UAMS ADMINISTRATIVE GUIDE

NUMBER: 3.1.22
DATE: 10/01/04
REVISION: 3/24/2005

SECTION: INFORMATION TECHNOLOGY
AREA: NETWORK SECURITY
SUBJECT: MITIGATION OF USES/DISCLOSURES IN VIOLATION OF HIPAA

SCOPE

UAMS Workforce with Access to Confidential Information, including Electronic Protected Health Information (ePHI), for any purpose.

DEFINITIONS

Confidential Information includes information concerning UAMS research projects, confidential employee information, information concerning the UAMS research programs, proprietary information of UAMS, and sign-on and password codes for access to UAMS computer systems. Confidential Information shall include Protected Health Information.

Electronic Protected Health Information (ePHI) means individually identifiable health information that is:

         (i) Transmitted by electronic media; or

         (ii) Maintained in electronic media.

Mitigate means to take steps to lessen the harm or potential harm resulting from an improper use or disclosure of Protected Health Information, including electronic Protected Health Information.

Protected Health Information (PHI) means information that is part of an individual’s health information that identifies the individual, or for which there is a reasonable basis to believe the information could be used to identify the individual, including demographic information, and that (i) relates to the past, present or future physical or mental health or condition of the individual; (ii) relates to the provision of health care services to the individual; or (iii) relates to the past, present, or future payment for the provision of health care services to an individual. This includes PHI which is recorded or transmitted in any form or medium (verbally, in writing, or electronically). PHI excludes health information maintained in educational records covered by the federal Family Educational Rights and Privacy Act (FERPA) and health information about UAMS employees maintained by UAMS in its role as an employer.

UAMS Workforce means, for purposes of this Policy, physicians, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for UAMS, is under the direct control of UAMS, whether or not they are paid by UAMS.

To access any other terms or definitions referenced in this policy: http://hipaa.uams.edu/DEFINITIONS%20-%20HIPAA.pdf

POLICY

UAMS will, to the extent practicable, mitigate any harmful effects that are known to UAMS of a use or disclosure of Protected Health Information, including electronic Protected Health Information, by UAMS, its Business Associates or Contractors in violation of the HIPAA regulations or the UAMS policies and procedures implementing the requirements of the HIPAA regulations.

PROCEDURE

A. When UAMS supervisors, managers or department directors are informed that Protected Health Information (PHI) or electronic Protected Health Information (ePHI) has been improperly used or disclosed, such facts will be communicated to the appropriate UAMS Privacy or Security Officer. The Officer notified will contact the UAMS HIPAA Officer to coordinate the investigation and undertake mitigation efforts. The mitigation process must occur in accordance with the UAMS HIPAA Compliance Plan.

B. If UAMS determines that PHI or ePHI has been improperly used or disclosed by a member of the UAMS Workforce, appropriate disciplinary action will be initiated and documented.

C. If UAMS determines that PHI or ePHI has been improperly used or disclosed by a Business Associate or Contractor, UAMS will:

   1. Investigate the incident;

   2. Counsel the Business Associate or Contractor on the incident;

   3. Monitor the Business Associate’s or Contractor’s performance for a reasonable period of time following the incident; and

   4. If UAMS determines that the Business Associate or Contractor has not taken appropriate steps to remedy the situation leading to the inappropriate use or disclosure, terminate the Business Associate or Contractor relationship. Refer to UAMS Business Associate Policy, 3.1.33.