The Cochise Family Advocacy Center representatives will not discuss with the public any information or personal opinions gained as a result of participating in confidential CFAC business. A CFAC Confidentiality Agreement is signed by all staff, interns, volunteers and board members. Similarly, the the CFAC takes measures to ensure the privacy of board members, employees, clients, interns and volunteers. Private information will never be sold or given to outside companies, and files will be kept in a restricted access area. Access to files on board members, employees, clients, interns and volunteers will be limited to those who demonstrate a legitimate need to know and to situations where the law demands disclosure.
Disclosure: The release, transfer, access to, or divulging in any other manner protected health information outside of the CFAC. An example would be the release of protected health information to a third party who is not engaged as a relevant MDT member of the Cochise Family Advocacy Center.
Privacy Breach: The use or disclosure of oral, paper or electronic Protected Health Information by an individual for purposes other than those for which s/he is authorized, or a violation of a privacy or security requirement resulting in potential for such an unauthorized use or disclosure.
Protected Health Information (PHI): For purposes of this policy, PHI includes:
1. Individually identifiable health information in any form (paper, electronic, oral) that is transmitted and/or stored by CFAC or a business associate that relates to the past, present, or future health of an individual, provision of health care, or payment for health care that is linked to a patient; or
2. Identifying or Personal Information, as defined in Federal Trade Commission's Red Flags Rules, including any name or number that may be used in conjunction with any other information to identify a specific person, e.g. social security number, credit card number or passwords.
Use: The authorized sharing, application, review, or analysis of PHI within CFAC.
Team Members: Employees, volunteers, trainees, Interns, medical staff and other persons whose conduct, in the performance of work for CFAC, is subject to the control of such entity, whether or not they are paid by the CFAC.
The individual, who commits, observes or becomes aware of an unauthorized or inappropriate access, use or disclosure of PHI is responsible for promptly reporting such to one of the following:
When a potential breach occurs the supervisor or Executive Director will coordinate a review of the potential breach and, when applicable, review the circumstances surrounding the breach, mitigation steps and any harmful effect that may result from the breach. The supervisor in conjunction with Human Resource staff, will determine appropriate sanctions concerning the breach.
The following process should be followed when a potential breach occurs:
1. Upon receipt of a potential breach, the supervisor shall report this potential breach to the Executive Director immediately upon awareness of such a potential breach. The confidentiality of all participants shall be maintained to the extent possible, within reason, throughout the investigation.
2. Upon notice of the potential breach by a team member, the supervisor will assess and/or investigate the potential breach and determine any corrective action as warranted. Investigations may include, but are not limited to interviews, electronic user access audit trails, review of telephone logs, or other activities.
3. The supervisor may investigate the circumstances of the potential breach, including interviews or request for written(s) statement from staff.
6. When a breach is substantiated, the supervisor will review the findings with the Executive Director to coordinate the communication of corrective action. In the case of CFAC Interns, the supervisor will coordinate the communication of corrective actions with the intern’s academic institution.
7. Such factors as the nature and severity of the potential breach will be taken into consideration in determining the appropriate level of sanction.
8. It may be appropriate to delay corrective action if the action adversely affects or compromises client care.
Corrective action, if warranted, will be imposed based on the nature and severity of the violation, whether intentional or not, circumstances surrounding the privacy breach or whether the violation demonstrates a pattern or practice of improper use or disclosure of confidential information on the part of the team member. Corrective action relating to this policy shall be applied fairly and consistently.
All corrective actions will be documented in writing and maintained in the appropriate personnel record. If warranted, corrective actions, up to and including termination may be reported to the applicable licensing board.