
up actions become known throughout the course of the investigation.

6.4.1.3.5. If the findings of the investigation confirm a breach occurred, the MTF HPO will recommend corrective actions to the MTF Commander, or MAJCOM if the investigation involves the Commander. (T-1) The MTF HPO will also recommend actions to mitigate, to the extent possible, any harmful effect of a confirmed breach. (T-0)

6.4.1.3.5.1. Actions taken reduce the severity of the incident and prevent similar recurrences.

6.4.1.3.5.1.1. Written attestation is one form of mitigation that can occur when PHI has been released to an incorrect or unintended recipient. The MDG should:

6.4.1.3.5.1.1.1. Contact the recipient and request the return or destruction of the PHI, if it has not been reported to the HPO by the recipient already.

6.4.1.3.5.1.1.2. Obtain from the recipient a written attestation (e.g., via e-mail or fax) that they have either returned or destroyed “any and all PHI and retained no copies or further used or disclosed the PHI to any another person or entity.”

6.4.1.3.5.1.1.3. Situations where an attestation may be required include:

6.4.1.3.5.1.1.3.1. When an individual has received PHI belonging to another patient (copies of medical records/documents) and the individual does not have an obligation to protect the PHI; or

6.4.1.3.5.1.1.3.2. When an (unintended) individual or entity has incorrectly received PHI (misdirected e-mail, mail, CD-ROM, or fax) and the individual/entity has no obligation under HIPAA or the Privacy Act to protect PHI or PII.

6.4.1.3.5.1.2. Retain the written attestation in the investigation file IAW the investigation document retention requirements. (T-1)

6.4.1.3.6. The MTF is required to apply sanctions (disciplinary action) depending on the nature of the incident. (T-0)

6.4.1.3.6.1. Members of the military may be sanctioned in accordance with the provisions of AFI 36-2907 or the Uniform Code of Military Justice.

6.4.1.3.6.2. Civilian employees may be sanctioned in accordance with the provisions of AFI 36-704.

6.4.1.3.6.3. Contractor personnel may be sanctioned in accordance with applicable procurement regulations.

AFI41-200 25 JULY 2017 37

6.4.1.3.7. An MTF may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual for: filing of a complaint; testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing; or opposing any act or practice that involves the impermissible disclosure of PHI (in violation of the HIPAA rules). (T-0)

6.4.1.3.8. Disclosures by whistleblowers. An MTF is not considered to have violated HIPAA if a member of its workforce or a business associate discloses PHI, provided that the workforce member or business associate believes in good faith that the MTF has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the MTF potentially endangers one or more patients, workers, or the public; and

6.4.1.3.8.1. The disclosure is to a health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant


Term
Spring
Professor
Beck
Tags
Health Insurance Portability and Accountability Act
