SNO Policy 700: Workforce, Agents, and Contractors

Purpose and Principles: By incorporating HIPAA’s administrative requirements for workforce training, sanctions for privacy violations, and the reporting of complaints,[33] this recommended model policy advances the privacy principles of use limitation, security safeguards and controls, accountability and oversight, data integrity and quality, and remedies. Because a Participant’s workforce is responsible for implementation of privacy practices, proper training is vital to ensure the legitimate use of health information and the prompt identification, reporting, and correction of any security weaknesses. Individual accountability in the form of sanctions for those persons responsible for privacy violations is fundamental to encouraging compliance with privacy practices. Without such incentive for compliance, privacy violations and security risks may go unchecked and lead to larger privacy problems. Similarly, providing for the reporting of non-compliance enables Participants to discover and correct privacy violations and to identify and sanction privacy violators. This model policy helps guarantee the legitimate use of health data, the proper implementation of Participants’ privacy practices, and the prompt identification of, and undertaking of remedial action for, privacy violations.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.

Policy:

  1. Access to System. Each Participant shall allow access to the SNO only by those workforce members, agents, and contractors who have a legitimate and appropriate need to use the SNO and/or release or obtain information through the SNO. No workforce member, agent, or contractor shall be provided with access to the SNO without first having been trained on these Policies, as set forth below.
  2. Training. Each Participant shall develop and implement a training program for its workforce members, agents, and contractors who will have access to the SNO to ensure compliance with these Policies.[34] The training shall include a detailed review of applicable Policies, and each trained workforce member, agent, and contractor shall sign a representation that he or she received, read, and understands these Policies.
  3. Discipline for Non-Compliance. Each Participant shall implement procedures to discipline and hold workforce members, agents, and contractors accountable for ensuring that they do not use, disclose, or request health information except as permitted by these Policies and that they comply with these Policies.[35] Such discipline measures shall include, but not be limited to, verbal and written warnings, demotion, and termination, and shall provide for retraining where appropriate.
  4. Reporting of Non-Compliance. Each Participant shall have a mechanism for, and shall encourage, all workforce members, agents, and contractors to report any non-compliance with these Policies to the Participant.[36] Each Participant also shall establish a process for individuals whose health information is included in the RLS to report any non-compliance with these Policies or concerns about improper disclosures of information about them.