Breach of Information

Policy No. 8-27-2019 Revised Date:

Introduction:

WSU Employee Wellness understands that an open line of communication is essential to an effective compliance program. All workforce members shall follow these procedures when reporting a potential violation of WSU Employee Wellness’s HIPAA Policies or Procedures or the law. It is WSU Employee Wellness’s policy to carefully review every report of possible wrongdoing or violation of WSU Employee Wellness’s HIPAA Policies or Procedures.

Definitions:

Confidentiality: means that data or information is not made available or disclosed to unauthorized persons or processes.

Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media, but excludes individually identifiable health information in: (a) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (b) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (c) employment records held by WSU Employee Wellness in its role as employer.

Protected Health Information (“PHI”): means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media.  IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse.  Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

Workforce: means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Weber State University, is under the direct control of WSU Employee Wellness, whether or not they are paid by Weber State University.

Policy:

A. Assignments and Duties

WSU Employee Wellness has appointed a HIPAA Privacy Officer to coordinate the HIPAA privacy compliance effort. The HIPAA Privacy Officer is Raeanna Johnson (referred to herein as “HIPAA Privacy Officer” or “Privacy Officer”).

WSU Employee Wellness has appointed a HIPAA Security Officer to coordinate the HIPAA security compliance effort. The HIPAA Security Officer is Florian Stellet (referred to herein as “HIPAA Security Officer” or “Security Officer”). For its information technology and security needs, WSU Employee Wellness relies on its information technology provider. The Security Officer will work with Weber State University’s information provider to ensure that WSU Employee Wellness’s information systems containing electronic protected health information (“PHI”) have the appropriate security safeguards.

B. Duty to Report

All workforce members are required to report conduct that a reasonable person would, in good faith, believe to be erroneous or in violation of WSU Employee Wellness’s HIPAA Policies or Procedures and/or the law. Such activity shall be reported as soon as reasonably possible under the circumstances. Unreasonable delays in reporting a violation of this Policy may subject the reporting party to discipline and potentially termination. Failure to report fraudulent or erroneous conduct is a violation of WSU Employee Wellness’s HIPAA Policies or Procedures, subjecting the workforce member to discipline or potentially termination. Reports of any suspected violation shall be made by any means.

There will be no retribution or discipline for reporting conduct that a reasonable person acting in good faith would have believed to be fraudulent, erroneous or unlawful. However, discipline or termination may result for recklessly or intentionally reporting any false claims or giving false information. If the reporting party is personally involved in any wrongdoing or violation of WSU Employee Wellness’s HIPAA Policies or Procedures, that party is still subject to discipline even if they report the wrongdoing. However, a voluntary disclosure of personal involvement will be taken into account when determining what, if any, discipline should be imposed.

C. Intake Procedures

Upon receipt of a report of an alleged violation, the HIPAA Privacy Officer shall consider the facts, record the report in the HIPAA Compliance Activity Log, as appropriate, and acknowledge receipt of the report. Acknowledgment may result in an investigation by the HIPAA Privacy Officer and Weber State University’s information technology provider.

D. Report Investigation Status and Documentation

The HIPAA Privacy Officer shall maintain the status of all reports in the HIPAA Compliance Activity Log, as appropriate, as well as document the investigation process, the findings and outcome of each investigation, and the Corrective Action Policy to prevent future activities of a similar nature. Upon completion of the investigation, the HIPAA Privacy Officer shall notify the reporting party of the outcome of the investigation to the extent permitted under the applicable policies and circumstances.

E. Confidentiality of Report and Investigation

The HIPAA Privacy Officer and all parties involved in any investigation conducted shall maintain the confidentiality of the individuals involved in the alleged fraudulent, erroneous or unlawful conduct, as well as the individual making the allegation, to the extent reasonable under the circumstances.  If the investigation so requires, individuals alleged to be involved with the fraudulent, erroneous or unlawful conduct may become known, as well as the reporting party.  However, disclosing such parties shall only be done if appropriate or if required to facilitate resolution of the investigation.