Page 53 - Privacy

Page 53 - Privacy_Program

P. 53

Employees and others DP102.10 Investigation of Alleged HIPAA Violations

with Access to PHI
The Director of Information Technology, Privacy and Data Security will
investigate (and document the investigation of) alleged privacy violations.
Asset Protection and the Privacy and Data Security Officer will coordinate
investigations involving facilities or assets, and Asset Protection will involve
law enforcement where appropriate. The Director of Information Technology,
Privacy and Data Security will inform the Chief Services and Programs Officer,
and Asset Protection will inform the Director of Sales immediately of
investigations that have been initiated and will provide updates as requested.
All reports of alleged violations will be examined impartially without prejudice
and without malice toward the reporting party regardless of the status of the
person accused. Information provided will be released only on a need to know
basis. After an investigation of the allegations, a determination will be made
and recommended action will be made by the Director of Information
Technology, Privacy and Data Security to management. All determinations of
recommended actions will be made on an individual basis according to
DP281.C – NON‐MEDICAL BREACH NOTIFICATION PLAN – PROCEDURES
RELATED TO ELECTRONIC PRPI, and DP281.B – HIPAA/HITECH BREACH
NOTIFICATION PLAN – PROCEDURES FOR ALL PHI.
Employees and others DP102.11 Employee Sanctions for HIPAA Violations
with Access to PHI
The organization (the employee’s manager in conjunction with the Director of
Information Technology, Privacy and Data Security and Human Resources if
consequences include more than counseling the offending employee and with
Legal if the consequences include sanctions 4. or 5. below) will apply any
consequences or a combination of consequences to eliminate any unlawful
conduct and remedy the impact of any violation. These could include:
1. Counseling the offending employee.
2. Transferring the employee to another position.
3. Placing the employee on probation, with a warning of suspension or
discharge for continuing or recurring offenses.
4. Suspending the employee with or without pay.
5. Discharging the employee.

The Director of Information Technology, Privacy and Data Security will not take
action other than counseling the offending employee without discussing the
matter with the employee’s Manager, Human Resources and Legal as
appropriate.
Employees and others DP102.12 Also see DP‐100 – PROGRAM PARTICIPANT PRIVACY POLICY. Staff will also refer
with Access to PHI to the Privacy and Data Security Policies located at O:\Policies and
Procedures\Data Privacy

Table of Contents for GESMN Privacy Policies and GESMN Data Security
Policies is included at the end of this Policy and staff will refer to each policy
located at O:\Policies and Procedures\Data Privacy for more detail on
individual privacy and data security policies.

For specific questions regarding privacy and data security policies or
procedures, contact the Director of Information Technology, Privacy
and Data Security at privacy@goodwilleasterseals.org or (651) 379‐
5949

GES CONFIDENTIAL 49

48 49 50 51 52 53 54 55 56 57 58