Sanctions for Violating Privacy/Security Policies

SCOPE

All UMB Schools and Departments designated as covered entities.

POLICY

  1. All UMB employees will abide by (i) UMB’s Information Technology Acceptable Use Policy; (ii) UMB’s Information Technology Privacy Policy; and (iii) the Policy on Privacy of Protected Health Information (HIPAA), as may be amended from time to time. Employees who jeopardize the privacy or security of PHI shall be subject to appropriate disciplinary action up to and including termination of employment, pursuant to UMB’s Progressive Discipline policy.
  2. For workforce members who are non-UMB employees, UMB will work with and assist the applicable employer to take necessary steps to assure that non-UMB workforce members are disciplined for privacy or security violations, as appropriate.
  3. Sanctions applicable to business associates will be incorporated into business associate agreements.
  4. The Department of Human Resources will document any disciplinary actions arising out of a violation of the UMB HIPAA policies and procedures, and will retain such documentation for at least six (6) years. Disclosures of sensitive information in violation of the UMB HIPAA policies and procedures are reportable events under the SECURITY INCIDENT RESPONSE AND REPORTING policy.
  5. No member of the workforce, nor any business associate, will be subject to sanctions for a disclosure of sensitive information made in good faith.

PROCEDURE

  1. All supervisors and Security Liaisons, as the case may be, will contact the Privacy Officer in an expeditious manner (e.g. phone, email, fax, etc.) whenever a workforce member is suspected of having violated, or is known to have violated, any of the UMB HIPAA policies and procedures.
    1. Examples of violations of the UMB HIPAA policies and procedures include:
      1. Improper and/or unintentional breaches, such as a workforce member unintentionally sending a fax to an unintended recipient due to careless keying of the fax number.
      2. Unauthorized use or misuse, such as a workforce member discussing a patient’s PHI in an elevator where the conversation is overheard by others.
      3. Willful and/or intentional disclosures, such as a workforce member searching for PHI in any UMB system and using or selling such PHI for personal financial gain.
  2. Upon notification, the Privacy Officer will consult with the Security Officer, the Director of the Department of Human Resources and/or any affected department manager/supervisor, as appropriate, to do the following:
    • Investigate and validate the facts regarding the reported incident, including an assessment of possible damage to the organization.
    • Determine if senior management and/or legal counsel participation is necessary.
    • Determine if organizational mitigation is appropriate (taking into consideration if the individual attempted to mitigate the situation if applicable).
    • Determine if other workforce members were involved or had knowledge of the violation and whether reasonable action should have been taken.
    • Determine if the incident was reported in bad faith or malicious in nature.
  3. Upon completion of an investigation, an appropriate action/response shall be taken by the supervisor, the Department of Human Resources and/or the Privacy Officer, as appropriate, in accordance with UMB’s Progressive Discipline policy.
  4. The Privacy Officer and the Director of Human Resources will meet periodically to:
    • Determine if any issue should be evaluated as part of a larger review (such as part of ongoing risk analysis), and whether or not changes to other related UMB policies and procedures are necessary to lessen the chance that similar workforce behavior/violations reoccur; and
    • Review UMB’s discipline policies to assure that breaches of the UMB HIPAA policies and procedures are dealt with adequately and fairly.

CROSS REFERENCES/RESOURCES:

Federal Law:  45 CFR § 164.308(a)(1)(ii)(C); 45 CFR § 164.530(d); and 45 CFR § 164.530(e).

UMB Policies & Procedures referenced herein:

  • SECURITY INCIDENT RESPONSE AND REPORTING
  • Information Technology Acceptable Use Policy
  • Information Technology Privacy Policy
  • Policy on Privacy of Protected Health Information

By Authority of: UMB Leadership

Effective Date:  4/20/05

Revision Date:  5/05/05