Page 53 - Privacy_Program

         Employees and others   DP102.10     Investigation of Alleged HIPAA Violations
         with Access to PHI
                                             The Director of Information Technology, Privacy and Data Security will
                                             investigate (and document the investigation of) alleged privacy violations.
                                             Asset Protection and the Privacy and Data Security Officer will coordinate
                                             investigations involving facilities or assets, and Asset Protection will involve
                                             law enforcement where appropriate. The Director of Information Technology,
                                             Privacy and Data Security will inform the Chief Services and Programs Officer,
                                             and Asset Protection will inform the Director of Sales immediately of
                                             investigations that have been initiated and will provide updates as requested.
                                             All reports of alleged violations will be examined impartially without prejudice
                                             and without malice toward the reporting party regardless of the status of the
                                             person accused. Information provided will be released only on a need-to-know
                                             basis. After an investigation of the allegations, a determination will be made,
                                             and the Director of Information Technology, Privacy and Data Security will
                                             recommend action to management. All determinations of
                                             recommended actions will be made on an individual basis according to
                                             DP281.C – NON‐MEDICAL BREACH NOTIFICATION PLAN – PROCEDURES
                                             RELATED TO ELECTRONIC PRPI, and DP281.B – HIPAA/HITECH BREACH
                                             NOTIFICATION PLAN – PROCEDURES FOR ALL PHI.
         Employees and others   DP102.11     Employee Sanctions for HIPAA Violations
         with Access to PHI
                                             The organization (the employee’s manager in conjunction with the Director of
                                             Information Technology, Privacy and Data Security and Human Resources if
                                             consequences include more than counseling the offending employee and with
                                             Legal if the consequences include sanctions 4. or 5. below) will apply any
                                             consequences or a combination of consequences to eliminate any unlawful
                                             conduct and remedy the impact of any violation. These could include:
                                                 1.  Counseling the offending employee.
                                                 2.  Transferring the employee to another position.
                                                 3.  Placing the employee on probation, with a warning of suspension or
                                                    discharge for continuing or recurring offenses.
                                                 4.  Suspending the employee with or without pay.
                                                 5.  Discharging the employee.

                                             The Director of Information Technology, Privacy and Data Security will not take
                                             action other than counseling the offending employee without discussing the
                                             matter with the employee’s Manager, Human Resources and Legal as
                                             appropriate.
         Employees and others   DP102.12     Also see DP‐100 – PROGRAM PARTICIPANT PRIVACY POLICY. Staff will also refer
         with Access to PHI                  to the Privacy and Data Security Policies located at O:\Policies and
                                             Procedures\Data Privacy

                                             The Table of Contents for GESMN Privacy Policies and GESMN Data Security
                                             Policies is included at the end of this Policy, and staff will refer to each policy
                                             located at O:\Policies and Procedures\Data Privacy for more detail on
                                             individual privacy and data security policies.

                                             For specific questions regarding privacy and data security policies or
                                             procedures, contact the Director of Information Technology, Privacy
                                             and Data Security at privacy@goodwilleasterseals.org or (651) 379‐5949.






          GES CONFIDENTIAL                                                                                   49