Page 52 - Privacy_Program
Employees and others with Access to PHI
DP102.6 Staff will take necessary steps to verify the identity and legal authority of
persons requesting disclosure of PHI. Refer to DP‐161 VERIFICATION OF
ENTITIES REQUESTING PROTECTED HEALTH INFORMATION and DP‐134
PERSONAL REPRESENTATIVES.
Employees and others with Access to PHI
DP102.7 Disclosure of PHI for Judicial or Administrative Proceedings
A request that is made pursuant to a warrant, subpoena, order, or other legal
process issued by a grand jury or a judicial or administrative tribunal is presumed
to constitute legal authority. All staff with access to PHI must comply with the
requirements of HIPAA Privacy Rule section 164.512(e) to disclose the PHI.
Refer to DP‐163 DISCLOSING PHI FOR REGULATORY AND LEGAL PURPOSES.
Employees and others with Access to PHI
DP102.8 Mitigating Effects of Unauthorized Use or Release of PHI Privacy Restricted
Participant Information
Any use or disclosure of PHI not authorized by GESMN Privacy Policies will be
immediately reported to the program manager or director, as applicable, and
to the GESMN HIPAA Director of Information Technology, Privacy and Data
Security upon discovery of the release, and all steps deemed necessary by
GESMN will be taken to mitigate any harmful effect that disclosure may have
on the individual.
Employees and others with Access to PHI
DP102.9 Alleged Violations of the Organization’s Privacy and Data Security Policies
If any employee believes that another employee, supervisor, participant,
volunteer, customer, or business associate has violated the organization’s
Privacy and Data Security policies, he or she should immediately report the
violation to his or her supervisor, unless the supervisor is the violator, and to
the Director of Information Technology, Privacy and Data Security. If the
supervisor is the violator, it should be reported to the next level of management
(the supervisor’s supervisor) or to Human Resources immediately. Any suspected
privacy violation must also immediately be reported to the Director of
Information Technology, Privacy and Data Security.
Employees must immediately notify Asset Protection and the Director of
Information Technology, Privacy and Data Security of any known attempts
(successful or unsuccessful) to break into secure areas at Fairview and at other
locations where GESMN employees work and store equipment or participant
information. Employees must also immediately notify Asset Protection and the
Director of Information Technology, Privacy and Data Security of lost or stolen
laptops and desktops and other devices, even if encrypted, that may contain
PHI.
To facilitate the handling of an alleged privacy violation and/or incident,
employees must also complete the top portion of the Alleged Privacy
Violations/Incidents Report and Determination Form (attached) and submit it to
the Director of Information Technology, Privacy and Data Security within 48 hours
of known violations and/or incidents. The form can be found at
O:\Forms\General Forms\Alleged Privacy Violations_Incidents Report and Determination Form.docx.
GESMN prohibits any retaliation against any employee who reports possible
violations in good faith or assists in an investigation of possible violations.
GES CONFIDENTIAL 48