Health Information Management

Tip: Consider having staff review and sign off on HIPAA sanction policies

HIPAA Weekly Advisor, March 28, 2003


If you know that an employee has violated a patient's privacy and do nothing about it, your facility could be held accountable. That's why it's important to develop and follow a policy for employee sanctions.

"If we don't sanction someone and we know that he or she violated someone's privacy, the Office for Civil Rights could come in and throw the book at us," says Sue Dill, RN, MSN, JD, privacy officer and vice president of legal services for Memorial Hospital of Union County, in Marysville, OH. Every facility should have a policy that includes sanctions to impose when staff members violate patients' privacy. The policy must be uniform and applied across the board, whether it's the chief executive officer or someone from the housekeeping staff who commits a violation, says Dill.

"It's also important to point out to staff that the penalties for violations could be up to $50,000, one year imprisonment, or both for wrongful disclosure of PHI," says Dill. "But even though sanctions for privacy violations are covered by HIPAA, hospitals and other providers should have always had them, because there's a ton of case law out there."

Memorial Hospital rewrote a lot of its policies and procedures for HIPAA. But even before HIPAA, the organization made new staff members read an education packet on confidentiality and sign it before beginning work. "During orientation, new employees get more confidentiality training, and they get continuing education at an annual inservice," she says. At the inservice, staff are required to sign another written acknowledgement that they've read and understand the hospital's confidentiality policy.

The hospital includes sanctions in its confidentiality policy, which it stores with all other policies in public folders in Microsoft Outlook, so staff have easy access to it. "Employees must sign that they have read the policy and understand it," says Dill.

"Sanctions include but are not limited to termination," she says. "The policy says that any violation regarding confidentiality will be subject to disciplinary procedures, and violations determined to be of a serious nature can lead to immediate termination." The policy also requires all employees to attend an annual in-service on security and confidentiality.

Editor's note: From the April 2003 issue of Briefings on HIPAA. See the April issue for Memorial Hospital's policy on confidentiality and employee sanctions.


