Sanction Policy
In the event that an employee violates the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these sanction guidelines apply.
HIPAA regulations require that sanctions be imposed consistently, with fair outcomes. Sanctions are based on the category level of the incident and should follow this escalation process:
- Documented discussion with offender with recommendations for additional training if necessary
- First written warning (may include training as above)
- Final warning, with or without suspension and pay (may include training as above)
- Termination of employment, contract, privileges or volunteer status; or civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.
Category 1 Offenses - Unintentional breach of privacy or security that may be caused by carelessness, lack of knowledge or lack of judgement.
- Accessing information that you do not need to know to do your job;
- Sharing your computer access codes (user name & password);
- Leaving your computer unattended while you are logged into a PHI program;
- Sharing PHI with another employee without authorization;
- Copying PHI without authorization;
- Changing PHI without authorization;
- Discussing confidential information in a public area or in an area where the public could overhear the conversation;
- Discussing confidential information with an unauthorized person; or
- Failure to cooperate with privacy officer.
Category 2 Offenses - Deliberate unauthorized disclosure of patient health information (PHI) without PHI disclosure.
- Second offense of any class I offense (does not have to be the same offense);
- Unauthorized use or disclosure of PHI;
- Using another person’s computer access codes (user name & password); or
- Failure to comply with a resolution team resolution or recommendation.
Category 3 Offenses
- Second offense of any class II offense (does not have to be the same offense);
- Third offense of any class I offense (does not have to be the same offense);
- Obtaining PHI under false pretenses; or
- Using and/or disclosing PHI for commercial advantage, personal gain or malicious harm.
HIPAA VIOLATION SANCTION POLICY ACKNOWLEDGMENT OF RECEIPT
Effective Date: ____________________
I, the undersigned employee, hereby acknowledge receipt of a copy of the HIPAA Violation Sanction
Policy for _______________________________________________.
___________________________________________ | _____________________
Signature of Employee | Date
___________________________________________ | _____________________
Signature of Administrator | Date