HIPAA Policy Section 8.5: Sanctions for Personnel Violations of Privacy
System is a Texas state agency and has adopted policies that direct the mechanism by which System employees may be disciplined. System will utilize the System policies and procedures for the imposition of sanctions it is required by HIPAA to impose for failure to comply with the HIPAA Privacy Standards or the policies and procedures set forth in this Manual. Sanctions shall not be imposed upon persons who Disclose PHI in furtherance of compliance with the HIPAA Privacy Standards. System shall never discipline or sanction an employee for reporting a HIPAA violation or a violation of this Manual.
8.5(1) Individuals Who May Be Subject to Sanctions
Employees, volunteers or other individuals considered part of the Health Care Components’ Workforce may be subject to sanctions under this Section. Independent contractors are not considered members of the Health Care Components’ staff and are therefore not subject to discipline under this Section.
8.5(2) Types of Sanctions
Sanctions shall be imposed upon employees who violate these policies in accordance with the applicable System employee disciplinary policies and procedures.
Volunteers or other Workforce members who are not subject to System’s employee disciplinary policies shall receive a reprimand, retraining or both if the violation was (i) not intentional; (ii) the result of inadequate training; (iii) resulted in no actual harm; and/or (iv) the violation is such that it is reasonably likely that the Workforce member can avoid future violations. For a violation involving any other factors or a subsequent violation, the Workforce Member shall be permanently prohibited from any further access to any System PHI in that person’s capacity as a volunteer or other non-employee Workforce member. Such persons have no right to appeal a sanction.
8.5(3) Parties Responsible for Imposing Sanctions
The official imposing the sanction must have, or act in consultation with the Privacy Officer or others who have, sufficient knowledge of the HIPAA Privacy Standards to assess the extent and impact of any violations that have occurred. All other sanctions shall be imposed by the Privacy Officer in consultation with the director of the office utilizing the volunteer or other Workforce Member that committed the violation.
8.5(4) Considerations in Imposing Employee Discipline for A HIPAA Violation
In addition to other factors that must be considered under System’s applicable disciplinary policies, System must take into consideration the circumstances surrounding the violation and the best way to ensure that System remains in compliance with the HIPAA Privacy Standards and that Individuals’ HIPAA rights are protected.
8.5(5) When Violations Will Prompt Consideration of Disciplinary Action
- Persons may be subject to discipline, up to and including discharge, for violations of either (i) the HIPAA Privacy Standards or (ii) the policies and procedures set forth in this Manual. Managers or supervisors may also be subject to discipline, up to and including discharge, if their lack of diligence or lack of supervision contributes to a subordinate’s privacy violation.
- A person shall not be subject to discipline as a result of performing one or more of the following:
  - Filing a complaint with the Secretary for suspected violation of the HIPAA Privacy Standards;
  - Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing in connection with the “Administrative Simplification” provisions of HIPAA;
  - Opposing any act or practice made unlawful by the HIPAA Privacy Standards, provided that (I) the person has a good faith belief that the practice opposed is unlawful; and (II) the manner of the opposition is reasonable and does not involve a Disclosure of PHI in violation of the HIPAA Privacy Standards;
  - Disclosing PHI if (I) the person believes in good faith either that System has engaged in conduct that is unlawful or otherwise violates professional or clinical standards or that the care, services, or conditions provided by System potentially endanger one or more Individuals, workers, or the public; and (II) the Disclosure is either to a Health Oversight Agency or Public Health Authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of System, to an attorney retained by or on behalf of the individual for the purpose of determining the person’s legal options with regard to the relevant conduct of persons, or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by System; or
  - Disclosing PHI to a law enforcement official in compliance with this Manual.
8.5(6) Existence of Appeal Process
In the event that a sanction triggers any process of appeal under the applicable System employee disciplinary policies and procedures, such process shall be made available to the employee. However, in the event that the party hearing the appeal is not authorized by this Manual and/or the HIPAA Privacy Standards to have access to PHI, the identity of the individual whose privacy rights were violated shall be removed to the extent feasible or, if that is not possible, other measures must be taken to ensure HIPAA compliance prior to providing the party with PHI.
8.5(7) Documentation of Disciplinary Actions
- System shall document the disciplinary action, including (i) the privacy violation; (ii) the parties who determined the disciplinary action; (iii) the facts and circumstances considered in determining the disciplinary action (without regard to whether such considerations were relied upon in determining the disciplinary action); (iv) the discipline imposed (including lack of discipline); (v) the appeals process used, if any, and the results thereof; and (vi) the actions taken in order to enforce the discipline.
- Such documentation shall be retained in accordance with Section 9.2 of this Manual in addition to the documentation required by the applicable System Administration policies and procedures. Any documentation that identifies the individual whose privacy rights were violated may constitute PHI. To the extent practicable, such identifying information shall be removed prior to a Use or Disclosure of the documentation. In addition, where feasible, the violator’s identity shall be removed prior to any Disclosure of such documentation.
45 C.F.R. §§ 164.502(j), 164.512(f)(2)(i), 164.530(e), (g)
65 Fed. Reg. at 82,501-02, 82,562, 82,636-37, 82,747 (Dec. 28, 2000)