Administrative-HIPAA Privacy
Title: HIPAA PRIVACY ADMINISTRATIVE

Scope: All MultiCare Health System (MHS) workforce members, which includes but is not limited to employees, residents, students, volunteers and other persons under the direct control of MHS, who access, use, disclose or come in contact with Protected Health Information (PHI) in any form (paper, electronic or verbal).

Location Scope: MultiCare Health System adopts the following policy and procedure for the following locations: Tacoma General Hospital/Allenmore Hospital, Mary Bridge Children's Hospital, MultiCare Good Samaritan Hospital, MultiCare Auburn Medical Center, MultiCare Deaconess Hospital, MultiCare Valley Hospital, Covington Medical Center and all ambulatory and retail sites.

Policy Statement: This policy includes all HIPAA Privacy administrative requirements under 45 C.F.R. 164.530.

Policy Table of Contents:
I. Privacy Official Contact
II. HIPAA Education and Training
III. Privacy Safeguards
IV. Complaints
V. Sanctions
VI. Duty to Mitigate
VII. HIPAA Retaliatory Acts
VIII. HIPAA Policy Revisions
IX. Waiver of Rights
X. Document Retention

Policy:

I. Privacy Official Contact
A. Based on 164.530(a)(1) of the HIPAA Privacy Rule, MHS must designate a privacy official who is responsible for the development and implementation of the HIPAA Privacy policies and procedures. In addition, MHS must designate a contact person and/or office responsible for receiving complaints related to the Privacy Regulations and for providing further information about matters covered by the MHS Notice of Privacy Practices.
Page 1 of 7
B. MHS currently has a Corporate Privacy Office, led by the Chief Privacy Officer, which reports up through the Corporate Compliance department.
C. The Inland Northwest region has Facility Privacy Officers at each location, who report privacy-related issues to the Chief Privacy Officer.

II. HIPAA Education and Training
A. Based on 164.530(b)(1) of the HIPAA Privacy Rule, MHS must train all workforce members on the policies and procedures with respect to PHI as necessary for the workforce to carry out their functions within the covered entity.
B. MHS will train all workforce members on the HIPAA Privacy policies and procedures. Failure to complete the training course(s) may result in disciplinary action, up to and including termination. Each training course is reviewed and updated (if necessary) on an annual basis. All training completion dates are documented by the ILD Education department.
C. Workforce Training Methods:
1. Training on HIPAA Privacy is provided during New Employee Orientation (NEO).
2. The annual Computer Based Learning (CBL) HIPAA Privacy course is part of annual mandatory training, and all workforce members are required to complete the CBL within the two months prior to their birth month.
3. The Corporate Privacy Office (Facility Privacy Officer) attends department staff meetings to give privacy updates or provide additional HIPAA training to that area.
4. The Corporate Privacy Office (Facility Privacy Officer) provides areas with HIPAA training documentation for the department heads to educate their staff.
5. The Corporate Privacy Office (Facility Privacy Officer) provides education during announced and unannounced HIPAA Privacy walkthroughs and tours.

Training required by workforce member type:

Workforce Member                    | NEO | NVO | Annual CBL | Ad Hoc Training
------------------------------------|-----|-----|------------|----------------
Employees                           |  X  |     |     X      |       X
Non-Employees: Travelers            |  X  |     |     X      |       X
Non-Employees: Volunteers           |     |  X  |     X      |
Non-Employees: Daily Agency (Per Diem) |  X  |     |     X      |       X

(NEO = New Employee Orientation; NVO = New Volunteer Orientation; CBL = annual Computer Based Learning course.)

D. Requirements:
1. The Chief Privacy Officer is responsible for the development, approval and implementation of the HIPAA Privacy training consistent with HIPAA requirements.
2. The Chief Information Security Officer is responsible for the development, approval and implementation of the HIPAA Security training consistent with HIPAA requirements.
3. MHS workforce members are required to be trained on HIPAA policies and procedures.
4. The completion date of the required annual CBL is maintained in the Learning Management System (LMS), owned by the ILD Education department.
5. Documentation of attendance at HIPAA-related education and training that is not recorded in the training system will be forwarded to the Privacy Officer and placed in the ComplyTrack system.

III. Privacy Safeguards
A. Based on 164.530(c) of the HIPAA Privacy Rule, MHS must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of patients' PHI.
B. MHS must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of MHS policies and/or procedures. This includes but is not limited to the following:
1. MHS has a business associate agreement with a professional shredding company (Iron Mountain) to provide shredding services for all paper PHI. Locked shred bins are located throughout all MHS facilities for convenient and confidential PHI disposal.
2. Efforts are made to de-identify all materials containing PHI that cannot be placed in a shred bin (e.g. PHI on IV bags).
3. Faxes containing PHI should include an MHS fax cover sheet, which includes a confidentiality notice.
4. Workforce members are to verify that the fax number is accurate and that the correct PHI is attached before faxing to another location.
5. Fax machines and printers are placed in secure locations to prevent unauthorized access to patients' information. Workforce members are to remove PHI from fax machines and copiers immediately to avoid impermissible disclosures.
6. Workforce members are to double-check each page before handing paperwork to patients (e.g. After Visit Summary, Discharge Instructions, prescriptions, etc.).
7. Departments are expected to store any paper PHI in a secure location (e.g. locked office, locked drawer, nursing station, etc.).
8. When discussing PHI orally in the proximity of others, workforce members are to reasonably safeguard the information by lowering their voice. PHI should not be discussed in high-traffic areas or areas easily accessible by the public (e.g. cafeterias or elevators).
9. Workforce members will lock or log out of their workstation when leaving it unattended. (See MHS Information Security: MHS Common Security Policy & Management Plan.)

IV. Complaints
A. Based on 164.530(d)(1) of the HIPAA Privacy Regulations, a patient has the right to make a complaint to the covered entity, and to the Office for Civil Rights (OCR), concerning the following:
1. The covered entity's privacy policies and procedures;
2. The covered entity's compliance with the requirements of the Privacy Regulations (see the MHS Notice of Privacy Practices).
B. The Corporate Privacy Office (and Facility Privacy Officer) is responsible for responding to complaints via written notification in a timely manner. MHS may not intimidate, threaten, coerce, discriminate against, or take any retaliatory action against a patient for exercising this right.

V. Sanctions
A. Based on 164.530(e) of the HIPAA Privacy Rule, MHS must have and apply appropriate sanctions against workforce members who fail to comply with MHS privacy policies and procedures or with the requirements of the Breach Notification Rule.
B. Violations of MHS HIPAA Privacy policies and procedures by workforce members may result in progressive guidance up to and including termination. (See Human Resources: Progressive Guidance policy.)
C. Violations of MHS HIPAA Privacy policies and procedures by community health care providers with access to MHS systems may result in progressive action up to and including termination of access. (See Technology: Actions for Policy Violations by Non-MHS Entities policy.)
D. The Privacy Office will conduct investigations into potential violations of MHS HIPAA Privacy policies and procedures in conjunction with (but not limited to) Human Resources and the workforce member's supervisor or manager.
E. Once it is determined that a violation of MHS HIPAA Privacy policies and procedures has occurred, sanctions will be imposed as outlined in MHS Human Resources policies and procedures and will be documented in the employee's file.
F. Violations of a severe nature may result in notification of law enforcement, regulatory agencies, and accreditation or licensure organizations.

VI. Duty to Mitigate
A. Based on 164.530(f) of the HIPAA Privacy Rule, MHS must mitigate, to the extent practicable, any harmful effect that is known to MHS of a use or disclosure of PHI in violation of MHS policies and procedures.
B. The MHS Corporate Privacy Office (Facility Privacy Officer) determines whether, under the circumstances, mitigation should include notice to the patient. Additional considerations include whether credit monitoring will be offered to patients, depending on the circumstances. (See Administrative-HIPAA Privacy: HIPAA Privacy Breach Notification policy.)
C. The Chief Privacy Officer (Facility Privacy Officer) will take prompt action to mitigate the potentially harmful effects of any improper use or disclosure of PHI to the degree that mitigation is possible and reasonable.

VII. HIPAA Retaliatory Acts
A. Based on section 164.530(g) of the HIPAA Privacy Rule, MHS may not intimidate, threaten, coerce, discriminate against or retaliate against an individual who exercises his or her rights, including filing a complaint, under the HIPAA Privacy Rule.
B. MHS will not tolerate any workforce member who attempts to intimidate, threaten, coerce, discriminate against, or retaliate against any person who:
1. Makes a complaint to HHS, OCR, DOH, and/or CMS;
2. Makes a complaint to the MHS Corporate Privacy Office or Facility Privacy Officer;
3. Testifies for, assists with, or participates in an investigation, compliance review, proceeding, or hearing by HHS or another appropriate authority;
4. Opposes any act or practice the person believes in good faith is illegal under the HIPAA Privacy Rule, provided the opposition is reasonable and does not involve an illegal disclosure of PHI.
C. If a workforce member suspects someone at MHS has committed a retaliatory act pertaining to their HIPAA Privacy rights or those of a patient, he or she should report the incident to the Corporate Privacy Office or the Corporate Compliance Hotline immediately so that the following steps can occur:
1. The Chief Privacy Officer will investigate the grievance;
2. The Chief Privacy Officer will conduct the investigation in coordination with (but not limited to) Corporate Compliance, Legal Services, the Facility Privacy Officer, Risk Management and/or Human Resources to discuss the findings, if any;
3. The workforce member will be notified in writing when the issue has been resolved in accordance with MHS policy and procedure;
4. All documentation will be retained in the Corporate Privacy Office.

VIII. HIPAA Policy Revisions
A. Based on section 164.530(i) of the HIPAA Privacy Rule, MHS must implement policies and procedures with respect to PHI that address each applicable standard in the Privacy Regulations.
B. MHS HIPAA Privacy policies, procedures, and forms are reviewed by the Chief Privacy Officer on an annual basis and updated, if necessary. All HIPAA Privacy policies and procedures take into account how PHI relates to each department and to the entity as a whole to ensure compliance.
1. The Corporate Privacy Office will conduct an annual review of all policies, procedures, and forms according to the policy revision date.
2. The Corporate Privacy Office may make changes to a policy, procedure, and/or form at any time, if the changes do not materially affect the content of the Notice of Privacy Practices (NPP).
3. If changes to the documentation occur, the appropriate committee will approve all changes made by the Corporate Privacy Office.
4. If a change occurs to the HIPAA Privacy Rule or other applicable state or federal laws before the annual evaluation period, the Chief Privacy Officer will update the HIPAA Privacy policies, procedures, and/or forms to comply with the change(s).
5. Once a policy is reviewed and/or updated by the Privacy Office and the appropriate committee, the revision and approval dates will be updated and all documentation saved on the HIPAA shared drive.
6. Any necessary communications to workforce members affected by the policy change(s) will be issued by the Corporate Privacy Office.

IX. Waiver of Rights
A. Based on 164.530(h) of the HIPAA Privacy Rule, MHS may not require individuals to waive their rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. (See the MHS Standards for Business Conduct and the MHS Notice of Privacy Practices.)

X. Document Retention
A. Based on 164.530(j)(2) of the HIPAA Privacy Rule, all documentation related to HIPAA Privacy and patients' PHI will be retained in the Corporate Privacy Office for at least six (6) years from the date of its creation or the date when it was last in effect, whichever is later. There may be additional retention requirements at the MHS system level.
Related Policies:
Administrative-HIPAA Privacy: HIPAA Privacy Breach Notification
Administrative-HIPAA Privacy: Incidental Uses and Disclosures of Protected Health Information (PHI)
MHS Policy: Progressive Guidance
MHS Information Security: MHS Common Security Policy & Management Plan
Notice of Privacy Practices
MHS Standards for Business Conduct

References:
45 C.F.R. 164.530: Administrative requirements

Point of Contact: MHS Privacy Office (253) 459-8300
Approval by: SKRB on behalf of CMC MEC Quality Safety and Steering Committee
Original Date: XX XX
Revision Dates: 11/17, 4/18
Reviewed with no Changes Dates: 9/17
Date of Approval: 4/18
Distribution: MHS Intranet
Scope updated (added CMC only) April, 2018.