Risk Treatment Plan and Management

I. PURPOSE:

The purpose of this standard is to establish a consistent procedure to be followed in circumstances where corrective, remedial, or disciplinary action is appropriate to address an employee’s or contractor’s failure to comply with Uprise’s Information Privacy and Security Program policies, Uprise’s Standards of Conduct, or applicable state and federal privacy laws. These guidelines were designed to align a “typical” privacy violation with the “normal” disciplinary action consequences.

II. DEFINITIONS:

A. A “Disclosure” means the release, transfer, provision of access to, or divulging of information in any other manner outside the Uprise Facility holding the information.

B. “Health Information” is broadly defined and includes any health information that pertains to a particular individual.

C. “Personally Identifiable Information” or “PII” means any information about an individual maintained by Uprise, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as assessment, educational, financial, and employment information.

D. “Protected Health Information” or “PHI” means individually identifiable health information that is transmitted by electronic media; maintained in any medium as described in the definition of electronic media; or transmitted or maintained in any other form.

E. “Workforce” includes employees, volunteers, trainees and other persons whose conduct, in the performance of work for the facility, is under the direct control of such facility, whether or not they are paid by the facility. Workforce excludes independent contractors of the facility because the facility may not exercise direct control over an independent contractor. Workforce also excludes Business Associates or an employee, agent or contractor of a Business Associate.

III. STANDARD:

Uprise Facilities are strongly committed to the protection of the PHI of all users throughout the organization. Leadership and employees are reminded that the unauthorized release of, or unauthorized access to, PHI in any form may result in disciplinary action up to and including termination.

Any reported or suspected privacy violations will be investigated in accordance with organizational practices.  Leadership will be expected to consult with the Human Resources Officer and the Privacy Officer, or the Compliance Officer in the absence of a Privacy Officer, or designee, regarding violations of Uprise’s privacy policies, state privacy laws, or federal privacy laws.

When extenuating circumstances exist or atypical violations occur, the facility Human Resources Officer, or designee, and the employee’s Manager, in consultation with the Privacy Officer (or the Uprise Compliance Officer in the absence of a Privacy Officer), are to rely on their best judgment in determining the appropriate disciplinary action, consistent with Uprise’s Discipline Principles and in consideration of the employee’s past disciplinary history.

The Facility will normally follow progressive discipline; however, depending on the circumstances and on the severity of the violation, an employee may be disciplined at any level of the disciplinary process up to and including termination of employment.

A. Types of Disciplinary Action

1. Verbal Counselling/Coaching
2. Verbal Counselling/Written
3. Written Warning
4. Final Written
5. Decision Making Leave/Suspension
6. Termination

B. Severity Level of Privacy Violations

It is recognized that there are different severity levels of privacy violations related to the unauthorized release of, or access to, PHI. This standard outlines those levels. The examples provided below are not exhaustive, but are intended to be an informational guide for Leadership, Supervisors, and Human Resources in order to make the best decision when administering disciplinary action. This standard does not alter the ‘at-will’ employment relationship, and either the employee or the organization may terminate the employment relationship at any time, with or without notice and with or without cause.

1. Severity Level I

a. A Level I violation may consist of the following:

(1) Leaving documents containing PHI in public areas.
(2) Leaving a computer screen unattended with unsecured PHI in an accessible area.
(3) Discussing PHI in public areas with colleagues involved in treatment, payment or operations of a user in a volume higher than necessary, without considering the surroundings.
(4) Discarding PHI into the trash instead of a secure shred container.
(5) Any other violation with similar scope that may result from unintentional error or oversight.

b. A Level I violation may result in a verbal warning/coaching and may be documented on a performance improvement plan to be included in the employee’s personnel file. If the disciplinary action was a verbal coaching session, then “coaching” is to be written at the top left of the Performance Management form.

2. Severity Level II

a. A Level II violation may consist of the following:

(1) Transmitting PHI via mail, facsimile or electronic mail to the incorrect location/recipient.
(2) Inadvertent fax of PHI to the incorrect recipient by misdialling (manual) or mistyping (electronic) the fax number.
(3) Accidental electronic transfer/e-mail of user data to unintended vendors that are not contracted as business associates of the entity.
(4) Entering information into the wrong user’s account/assessment record, resulting in an individual, a doctor’s office, a business associate, etc. receiving incorrect user information.
(5) Allowing a co-worker to use your workstation/log-in credentials to access a user’s assessment record, or sharing passwords or other log-in credentials (intent to circumvent user safety efforts).
(6) An employee accessing the paper or electronic assessment record of a family member or friend to print their results for them, instead of the user signing a release authorization in assessment records.
(7) Inadvertent disclosure of PHI to the incorrect user by not double-checking each page and/or not using user identifiers (e.g. discharge instructions).
(8) Discussing PHI with colleagues or vendors that do not have a need to know the user’s information.
(9) Discussing PHI with family or visitors of the user without first allowing the user an opportunity to exercise their right to consent or object to their information being disclosed.
(10) Any other violation with similar scope that may involve access to or release of PHI.
(11) A repeated Level I violation.

b. A Level II violation may result in a written warning and will be documented on a performance improvement plan.

3. Severity Level III

a. A Level III violation may consist of the following:

(1) An employee accessing the electronic assessment record of a user (e.g. a family member, friend, or VIP user) when they are not a member of the treatment team and have no operational, billing or coding purpose for doing so (snooping).
(2) Knowingly and intentionally releasing PHI, in any form, of a user to unauthorized individuals without the authorized consent of the user.
(3) Intentionally releasing components of the assessment record, including prescriptions, of one user to another user or to a non-intended recipient.
(4) Posting user information, images, or PHI of a user on social media web sites (see also Uprise Standards of Conduct).
(5) Authorized texting of user identifiable information, images, or PHI of a user to an unauthorized party.
(6) Any other violation with similar scope that may involve access to or release of PHI.
(7) A repeated Level II violation.

b. A Level III violation may result in a final written warning and a three-day suspension without pay.

4. Severity Level IV

a. A Level IV violation may consist of the following:

(1) Accessing assessment records, whether the paper or electronic assessment record of a user, family member, co-worker or other member of the public, with intent of personal gain.
(2) Selling, releasing, or otherwise disclosing PHI for personal gain or with malicious intent.
(3) Access of PHI to compile a mailing list for personal use or to sell.
(4) Taking a laptop or user file that contains PHI for personal use or to sell.
(5) Loss or theft of paper documents or paper records that contain PHI.
(6) Loss or theft of an unencrypted laptop, computer, Blackberry, iPhone, iPad, or any electronic device that contains PHI.
(7) Loss or theft of an unencrypted media device, such as a flash drive, that contains PHI.
(8) Loss or theft of unsecured assets.
(9) Unauthorized texting of user identifiable information, images, or PHI of a user intentionally to an unauthorized party.
(10) Any other violation with similar scope that may involve access to or release of PHI.
(11) A repeated Level III violation.

b. A Level IV violation may result in immediate termination of employment, and may result in civil or criminal penalties initiated by the organization or an external agency.

C. Additional Consideration(s)

To determine the severity of a privacy incident and the appropriate disciplinary action, facility Leadership, the Supervisor, the Privacy Officer (or the Uprise Compliance Officer in the absence of a Privacy Officer), and the Human Resources Department will take into consideration the answers to the following questions:

1. Is this a repeat occurrence for this employee?
2. Did the employee complete privacy training within the last year?
3. Was the violation intentional or accidental?
4. Did the employee fail to self-disclose?
5. Does this employee have other documented performance issues?

D. Performance Management Process

1. Depending on the severity, a breach may result in mandatory re-education, suspension and/or termination of employment, reporting to authorities, and reporting to applicable licensing/certification and registration agencies.

2. Facility Human Resources will provide assistance, guidance, and support to Leadership, Supervisors and Employees in all aspects of the Performance Management process.

3. The facility Supervisor, in consultation with the Human Resources Department, is responsible for ensuring that Uprise’s disciplinary and remedial policies are enforced consistently for all employees involved in or responsible for a violation.

IV. IMPLEMENTATION:

A. Uprise Facility WITHOUT Privacy Officer

1. The Uprise Facility Compliance Officer, Uprise Facility Information Security Officer, Uprise Facility Compliance Committee, and Uprise Facility Leadership are responsible for distribution and oversight of Information Privacy and Security Program Standards at the facility level.

2. Uprise Facility Leadership will:

a. Adopt this standard and, where necessary, develop specific written procedures in order for the Uprise Facility to operationalize this standard;
b. Develop appropriate methods to monitor adherence to the written procedures; and
c. Report monitoring activity to the Uprise Facility Compliance Officer.

B. Uprise Facility WITH Privacy Officer

1. The Privacy Officer, Uprise Facility Information Security Officer, Uprise Facility Compliance Committee, and Uprise Facility Leadership are responsible for distribution and oversight of Information Privacy and Security Program Standards at the facility level.

2. Uprise Facility Leadership will:

a. Adopt this standard and, where necessary, develop specific written procedures in order for the Uprise Facility to operationalize this standard;
b. Develop appropriate methods to monitor adherence to the written procedures; and
c. Report monitoring activity to the Privacy Officer.

C. Home Office/Region/Market

1. Uprise’s Information Privacy/Security Office will work with the Privacy Officers, Uprise Facility Human Resources Officers, and Uprise Facility Leadership to develop, maintain, and update procedures and standards for protecting the privacy of PHI and affording users their rights with respect to their PHI.

2. Uprise Home Office and Uprise Region/Market Offices must incorporate these standards into their specific policies and procedures where necessary.

Jay Spence