Protected Health Information and Patient Privacy Policy

Policy Statement

During the course of employment, staff may have access to Protected Health Information (PHI). Any PHI, whether oral, written, photographic, or electronic, should be maintained in a manner that ensures its privacy and security.

PHI must be treated with respect and care by any workforce member who is authorized to have access to this information. Workforce members who are authorized to use or disclose PHI also have the responsibility to safeguard access to such information. Workforce members who are authorized by Duke to access PHI have a responsibility to limit uses and disclosures to those that are allowed by permission, by authorization and/or bylaw. The access must be appropriate to the workforce member's job responsibility. A breach is a violation of Duke privacy or security policies and/or state or federal regulatory requirements resulting in the unauthorized or inappropriate use, disclosure or access of PHI. Any Duke workforce member's behavior, that compromises a patient's or a human subject's privacy or PHI, is covered by this policy.

Policy Details

Definitions

Disclosure: The release, transfer, access to, or divulging in any other manner protected health information outside of Duke Health Enterprise. An example would be the release of protected health information to a third party who is not acting as a workforce member of the Duke Health Enterprise.

Privacy Breach: The use or disclosure of oral, paper or electronic Protected Health Information by an individual for purposes other than those for which s/he is authorized, or a violation of a privacy or security requirement resulting in potential for such an unauthorized use or disclosure.

Privacy Director: The person whose official duties include addressing the privacy activities for a Duke University Health System (DUHS) or Duke entity. The Privacy Director is designated to the role by the DUHS Privacy Officer.

Privacy Officer: The person who is the DUHS Privacy Officer.

Protected Health Information (PHI): For purposes of this policy, PHI includes: 1. Individually identifiable health information in any form (paper, electronic, oral) that is transmitted and/or stored by Duke or a business associate that relates to the past, present, or future health of an individual, provision of health care, or payment for health care that is linked to a patient; or 2. Identifying or Personal Information, as defined in Federal Trade Commission's Red Flags Rules or the NC Identity Theft Protection Act of 2006 regulations, including any name or number that may be used in conjunction with any other information to identify a specific person, e.g. social security number, credit card number or passwords.

Use: The authorized sharing, application, review, or analysis of PHI within Duke.

Workforce Members: Employees, volunteers, trainees, medical staff and other persons whose conduct, in the performance of work for Duke, is subject to the control of such entity, whether or not they are paid by Duke.

Reporting Responsibilities

The individual, who commits, observes or becomes aware of an unauthorized or inappropriate access, use or disclosure of PHI is responsible for promptly reporting such to one of the following:

  • Immediate supervisor
  • Department Head or Manager of the area in which the individual works \
  • Entity Privacy Director
  • DUHS Compliance Office: 919-668-2573
  • Human Resources
  • Integrity Line: 1-800-826-8109

The immediate supervisor, department management or Human Resources will notify DUHS Compliance and Privacy Office ("DUHS Compliance Office") when a potential breach occurs. DUHS Compliance Office will coordinate a review of the potential breach with department management and Human Resources and, when applicable, review the circumstances surrounding the breach, mitigation steps and any harmful effect that may result from the breach. DUHS Compliance Office, in conjunction with Human Resource staff, will determine appropriate sanctions concerning the breach.

Process

Through the coordination of the DUHS Compliance Office, the following process should be followed when a potential breach occurs:

1. Upon receipt of a potential breach, department management or Human Resources shall report this potential breach to the appropriate entity Privacy Director or DUHS Compliance immediately upon awareness of such a potential breach. The confidentiality of all participants shall be maintained to the extent possible, within reason, throughout the investigation.

2. Upon notice of the potential breach by a workforce member, DUHS Compliance Office or its designee will assess and/or investigate the potential breach and determine, in collaboration with Human Resources, any corrective action as warranted. Investigations may include, but are not limited to interviews, electronic user access audit trails, review of telephone logs, or other activities.

3. DUHS Compliance Office or Human Resources may request department management to investigate the circumstances of the potential breach, including interviews or request for written(s) statement from staff.

4. In the event of an electronic user access audit, the following steps will be taken:

a. DUHS Compliance Office or designee may perform a user access audit or request the designated department(s) to prepare computer reports detailing a specific workforce member's access to identified electronic systems and, if indicated, access to specific patient(s).

b. DUHS Compliance Office will establish the designation of specific time frames for the potential breach and will share that information when requesting the audit.

c. The audit report will be forwarded to DUHS Compliance Office who will review and assess potential breaches. The expected turnaround time for this assessment is one week from the date of receipt of the audit report.

d. Instances of unexplained access will be forwarded to the workforce member's supervisor for further investigation. DUHS Compliance Office will assist the supervisor with the investigation by being available as a resource to interpret the policy or perform a potential unauthorized access audit.

e. Instances of unexplained access by Duke University (DU) Faculty will be forwarded to the appropriate Department Chair or Division Chief. DUHS Compliance Office will assist the Department Chair or Division Chief with the investigation by being available as a resource to interpret the policy, or perform user access audits.

f. The workforce member's supervisor or the Department Chair is responsible for evaluating the circumstances under which the user accessed the PHI. This may be accomplished through discussions with the said workforce member or faculty and, if necessary, with other workforce members.

g. The supervisor or the Department Chair will advise DUHS Compliance Office of the findings.

5. During the review of the potential breach, DUHS Compliance Office may contact the Office of Counsel. The Office of Counsel may direct DUHS Compliance Office's investigation under the attorney/client privilege.

6. When a breach is substantiated, DUHS Compliance Office will review the findings with department management and Human Resources to coordinate the communication of corrective action. In the case of DU Faculty, DUHS Compliance Office, Human Resource, and Department Chair will coordinate the communication of corrective actions.

7. Such factors as the nature and severity of the potential breach will be taken into consideration in determining the appropriate level of sanction.

8. It may be appropriate to delay corrective action if the action adversely affects or compromises patient care.

Corrective Action

Corrective action, if warranted, will be imposed based on the nature and severity of the violation, whether intentional or not, circumstances surrounding the privacy breach or whether the violation demonstrates a pattern or practice of improper use or disclosure of confidential information on the part of the workforce member.

DUHS Compliance Office, in collaboration with the workforce member’s department management and Human Resources, will determine the level of corrective action. Corrective action relating to this policy shall be applied fairly and consistently. 
For Duke University Faculty, Human Resources, in collaboration with DUHS Compliance Office and Chair or Dean, will determine the level of corrective action in accordance with the Policy. Appeals rights would be in accordance with faculty hearing process, Handbook or Medical Staff Bylaws.

The Chair in consultation with the School of Medicine Vice Dean for Faculty or the Dean, or School of Nursing Dean, will review the facts and circumstances of the potential breach. In consultation with Human Resources and/or Medical Center Management Center and Compliance Office based upon the nature and severity of breach, actions may result in progressive corrective actions for Faculty.

All corrective actions will be documented in writing and maintained in the appropriate personnel record. If warranted, corrective actions, up to and including termination may be reported to the applicable licensing board in collaboration with entity senior management.

Description of Corrective Action Levels

For any breach, the involved workforce member(s) will be subject to corrective action, up to and including termination, based on the nature and severity of the violation, pattern or practice of such behavior and prior discipline. Breaches are divided into four levels with the corresponding corrective action for each level. Such factors as the circumstances surrounding the breach and the workforce member’s history of non-compliance, the frequency of non-compliance, and the impact of non-compliance (e.g. probability that PHI is compromised or harm caused to patient by the breach) will be taken into consideration in determining the appropriate level of sanction. 

Level 1

This level of breach occurs when a workforce member unintentionally or carelessly fails to exercise appropriate care and safeguards in handling PHI. Examples include, but are not limited to: leaving a copy of test results  in a public area

  • discussing patient information in a public area;
  • leaving a copy of patient information in a public area leaving a computer with an application accessible unattended in an open area
  • transmission of electronic communication without encryption when encryption is required by DUHS policies and procedures (includes sending, replying to or forwarding) to a non-Duke email address of an intended recipient;
  • faxing documentation to a wrong office or telephone number with a covered entity;
  • emailing documentation to a wrong email address within a covered entity.

A Level 1 Carelessness breach does not include unintentional access to PHI that is non-repetitive, e.g., 

  • requesting a record of similarly named patient or selecting an incorrect name, if staff recognizes mistake and immediately returns or exits the record without taking any operational action.
  •  mistakenly giving PHI to the wrong patient but immediately retrieves the information before the recipient has a chance to read it or leaves the facility with it.

Depending on the facts and circumstances of the event, corrective action may be administered in the following order: 

  • First Offense: Documented counseling session
  • Second Offense: Written warning
  • Third Offense: Final Written Warning and two (2) weeks unpaid suspension
  • Fourth Offense: Termination of employment, ineligible for rehire

Level 2

This level of breach occurs when a workforce member’s actions result in inappropriate use, disclosure or access to PHI or when the action is not part of the workforce member’s area of responsibility. Examples include, but are not limited to:

  • sharing user IDs and/or passwords with other staff/colleagues or permitting another to access PHI through one’s computer or access;
  • inappropriate disposal of PHI, e.g., failure to shred labels or records; o permitting an unauthorized third party to use a Duke computer or system;
  • removing PHI from DHE premises in violation of policies or standards, e.g., paper medical records for purposes other than for provision of clinical care;
  • maintaining unencrypted PHI on laptop, PDA and/or thumb/jump drive;
  • releasing PHI to a third party without proper verification of the person’s identification;
  • faxing documentation to a wrong office or telephone number (not a covered entity);
  • sending, replying or forwarding of electronic communication (whether or not encrypted) to an unintended recipient who is not a covered entity (i.e., wrong email address);
  • mailing PHI to a wrong person or address.

Depending on the facts and circumstances of the event, corrective action may be administered in the following order:

  • First Offense: Written warning
  • Second Offense: Final written warning and two (2) weeks unpaid suspension
  • Third Offense: Termination of employment, ineligible for rehire

Level 3

This level of breach occurs when a workforce member deliberately accesses, uses or discloses PHI without a business need. Examples include, but are not limited to: 

  • posting or participating in communication containing PHI on a social networking/open source site in a manner inconsistent with DUHS policies and procedures ;
  • accessing another person’s PHI, e.g., medical record, without a business need or the patient's authorization.  This includes friends, relatives, co-worker’s medical record, or any other person (e.g. accessing an estranged spouse's medical record, obtaining a phone number of a relative, “check on” a co-worker that is rumored to be a patient in the facility, reviewing areas of a person's medical record outside the employee's job responsibilities. 
  • sharing PHI with the media without authorization from the patient;
  • sharing PHI obtained from a third party that is not necessary for the workforce member’s responsibilities;
  • discussing PHI with individual(s) not involved in the patient's care or without a business need.

Depending on the facts and circumstances of the event, corrective action may be administered in the following order: 

  • First Offense: Final Written Warning and two (2) week unpaid suspension
  • Second Offense: Termination of employment, ineligible for rehire

Level 4

This level of breach occurs when a workforce member knowingly and/or maliciously takes actions or omissions causing unauthorized access, use, or disclosure of PHI, regardless of whether the actual use or disclosure occurred. Such level also includes access to PHI as described in the level 3 sanction, excessive in number, distribution or scope. Examples include, but are not limited to:

  • the workforce member inappropriately and repeatedly accessing, using, or disclosing individual screen(s) or information from individual or multiple patient records
  • disclosing PHI for a personal gain
  • theft or sale of PHI
  • disclosing PHI to cause harm to patient or any third party

Depending on the facts and circumstances of the event, corrective action may be administered in the following order: 

  • First offense: Termination of employment, ineligible for rehire

Depending on the facts of the offense, a workforce member that receives discipline at levels 1 through 3 may also be asked to conduct an educational in-service with co-workers regarding safeguarding PHI and the appropriate uses/disclosures.

Policy Number: 04.16

Categories

Workplace Expectations & Guidelines Policy