HIPAA Sanctions Policy
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that covered entities have and apply appropriate sanctions against members of their workforce who fail to comply with the privacy policies and procedures of the entity or with the requirements of the Privacy Rule (45 CFR § 164.530(e)(1)). Accordingly, it is the intention of Westmoreland County to ensure the confidentiality and integrity of consumer and/or employee protected health information (PHI) as required by law, professional ethics, and accreditation and/or licensure requirements. This policy establishes agency policy, guidance, and standards for workforce performance expectations in carrying out the provisions of HIPAA, and the corrective action(s) that may be imposed to address privacy violations.
Consumer and/or employee PHI will be regarded as confidential and may not be used or disclosed except by authorized users for approved purposes. Access to PHI is permitted only for direct consumer care, approved administrative and/or supervisory functions, or with the approval of the Privacy Officer or the Human Resources Director.
Permitted Use and Disclosures
COUNTY is permitted to use or disclose PHI in the following instances:
- To the individual who is the subject of the PHI;
- In compliance with consent to carry out treatment, payment or health care operations;
- Without consent, if consent is not required and has not been sought;
- In compliance with valid authorization;
- Pursuant to an Agreement.
COUNTY is required to disclose PHI in the following instances:
- To an individual, when requested under and as required by § 164.524 (Access of individuals to PHI) or § 164.528 (Accounting of disclosures of PHI) of the HIPAA Regulations;
- To specific private entities that provide services under contractual agreement (health benefits, life insurance, Workers' Compensation, etc.) in order to provide such services;
- When required by the Privacy Officer or Human Resources Director to investigate or determine compliance with HIPAA requirements.
When using or disclosing PHI, or when requesting PHI from another covered entity, COUNTY will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Sanctions will not apply to disclosures that qualify as whistleblower or crime victim disclosures under the conditions below. COUNTY is not considered to have violated the PHI use and disclosure requirements if the disclosure is made by an employee or business associate as follows:
Disclosure by Whistleblowers:
The employee or business associate acts in good faith on the belief that:
- COUNTY has engaged in conduct that is unlawful or otherwise violates professional or clinical standards; or,
- The care, services or conditions provided by COUNTY potentially endanger one or more consumers, employees or members of the general public;
and the disclosure is made to one of the following:
- A federal or state health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of COUNTY;
- An appropriate health care accreditation organization, for the purpose of reporting the allegation of failure to meet professional standards or misconduct by COUNTY; or,
- An attorney retained by or on behalf of the employee or business associate, for the purpose of determining the legal options of the employee or business associate with regard to the conduct described above.
Disclosure by Crime Victims:
A covered entity is not considered to have violated the use and disclosure requirements if a member of its workforce who is the victim of a criminal act discloses PHI to a law enforcement official about the suspected perpetrator of the criminal act, provided the PHI disclosed is limited to what is needed to identify and locate the suspected perpetrator.
Mitigating circumstances are conditions that support reducing a sanction in the interest of fairness and objectivity, and they will be considered in determining the sanction imposed. Separately, COUNTY will mitigate, to the extent practicable, any harmful effect that is known to COUNTY to have resulted from a use or disclosure of PHI in violation of HIPAA regulations or this policy.
COUNTY will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who:
- Exercises his or her rights under HIPAA or participates in COUNTY's complaint process; or,
- Files a complaint with the Secretary of Health and Human Services; or,
- Testifies, assists, or participates in an investigation, compliance review, proceeding or hearing; or,
- Opposes any act or practice made unlawful under HIPAA, provided that the individual acts in good faith believing the practice to be unlawful, the manner of opposition is reasonable, and the opposition does not involve a disclosure of PHI in violation of HIPAA regulations.
Employees found to have violated the PHI use and disclosure provisions will be disciplined in accordance with County disciplinary policies, up to and including termination of employment. The type of sanction will be determined on a case-by-case basis and will depend on the intent of the individual and the severity of the violation. The offenses listed below, while not all-inclusive, are organized into groups according to the severity of the violation.
Group I: Improper and/or unintentional disclosure of PHI records.
This level of breach occurs when an employee unintentionally or carelessly accesses or reviews consumer or employee PHI without a legitimate need to know, or reveals it to others who lack one. Examples include, but are not limited to: an employee discusses consumer information in a public area; an employee leaves a copy of consumer medical information in a public area; an employee leaves a computer unattended in an accessible area with consumer information unsecured.
Group II: Unauthorized use and/or misuse of PHI or records.
This level of breach occurs when an employee intentionally accesses or discloses PHI in a manner that is inconsistent with COUNTY policies and procedures, but for reasons unrelated to personal gain. Examples include, but are not limited to: an employee looks up the birth dates or addresses of friends or relatives; an employee accesses and reviews the record of a consumer out of curiosity or concern; an employee reviews a public personality's record.
Group III: Willful and/or intentional disclosure of PHI or records.
This level of breach occurs when an employee accesses, reviews or discloses PHI for personal gain or with malicious intent. Examples include, but are not limited to: an employee reviews a consumer's record in order to use the information in a personal relationship; an employee compiles a mailing list for personal use or for sale.
Employees who observe or become aware of a breach must immediately report it to their Supervisor. The Supervisor will report the breach to the Privacy Officer, who will notify the Human Resources Director.
Failure to report a breach of which one has knowledge will result in appropriate disciplinary action. Reporting a breach in bad faith or for malicious reasons will also result in appropriate disciplinary action.
Clear-cut Group I Breaches
For a breach involving any staff member that is clearly a Group I breach, the Privacy Officer, in conjunction with the employee's Supervisor and the Human Resources Director, will develop and implement an appropriate Plan of Correction in a timely manner.
Breaches Other Than Clear-cut Group I Breaches
For all breaches other than a clear-cut Group I breach, the Privacy Officer will establish an Investigation Team that includes senior Management and Human Resources representation, with legal counsel participation or consultation.
The Investigation Team will conduct an appropriate investigation, commensurate with the level of breach and the specific facts. This may include, but is not limited to, interviewing the employee accused of the breach, interviewing other employees or consumers, and reviewing documentation.
Upon conclusion of the investigation, the Investigation Team will prepare a written report including all findings and conclusions regarding the alleged breach and forward it to the Privacy Officer. The Executive Director will make the final determination of the appropriate disciplinary action based on the report of the Investigation Team.
Reporting and Filing Requirements
For all levels of breach, after final resolution the initial report and all supporting documentation will be retained in a confidential file maintained by the Privacy Officer. A copy of the report and supporting documentation will also be placed in the employee's Personnel File.
Under 45 CFR § 164.530(d), a covered entity must provide a process for individuals to make complaints to the covered entity concerning its privacy policies and procedures, its compliance with those policies and procedures, or its compliance with the HIPAA Privacy Rule itself. The covered entity is also required to document all complaints received and their disposition.
The complaint process gives an individual an opportunity for review of decisions, actions, or failures to act that impact privacy rights and helps the County to identify policies and procedures that are unfair, wrong, or not in agreement with the law.
Filing a Complaint
- A statement informing individuals of the process for complaining about violations of the County's privacy policies and procedures is contained in the "Notice of Privacy Practices", which the individual receives upon enrollment in a program and which is available on the County's website.
- The complaint must be filed within 180 days of when the individual knew or should have known that the act or failure to act occurred.
- The individual must submit the complaint to the Privacy Officer, in writing or in electronic format, and describe the act or failure to act that adversely affects his or her privacy rights.
- The individual may also file a complaint with the United States Department of Health and Human Services, Office for Civil Rights at any time. See the Section relating to Complaints to DHHS, Enforcement and Penalties.
Individual's Right to Appeal
The individual may appeal the decision of the Privacy Officer or complain to the DHHS, Office for Civil Rights. See the Section relating to Complaints to DHHS, Enforcement and Penalties.
Complaints to DHHS, Enforcement and Penalties
- Any person who believes a covered entity has not complied with the requirements of the Privacy Rule may file a complaint with DHHS. The complaint must be filed in writing (on paper or electronically) within 180 days after the person knew or should have known that the violation occurred, unless DHHS waives this time limit for good cause. DHHS may then investigate the complaint, including a review of the pertinent policies, procedures, and practices of the covered entity and the circumstances underlying any alleged acts or omissions concerning compliance.
- DHHS may also conduct compliance reviews of covered entities. The Program Offices must submit quarterly compliance reviews to the Privacy Officer, who will submit compliance reports to DHHS upon request. The County is required to cooperate with any complaint investigation or compliance review and must permit DHHS access to its facilities, books, records, accounts and other sources of information.
- Where there is a finding of noncompliance, DHHS will provide written notice to the County and, if there is a complainant, to the complainant, and will then attempt to resolve the matter by informal means whenever possible. If the matter cannot be resolved informally, DHHS may issue written findings documenting the noncompliance to the County and to the complainant (if applicable).
- The Privacy Rule provides stringent penalties for covered entities that violate its requirements, including civil money penalties of $100 per violation, up to $25,000 per person per calendar year for each standard violated. (These are the amounts as originally enacted; the current civil penalty tiers are set out in 45 CFR Part 160, Subpart D.) Criminal penalties also apply:
- Up to $100,000 and five years in prison for obtaining PHI under false pretenses;
- Up to $250,000 and ten years in prison for obtaining or disclosing PHI with the intent to sell it.