Obligations when staff don’t comply
HIPAA Weekly Advisor, June 24, 2002
Q: What obligations do we have if we find that a member of our workforce is not complying with our privacy policies and procedures or the HIPAA regulations?
A: As a covered entity, your facility must have and apply appropriate sanctions against members of the workforce who fail to comply with privacy policies and procedures or the HIPAA requirements.
Your workforce includes employees, volunteers, trainees, and others whose work is under your facility's direct control, regardless of whether you pay them.
The rules do not define the particular sanctions you must impose; they leave the details of sanction policies to each facility's discretion. The preamble to the proposed privacy rule, however, offered some guidance, stating that the type of sanction applied should vary depending on factors such as:
- the severity of the violation
- whether the violation was intentional or unintentional
- whether the violation indicated a pattern or practice of improper use or disclosure of protected health information (PHI).
Sanctions can range from a warning to termination.
You must also attempt to correct the problem that caused the violation.
If the actions of the workforce member are protected whistleblower disclosures or certain disclosures by victims of a crime, the sanction requirement does not apply. The protected whistleblower disclosures include:
- those to a health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the provider
- those to an appropriate health care accreditation organization
- those to an attorney, for the purpose of determining legal options with respect to whistleblowing
The regulation states that providers must document the sanctions they apply and have written policies and procedures for the application of appropriate sanctions for violations.
As with all documentation requirements under the regulations, you must retain the documentation for six years.
Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP (http://www.bricker.com/hipaa) and The Quality Management Consulting Group, Ltd. (http://www.qmcg.com). E-mail: mbaxter@bricker.com or gmcbeath@bricker.com.