10.00
Sanctions
POLICY OVERVIEW
UTHSC-H shall have and apply appropriate sanctions against members of its workforce who fail to comply with UTHSC-H’s Policies and Procedures or the Privacy Standards. UTHSC-H will not apply sanctions to members of its workforce who disclose PHI in furtherance of compliance with the Privacy Standards.
PROCEDURE
1. Persons Who May Be Subject to Discipline. Members of UTHSC-H’s workforce—including employees, volunteers, trainees, and other persons whose conduct, in the performance of their work, is under UTHSC-H’s direct control, whether or not they are paid by UTHSC-H—may be subject to discipline under this Policy. Independent contractors are considered UTHSC-H’s business associates, not members of UTHSC-H’s workforce, and are not subject to discipline under this Policy.
2. Violations That Will Prompt Consideration of Disciplinary Action. Persons may be subject to discipline, up to and including discharge and/or restitution, for violations of either (a) the Privacy Standards or (b) these Policies and Procedures relating to the confidentiality of health care information. Managers or supervisors may also be subject to discipline, up to and including discharge or restitution, if their lack of diligence or lack of supervision contributes to a subordinate’s privacy violation.
3. Exceptions. A person shall not be subject to discipline as a result of performing one or more of the following:
a. Filing a complaint with the Secretary for a suspected violation of the Privacy Standards;
b. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing in connection with the Administrative Simplification provisions of HIPAA;
c. Opposing any act or practice made unlawful by the Privacy Standards, provided that (i) the person has a good faith belief that the practice opposed is unlawful and (ii) the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the Privacy Standards;
d. Disclosing PHI if (i) the person believes in good faith either that UTHSC-H has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by UTHSC-H potentially endanger one or more patients, workers, or the public; and (ii) the disclosure is either to a health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of UTHSC-H, to an attorney retained by or on behalf of the person for the purpose of determining the person’s legal options with regard to the relevant conduct, or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct; or
e. Disclosing PHI to a law enforcement officer if (i) the person is the victim of a criminal act that occurred on or off the premises, (ii) the PHI relates to the suspected perpetrator of the criminal act, and (iii) no PHI other than the following is disclosed: current location, name, address, date of birth, place of birth, social security number, ABO blood type, rh factor, type of injury (if applicable), date and time of treatment (if applicable), date and time of death (if applicable), and a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos.
4. Imposition of Discipline. Any discipline imposed should be appropriate to the nature of the violation that prompted the disciplinary action. Determination of the proper level of disciplinary action requires that the facts and circumstances surrounding the violation be considered. After considering the relevant facts and circumstances of a privacy violation, UTHSC-H shall impose discipline that it deems appropriate, in its sole discretion, to the nature of the violation that prompted the disciplinary action. Discipline may include, but is not limited to, a fine, probation, suspension, additional training, and/or termination.
5. Documentation of Discipline. UTHSC-H shall document the disciplinary action, including (a) the privacy violation, (b) the parties that determined the action, (c) the facts and circumstances considered in determining the action (without regard to whether such considerations were relied upon in determining the disciplinary action), (d) the discipline imposed (including lack of discipline), (e) the appeals process used, if any, and the results thereof, and (f) the actions taken in order to enforce the discipline.
UTHSC-H shall maintain the documentation described in the above paragraph for a period of at least 6 years from the date it was created.
UTHSC-H may use or disclose its documentation containing the identity of the individual whose privacy rights were violated only under the following circumstances:
a. if required by law or by court order;
b. in accordance with the individual’s authorization;
c. in determining disciplinary actions for subsequent violations; or
d. to investigate or determine compliance with this Policy and/or the Privacy Standards (whether such investigation originates internally or by request of the individual or the Secretary).
Under any other circumstances, such documentation must be de-identified (as to the individual whose privacy rights were violated) prior to any use or disclosure. For example, documentation of disciplinary actions, if de-identified, may be stored in the violator’s personnel file. In addition, where feasible, the violator’s identity should be removed prior to any use or disclosure, for example if the documentation is to be used by those responsible for privacy training.
REFERENCES/CITATIONS
45 C.F.R. §§ 164.502(j), 164.512(f)(2)(i), 164.530(e), (g)(2) (2001)
65 Fed. Reg. 82462, 82501-02, 82562, 82636-37, 82747 (Dec. 28, 2000), 67 Fed. Reg. 53182-273 (Aug. 14, 2002)
JCAHO Standards IM.2 (2002) (confidentiality, security, and integrity of data and information)