HSDMHDC TRAINING

1
HSDM/HDC TRAINING

• HIPAA SANCTIONS

2
This presentation will cover

• Sanctions Policy
• Sanctions Procedures
• Sanctions Guidelines Grid

3
Sanctions Policy

• This policy establishes processes for
• Workforce members to report any activity they
  feel may be in violation
• Investigating complaints and suspected violations
• Guidelines for sanctions

4
Sanctions Policy

• All workforce members have an obligation to
  report any activity that they feel is in
  violation of federal or state law, or our
  policies and procedures related to HIPAA to the
  Privacy Officer (John Da Silva) and/or
  Information Security Officer (Mary Cassesso).
• Because of this obligation, workforce members
  have the right to question situations they feel
  are violations.

5
Sanctions Policy

• Violations will be taken seriously and may result
  in sanctions.
• Sanctions are the penalties and actions taken in
  response to a violation.
• The entire workforce will be informed through
  training sessions of the potential consequences
  of violations.

6
Sanctions Policy

• Remember . . .
• It is the patients right to make a complaint to
  HSDM/HDC and/or the Secretary of the Department
  of Health and Human Services (HHS)/Office for
  Civil Rights (OCR) concerning our compliance with
  HIPAA rules and our privacy and security policies
  and procedures.

7

• The fact that a complaint has been made will not
  negatively impact a patients dental care and
  HSDM/HDC will not take any kind of retaliatory
  action against any patient or workforce member
  when they
• File a complaint or incident report
• Bring to light a situation they feel is
  inappropriate
• Provide information to or testify against the
  alleged offending individual or HSDM/HDC
• Refuse to participate in an activity if they feel
  it violates a federal or state law or HSDM/HDC
  policies and procedures

8
Sanctions Procedures

• As mentioned earlier, violations will be taken
  seriously and may result in sanctions.
• Sanctions may include
• Oral or written warnings
• Suspension, immediate termination of employment,
  faculty appointment, or student enrollment, loss
  of clinical privileges or business contract with
  HSDM/HDC
• Reporting violations to outside agencies and law
  enforcement officials or licensing boards, which
  could result in civil or criminal penalties.

9
Sanctions Procedures

• Sanctions must be based on
• The severity of the violation and its impact
• Whether the violation was intentional or
  unintentional
• Whether the violation indicates a pattern of
  improper use or release of protected information
• Mitigating factors will be considered

10
Sanctions Guidelines

• So . . . every case is different and unique.
• That is why guidelines have been established to
  address possible violations of our policies and
  procedures.

11
Sanctions Guidelines

• Step 1
• The violation will be brought to the attention
  of the Privacy and/or Information Security
  Officer. If the violation also involves a member
  of the HUCTW, an HUCTW Representative will also
  be notified.

12
Sanctions Guidelines

• Step 2
• The Privacy and/or Information Security Officer
  instructs the complainant to complete the Privacy
  and Security Complaint Form (if not already
  completed). This form should be forwarded to the
  HUCTW Representative if the violation involves a
  member of HUCTW.

13
Sanctions Guidelines

• Step 3
• Should the Privacy and/or Information Security
  Officer consider the offense to be of low
  severity, the Sanctions Guidelines Grid will be
  used to determine the sanction of oral warning,
  written warning or final written warning.

14
Sanctions Guidelines

• Step 4
• Should the Privacy and/or Information
• Security Officer consider the offense to be of
• moderate or high severity, the Review
• Committee will begin the review process.

15
Sanctions Guidelines

• Step 4 (continued)
• The Review Committee will consist of
• Privacy Officer
• Information Security Officer
• Associate Dean for Clinical Affairs
• Workforce Members Supervisor
• Director of Human Resources
• HUCTW Representative, as applicable
• Office of the General Counsel Representative, as
  applicable

16
Sanctions Guidelines

• Step 5
• During the review process, the Review
• Committee will use the Sanctions Guidelines
• Grid to determine what sanctions should be
• imposed.

17
Sanctions Guidelines

• Step 5 (continued)
• In addition to consulting the sanctions
  guidelines grid, the Review Committee will also
  refer to
• The Disciplinary Process of the Harvard Union of
  Clerical and Technical Workers Personnel Manual
  for HUCTW members
• Administrative and Professional Staff Personnel
  Manual for Administrative/Professional Staff and
  Non-Bargaining Unit Support Staff for non-union
  staff members
• The Harvard Medical School System of Titles and
  Appointments, Criteria and Procedures for Making
  Permanent, Term and Annual Appointments
  (otherwise known as the Purple Book) for
  faculty members
• The Due Process and Grievance section of the HSDM
  Student Handbook for students

18
Sanctions Guidelines

• Step 6
• After the review process, the Workforce members
  supervisor will be informed of sanctions to be
  imposed to ensure appropriateness, consistency,
  and fairness.

19
Sanctions Guidelines

• Step 7
• The Workforce members supervisor will inform the
  Workforce member of the sanctions to be imposed.

20
Sanctions Guidelines

• Step 8
• The review process and issuing of sanctions can
  take no longer than 30 days from the date the
  violation is brought to the attention of the
  Privacy Officer and and/or Information Security
  Officer in keeping with the timeline outlined in
  the HUCTW Disciplinary Process.

21
Sanctions Guidelines

• Step 9
• During this process HSDM/HDC must determine the
  measures needed to protect a patient, staff,
  faculty, student member or HSDM/HDC itself from
  the consequences of the violation.

22
Sanctions Guidelines Grid
23
Sanctions Guidelines Grid (continued)
24
Sanctions Guidelines Grid (continued)
25
Sanctions Guidelines GridFactors to Consider
26
Sanctions Guidelines GridLow Severity Examples

• I want to look up my co-workers birth date in
  Dentech to be sure we have the surprise birthday
  party on the right day
• Why is this a violation?
• I just dont have time to log out of Dentech when
  I walk away from the computer
• Why is this a violation?

27
Sanctions Guidelines GridLow Severity Examples
28
Sanctions Guidelines GridModerate Severity
Examples

• I just looked up my co-workers financial
  information in Dentech to see how much is owed on
  her bill because I was curious
• Why is this a violation?
• I know that there must be famous people who come
  hereI want to look in Dentech to see where they
  live
• Why is this a violation?

29
Sanctions Guidelines GridModerate Severity
Examples
30
Sanctions Guidelines GridHigh Severity Examples

• I need a new credit card, I think I will go into
  Dentech and look up a patients Social Security
  number to apply for a new credit card
• Why is this a violation?
• When those lab results come in for Mr. VIP, I am
  going to sell the information to the Boston Globe
  for money
• Why is this a violation?

31
Sanctions Guidelines GridHigh Severity Examples
32
Sanctions Guidelines GridOther Examples

• Are there other examples of low, moderate
• and high severity breaches that you can think
• of?

33
Discussion

• Does anyone have any comments or questions?

34
(No Transcript)