- (a) Scope and applicability. This policy applies to the Office of Health Information Technology, all participating entities, and their BAs and contractors.
(b) Individual complaints.
- (1) Any individual may submit a complaint about a use or disclosure of protected health information by the Office of Health Information Technology to either the Office of Health Information Technology or the United States Secretary of Health and Human Services in Washington, D.C.
- (2) If the individual wants to file a formal complaint with the Office of Health Information Technology, he or she should be directed to the Office of Health Information Technology Privacy Officer.
- (3) If the individual wants to file his or her complaint with the United States Secretary of Health and Human Services, he or she should be directed to the United States Office for Civil Rights website (www.hhs.gov/ocr/hipaa).
- (4) The Office of Health Information Technology Privacy Officer will document each privacy complaint received including in the documentation a brief description of and/or the basis for the complaint.
- (5) The Privacy Officer will supplement the initial documentation to include documentation of the investigation and any actions taken in response to the complaint.
- (6) All documentation relating to the individual's complaint will be maintained for a minimum of six (6) years.
(c) Duty to investigate.
- (1) Each participating entity shall promptly investigate reported or suspected privacy breaches implicating privacy or security safeguards deployed by the Office of Health Information Technology, or its contractors, according to its own policies.
- (2) Upon learning of a reported or suspected breach, the participating entity shall notify the Office of Health Information Technology within five (5) business days and any other participating entity whom the notifying participating entity has reason to believe is affected or may have been the subject of unauthorized access, use, or disclosure.
- (3) The Office of Health Information Technology shall participate in the investigation and remedial actions taken.
- (4) The Office of Health Information Technology need not be notified of specific workforce disciplinary actions.
- (5) Each investigation shall be documented.
- (6) At the conclusion of an investigation, a participating entity shall document its findings and any action taken in response to an investigation.
- (7) A summary of the findings shall be sent to the Office of Health Information Technology.
(d) Compliance with HIPAA security rule.
- (1) The Office of Health Information Technology will comply with the HIPAA security rule.
- (2) Each participating entity will be required to comply with all applicable federal, state, and local laws, which may include laws relating to notification of patients.
(e) Training and enforcement.
- (1) Each participating entity that may have access to patient data via the State Health Alliance for Records Exchange must appropriately train its personnel and inform them that any breach of confidentiality is actionable.
- (2) Each participating entity should follow and enforce its own confidentiality policies and disciplinary procedures.
(f) Notification of breach.
- (1) As a BA, the Office of Health Information Technology must report any breaches and/or security incidents to the particular data provider whose data was improperly used.
- (2) Each participating entity must agree to inform the Office of Health Information Technology of any breach of confidentiality.
(g) Incident response.
- (1) The Office of Health Information Technology shall implement an incident response system in connection with known or suspected privacy breaches, whether reported by a participating entity or discovered by the Office of Health Information Technology.
(2) The incident response system shall include the following features, each applicable as determined by the circumstances:
- (A) Cooperation in any investigation conducted by the participating entity or direct investigation by the Office of Health Information Technology;
- (B) Notification of other participating entities or authorized users as needed to prevent further harm or to enlist cooperation in the investigation and/or mitigation of the breach;
- (C) Cooperation in any mitigation steps initiated by the participating entity;
- (D) Furnishing audit logs and other information helpful in the investigation;
- (E) Developing and disseminating remediation plans to strengthen safeguards or hold participating entities or authorized users accountable;
- (F) Any other steps mutually agreed to as appropriate under the circumstances; and
- (G) Any other step required under the incident reporting and investigation system contained in the Office of Health Information Technology security policies.
- (g) Office cooperation. The Office of Health Information Technology shall cooperate with a participating entity in any investigation of the participating entity’s privacy and security compliance, whether conducted by an agency of state or federal government or conducted as a self-investigation by the participating entity, when the investigation implicates the Office of Health Information Technology conduct or the conduct of another participating entity or authorized user, or the adequacy or integrity of system safeguards.
- (h) Participating entity cooperation. Each participating entity shall cooperate with the Office of Health Information Technology in any investigation of the Office of Health Information Technology or of another participating entity into the Office of Health Information Technology’s or such other participating entity’s privacy and security compliance, whether conducted by an agency of state or federal government or conducted as a self-investigation by the Office of Health Information Technology or the other participating entity, when the investigation implicates such participating entity’s compliance with the Office of Health Information Technology policies or the adequacy or integrity of system safeguards.
- (i) Application to BAs and contractors. Participating entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their BA agreements.
Codification Notes: "HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191. "BA" means business associate.