HIPAA Violations Policy
Division of Administration Personnel Policy Number: 109
EFFECTIVE DATE: November 18, 2019 (Original)
PREVIOUS REVISION DATES: N/A
AUTHORIZATION: Barbara Goodson, Deputy Commissioner
Policy Sections
- Policy
- Applicability
- Training
- Prohibitions
- Reporting
- Investigations
- Violations
- Non-retaliation
- Exceptions
- Questions
- References
I. POLICY:
The Division of Administration (DOA) is committed to ensuring the confidentiality and integrity of protected health information (PHI) as required by law. To accomplish this, the DOA requires that all employees having access to PHI strictly comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
DOA employees are required to report identified violations of HIPAA. All such reports will be thoroughly investigated and corrective action imposed, as warranted. Employees reporting such violations, and those called upon to participate in the investigative process, are assured that they will not suffer any form of harassment, reprisal or retaliation as a result.
II. APPLICABILITY:
This policy applies to all employees of the Office of Group Benefits (OGB) and the Office of General Counsel. It also applies to those DOA employees within the Office of the Commissioner, the Office of Finance and Support Services, the Office of Technology Services, and the Office of Human Resources having access to PHI. Management personnel are required to identify the positions that handle PHI within their respective offices, and ensure that the incumbents of these positions fully comply with the HIPAA Privacy and Security Rules and OGB's HIPAA Policies and Procedures Manual.
III. TRAINING:
All employees having access to PHI are required every calendar year to complete the DOA OGB HIPAA training available through LEO.
All newly hired employees having access to PHI are required to complete the DOA OGB HIPAA training available through LEO within the first thirty (30) days of employment. No newly hired employee will have access to PHI prior to completion of the DOA OGB HIPAA training.
All employees having access to PHI, who are not currently in compliance with the training requirements set forth herein, have sixty (60) days from the effective date of this policy to complete the required DOA OGB HIPAA training.
Management personnel are responsible for ensuring that the training requirements of this policy are satisfied by the employees in their offices who have access to PHI.
IV. PROHIBITIONS:
To protect against the improper handling, use or disclosure of PHI, non-compliance with and violations of the HIPAA Privacy and Security Rules or OGB's HIPAA Policies and Procedures Manual are strictly prohibited.
V. REPORTING:
DOA employees are required to report violations of the prohibitions of this policy. This requirement applies to an employee's self-report of their own violations as well as identified violations by others.
DOA does not require a rigid reporting protocol. The report can be verbal (in person or via telephone) or in writing (letter, memo, email, text) and need not utilize a specific form. The report by the employee may be made to their supervisor, the OGB HIPAA Privacy Officer at (225) 342-4471, or the Employee Relations Manager in Human Resources at (225) 342-6060.
VI. INVESTIGATIONS:
All reports and complaints of improper handling, use or disclosure of PHI, or other violation of the prohibitions of this policy, will be directed to the Employee Relations Manager. A preliminary assessment will be made of the information provided to determine the course of action required. Any investigation deemed necessary will be conducted by a designated team comprised of the Employee Relations Manager and representatives from OGB and the Office of General Counsel. All individuals conducting such investigations are required to have completed the training required by this policy.
Individuals called upon to participate in the investigation are required to fully cooperate and provide truthful responses. Employees, including the accused, do not have the option of remaining silent or declining to get involved. Those questioned may be required to prepare a written statement or provide a recorded statement. To the extent possible, the investigation will be conducted in a confidential manner and employees will be instructed that the complaint and all information provided during the investigative process are to remain confidential.
Upon completion of the investigation, the designated team will apprise management of the outcome and recommendations for resolution. Any corrective action imposed will comply with applicable Civil Service Rules.
VII. VIOLATIONS:
Any DOA employee found to have violated the prohibitions of this policy shall be subject to corrective action, up to and including termination from employment.
Additionally, appropriate corrective action will be imposed for the following:
- Failure to timely report an employee's own or another's violation of the prohibitions of this policy;
- Failure to comply with the training requirements set forth in this policy;
- Failure to participate or cooperate in an investigation, compliance review or hearing;
- Withholding information or providing false information during an investigation, compliance review or hearing;
- Any effort to intimidate, threaten, harass, retaliate or take action against any employee who reports or files a complaint regarding a violation of this policy;
- Any effort to intimidate, threaten, harass, retaliate or take action against any employee who participates in any investigation, compliance review or hearing regarding a violation of this policy; and
- Filing a complaint that is malicious, frivolous or knowingly false.
The corrective action will be appropriate to the violation and imposed only after thorough investigation. Factors to be considered in determining the appropriate action include, but are not limited to, the nature and scope of the violation, whether the violation was intentional or unintentional, whether the violation was a first or repeated offense, and whether the violation indicates a pattern or practice of improper handling, use or disclosure of PHI. All corrective actions imposed will be documented in writing or in electronic form and be retained for a period of six (6) years.
Failure of an employee to comply with privacy policies and procedures may cause civil and criminal enforcement actions and penalties against the employee and OGB.
VIII. NON-RETALIATION:
DOA has an affirmative duty to protect its employees from harassment, reprisal and retaliation. This protection extends to any employee filing a complaint regarding the improper handling, use or disclosure of PHI, or other suspected violation of HIPAA. This protection extends also to those employees who provide information or participate in an investigation, compliance review or hearing related to such a complaint.
Additionally, no employee will be subject to corrective action, harassment, reprisal or retaliation for the following:
- Opposing any act or practice made unlawful by the HIPAA Privacy Rules, provided that (i) the employee has a good faith belief that the practice opposed is unlawful; and (ii) the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the HIPAA Privacy Rules;
- Disclosing PHI to a law enforcement official when the disclosing employee is a victim of a criminal act and the PHI disclosed is about the suspected perpetrator of the criminal act and limited to the information listed in 45 C.F.R. § 164.512(f)(2)(i); or
- Disclosing PHI if (i) the person believes in good faith either that the State has engaged in conduct that is unlawful or otherwise violates professional or clinical standards or that the care, services, or conditions provided by the State potentially endanger one or more patients, workers, or the public; and (ii) the disclosure is made to one of the following:
  - A Health Oversight Agency or Public Health Authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions;
  - An attorney retained on behalf of the person for the purpose of determining the person's legal options with regard to the relevant conduct of persons; or
  - An appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the State.
IX. EXCEPTIONS:
Requests for exceptions to this policy are to be submitted to the Director of Human Resources. Any such requests shall be in writing and supported by specific and compelling written justification. Exceptions may be granted only by the Appointing Authority.
X. QUESTIONS:
Any questions related to this policy should be addressed to the OGB HIPAA Privacy Officer.
XI. REFERENCES:
45 C.F.R. § 164.502, 45 C.F.R. § 164.512, 45 C.F.R. § 164.530, HIPAA.
NOTE: This policy text is provided online for your convenience. The signed original policy document remains on file in the Division of Administration Office of Human Resources.