Sanctions for Violations of Privacy Policy Sanctions for using or disclosing PHI in violation of this HIPAA privacy policy will be imposed in accordance with Orderly Termination Procedures up to and including termination. Mitigation of Inadvertent Disclosures of Protected Health Information Any harmful effect due to an unauthorized disclosure of an individual PHI will be mitigated to the extent possible. If an employee becomes aware of a disclosure of protected health information, either by an employee of the Plan or an outside consultant/contractor, that is not in compliance with this policy, the Privacy Official shall be contacted so that the appropriate steps to mitigate the harm to the participant can be taken. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy No intimidation, discrimination, or other retaliatory action will be taken against an individual for exercising their right to file a complaint, participate in an investigation, or oppose any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility. Plan Document The Plan document shall include provisions to describe the permitted and required uses and disclosures of PHI administrative purposes. Specifically, the Plan document shall include provisions to describe the permitted and required uses and disclosures of PHI administrative purposes. Not use or further disclose PHI other than as permitted by the Plan documents or as required by law; Ensure that any agents or subcontractors to whom it provides PHI received from the Plan agree to the same restrictions and conditions that apply to the District; Not use or disclose PHI for employment-related actions or in connection with any other employee benefit plan; Report to the Privacy Official any use or disclosure of the information that is inconsistent with the permitted uses or disclosures; Make PHI available to Plan participants, consider their amendments and, upon requests, provide them with an account of PHI disclosures; Make the District’s internal practices and records relating to the use and disclosure of PHI received from the Plan available to the Department of Health and Human Services (DHHS) upon request; and If feasible, return or destroy all PHI received from the Plan that the District still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. The Plan document must also require the District to (1) certify to the Privacy Official that the Plan documents have been amended to include the above restrictions and that the District agrees to those restrictions; and (2) provide adequate firewalls.
Made with FlippingBook flipbook maker