Verbal
2. Written
3. Final Written
4. Termination
c. Examples of Level I Violations include:
1. Accidentally emailing a file that includes PHI or other Confidential Information to the wrong person or persons;
2. Accidentally faxing PHI or Confidential Information to an incorrect fax number.

SLIDE 16

Levels of Violations (Level 2)

2. Level 2: Negligent Act Intentional
a. This level of violation occurs when a Clinical Staff, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, Vendor, or anyone associated with Memorial Hermann takes an action that fails to comply with a privacy or information security procedure or policy, resulting in potential or actual Breach, Privacy Violation, Information Security Violation, or Reportable Event.

SLIDE 17

Levels of Violations (Level 2 continued)

b. Corrective Action for Level 2 Breach:
1) Written
2) Final Written
3) Termination
c. Examples of Level 2 violations include:
1. Releasing information to a caller about a Patient without proper consent, authorization or verification;
2. Releasing information about a Patient who is designated as a care of the Patient or otherwise required to have access to the information to do their job at Memorial Hermann.

SLIDE 18

Levels of Violations (Level 2 continued)

3. Gossiping or sharing information about a Memorial Hermann have access to that information;
4. Failure to follow defined policies or procedures that result in unintentional disclosure or incidental disclosure of highly sensitive patient information causing distress or harm to the Patient;
5. Failure to account for disclosures as required by law and policy within Memorial Hermann Web Disclose Tracking system;
6. Sharing ID/password with another person or using another system in which the user does not have role-based access;
7. Leaving PHI visible and accessible to the public and others not authorized to have access to the information;

SLIDE 19

Levels of Violations (Level 2 continued)

8. Repeated incidents of Level I violations or self-reported accidental acts;
9.
10. Looking up birthdates, addresses, or other demographic or insurance information about a Patient without a need to know;
11. Accessing or connecting to Memorial Hermann information systems (e.g., computers, servers, routers, switches) without authorization;
12. Attempting to gain unauthorized or inappropriate access to any system or data.

SLIDE 20

Levels of Violations (Level 3)

3. Level 3: Blatant Disregard Of Confidentiality (Personal Gain or Malicious Intent)
a. This level of violation occurs when a Clinical Staff, Employee, Independent Contractor, Agency Staff member, Trainee, Volunteer, Vendor, or any other person associated with Memorial Hermann accesses, reviews, or discloses PHI or Confidential Information or fails to comply with information security safeguards that result in loss of availability, integrity, and confidentiality of systems or data for personal gain or with malicious intent.

SLIDE 21

Levels of Violations (Level 3 continued)

b. Corrective Action for Level 3 Violation:
1. Final Written
2. Termination
c. Examples of Level 3 violations include:
1. Accessing or allowing access to patient information without having a legitimate reason and disclosure or abuse of the information for personal gain or malicious intent;
2. Compiling a mailing list for personal use or to be sold;

SLIDE 22

Levels of Violations (Level 3 continued)

3. Tampering with or unauthorized destruction of PHI or Confidential Information;
4. Deliberate acts that adversely affect the integrity, availability, and/or confidentiality of Memorial Hermann information systems (e.g., introduction of a virus to the Memorial Hermann network).

SLIDE 23

Levels of Violations

The nature of some violations is serious enough to warrant specific disciplinary action as opposed to implementing progressive action steps. minimum written warning and maximum of termination of employment and could result in a referral to the appropriate authorities for criminal investigation.

SLIDE 24

Levels of Violations Cont.

that information to someone else not otherwise authorized to access that information, whether it is to a Memorial Hermann employee or someone outside of Memorial Hermann, results in a final written warning, up to and including termination of employment. Gaining unauthorized access to any system containing PHI or Confidential Information and compromising the integrity, availability, or confidentiality of the system or any data results in a final written warning, up to and including termination of employment.

SLIDE 25

Scope

owned by Memorial Hermann and (iii) all facilities and entities controlled and operated by Memorial Hermann.

SLIDE 26

Summary

The purpose of this policy is to protect the patient, employee and Memorial Hermann from inappropriate access, tampering or dissemination of protected health information. A privacy and/or security breach means: acquisition, access, use or disclosure of protected health information which violates the HIPAA Privacy Rule and compromises the security or integrity of the medical record.

SLIDE 27

Summary

Employees are not to access patient information that is not directly related to their job duties. Employees are not to disclose patient information to those who are password.

SLIDE 28

Summary

You must always lock your computer when you are away from your work area. You are responsible for all activity under your user name and password. A Reportable Event is any known or suspected incident, action or practice inconsistent with any Memorial Hermann privacy or information security policy.

SLIDE 29

Summary

There are three (3) levels of breach:
• Level 1: Negligent Unintentional (carelessness).
• Level 2: Negligent Intentional.
• Level 3: Blatant disregard of confidentiality (personal gain, malicious intent).

SLIDE 30

Summary

All breach levels will receive a corrective action, and the corrective action will be documented in the employee file in Workday within 7 days following the action taken. Workforce members must report any potential or actual Breach, Privacy or Security Policy Violations immediately (same day) upon discovery, to the Memorial Hermann Privacy Office. All breaches are investigated by the Privacy Office, and only the Privacy Office may determine the level of a confirmed breach.

SLIDE 31

Summary

information will result in a minimum written warning and maximum of termination of employment. information and disclosure of that information to someone else not authorized to have access to that information, whether it is to a Memorial Hermann employee or someone outside of Memorial Hermann, will result in a final written warning, up to and including termination of employment.

SLIDE 32

References

Policy: HIPAA Employee Corrective Action Process for Breach of Patient Confidentiality.

SLIDE 33