Update on Starling’s Policy on HIPAA Disclosures
Back in March 2016, the Starling BOD approved a sanction policy relating to HIPAA disclosures – to address both incidental and intentional disclosures. I am sending this note to you as a reminder of this policy as we are working closely with the Practice Managers on the importance of reporting disclosures and following the organizational protocol. Attached is the Starling Privacy Manual for your review.
Below is an excerpt from Page 5 describing the Starling BOD approved corrective action process and sanction policy:
A use or disclosure of a patient’s individually identifiable health information, other than as allowed by law or authorized by a signed “Authorization for Release of Information” constitutes a breach of privacy and should be reported to the Privacy Officer. Access to an employee’s own record is prohibited by law. Access to any patient’s record is prohibited by law unless specifically for the purposes of treatment, payment or healthcare operations.
The Privacy Officer will take actions to minimize any harmful effect of any privacy violation and to notify the patient, as is appropriate. Deficiencies of the Patient Privacy Plan or of the procedure and security safeguards used to implement the Plan, whether found by formal monitoring/audit or otherwise, should be brought to the attention of the Privacy Officer. Appropriate procedure and security safeguards changes will be made by the Privacy Officer. Plan changes require the additional approval of the Starling Physicians Compliance Committee.
Actions against Starling Physicians personnel for patient Privacy Plan violations include sanctions up to and including discharge, as described in the Starling Physicians Employee Manual.
- An unintentional violation of the HIPAA guidelines will result in a written warning and re-education/re-review of the Privacy Manual with an updated acknowledgement of understanding.
- A second unintentional violation of the HIPAA regulations will result in a one-week unpaid suspension and re-education/re-review of the Privacy Manual with an updated acknowledgement of understanding.
- A third unintentional violation of the HIPAA regulations within twelve months will result in termination.
- A third unintentional violation beyond twelve months from the initial violation will result in a one-week unpaid suspension and re-education/re-review of the Privacy Manual with an updated acknowledgement of understanding. Any violations after the initial violation will result in a one-week unpaid suspension or termination.
Intentional violations of the HIPAA guidelines or Privacy Plan will result in termination. Employee access or viewing of his/her own medical record is considered an intentional violation. Also, employee access or viewing of any patient’s medical record without an identifiable treatment, payment or healthcare operation purpose is considered an intentional violation.
For any questions about this policy, please contact either me or Cindy Kisselburgh, Compliance Director, directly.
Larry Koch, MD