DPID, LLC
PRIVACY AND SECURITY POLICIES
Date: January 2013
OVERALL POLICY
DPID, LLC (“DPid”) is committed to protecting the privacy of DPid’s clients’ Protected Health Information (“PHI”). DPid will protect the privacy of PHI in accordance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and its Administrative Simplification provisions, 45 C.F.R. 160, et seq., 45 C.F.R. 162, et seq., and 45 C.F.R. 164, et seq., collectively referred to hereafter as HIPAA, in accord with the Health Information Technology for Economic and Clinical Health (HITECH) Act, establishing national standards for electronic health care transactions and the privacy of health data, and consistent with applicable state laws that govern the use and disclosure of health information.
It is the policy of DPid to use or disclose individuals’ PHI, as defined in HIPAA, only for the purpose of making or obtaining payment for care, conducting its health care operations, or as otherwise allowed by HIPAA. Generally, PHI is considered individually identifiable health information that is transmitted or maintained by DPid in any form.
In response to outside requests for PHI, DPid will limit lawful disclosure to the minimum amount of information needed to accomplish the purpose of the request or disclosure. DPid recognizes an individual’s right to authorize use and release, request restrictions, inspect his or her records, and amend and request an accounting of disclosures of his or her PHI. DPid shall provide to all Clients the NOTICE OF PRIVACY PRACTICES describing in more detail how an individual’s PHI may be used and disclosed.
ARTICLE 1
DEFINITIONS
1.1 Business Associate. “Business Associate” means a person, who on behalf of DPid, but not as a DPid employee, performs, or assists in the performance of any function or activity that uses or discloses PHI, including claims processing or administration, data analysis, administration, utilization review, quality assurance, billing, benefit management, company management, and repricing, or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for DPid, where the provision of the services involves the disclosure of individually identifiable health information from DPid or from another Business Associate of DPid.
1.2 Client. “Client” means a DPid client.
1.3 Client Record. “Client Record” means any item, collection, or grouping of information that includes Protected Health Information that is maintained, collected, used, or distributed by Provider.
1.4 Person. “Person” means any legal entity or individual.
1.5 Privacy Rule. “Privacy Rule” shall mean the standards for Privacy of Individually Identifiable Health Information contained in 45 C.F.R. Parts 160 and 164, Subparts A and E.
1.6 Protected Health Information. “Protected Health Information” and/or “PHI” means information, whether oral or recorded in any form or medium, including demographic information, that (i) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and (ii) identifies the individual, or for which there is a reasonable basis for believing that the information can be used to identify the individual. PHI includes, without limitation, “Electronic Protected Health Information” and/or “EPHI,” as that term is defined at 45 C.F.R. § 160.103. PHI does not include individually identifiable health information in: (i) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer.
1.7 Provider. “Provider” means a HIPAA covered entity, in this case DPid.
1.8 Security Rule. “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information contained in 45 C.F.R. Parts 160 and 164, Subparts A and C.
1.9 Services Agreement. “Services Agreement” means any Agreement by and between DPid and a Business Associate.
1.10 Terms. Terms used, but not defined, in this Privacy Agreement shall have the same meaning as those terms in the Privacy Rule or the Security Rule.
1.11 Unsecured Protected Health Information. “Unsecured Protected Health Information” and/or “Unsecured PHI” means information that is not secured through the use of a technology or methodology to render the Protected Health Information unusable, unreadable and undecipherable to unauthorized users.
ARTICLE 2
PRIVACY POLICY AND PRACTICES
2.1 Privacy Policy. DPid is committed to ensuring the confidentiality, integrity, and availability of the PHI of its Clients. DPid will protect the privacy of PHI in accordance with HIPAA standards, specifically those provided in the HIPAA Privacy Rule and Security Rule. This means that DPid will take the necessary steps to maintain the privacy of the individual’s health information, provide the individual with this notice of DPid’s legal duties and privacy practices with respect to information that DPid collects and records, and abide by the terms of the Notice of Privacy Practices (“Notice”), which sets forth the individual’s rights in regards to his or her PHI.
2.2 The Individual’s Rights under the Privacy Rule. DPid recognizes and will take steps to enforce the following rights for all Clients:
a. That Clients may request DPid to use or disclose health information records in certain ways.
b. That Clients may receive communications in an alternate manner or location.
c. That Clients may access and obtain a copy of health information records.
d. That Clients may request an amendment to health information records.
e. That Clients may receive an accounting of disclosures from a Client’s health information records.
2.3 Privacy Officer. DPid will appoint a Privacy Officer whose responsibility it is to assure the accountability for DPid’s privacy program and to develop and implement policies and procedures as they relate to the existing and future HIPAA regulations. The Privacy Officer will assist in the interpretation of all laws and regulations related to this Policy, the procedures and practices, and will guide the Client in their implementation. The Privacy Officer duties include:
a. Reviewing the HIPAA regulations and developing policies to remain compliant with these regulations;
b. Providing training to appropriate staff regarding the Policy, its implementation, and any changes; and
c. Creating and maintaining HIPAA policies for DPid.
In addition, the Privacy Officer is also authorized to receive complaints related to privacy matters and provide further information about the Notice of Privacy Practices.
2.4 Notice. DPid shall provide the Notice of Privacy Practices (“Notice”) to all new Clients of DPid. When and if any changes are made to the policy, copies of the new Policy will be made available upon request and in a new notice. The distributed Notice is the recipient’s to keep.
ARTICLE 3
SECURITY OFFICER AND POLICIES
3.1 Security Rule. DPid seeks to maintain up to date and effective Security Policies and Practices that comply with HIPAA’s Security Rule to ensure the confidentiality, integrity and availability of both PHI and electronic protected health information (EPHI) created, received, maintained, and transmitted by DPid.
3.2 Technical and Physical Safeguarding. DPid will establish appropriate technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of DPid’s policies and HIPAA standards. Technical safeguards include, but are not limited to, computer firewalls. Physical safeguards may include locking doors or filing cabinets to the extent applicable and ensuring the use of appropriate authorization and Business Associate agreements.
3.3 Administrative Safeguards. The Security Rule defines administrative safeguards as administrative actions, and related policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
3.4 Security Officer. DPid will designate a Security Officer, who shall have the following responsibilities:
a. Periodically reviewing, developing, and implementing security policies and procedures;
b. Performing ongoing risk analysis and risk management;
c. Exercising the day to day responsibility of HIPAA security compliance;
d. Receiving complaints related to security matters; and
e. Training affected employees on security policies and procedures.
3.5 Implementation. DPid shall implement security measures that sufficiently reduce the organization’s risk of losing or compromising its electronic PHI and that meet the general security standards, including but not limited to:
i. security reminders,
ii. protection from malicious software,
iii. log-in monitoring, and
iv. password management.
3.6 Periodic Evaluation. All HIPAA Security Policies are subject to periodic audits by the HIPAA Security Officer. The Security Officer will also regularly review DPid’s Security Policies and practices to assure continued viability in light of technological, environmental or operational changes that could affect the security of PHI and EPHI.
3.7 Contingency Plan. DPid shall establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. The contingency plan standard includes five implementation specifications:
a. Data backup plan;
b. Disaster recovery plan;
c. Emergency mode operation plan;
d. Testing and revision procedures; and
e. Applications and data criticality analysis.
3.8 Information Access Management. DPid shall implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of the Privacy Rule. By implementing this standard, the risk of inappropriate disclosure, alteration, or destruction of EPHI is minimized. DPid must determine those persons and/or entities that need access to PHI and EPHI. Compliance with this standard supports DPid compliance with the HIPAA Privacy Rule minimum necessary requirements, which requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.
a. Isolating Health Care Clearinghouse Functions. A health care clearinghouse is responsible for protecting the EPHI that it is processing.
b. Access Authorization of PHI. DPid shall identify who has authority to grant access privileges and document the granting of access by all employees.
c. Access Establishment and Modification of PHI.
3.9 Workforce Security. DPid employees, contractors and staff that need access to EPHI to carry out their duties must be identified. DPid shall provide only the minimum necessary access to EPHI that is required for a workforce member to do his or her job.
a. Authorization and/or Supervision. DPid shall implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed.
b. Workforce Clearance Procedure. DPid shall implement procedures to determine that the access of a workforce member to EPHI is appropriate.
c. Termination Procedures. DPid shall implement procedures for terminating access to EPHI when the employment of a workforce member ends.
3.10 Evaluation upon Occurrence of Certain Events. The policy evaluation process will be triggered if one or more of the following events occur:
a. Changes in the HIPAA Security Rule or Privacy Rule;
b. New federal, state or local regulation regarding PHI; or
c. Changes in technology, environmental process or business process that may affect HIPAA Security Policies or procedures.
ARTICLE 4
DISCLOSURE OF PROTECTED HEALTH INFORMATION
4.1 Permitted Uses and Disclosures. DPid may use or disclose PHI in its possession as follows:
a. To the individual;
b. For treatment, payment, or health care operations;
c. Incident to a use or disclosure from other covered entities subject to appropriate administrative, technical, and physical safeguards to protect the privacy of PHI;
d. Pursuant to and in compliance with a valid authorization;
e. About victims of abuse, neglect or domestic violence;
f. For judicial and administrative proceedings, including a request made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal but subject to an objection of the individual whose records are being requested;
g. For public health activities, such as to prevent or control disease, injury or disability; to report deaths; to report abuse or neglect; to collect or report reactions to medications, food supplements or dietary supplements; to collect or report product problems or defects; to notify persons of recalls, replacements or repairs relating to products they may be using; and to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
h. For health oversight activities, including, but not limited to audits, investigations, inspections and licensure or disciplinary actions;
i. To avert a serious threat to health or safety;
j. For research purposes, subject to a special approval process and including information about decedents;
k. To prevent a serious threat to an individual’s health and safety or the health and safety of the public or another person;
l. To an organ procurement or transplant organization or other similar entity, following the appropriate authorizations;
m. That relate to workers’ compensation programs; and
n. For any other reasons required by federal, state or local law.
4.2 Required Disclosures. A Client’s PHI must be disclosed as required by HIPAA in two situations:
a. The disclosure is to the individual who is the subject of the information.
b. The disclosure is made to the U.S. Department of Health & Human Services for purposes of enforcing HIPAA.
4.3 Minimum Necessary Disclosure Standard. DPid shall reasonably ensure that HIPAA’s standards, requirements, and implementation specifications relating to a request for the use and disclosure of the minimum necessary PHI are met. DPid shall limit any request for PHI to that which is:
a. Reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities;
b. Made on a routine and recurring basis; and
c. For all other requests, determined by DPid that the PHI sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made after review of the request on an individual basis.
4.4 Right to Release Records. The Client or appropriate legal representative has the right to release information from the Client’s record to persons or agencies outside DPid.
4.5 Authorization to Release PHI. PHI may be disclosed for any purpose if an authorization, such as the “Release of Personal Information,” which satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization. A record of each disclosure made under an authorization, indicating that information was provided, will be retained on the disclosure log.
4.6 Release of Records. Information will not be released from the Client’s record without prior authorization except in the following circumstances:
a. When the records have been properly subpoenaed;
b. When the Client is in need of emergency medical care and is unable or unwilling to grant permission to release information or his legal representative is not available to grant permission.
ARTICLE 5
BUSINESS ASSOCIATE AGREEMENT
5.1 Business Associate Policy. DPid shall ensure that all Business Associates comply with this policy and the Business Associate standards under HIPAA in order to secure the PHI that is entrusted to individuals and agencies contracted as Business Associates of DPid. Business Associates of DPid who require PHI to perform work related to DPid’s role as a covered entity must have that role detailed in a written Business Associate agreement.
5.2 Business Associate Agreement. Business Associate agreements must specify the uses and disclosures of PHI that DPid requires of the Business Associate. The agreement shall state that the Business Associate must comply with all applicable HIPAA policies and conduct its business as a covered entity. At the minimum, the agreement will assure that the Business Associate:
a. Not use or further disclose the information other than permitted by the contract or required by law;
b. Use appropriate safeguards to protect PHI;
c. Report any use or disclosure not provided for in the agreement immediately upon discovery of a breach or release of unsecured PHI, and no later than 30 days from the discovery, to allow for notification of individuals, the media and the Secretary of Health and Human Services within the 60-day time frame allowed pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), by DPid or the Business Associate as dictated in the contract;
d. Ensure that any agents or subcontractors used by the Business Associate also apply the appropriate safeguards required by the Business Associate agreement;
e. Provide a mechanism by which PHI is made available to the client for review, copying, or amendment and will make available the information necessary to account for these disclosures;
f. Make its internal practices and records available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA and ARRA; and
g. Return or destroy all PHI received from DPid at the termination of the contract, if feasible.
5.3 Enforcement of Business Associate Agreement. If DPid becomes aware of any practices of the Business Associate that constitute a material breach of the agreement, DPid shall take steps to correct or end the violation. If such steps are unsuccessful, DPid shall either terminate the contract or, if that is not feasible, report the problem to the Secretary of Health and Human Services. However, DPid is not required to monitor the privacy practices of the Business Associate and is not liable for privacy breaches of the Business Associate. PHI disclosed to a Business Associate for purposes of treatment, payment or healthcare operations does not require an accounting to the client.
5.4 Exception. The Business Associate Agreement standard does not apply to the transmission by DPid of EPHI to a health care provider concerning the treatment of an individual.
ARTICLE 6
RECORD OF DISCLOSURES
6.1 Disclosure History. DPid and its Business Associates will track accountable disclosures. All disclosures of PHI shared when a Client, their responsible party, or appropriate government agency requests a review of or copy of an individual’s PHI and necessary information will be listed on the appropriate tracking logs for each disclosure that is accountable. This record will remain a part of the Client’s permanent record. DPid will record and maintain for at least six years the following information:
a. The date of each disclosure;
b. The name and address of the organization or person who received the PHI; and
c. A brief statement of the purpose for the disclosure.
6.2 Requesting Disclosure History. An individual may request an accounting of each PHI disclosure going back as far as six years from the date of the request with an “Access Request Form.” DPid will respond to the individual’s request for a disclosure accounting within 60 days. DPid is entitled to charge a reasonable cost-based fee for researching and copying requests for a disclosure accounting.
ARTICLE 7
RESTRICTING USE OF PROTECTED HEALTH INFORMATION
7.1 Policy. A Client may request restrictions on the use and disclosure of their PHI. DPid will attempt to honor such requests if, in the sole discretion of the Company, the requests are reasonable. DPid will restrict the PHI if the requests are reasonable.
ARTICLE 8
RIGHT TO ACCESS PROTECTED HEALTH INFORMATION
8.1 Individual’s Right to Inspect and Copy PHI. DPid allows an individual to access (inspect and copy) his or her PHI as long as such information is maintained in designated record sets. This inspection and copying also applies to PHI maintained in designated record sets by DPid’s Business Associates. DPid will respond to an individual’s request for access within 30 days.
8.2 Providing Access. A reasonable, cost-based fee for copies and postage (as applicable) will be charged for the requested PHI. DPid will provide a private area to allow the individual to view his or her PHI upon request.
8.3 Right to Deny Access. DPid may deny access to information, including copies, listed below without a review or challenge of the denial:
a. Information compiled in reasonable anticipation of (or for use in) a civil, criminal, or administration action or proceeding;
b. Certain PHI maintained by a covered entity that is subject to or exempted from the Clinical Laboratory Improvements Amendments of 1988 (CLIA);
c. PHI obtained in the course of research that includes treatment of the research participants;
d. PHI obtained from someone outside DPid under a condition of confidentiality, and allowing access would likely reveal the source of the information; or
e. PHI subject to the Privacy Act of 1974.
8.4 Right to Deny Access for Safety Reasons. DPid has the right to deny an individual’s access to PHI, if DPid believes such access could endanger the physical safety of the individual or others. In addition, client access may be denied for some psychotherapy notes, for information compiled for a lawsuit, or for certain other limited circumstances. These denials of client access are subject to review and appeal to DHHS. See “DHHS Complaint Form” or go to www.hhs.gov/ocr/privacy/hipaa/complaints.
ARTICLE 9
AMENDING PROTECTED HEALTH INFORMATION
9.1 Right to Amend. HIPAA allows an individual to request a provider amend his or her PHI. Though not a provider, DPid will permit such amendments for as long as it maintains the individual’s PHI in designated record sets. DPid should respond to the individual’s request within 60 days.
9.2 Right to Decline to Amend PHI. DPid reserves the right to decline to amend PHI if:
a. The information was not created by DPid except where the client provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
b. The information is not part of a designated record set maintained by DPid or a DPid Business Associate;
c. DPid determines that the information in dispute is accurate and complete; and
d. The information may be lawfully withheld from the right of access.
9.3 Notice of Denial to Amend. DPid shall inform in writing any denial of a request by an individual to amend his or her PHI held in its possession.
ARTICLE 10
DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION
10.1 De-identification of PHI. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information and therefore not subject to the HIPAA Privacy Rule and Security Rule. DPid may determine that health information is not individually identifiable health information only if: (1) a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify an individual who is a subject of the information; or (2) the following specific identifiers of the individual or of relatives, employers, or household members of the individual, are removed from the health information and DPid does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information:
a. Names;
b. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
c. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
d. Telephone numbers;
e. Fax numbers;
f. Electronic mail addresses;
g. Social security numbers;
h. Medical record numbers;
i. Health plan beneficiary numbers;
j. Account numbers;
k. Certificate/license numbers;
l. Vehicle identifiers and serial numbers, including license plate numbers;
m. Device identifiers and serial numbers;
n. Web Universal Resource Locators (URLs);
o. Internet Protocol (IP) address numbers;
p. Biometric identifiers, including finger and voice prints; and
q. Full face photographic images and any comparable images.
10.2 Re-identification. DPid may assign a code or other means of record identification to allow information de-identified to be re-identified, provided that: (1) the code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and (2) DPid does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
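As an added illustration of the Safe Harbor method in 10.1 and the re-identification code rule in 10.2, the following Python is example code written for this page, not DPid’s own tooling. It removes the listed identifier fields (a–q), reduces the individual’s dates to the year, aggregates ages over 89 into a single “90+” category (dropping the birth year in that case, since the year would be indicative of the age), truncates ZIP codes to three digits, scrubs identifier-shaped strings from free-text fields, and assigns a random re-identification code that is not derived from the individual’s data. The field names, the sample record and the set of ZIP prefixes that may be retained are constructed assumptions; the policy states a Census-based condition for keeping a three-digit prefix without spelling it out, so that determination is left to the caller.

```python
import re
import secrets

# Fields the Safe Harbor list (10.1 a-q) says must be removed outright.
# Field names are constructed for this example; map them to your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct",   # a, b
    "phone", "fax", "email",                                  # d, e, f
    "ssn", "mrn", "health_plan_id", "account_number",         # g, h, i, j
    "license_number", "vehicle_id", "device_serial",          # k, l, m
    "url", "ip_address", "biometric", "face_photo",           # n, o, p, q
}

# Dates directly related to the individual (c): keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Patterns used to scrub free-text fields for identifiers that slipped in (d, f, g, n, o).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def truncate_zip(zip_code, retainable_prefixes):
    """Keep the first three digits only when the caller has established, from
    Census data, that the prefix may be retained; otherwise replace with '000'."""
    prefix = zip_code[:3]
    return prefix if prefix in retainable_prefixes else "000"


def generalize_age(age):
    """Ages over 89 are aggregated into the single category '90+'."""
    return "90+" if age > 89 else str(age)


def year_only(iso_date):
    """Reduce an ISO 8601 date string (YYYY-MM-DD) to its year."""
    return iso_date[:4]


def scrub_text(text):
    """Replace identifier-looking substrings in free text with typed placeholders."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} removed]", text)
    return text


def de_identify(record, retainable_zip_prefixes=frozenset()):
    """Return a Safe-Harbor-style copy of `record`: listed identifiers removed,
    dates reduced to year, ages capped, ZIP truncated, free text scrubbed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key[:-5] + "_year"] = year_only(value)   # birth_date -> birth_year
        elif key == "zip":
            out["zip3"] = truncate_zip(value, retainable_zip_prefixes)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    # A birth year for someone over 89 is itself indicative of that age (10.1 c).
    if isinstance(record.get("age"), int) and record["age"] > 89:
        out.pop("birth_year", None)
    return out


class ReidentificationKey:
    """Private mapping from a random code back to the original record id.
    Per 10.2 the code is not derived from the individual's data, and this
    mapping is kept apart from, and never disclosed with, the de-identified data."""

    def __init__(self):
        self._code_to_id = {}

    def assign(self, record_id):
        code = secrets.token_hex(8)          # random, unrelated to the record
        while code in self._code_to_id:      # guard against the rare collision
            code = secrets.token_hex(8)
        self._code_to_id[code] = record_id
        return code

    def resolve(self, code):
        return self._code_to_id[code]


# Constructed sample record; every value here is fictional.
SAMPLE_RECORD = {
    "mrn": "MRN-0001",
    "name": "Jane Example",
    "birth_date": "1931-05-14",
    "admission_date": "2012-11-03",
    "age": 93,
    "zip": "02138",
    "email": "jane@example.com",
    "diagnosis": "Dental prosthesis fitting",
    "notes": "Call back at 617-555-0100 or jane@example.com; see http://example.com/x",
}

if __name__ == "__main__":
    print(de_identify(SAMPLE_RECORD, retainable_zip_prefixes={"021"}))
```

The de-identified output carries no field that the key mapping could be derived from; the only link back to the source record is the random code held in `ReidentificationKey`, which is exactly the separation 10.2 requires.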
ARTICLE 11
NOTIFICATION OF BREACHES
11.1 Security Breach Policy. DPid will notify any Client when it has a security breach that results in, or which DPid believes may result in, the individual’s unsecured PHI being accessed, acquired or disclosed by a third party.
11.2 Security Breach Definition. “Security Breach” means an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information, except where an unauthorized person would not reasonably have been able to retain such information.
11.3 Investigation. DPid will investigate any suspected improper releases of PHI. DPid’s Privacy Officer will be responsible for conducting the investigation. He or she will determine:
a. If PHI was improperly released;
b. How it was released;
c. Who was responsible;
d. How to mitigate the release;
e. What changes need to be made to the security plan to prevent it from happening in the future; and
f. What appropriate actions, including sanctions, to take.
11.4 Notices to Individuals. DPid will notify Clients of any unintentional or inadvertent breaches of PHI within 60 days of the Discovery of such breach. “Discovery” is defined as actual knowledge of the breach by a member of DPid’s workforce or an agent or Business Associate, or deemed knowledge if the breach would have been discovered by exercising reasonable diligence. These individual notices must be written in plain language and include basic information such as: (1) the date of the breach, if known; (2) the types of PHI involved such as full name, social security number, Medicare number, other health insurance numbers, date of birth, etc.; (3) a brief description of the breach and what DPid is doing to mitigate damages and protect against future breaches; and (4) steps affected participants should take to protect themselves. The notices may be sent by first-class mail to the individual’s last known address or by e-mail if the individual has agreed to receive electronic notices (and has not withdrawn that agreement). If there is insufficient or out-of-date contact information, substitute notice may be provided by an alternative form of written notice, or by phone or other means – if there are fewer than 10 affected individuals. If there are more than 10 affected individuals, substitute notice would be in the form of a notice posted for a specified period on the home page of a relevant website or notice in major print or broadcast media. The notification will include the date on which the breach was discovered, or if asked by law enforcement to wait, as soon as is possible to notify after the investigation is complete.
11.5 Notices to Media. In addition to notifying affected individuals, if a breach affects more than 500 Clients of one state or other smaller jurisdiction (such as a county, city or town), prominent media outlets serving that jurisdiction must be notified. This notice must be provided without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach. This notice must include the same basic information as the individual notice. DHHS clarifies in the preamble to the regulations that it expects this notice would usually be done in the form of a press release.
11.6 Notices to DHHS. In addition to the required notices to individuals and any potential notices to media outlets, DPid will have to notify DHHS of any breaches of participant unsecured PHI. If a breach involves 500 or more individuals, DPid must notify DHHS at the same time it notifies the individuals. The manner and content of this notice are expected to be specified on the DHHS website. DHHS will post on its website a list of HIPAA covered entities that submit reports of breaches involving more than 500 individuals. For breaches that affect fewer than 500 individuals, a covered entity must provide DHHS with notice annually. All notifications of breaches occurring in a calendar year must be submitted within sixty (60) days of the end of the calendar year in which the breaches occurred.
11.7 Notices by Business Associates. Any third-party administrator, claims administrator, pharmacy benefit manager or other Business Associate to DPid is required to notify the DPid Privacy Officer in the event of a breach of unsecured PHI. Again, the notice must be provided without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a breach.
11.8 Mitigation. DPid shall mitigate, to the extent possible, any harmful effects that become known of a use or disclosure of an individual’s PHI in violation of the policies and procedures set forth in this Policy. Knowledge of inadvertent disclosures will be immediately brought to the attention of the Privacy Officer for appropriate action.
11.9 De-identified PHI. If information is de-identified in accordance with Article 10 above (complying with 45 C.F.R. 164.514(b)), it is not PHI, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart.
ARTICLE 12
EMPLOYEE TRAINING
12.1 Employee Training. DPid will provide training during orientation for all employees on the HIPAA privacy rules and PHI. By signing the Employee HIPAA Policy Acknowledgment Form, employees acknowledge they read and understand DPid’s Privacy and Security Policies. All employees receive additional annual training through an educational program designated by the Privacy Officer. Revisions to DPid’s Privacy and Security Policies will be provided to all employees with proper acknowledgement.
ARTICLE 13
WHISTLEBLOWER PROTECTIONS
13.1 Whistleblower Protections. No employee shall intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals, including Clients and their personal representatives for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.
13.2 Investigation of Complaint. If an accusation is made indicating that any of the above actions have taken place, the DPid Privacy Officer and the DPid Security Committee will investigate and determine the course of action. All officers, employees, students, contractors and agents of DPid are expected to comply and cooperate with the investigation and sanctioning of violations of HIPAA law or regulations.
ARTICLE 14
DISCIPLINARY ACTION FOR VIOLATING HIPAA
14.1 Discipline Policy. DPid considers the PHI and EPHI in its possession as confidential. A DPid employee that is responsible for a violation of the HIPAA privacy and/or security rules is subject to disciplinary action. DPid reserves the right to terminate employment upon the first breach of the HIPAA privacy rules.
14.2 Violations of HIPAA Privacy and Security Rules. Examples of violations of HIPAA privacy and security rules include but are not limited to:
a. Accessing PHI/EPHI you do not need to perform your job;
b. Leaving a copy of PHI in a public area;
c. Providing your computer access codes to someone else;
d. Logging on to a PHI/EPHI program and then leaving the computer unattended;
e. Modifying or copying PHI/EPHI without authorization;
f. Discussing PHI in a place where unauthorized persons could overhear the conversation;
g. Discussing PHI with an unauthorized person;
h. Disclosing or using PHI/EPHI in an unauthorized manner;
i. Failing to cooperate with the HIPAA privacy or security official; and
j. Obtaining PHI/EPHI under false pretenses for personal gain.
14.3 Investigation of Violation. When the Privacy Officer becomes aware of a violation of DPid’s Privacy Policy, they will begin an investigation to determine the extent of the violation and proceed according to any DPid policies. All officers, employees, interns, contractors and agents of DPid are expected to comply and cooperate with the investigation and sanctioning of violations of HIPAA law or regulations. Any employee who knowingly falsely accuses another of a breach of HIPAA rules and policy shall be subject to disciplinary action up to and including termination.
Adopted: February 01, 2013
Thank you for considering DPid (Dental Prosthetics Identification).