A company where years of knowledge and cutting-edge technology converge to maximize customers' self-pay revenue.
PRIVACY SANCTION POLICY

The purpose of this policy is to protect patient, Medical Capital Recovery, Inc., MCR employee and MCR client medical and health care provider's rights to confidentiality and privacy, and to ensure uniform enforcement of this policy.

Patient and MCR staff information will be regarded as confidential and will be available only to authorized users for approved purposes. Access to confidential information is only permitted for direct patient financial assistance and approved administrative/supervisory functions.

Confidential information obtained either during assigned duties or by accident shall not be released to any person or institution except in accordance with Patient approval or client medical or health care provider approval or policy. No MCR staff shall seek access to confidential information out of curiosity, for malicious purposes, or for financial gain. Discussion or consultation involving a patient's financial affairs or care or a staff member's confidential information should be conducted in private. Individuals not directly involved in the patient's financial consultation should not be present without the patient's consent.

POLICY:

Level of Breach

Breaches in patient confidentiality have been divided into the following three levels with the corresponding disciplinary action for each level of breach:

Level 3 breach. Carelessness - This level of breach occurs when an MCR staff member unintentionally or carelessly accesses, reviews or reveals patient information to him/herself or others without a legitimate need to know the patient information. Examples include, but are not limited to: staff discussing patient information in a public area; staff leaving a copy of patient medical information in a public area; staff leaving a computer unattended in an accessible area with medical record information unsecured.

Disciplinary Sanctions:

Depending upon the facts, disciplinary sanctions may include: counseling, oral warning, written warning, final written warning or suspension, documented in writing and maintained in the staff's personnel record, or termination. Except in the case of termination, the staff shall be required to repeat the confidentiality training module on his/her own time.

Level 3 disciplinary sanctions shall be administered in a progressive manner. Disciplinary sanctions shall be reported to the applicable professional licensing board as appropriate.

Level 2 breach. Curiosity or Concern (no personal gain) - This level of breach occurs when a staff member intentionally accesses or discusses patient information for purposes other than the care of the patient or other authorized purposes but for reasons unrelated to personal gain. Examples include, but are not limited to: a staff member looks up birth dates or addresses of friends or relatives; a staff member accesses and reviews a record of a patient out of concern or curiosity; a staff member reviews a public personality's record.

Disciplinary Sanctions:

First offense: Depending upon the facts, oral or written warning documented and maintained in the staff member's personnel record.

Second offense: Depending upon the facts, a final written warning and suspension for 3-30 days without pay, documented and maintained in the staff member's personnel record, or termination.

Third offense: Termination.

Except in the case of termination, the employee shall be required to repeat the confidentiality training module on his/her own time.

Level 1 breach. Personal gain or malice - This level of breach occurs when a staff member accesses, reviews or discusses patient information for personal gain or with malicious intent. Examples include, but are not limited to: a staff member reviews a patient record to use information in a personal relationship; a staff member compiles a mailing list for personal use or to be sold.

Disciplinary Sanctions:

Termination.

Disciplinary Process

The following process must be followed when a staff member breaches, or is suspected of breaching, patient confidentiality:

1. Initial reporting

o An individual who observes or is aware of a breach reports it to his/her immediate supervisor.

o Supervisor reports to the Vice President of Operations who notifies the Executive Vice President.

o Failure to report a breach of which one has knowledge will result in appropriate disciplinary action. Reporting of a breach in bad faith or for malicious reasons will result in appropriate disciplinary action.

2. Unambiguous Level 3 breaches

For a breach involving any staff that is clearly only a Level 3 breach, the Vice President of Operations shall, in conjunction with the Human Resources Department and/or Legal Department as necessary, identify and implement an appropriate action plan as required under this policy and shall communicate such action to the Executive Vice President in a timely manner.

3. Breaches other than unambiguous Level 3 breaches

o For all levels other than a clear-cut Level 3 breach, the Vice President of Operations shall notify the Executive Vice President of the alleged breach. The Executive Vice President in consultation with the MCR Network Administrator shall establish an investigating team which will include a representative from the Human Resources Department, and/or the Legal Department as either a participant or consultant.

o The investigating team shall conduct the necessary and appropriate investigation commensurate with the level of breach and the specific facts which may include, but is not limited to, interviewing the staff accused of the breach, interviewing other individuals, and reviewing documentation.

o Upon conclusion of the investigation, the investigating team shall prepare a written report, including its findings and conclusions, and forward it to the Vice President of Operations. The final decision will be communicated to the staff as appropriate.

4. Reporting

For all levels of breach, after final resolution, the initial report and all written documentation relating to it shall be filed in a confidential file in the Office of Information Technology and the Human Resource Office. The disciplinary action and appropriate documentation shall also be placed in the staff member's personnel file.

 



Questions or comments? Please contact us at (800) 553-6074
© 2008 Medical Capital Recovery. All Rights Reserved.