Information Privacy Security Administration Policy
Tenet respects the privacy of every patient’s medical information and the rights patients have with respect to their medical information. The purpose of this policy is to set forth the information privacy and security administrative structure that Tenet is required to have in place and to ensure consistency across all facilities for information privacy and security practices.
- Complaint and Privacy/Security Incident Reporting
- Complaints may be made to information security and privacy designees
- Complaints and incidents may be made in writing or in person
- Non-Retaliation
- Tenet will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against members of Tenet’s Workforce
- Safeguards
- Administrative, technical and physical safeguards to protect the privacy and security of PHI and other confidential information
- Evaluation
- Evaluation of facility’s compliance with Tenet’s Information Privacy and Security Policies and Standards
- Technical and non-technical components of privacy and security are evaluated
- Information Privacy and Security Vulnerability Reviews
- Conducted annually to identify and address vulnerabilities
- Information Privacy and Security Self-Evaluations
- Information Privacy and Security Control Exceptions Book documents
- Program requirements that the Tenet Facility cannot meet
- Compensating controls for the unmet requirement
- Information Privacy and Security Program Control Exceptions Book contains
- Date the control exception was documented
- Name of the individual documenting the control exception
- Effective date and, if applicable, end date of the control exception
- Program Policy, Standard, or Procedure that required the control
- Description of the control as required in policy or standard
- Description of how the control was fully/partially/not met
- Description of compensating controls that were implemented
- Reason(s) why control could not be implemented
- Name of Approver
- Date of annual review
- Information Privacy and Security Training
- Workforce must be trained on Tenet’s Information Privacy and Security Program
- New workforce members must be trained within 30 days of start
- Business Associates and Business Associate Agreements
- Business Associate must safeguard PHI as required by the HIPAA regulations
- Business Associate Agreement must contain elements specified by the HIPAA regulations
- Template business associate agreement is in Contractual Arrangements Manual (CAM)
- Contingency and Disaster Recovery Plan
- Tenet’s Disaster Preparedness Task Force
- Led by the Director of Business Continuity
- Manages Tenet’s Contingency and Disaster Recovery Plan
- Training
- On-Line Training
- Documented and maintained in Tenet’s online education system
- Classroom Training
- Attendance is documented and maintained by HR
- Training Materials
- Maintained per records and retention policy
- Training Completion
- Documentation includes time, date, place and content for training session
- Mitigation
- Violations or Allegations
- Reported to Tenet Facility’s PIRT or Privacy and Security Compliance Officer
- Investigations
- Privacy and Security Compliance Officer investigates all violations and allegations
- Patient Reporting
- Patient, visitor or another individual may report to any Tenet person
- Mitigation
- PIRT and department leader mitigate harmful results that have occurred
- Sanctions
- Documentation
- HR documents imposed sanctions on the workforce member
- Documentation is maintained per records and retention schedule