Protected Health Information Sanction Policy

Policy created on April 28, 2003
If you have questions or concerns about this policy, please contact Ron Davis at 650-573-2054.

I. PURPOSE

The County of San Mateo has adopted this Sanction Policy to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the federal regulations promulgated thereunder, as well as the California Confidentiality of Medical Information Act.

There are several countywide (E-Mail Policy, Internet Usage, and Information Systems Security among others) and departmental policies that require officers and employees to protect information that is considered private, confidential or sensitive. These policies provide that failure to adhere to them may constitute grounds for disciplinary action up to and including termination.

This policy recognizes that Federal Law permits incidental uses and disclosures.

An incidental disclosure is defined as a disclosure that occurs as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standards where applicable, with respect to the primary use or disclosure. Examples of incidental disclosures include, but are not limited to, situations such as: a client in a waiting room overhears the names of other clients, clients are transported in a group for laboratory blood draws, a client observes another client leaving a medication room after receiving an injection, or a staff member sees the names of other clients while searching on the computer for a specific client’s information.

This policy sets forth the procedures for handling reported inappropriate releases of “Protected Health Information” (PHI) of persons currently receiving or who have received services or benefits from the county. PHI is defined as information relating to a patient’s health, the care received and payment for services, and demographic information.

This policy is referenced in other countywide and departmental policies (E-Mail Policy, Internet Usage, and Information Systems Security among others) that require officers and employees to protect information that is considered private, confidential or sensitive. This policy will establish consistent procedures for handling breaches of confidentiality.

II. POLICY

No employee, officer or independent contractor shall inappropriately release PHI of persons who are currently receiving or have received services or benefits from the County. Any employee, officer or independent contractor who inadvertently releases PHI is encouraged to report the incident in the manner described below. An incidental disclosure, as defined above, will not subject the individual to discipline. (Note: An incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure that violated HIPAA.)

All other breaches of confidentiality will be reviewed following the procedures identified in this policy. County response will depend on the nature of the release. Accidental releases, such as erroneously sending an e-mail to a wrong recipient, or releases that are not within the employee’s control, such as the theft of a secured laptop PC, will be treated differently than releases that are the result of the employee not following policies, such as leaving a computer screen on with PHI in full view, willful release or destruction of PHI data or the result of a willful or criminal act of the employee.

County response may include but not be limited to mandatory training, review of departmental procedures, and/or disciplinary action up to and including termination of employment.

III. PROCEDURE

A. Reporting by Self

An employee or officer is expected to report breaches of confidentiality to his/her supervisor / manager and the Privacy Officer as soon as the individual is aware of the event. The Privacy Officer will provide the necessary complaint forms and will notify the Department Head and Employee Relations to plan an investigation. Incidental disclosures are not subject to disciplinary action but shall be reviewed by supervisors to assure that all reasonable steps have been taken to prevent further disclosures.

B. Reporting by Others in the Workforce

Any employee or officer who believes that another employee or officer has inappropriately released the PHI of a person who is currently receiving or has received services or benefits from the County must immediately report such breach to his/her supervisor / manager and the Privacy Officer. The Privacy Officer will provide the necessary complaint forms and will notify the Department Head and Employee Relations to plan an investigation. Incidental disclosures are not subject to disciplinary action but shall be reviewed by supervisors to assure that all reasonable steps have been taken to prevent further disclosures.

The County will not retaliate against or permit reprisals against an informant. Allegations not made in good faith, however, may result in disciplinary action up to and including termination.

C. Reporting By Members of The Public

A patient, healthcare professional (who is not an employee) or any other member of the public who believes that an employee or officer has inappropriately released the PHI of a person who is currently receiving or has received services or benefits from the County should be advised to report the incident to the Privacy Officer, or in the case of services provided by the Mental Health Division, to the Mental Health Advocacy Services or to the Privacy Officer. The Mental Health Advocacy Services will immediately report all privacy complaints to the Privacy Officer. The Privacy Officer will provide the necessary complaint forms and will notify the Department Head and Employee Relations to plan an investigation. Incidental disclosures are not subject to disciplinary action but shall be reviewed by supervisors to assure that all reasonable steps have been taken to prevent further disclosures.

D. Investigation

All reported incidents of inappropriately released PHI of persons who are currently receiving or have received services or benefits from the County (other than incidental disclosures) will be investigated. All investigations will be conducted consistent with the County Manager’s memo on Allegations of Employee Misconduct (June 30, 1997) and Employee Relations Bulletins 96-1 and 99-1.

  1. Upon receipt of a reported violation, the Privacy Officer will immediately call the Department Head and Employee Relations Manager to discuss how to plan and conduct the investigation. Depending on the nature of the alleged violation, the investigation may involve departmental management, the Privacy Officer, County Counsel, Employee Relations and/or appropriate law enforcement agencies.
  2. Throughout the investigative process, all involved parties will treat the investigation with the same high degree of confidentiality as they would any significant personnel action.
  3. At the conclusion of the investigation, the officer or employee will be advised of the results of the investigation, including any proposed disciplinary or corrective action.
  4. At the conclusion of the investigation, the HIPAA Privacy Officer and/or the Department will initiate steps regarding systemic changes as well as any necessary remediation efforts. The HIPAA Officer will notify the complainant, unless anonymous, of the results of the investigation and whether corrective action was taken.

E. Consequences

Employees who inappropriately release the PHI of a person who is currently receiving or has received services or benefits from the County may be terminated for the first such release if the seriousness of the release warrants such action, especially if it entails a willful or grossly negligent release of PHI. Employees should expect to be terminated for a willful or grossly negligent breach of the County’s standards for protecting the integrity and confidentiality of said information or for repeated violations.

For less serious releases of PHI, employees may be subject to other disciplinary or corrective action less severe than dismissal.

In situations potentially warranting involvement from law enforcement and/or licensing agencies, County Counsel will be contacted to determine what action or referral should be made.

All officers, employees and agents of the County of San Mateo are expected to comply and cooperate with the County’s administration of this policy.