Multifactor Model Categories
The multifactor sanctioning model identifies three categories of severity across four areas of risk. The organization takes corrective action and bases remediation on the highest level of category indicated. If a violation falls into one or more risk areas on the chart, the corrective action is based on the highest category level of risk.
CATEGORY | EXPOSURE | NUMBER INVOLVED | PURPOSE | SPECIAL PROTECTION
1 | Low external exposure to organization | Involves a single patient | Ignorance or lack of education | No additional state or federal protections
2 | Medium external exposure to organization | Involves 2–99 patients | Snooping or curiosity | Employees
3 | High external exposure to organization | Involves 100+ patients | Malice, sale, or personal gain | HIV, mental health, adoption, etc.
formation of high profile people or celebrities or accessing
or using PHI without a legitimate need to do so, such as
checking the results of a coworker’s pregnancy test.
• Category 4: Willful and malicious violation with harmful intent. This is an intentional violation causing patient or organizational harm. Examples of this type of incident include disclosing PHI to an unauthorized individual or entity for illegal purposes (e.g., identity theft); posting PHI to social media Web sites; or disclosing a celebrity’s PHI to the media.
Sanctions may be modified based on aggravating or mitigating factors. The following factors reflect greater damage caused by the violation and thus work against the violator, increasing the penalty. Examples include:
• Violation of specially protected information such as HIV-related, psychiatric, substance abuse, and genetic data
• High volume of people or data affected
• High exposure for the organization
• Large organizational expense incurred, such as breach notifications
• Hampering the investigation, lack of truthfulness
• Negative influence on others
• History of performance issues and/or violations
Additional factors that could mitigate sanctioning include:
• Violator’s knowledge of privacy and security practices (e.g., inadequate training, training barriers, or limited English proficiency)
• Culture of surrounding environment (e.g., investigation determines inappropriate practices in business unit)
• Violation occurred as a result of attempting to help a patient
• Victim(s) suffered no financial, reputational, or other personal harm
• Violator voluntarily admitted the violation in a timely manner and cooperated with the investigation
• Violator showed remorse
• Action was taken under pressure from an individual in a position of authority
Model 2—Multifactor Model
In this model the organization takes corrective action and bases remediation on the highest level of category indicated. This model contains four major areas of risk: organization exposure, number of patients involved, purpose of action causing violation, and involvement of PHI covered by “special protections” (e.g., HIV-related, psychiatric, substance abuse). (See sidebar above for a breakdown of the different categories.)
If a violation falls into one or more risk areas, the corrective action is based on the highest category level of risk. For example, an error in the envelope-stuffing process for patient statements involving 1,000 patients would be a category 3 incident.
From incident to incident, appropriate investigation and managerial discretion are necessary in declaring that a violation occurred. Organizations may find a severity determination document useful for supporting the corrective action determination as well as for comparative purposes and oversight trending. A sample severity determination document is available in the online version of this practice brief, in the AHIMA Body of Knowledge at www.ahima.org.
Sanctions Policy Recommendations
Sanctions imposed for privacy and security violations must be consistent across the organization, regardless of the violator’s status, with comparable discipline imposed for comparable violations.† Organizational policy should address sanctions related to violations of both state and federal regulations as well as internal privacy and security policies. The policy should also address how the sanctions support the organization’s human resource corrective action policy.
Organizations must establish general principles and processes that lead to fair and consistent outcomes, including the following: