Page 52 - Privacy_Program

Employees and others   DP102.6      Staff will take necessary steps to verify the identity and legal authority of
         with Access to PHI                  persons requesting disclosure of PHI. Refer to DP‐161 VERIFICATION OF
                                             ENTITIES REQUESTING PROTECTED HEALTH INFORMATION and DP‐134
                                             PERSONAL REPRESENTATIVES.

         Employees and others   DP102.7      Disclosure of PHI for Judicial or Administrative Proceedings
         with Access to PHI
                                             A request that is made pursuant to a warrant, subpoena, order, or other legal
                                             process issued by a grand jury or a judicial or administrative tribunal is presumed
                                             to constitute legal authority. All staff with access to PHI must comply with the
                                             requirements of HIPAA Privacy Rule section 164.512(e) to disclose the PHI.
                                             Refer to DP‐163 DISCLOSING PHI FOR REGULATORY AND LEGAL PURPOSES.
         Employees and others   DP102.8      Mitigating Effects of Unauthorized Use or Release of PHI Privacy Restricted
         with Access to PHI                  Participant Information

                                             Any use or disclosure of PHI not authorized by GESMN Privacy Policies will be
                                             immediately reported to the program manager or director, as applicable, and
                                             to the GESMN HIPAA Director of Information Technology, Privacy and Data
                                             Security upon discovery of the release and all steps deemed necessary by
                                             GESMN will be taken to mitigate any harmful effect that disclosure may have
                                             on the individual.

         Employees and others   DP102.9      Alleged Violations of the Organization’s Privacy and Data Security Policies
         with Access to PHI
                                             If any employee believes that another employee, supervisor, participant,
                                             volunteer, customer, or business associate has violated the organization’s
                                             Privacy and Data Security policies, he or she should immediately report the
                                             violation to his or her supervisor, unless the supervisor is the violator, and to
                                             the Director of Information Technology, Privacy and Data Security. If the supervisor
                                             is the violator, it should be reported to the next level of management (the
                                             supervisor’s supervisor) or to Human Resources immediately. Any suspected
                                             privacy violation must also immediately be reported to the Director of
                                             Information Technology, Privacy and Data Security.

                                             Employees must immediately notify Asset Protection and the Director of
                                             Information Technology, Privacy and Data Security of any known attempts
                                             (successful or unsuccessful) to break into secure areas at Fairview and at other
                                             locations where GESMN employees work and store equipment or participant
                                             information. Employees must also immediately notify Asset Protection and the
                                             Director of Information Technology, Privacy and Data Security of lost or stolen
                                             laptops and desktops and other devices, even if encrypted, that may contain
                                             PHI.

                                             To facilitate reporting of an alleged privacy violation and/or incident, employees must also
                                             complete the top portion of the Alleged Privacy Violations/Incidents Report and
                                             Determination Form (attached) and submit it to the Director of Information
                                             Technology, Privacy and Data Security within 48 hours of known violations
                                             and/or incidents. The form can be found at O:\Forms\General Forms\Alleged
                                             Privacy Violations_Incidents Report and Determination Form.docx.

                                             GESMN prohibits any retaliation against any employee who reports possible
                                             violations in good faith or assists in an investigation of possible violations.





          GES CONFIDENTIAL