ADMINISTRATIVE MEMORANDUM

COUNTY OF SAN MATEO

NUMBER: B-27

SUBJECT: Protected Health Information Sanction Policy

RESPONSIBLE DEPARTMENT: County Manager / Clerk of the Board

APPROVED: John L. Maltbie, County Manager

DATE: June 26, 2014

I. Purpose

The County of San Mateo has adopted this Sanction Policy to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as amended, the Health Information Technology for Economic and Clinical Health (HITECH) Act as implemented through the revised HIPAA Omnibus Rule published on January 17, 2013, see 78 Fed. Reg. 5565 (Jan. 25, 2013) amending C.F.R. Parts 160 and 164, and the California Confidentiality of Medical Information Act (CMIA). This memorandum supersedes and replaces Administrative Memorandum B-27, dated April 28, 2003.

There are several countywide guidelines including the E-Mail Policy (Administrative Memo F-2), Internet Policy (Administrative Memo F-3), Information Systems Security protocols, and individual departmental policies that require officers and workforce members to protect information that is considered private, confidential or sensitive. Workforce members are employees, contractors, volunteers, trainees, and other persons whose performance is directed by San Mateo County whether or not they are paid by San Mateo County. These policies provide that failure to adhere to them may constitute grounds for disciplinary action up to and including termination.

This policy recognizes that Federal Law permits incidental uses and disclosures. An incidental disclosure is defined as a disclosure that occurs as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard where applicable, with respect to the primary use or disclosure.

Although the minimum necessary standard is not specifically defined by law, it is generally understood to mean that some uses and disclosures are expected and permitted. For example, disclosures for treatment, payment, and healthcare operations are permissible. The County will make reasonable efforts to limit the use and disclosure of private, confidential or sensitive information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Unnecessary disclosures beyond that required to execute care are considered breaches.

This policy sets forth the procedures for handling reported inappropriate releases of Protected Health Information (PHI) of persons currently receiving or who have received services or benefits from the County. The County’s policy as outlined in this memo is to be read in conjunction with its legal requirements under HIPAA as outlined in Administrative Memo B-25. Individually identifiable health information is that which can be linked to a particular person. This information can relate to the individual’s past, present, or future physical or mental health condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual.

This policy is referenced in other countywide and departmental policies (e.g., E-Mail Policy, Internet Policy, and Information Systems Security policies, among others) that require officers and employees to protect information that is considered private, confidential or sensitive. This policy will establish consistent procedures for handling breaches of confidentiality.

II. Policy

Workforce members from San Mateo County must guard against improper use or disclosure of PHI. No workforce member shall inappropriately release PHI of persons who are currently receiving or have received services or benefits from the County.

Workforce members are required to be aware of privacy and security responsibilities and to protect confidential information from improper use and/or disclosure. All workforce members who may have access to PHI must attend Privacy and Security Awareness training either on an annual or bi-annual basis as determined by the County’s HIPAA Oversight Committee. Workforce members who are unclear if a use or disclosure is permitted should first consult with an immediate supervisor or their HIPAA liaison.

Any workforce member who inadvertently releases PHI is required to report the incident as soon as the incident is known to have occurred in the manner described below (“III. Procedure”). The workforce member may also have a legal obligation to report the incident. An incidental disclosure, as defined above, may not subject the individual to discipline.

All other breaches of confidentiality will be reviewed following the procedures identified in Section III of this policy. County response will depend on the nature of the breach. Accidental releases of PHI, such as an employee erroneously sending an e-mail to the wrong recipient, or releases that are not within the employee’s control, such as the theft of an encrypted and secured laptop, will be treated differently than releases that are the result of the employee not following County policies, such as leaving a computer screen on with PHI in full view, willful release or destruction of PHI, or the result of a willful or criminal act by an employee.

Any workforce member who knowingly and willfully violates state or federal privacy laws may be subject to criminal investigation and prosecution, civil monetary penalties, and disciplinary action up to and including termination of employment from the County. In addition, in 2010 California law was changed to make individual employees potentially responsible for the disclosure of PHI in egregious circumstances. Employees should keep this change in mind and avail themselves of education relating to the protection of PHI.

III. Procedure

A. Reporting by Self

A workforce member is expected to report breaches of confidentiality to his or her supervisor or manager and their HIPAA liaison as soon as the individual is aware of the event. The HIPAA liaison will work with the County’s Privacy Officer to review the information and consult with the respective stakeholders as necessary, including County Counsel, the Department Head, and/or Employee Relations, to plan an investigation. Incidental disclosures are not necessarily subject to disciplinary action, but shall be reviewed by appropriate supervisors to assure that all reasonable steps have been taken to prevent further disclosures.

B. Reporting by Others in the Workforce

Any workforce member who believes that another workforce member has inappropriately released the PHI of a person who is currently receiving or has received services or benefits from the County must immediately report such a breach to his or her supervisor/manager. The supervisor/manager will consult with the respective HIPAA liaison who will work with the Privacy Officer to review the information and work with the respective stakeholders as necessary, including County Counsel, the Department Head, and/or Employee Relations, to plan an investigation. Incidental disclosures that do not violate County policy are not subject to disciplinary action but shall be reviewed by appropriate supervisors to assure that all reasonable steps have been taken to prevent further disclosures.

The County will not retaliate against or permit reprisals against a workplace member who reports a possible PHI breach. Allegations not made in good faith, however, may result in disciplinary action up to and including termination.

C. Reporting by Members of the Public

A patient, healthcare professional (who is not a workforce member), or any other member of the public who believes that a workforce member has inappropriately released the PHI of a person who is currently receiving or has received services or benefits from the County should be advised to immediately report the incident to the Privacy Officer, or in the case of services provided by Behavioral Health and Recovery Services (BHRS) to the appropriate BHRS Division. The BHRS Division will immediately report all privacy complaints to the Privacy Officer. The Privacy Officer will review the information and work with the BHRS Division to plan an investigation. Incidental disclosures that do not violate County policy are not subject to disciplinary action, but shall be reviewed by supervisors to assure that all reasonable steps have been taken to prevent further disclosures.

D. Investigation

All reported incidents of inappropriately released PHI of persons who are currently receiving or have received services or benefits from the County (other than incidental disclosures that do not violate County policy) will be investigated as soon as possible. All investigations will be conducted consistent with applicable County policies.

  1. Upon receipt of a reported violation, the Privacy Officer will review the information and work with the respective stakeholders as necessary, including County Counsel, the appropriate Department Head, and/or Employee Relations, to plan an investigation. Depending on the nature of the alleged violation, the investigation may also involve the Security Officer, appropriate law enforcement, and state or federal regulatory agencies.
  2. Throughout the investigative process, all involved parties will treat the investigation with the same high degree of confidentiality as they would any significant personnel action.
  3. At the conclusion of the investigation, the workforce member will be advised of the results of the investigation, including any proposed disciplinary or corrective action.
  4. At the conclusion of the investigation, the Privacy Officer and/or the Department will initiate steps regarding systemic changes as well as any necessary remediation efforts.

E. Consequences

Workforce members who inappropriately release the PHI of a person who is currently receiving or has received services or benefits from the County may be terminated for the first such release if the seriousness of the release warrants such action, especially if the release entails a willful or grossly negligent release of PHI. Workforce members should expect to be terminated for a willful or grossly negligent breach of the County’s standards for protecting the integrity and confidentiality of PHI. Workforce members must report any breaches as soon as the incident is known to have occurred. Failure to do so may result in fines levied against the County as a covered entity, disciplinary action for the workforce member, and potentially fines against the individual workforce member under California law.

For less serious PHI-related incidents, employees may be subject to other disciplinary or corrective action less severe than dismissal.

In situations potentially warranting involvement from law enforcement and/or licensing agencies, County Counsel will be contacted to determine what action or referral should be made. All officers, workforce members, and agents of the County of San Mateo are expected to comply and cooperate with the County’s administration of this policy.

Any workforce members who have questions or who may require assistance regarding the County’s sanction policy or privacy practices should contact:

San Mateo Medical Center
C/O Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403
(650) 573-2182