§ 12. ENFORCEMENT, SANCTIONS AND PENALTIES FOR VIOLATIONS.
   (A)   General.
      (1)   All staff and workforce members must guard against improper uses or disclosures of department and village's patient information.
      (2)   Department and village staff and workforce members who are uncertain if a disclosure is permitted are advised to consult with the department and village Privacy Officer. The department and village Privacy Officer is the responsible resource for any department and village employee who cannot resolve a disclosure question, and may be consulted in accordance with all privacy policies of department and village.
      (3)   All staff and workforce members are required to be aware of their responsibilities under department and village privacy policies.
      (4)   Department and village staff and workforce members will be expected to sign an "Employee Statement of Understanding of Privacy Policies"; included with this section, indicating that they have been informed of department and village business and privacy practices as they relate to privacy, and that they understand their responsibilities to ensure the privacy of protected health information of department and village patients. Management and supervisors are responsible for assuring that employees who have access to confidential information, whether it be electronic, hard copy, or orally, are informed of their responsibilities.
      (5)   Department and village staff and workforce members who violate department and village policies and procedures regarding the safeguarding of an individual's information are subject to disciplinary action by department and village up to and including immediate dismissal, and legal action by the individual.
      (6)   Department and village staff and workforce members who knowingly and willfully violate state or federal law for improper use or disclosure of an individual's information are subject to criminal investigation and prosecution or civil monetary penalties.
   (B)   Retaliation prohibited. Neither the department or village as an entity nor any department and village employee will intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against:
      (1)   Any individual for exercising any right established under department and village policy, or for participating in any process established under department and village policy, including the filing of a complaint with department and village or with DHHS.
      (2)   Any individual or other person for:
         (a)   Filing of a complaint with department and village or with DHHS as provided in department and village privacy policies;
         (b)   Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing relating to department and village policy and procedures; or
         (c)   Opposing any unlawful act or practice, provided that:
            1.   The individual or other person (including a department and village staff and workforce member) has a good faith belief that the act or practice being opposed is unlawful; and
            2.   The manner of such opposition is reasonable and does not involve a use or disclosure of an individual's protected health information in violation of department and village policy.
   (C)   Disclosures by whistleblowers and workforce crime victims.
      (1)   A department or village staff, workforce member, or business associate may disclose an individual's PHI if:
         (a)   The department and village staff, workforce member, or business associate believes, in good faith, that the department or the village has engaged in conduct that is unlawful or that otherwise violates professional standards or department and village policy, or that the care, services, or conditions provided by the department and the village could endanger department and village staff, workforce members, patients, or the public; and
         (b)   The disclosure is to:
            1.   An oversight agency or public authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of department and village;
            2.   An appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or of misconduct by department and village; or
            3.   An attorney retained by or on behalf of the department and village staff, workforce member, or business associate for the purpose of determining the legal options of the department and village staff, workforce member, or business associate with regard to this policy.
      (2)   Department and village's staff and workforce members may disclose limited protected information about an individual to a law enforcement official if the staff or workforce member is the victim of a criminal act and the disclosure is:
         (a)   About only the suspected perpetrator of the criminal act; and
         (b)   Limited to the following information about the suspected perpetrator:
            1.   Name and address;
            2.   Date and place of birth;
            3.   Social Security number;
            4.   ABO blood type and rh factor;
            5.   Type of any injury;
            6.   Date and time of any treatment; and
            7.   Date and time of death, if applicable.
   (D)   Enforcement.
      (1)   Department and village staff and workforce members who violate department and village policies and procedures regarding the safeguarding of an individual's information are subject to appropriate disciplinary action by the department and the village, up to and including immediate dismissal from employment.
      (2)   Department and village staff and workforce members who knowingly and willfully violate state or federal law for improper invasions of personal privacy may be subject to:
         (a)   Criminal investigation and prosecution, both by the state and by the federal government, depending on the nature of the violation. Federal and state law provides substantial fines and prison sentences upon conviction, depending on the nature and severity of the violation.
         (b)   Civil monetary penalties that the federal Department of Health and Human Services (DHHS) may impose.
      (3)   The department's Privacy Officer is responsible for enforcing this policy, and shall be entitled to the assistance of the Village Manager in doing so, if such assistance should be needed. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process under this policy and the applicable ordinances of the village, up to and including termination or dismissal.
   (E)   Employee statement of understanding of policy.
   Employee Statement of Understanding of Privacy Policies
I,                          , have been trained and informed about the business and privacy practices in effect as a result of the Health Insurance Portability and Accountability Act (HIPAA).
I understand that I am responsible for ensuring the security, integrity and confidentiality of patient health information created, obtained and/or maintained by the Romeoville Fire Department and the Village of Romeoville.
I have reviewed, understand, and agree to abide by the policy for privacy set forth as Appendix A to Chapter 32 of the Village Code of Ordinances.
I understand that non-compliance will be cause for disciplinary action up to and including dismissal, and possible legal actions for violations of applicable regulations and laws.
I agree to promptly report all violations or suspected violations of any of the above policies to the Privacy Officer through the designated reporting channels.
                                           
Print Employee Name
                                                                              
Employee Signature            Date
                                                                              
Privacy Officer/Designee Signature      Date
(Ord. 0030-03, passed 4-2-03)