Policy Protecting Completely Sensitive Information (CSI)

 

I. Scope

​

Coastal Carolina Family Practice adopts and is ultimately responsible and accountable for the administration and enforcement of this Policy Protecting Health Information.  All CCFP Personnel, including all directors, officers, other employees, trainees, volunteers, and independent contractors are subject to and shall strictly comply with this Policy.

​

II. Definitions

​

1.  Competitively Sensitive Information (CSI) protected under this Policy includes the following categories of non-public information held by the System: Past, present and future reimbursement rates and rate schedules; contracts with providers; contracts with payers; any term or condition in a payer-provider agreement that could be used to gain an unfair commercial advantage over a competitor or supplier, including but not limited to discounts, reimbursement methodologies, and provisions relating to performance, pay for performance, pay for value, tiering of providers, cost data and methodologies including specific cost and member information and revenue, or charge information specific to the payer or provider; contract negotiations or negotiating positions, including but not limited to offers, counteroffers, party positions, and thought processes; specific plans regarding future negotiations or dealings with payers or providers; and claims reimbursement data

​

2. Firewalls refer to safeguards that restrict unauthorized access, use and sharing of CSI. Firewalls segregate and protect CSI through procedures, training and behavioral guidelines and processes applicable to all System Personnel in their interactions with one another. Firewalls also include software-based and hardware-based tools and equipment to protect CSI and create additional barriers to unauthorized access. Firewalls prohibit the sharing of CSI in any form, whether oral, written, electronic or otherwise

​

3. Personnel includes any director, officer, other employee, trainee, volunteer, independent contractor or consultant performing services on behalf of the System or any company within the System.

​

4. CCFP Personnel includes any officer, other employee, trainee, volunteer, independent contractor or consultant performing services on behalf of CCFP.

 

5. Privacy Officer is the individual responsible for privacy oversight for CCFP respectively and who is directly accountable to the Highmark Health Chief Privacy Officer.

​

​IV. Roles and Responsibilities

​

1. CCFP's President and Board shall be ultimately accountable and responsible for the adoption, implementation, monitoring and strict enforcement of this Policy. The Audit Committee of the Board, or those performing the audit function, shall require periodic reports regarding compliance with this Policy and shall report that information to the full Board.

​

2. Subject to A above, the following shall be responsible for administration of this Policy:

Director of Privacy, and/or Senior Privacy Official for CCFP

​

V. Policy and Administration

​

1. All CCFP Personnel must strictly observe the following Policy to protect against the inappropriate access, use or disclosure of CSI:

​

2. CCFP who have access to, or are in possession of any CSI  shall not disclose such CSI. 

​​​

3. All CCFP Personnel must take mandatory CSI and PHI Policy training and all newly-hired CCFP Personnel must do so before performing any work. There will be no exceptions to this mandatory requirement. CCFP shall provide periodic refresher training regarding the protection of CSI, at least annually, and supplemental training as necessary. CSI Policy training shall be developed, designed, facilitated and administered by the CCFP Chief Privacy Officer. At the completion of the mandatory training session and after each refresher training session, all CCFP Personnel shall be required to certify completion of the program and comprehension of the materials presented.

​

4. All CCFP Personnel must excuse themselves from participation in any activity where their participation would necessarily involve the inappropriate access, use or disclosure of CSI. Any individual who comes in contact with CSI from CCFP in the ordinary course of his or her function cannot use that CSI in performing any activity or service for any other company. If that activity requires sharing or reference to the CSI, the individual must excuse himself or herself from that activity.

​​

5. All CCFP Personnel are encouraged to contact the CCFP Chief Privacy Officer if they have any questions about their responsibilities or other matters pertaining to this Policy.

​

VI. Infrastructure and Physical Safeguards

​

 1. CCFP shall continue to observe current safeguards and adopt any additional safeguards sufficient to assure that access to CSI is properly controlled and protected. Such safeguards include:

• Role based access

• Control and Management of User IDs

• Separation of servers or data stored on servers as appropriate

• Monitoring systems for unauthorized access

• Other necessary technical controls to accomplish segregation of duties, businesses and roles.

• ​

2. CCFP shall continue to use security tools to provide information regarding the identity of authorized CCFP Personnel in each business area, including updates on terminations, new hires, transfers and other position and organization changes.

 

3. Strong PC/workstation controls shall continue to protect CSI from unauthorized access or transmission.

​

VII. Monitoring and Auditing

​

1. The CCFP Privacy Officer shall work in collaboration with the the Digital Security Team to monitor the System to assure that CSI has not been accessed, used or disclosed in an inappropriate manner. 

​

2. CCFP shall develop and implement an audit plan to assure that proper controls are in place for the protection of CSI and that all policies and procedures are followed. The Internal Audit Department shall conduct regular audits of the System, including AHN, to ensure compliance with this Policy. Audit findings and observations shall be reported to the CCFP Chief Privacy Officer for appropriate remediation and mitigation. 

​

3. All CCFP Personnel shall certify annually that they have read and understood this Policy and that they are in full compliance with it. In addition, all CCFP shall certify their responsibility to report actual or potential inappropriate access, use or disclosure of CSI with the understanding that such reporting will not result in retribution or retaliation by any company or Personnel within the System. 

​

4. All AHN Personnel shall also affirmatively acknowledge that failure to report actual or potential inappropriate access, use or disclosure of CSI may subject the individual to disciplinary action, up to and including termination.

​

VIII. Violations and Enforcement

​

1. Inappropriate access, use or disclosure of CSI is subject to corrective action up to and including termination of employment or contractual arrangement consistent with CCFP disciplinary procedures.

​

All AHN Personnel are required to immediately report actual or suspected inappropriate access, use or disclosure of CSI to the CCFP Privacy Officer. The Privacy Officer shall investigate and take appropriate remedial action including determining the cause(s) of any inappropriate access, use or disclosure, mitigating the effects of such access, use or disclosure, taking corrective action to prevent future occurrences.

​

 

3. In any case in which any individual has violated or is suspected to have violated this Policy, the CCFP Privacy Officer shall administer appropriate disciplinary measures. There is zero tolerance for intentional inappropriate access, use or disclosure of CSI in violation of this Policy.

 

​

4. Failure to report known or suspected violations of this Policy shall constitute a violation.

​

IX. Filing a Complaint

​

1. Complaints and reports may be made in any of the following ways:

​

1. directly to the CCFP Privacy Officer 

2. by calling: (252) 426-5711 ext. 222

3. or by mail to: CCFP Privacy Officer

                                       P.O. Box 650

                                       Hertford, NC 27944

​

2. The CCFP Privacy Officer shall have ultimate responsibility for the administrative enforcement of this Policy. The CCFP Privacy Officer shall promptly investigate and ensure that necessary and appropriate remedial action is taken in response to all reported violations. The remedial actions taken shall include determination of the cause(s) of the violation, mitigation, corrective action that is required to prevent future occurrences, and facilitating appropriate workforce sanctioning if applicable.

​

X. Policy Against Retaliation

​

CCFP is committed to protecting all Personnel, health care providers, and members of the general public (collectively referred to as “Individuals”) from interference with making a good faith disclosure that this Policy has been violated, from retaliation for having made a good faith disclosure, or from retaliation for having refused a direction or order in conflict with this Policy, CCFP encourages all Individuals to report good faith concerns about potential inappropriate access, use or disclosure of CSI. No Individual or entity who in good faith reports a violation of this Policy, or who participates in the investigation of a reported violation of this Policy, will suffer harassment, retaliation, adverse employment or other adverse action as a result of the Individual’s report and/or participation. Any CCFP Personnel who retaliates against someone who has reported a violation of this Policy in good faith, or who has participated in an investigation of a reported violation, is subject to discipline up to and including termination of employment or contractual arrangement. 

​

XI. No Exceptions

​

There are no exceptions to this Policy regarding improper access, use or disclosure of CSI.

​

XII. HIPAA Compliance

​

Nothing in this Policy is intended to prohibit or otherwise prevent disclosure of information that may include competitively sensitive data elements if the disclosure is necessary, appropriate and required to comply with the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under HITECH, GINA and other modifications to the HIPAA Rules as set forth in 45 CFR Parts 160 and 164.

​

XIII. Amendments

​

Any amendments to this Policy are subject to approval by the Practice Administrator.