Unauthorized Release of Protected Health Information

Our patient’s privacy is a high priority, and we take unauthorized release of our patients’ personal health information seriously. If you observe or have knowledge of any unauthorized release of protected health information from us, you must immediately report this release to the Security Officer. Failure to do so may result in discipline by the Security Officer as an accomplice to the unauthorized release.

Once the Security Officer has knowledge of an alleged unauthorized use or disclosure of PHI, he or she shall immediately begin a thorough investigation of the unauthorized release of PHI. This may be performed through confidential interviews with staff members, inspection of release logs and/or access logs, and any other method(s) the Security Officer deems appropriate. The Security Officer shall also follow the steps indicated by the HITech Act and our interpretations of these requirements.

As part of the investigation, the Security Officer shall complete:

• Breach Identification Form
• Internal Investigation Form
• Notification requirements (if required)
• Breach Notification Form (if required)
• Security Incident Log

It may also be necessary for the Security Officer to ask for assistance from another staff member in conducting the investigation; if so, he or she shall ask for assistance from a staff member he or she has concluded is not party to the alleged unauthorized release of PHI.

The investigation may find a systemic issue with our policies and procedures on handling PHI, or the investigation may find a personnel issue, or both. The Security Officer, upon concluding the investigation, shall implement appropriate changes to policies and/or personnel as he or she deems necessary, and shall do so as expeditiously as possible. The following illustrates how the Security Officer may make changes:

Policy changes: the Security Officer may find the practice policies and/or procedures require adjustment(s). The Security Officer shall make the necessary modifications to the practice policies by adding addendum(s) to the current policies, and shall notify all staff members of the change(s) through inter-office memorandum. This shall be done as expeditiously as possible.

Personnel changes: the Security Officer may find that one or more staff members either does not understand or refuses to abide by our policies and procedures on maintaining the privacy and confidentiality of PHI. It may be necessary for employees to be disciplined by the Security Officer for violations of the practice policies. The Security Officer shall determine the severity of the punishment based on the severity of the unauthorized release. However, the following provides a guide as to how the Security Officer may discipline the employee(s):

• Procedural Offense: Re-training on the practice’s policies and procedures governing privacy of PHI, and verbal reprimand/counseling, with a note of the verbal reprimand filed in the staff members’ personnel file.
• Significant Offense: Written reprimand from the Security Officer, with one copy given to the employee(s) and one copy kept in the employees’ file.
• Serious Offense: Suspension from duties without pay, for a period to be determined by the Security Officer, but no to exceed two (2) weeks.
• Critical Offense: Termination of the employee.

In addition, the Security Officer may transfer the employee(s) to another department within our office in which the employee (s) will no longer have access to PHI.

In all cases, the Security Officer shall document in writing the unauthorized use(s) or disclosure(s) of PHI, the perpetrator(s), and what action(s) (if any) were taken as a result of the violation(s)