https://artifacts.trustmarkinitiative.org/lib/tds/appropriate-sanctions-against-workforce/1.0/
Appropriate Sanctions Against Workforce
1.0
Specifies that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures.
2017-02-17T00:00:00.000Z
https://trustmarkinitiative.org/
Trustmark Initiative
PRIMARY
Trustmark Support
help@trustmarkinitiative.org
555-555-5555
https://trustmarkinitiative.org/
Health care related organizations that use protected health information (PHI) in a manner that is subject to regulations in the Health Insurance Portability and Accountability Act (HIPAA).
Health care related organizations that want to demonstrate that they use, disclose, process and store protected health information (PHI) in a manner that complies with HIPAA regulations 45 CFR Parts 160 - 164.
Health care related organizations and individuals that require their trusted partners' privacy and security policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA).
Organizations that audit or evaluate health care related organizations for compliance with privacy and security policies and procedures in the Health Insurance Portability and Accountability Act (HIPAA).
Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.
Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.
For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.
This Trustmark Definition requires no extension data.
This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative.
This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.
Health Care
HIPAA Privacy
Administrative Requirements
Business Associate (BA)
Covered entities must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule.
A covered entity may be a business associate of another covered entity.
Correctional Institution (CI)
Covered Entity (CE)
A covered entity may be a business associate of another covered entity.
Disclosure
Electronic Protected Health Information (e-PHI)
protected health information (PHI) that is transmitted by electronic means or maintained in electronic media.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Plan Administration Functions (PAF)
Protected Health Information (PHI)
In education records covered by the Family Educational Rights and Privacy Act;
In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
In employment records held by a covered entity in its role as employer;
Regarding a person who has been deceased for more than 50 years.
HIPAA rules protect most PHI held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.
PHI is information, including demographic information, which relates to the individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. For example, PHI includes name, address, birth date, Social Security Number, a medical record, laboratory report, or hospital bill. However, reporting or aggregating data that cannot be used to individually identify a person would not be considered PHI.
Summary Health Information
U.S. Department of Health and Human Services (HHS)
HIPAA-Privacy-Rule: HIPAA Privacy Rule, published by U.S. Dept of Health and Human Services, HIPAA Administrative Simplification Regulation Text 45 CFR Part 160 and subparts A and E of Part 164, available at http://www.hhs.gov/hipaa/for-professionals
1. Apply Sanctions: The covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of Section 164.500-599 (subpart E) or Section 164.400-499 (subpart D).
2. Document Sanctions: The covered entity must have policies and procedures to document any sanctions that are applied, as required by Section 164.530(j).
This standard does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of Section 164.502(j) (Disclosures by whistleblowers and workforce member crime victims) or Section 164.530(g)(2) (Refraining from retaliation). The policies and procedures for sanctions must state so.
1. Sanctions Policies: Does a covered entity have policies and procedures to apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of Section 164.400-499 (subpart D) and 164.500-599 (subpart E)?
A1
2. Sanctions Records: Does a covered entity have policies and procedures to document any sanctions that are applied, as required by Section 164.530(j)?
A1