1 / 17

3.04 HIPAA Compliant Employee Sanctions: A Fair and Objective Approach

3.04 HIPAA Compliant Employee Sanctions: A Fair and Objective Approach. Presenter:. Frank Ruelas, MBA Director, Corporate Compliance Gila River Health Care Corporation Sacaton, Arizona. Some views on enforcement…. “It's about time law enforcement got as organized as organized crime.

birch
Download Presentation

3.04 HIPAA Compliant Employee Sanctions: A Fair and Objective Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 3.04 HIPAA Compliant Employee Sanctions: A Fair and Objective Approach Presenter: Frank Ruelas, MBA Director, Corporate Compliance Gila River Health Care Corporation Sacaton, Arizona

  2. Some views on enforcement… “It's about time law enforcement got as organized as organized crime. - Rudolph W Giuliani National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 2

  3. Add Visibility to Enforcement Activities • Maintains awareness • Increases participation • Aids decision making • Deterrent effect National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 3

  4. E-E-E-Essential Elements of the Sanctions Policy • Education • Enforcement • Expedient • Equitable National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 4

  5. Applies to Privacy and Security • Coordination aspects • Privacy Officer • Security Officer • Compliance Officer 45 CFR 164.530(e)(1) 45 CFR 164.308(a)(1)(ii)(C) National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 5

  6. Key Point # 1: Define Violation Levels or Categories Though named differently... • Level I • Level II • Level III • Type I • Type II • Type III • Group I • Group II • Group III ...they share common themes National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 6

  7. Level I / Type I / Group I Cause or Motivation Sanction Activity • Lack of training • Inexperience • Accidental • Unintentional • No harm no foul • Training • Counseling • 3 Strikes Model National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 7

  8. Level II / Type II / Group II Cause or Motivation Sanction Activity • Curiosity • Concern • Compassion • Carelessness • Documentation • Warning • Counseling • Notice • Admin leave • Probationary Period • Corrective Action • Plan (CAP) National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 8

  9. Level III / Type III / Group III Cause or Motivation Sanction Activity • Malicious Intent • Financial Gain • Termination National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 9

  10. Key Point # 2: Identify Examples for Each Violation Level or Category National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 10

  11. Level I / Type I / Group I Examples Possible themes • Originals left on copier or fax • Unopened mail left unattended • Email address error • PHI sent to similar named patient • PHI in conversation overheard • Desk or work area left unsecured • Computer files erased • Computer temporary files not deleted • Document not placed in shred bin • Phone messages overheard • Computer screen left unattended • Clerical error • Technical error • Judgment error National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 11

  12. Level II / Type II / Group II Examples Possible themes • Checking on patient condition • Copying information as a favor • Accessing patient test results • Installing software • Experimenting with computer • Using someone else’s password • Providing access to someone else • Deleting information from network • Not following policy or procedure • Unauthorized • Not job related • Stealth mode National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 12

  13. Level III / Type III / Group III Examples Possible themes • Selling patient addresses • e-Broadcasting patient info • Intentionally altering PHI • Disgruntled • Theft • Maliciousness National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 13

  14. Key Point # 3: Link the Violation to the Sanction Activity and Provide Disciplinary Recommendation • Provides a high level of objectivity • Aids in achieving long term consistency • “Surprise” factor is reduced (eliminated) National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 14

  15. Key Point # 4: Request and Document Activities Performed by Other Departments • Identifies sanction “creep” • Validates level of follow through • Completes file National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 15

  16. Key Point # 5: Under development at print deadline, more to follow… National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 16

  17. Summary: • Enforcement is a critical activity • Sanctions should be applied consistently • Remember that mistakes will happen and people learn from mistakes that they make Email: fruelas@grhc.org National HIPAA Summit XI: September 7, 2005 Frank Ruelas, MBA 17

More Related