Corrective Action for Non-Compliance with Confidentiality of Protected Health Information (9.11)



Administrative (Non-Clinical) Policy

This administrative policy applies to the operations and staff of the University of Wisconsin
Hospitals and Clinics Authority as integrated effective July 1, 2015, including the legacy
operations and staff of University of Wisconsin Hospital and Clinics and University of Wisconsin
Medical Foundation.

Policy Title: Corrective Action for Non-Compliance with
Confidentiality of Protected Health Information
Policy Number: 9.11
Effective Date: February 1, 2018
Chapter: Human Resources
Version: Revision

I. PURPOSE

To address non-compliance with the requirements governing the confidentiality of protected health
information ("PHI").

II. POLICY

It is the policy of UW Health to take appropriate steps to promote compliance with the
requirements for maintaining the confidentiality of PHI. PHI is individually identifiable health
information that is maintained or transmitted in any form, including oral, written, or electronic. PHI
includes demographic, health, and financial information.

In order to promote compliance with confidentiality requirements and to encourage the reporting of
potential violations, the appropriate response for dealing with many violations or potential violations
of confidentiality is to provide additional education or address system changes. When there are
multiple, repeated or intentional violations or the presence of other aggravating factors, corrective
action and progressive disciplinary measures are appropriate, including immediate discharge from
employment.

Staff is prohibited from intimidating, threatening, coercing, discriminating against, or otherwise
retaliating in any manner against any other person for filing, in good faith, an internal or external
complaint alleging violation of policies concerning PHI.

UW Health reserves the right to change this policy. Employees who have questions regarding
information contained in this policy may contact the Human Resources Department.

III. PROCEDURES

A. Following an investigation, if it is determined that a violation of UW Health policies or any
state or federal law that protects the confidentiality of PHI occurred, the decision-making
manager will determine the appropriate action(s) utilizing the guidance of this policy in
consultation with Human Resources.

B. To ensure fairness with respect to the application of this policy, the decision-making manager
will also consult with the Business Integrity Department.

C. In determining the appropriate action(s), the decision-making manager will take into account the
following factors:
1. Whether a violation of a UW Health policy or a state or federal privacy law occurred.
2. Whether the violation was intentional or inadvertent.
3. Reason for the violation.
4. Potential harm to a patient(s) or a UW Health entity (may include consideration of the
sensitive nature of the PHI).
5. Previous violations of UW Health policy or state or federal privacy law, and/or history of
progressive discipline.
6. Any attempt to conceal a violation, failure to respond to an investigatory inquiry, or
untruthfulness during the investigation.
7. Other factors deemed relevant to the investigation.



For UW Health Employed Staff:

D. Guidance for Non-Access Violations (e.g. faxing to the wrong number, mailing to the wrong
address, giving the wrong after visit summary to a patient) or Inadvertent Accesses. Due to UW
Health’s duty to protect and secure PHI, the mandatory training and regular compliance
reminders provided to all employees regarding privacy policies and state and federal privacy
laws, and our commitment to the patients we serve, the following corrective action guidance
applies:
1. A single non-access violation or inadvertent violations by an employee who has no history
of corrective action for a privacy violation will ordinarily result in counseling to include re-
education with additional training.
2. An intentional violation or multiple non-access or inadvertent violations will be subject to
counseling and additional training and, if appropriate, corrective action up to and including
discharge.
3. An intentional violation committed for personal gain or to harm another individual will
result in discharge.

E. Guidance for Access Violations: Violations involving improper access of PHI: Violations of
UW Health privacy policies or state or federal privacy laws due to accessing PHI will follow the
three tiers below when determining corrective action and will be reported to the Business
Integrity Office.
1. Tier 1 Access Violation: Access in violation of UW Health’s policies but not necessarily
in violation of state or federal privacy laws.
a. Access by an employee of the PHI of a child or other person for whom the employee
has legal responsibility such as a guardianship or power of attorney, without a
treatment, payment or healthcare operations purpose is a violation of UW Health policy.
b. Access by an employee of the demographic only section of the medical record.
c. The employee’s manager will counsel the employee regarding the inappropriate access
of PHI and a Written Warning will be issued.
d. Any subsequent or multiple violations or a single access with mal-intent will result in
additional corrective action, up to and including discharge.


2. Tier 2 Access Violation: Access in violation of UW Health’s policies and/or state or
federal privacy law, for the benefit of the patient.
a. Access by an employee of any patient’s PHI, other than the employee’s own record or
that of the employee’s child or other person for whom the employee has legal
responsibility such as a guardianship or power of attorney, without a treatment,
payment or healthcare operations purpose, is a violation of UW Health’s policies and
state or federal privacy law.
b. The employee’s manager, Human Resources and Business Integrity will interview the
employee and determine whether the employee accessed the PHI of the patient for the
purpose of assisting or benefiting the patient.
c. The patient whose PHI was accessed may be notified pursuant to law after a breach
analysis is conducted by the appropriate Business Integrity staff. A statement by the
patient may be taken into account when considering the reason for access given by the
employee and subsequent discipline.
d. The employee’s manager will counsel the employee regarding the inappropriate access
of PHI and a Final Written Warning will be issued.
e. Any subsequent violation related to inappropriately accessing PHI will result in
discharge.
3. Tier 3 Access Violation: Access in violation of UW Health’s policies and state or federal
privacy law without intent to benefit the patient.
a. Access by an employee of any patient’s medical record, other than the employee’s own
record or that of the employee’s child or other person for whom the employee has legal
responsibility such as a guardianship or power of attorney, without a treatment,
payment or healthcare operations relationship, is a violation of UW Health’s policies
and state or federal law.
b. The employee’s manager, Human Resources and Business Integrity will interview the
employee and determine whether the employee’s access of the PHI was for a purpose
other than assisting or benefiting the patient, and will consider whether the employee
shared or inappropriately used the PHI.
c. The patient whose PHI was accessed may be notified pursuant to law after a breach
analysis is conducted by the appropriate Business Integrity staff.
d. The employee will be discharged from employment.

F. Exception Review: Any exception to this policy shall be recommended by Human Resources.
The recommended exception must be approved by the Vice President - Chief Human Resources
Officer and the Vice President – Business Integrity prior to granting the exception. If any
statements in this policy are in conflict with or contradict any oral statements or agreements
made by any representatives or officials of UW Health, then the statements contained in this
policy shall control the outcome.


For Staff Employed by UW-Madison

G. All reviews determining that a privacy issue has occurred will be reported to the UW-Madison
HIPAA Privacy Officer for investigation. The UW-Madison HIPAA Privacy Officer will work
with the appropriate UW-Madison HR staff to investigate and follow-up with the involved
employee in accordance with UW-Madison’s HIPAA Policy 9.2 (“Responding to Employee
Noncompliance with Policies and Procedures Relating to the HIPAA Privacy and Security
Rules”). The UW-Madison HIPAA Privacy Officer will provide a written statement to UW
Health’s Vice President of Business Integrity confirming that follow-up has occurred and the
date follow-up was completed. Investigating UW-Madison HR staff will collaborate with the
UW Health Associate Chief Medical Officer, Senior Vice President / Chief Clinical Officer,
and/or the Vice President of Business Integrity whenever a privacy issue involves repeated
Non-Access Violations or Tier 1 Access Violations or involves initial Tier 2 or Tier 3 Access
Violations (as described in this policy).

Notwithstanding this Section G, UW Health may take corrective action against a medical staff
member and/or individual with clinical privileges for violation of this Policy in accordance with
the UW Health Bylaws and Rules and Regulations of the Medical Staff.

H. A patient whose PHI was accessed may be notified pursuant to law after a breach analysis is
conducted by the UW-Madison HIPAA Privacy Officer, after consultation with UW Health’s
Vice President of Business Integrity.


For Graduate Medical Education (GME) Trainees

I. GME will generally follow the categories of issues as outlined by the UW Health Employed
Staff Guidance for Non-Access and Access violations. For all GME trainees in accredited
programs sponsored by UW Health, regardless of employer, the decision-making manager shall
be the Director of Graduate Medical Education. At the time the case is referred to the Director
of GME, the trainee’s Program Director will also be notified. GME trainees in violation of this
policy will receive discipline in accordance with the GME policy on Academic Improvement
and Corrective Action. Action taken will be reported to the Vice President of Business Integrity
for tracking.


Other Non UW Health Employees (including but not limited to students, contractors and volunteers)

J. Other Non UW Health Employees, Volunteers or Contractors: Specific Procedures For
Corrective Action Against Other Non-UW Health Employees: Repeated Tier 1 and initial or
repeated Tier 2 and Tier 3 violations will be referred to the appropriate employer to ensure
that appropriate corrective measures are applied. If corrective action is taken, the fact that it
occurred will be reported to the Vice President of Business Integrity for tracking. If no
action is taken, the employer must provide a written statement to UW Health's Vice President
of Business Integrity who will present the case to the UW Health Executive Committee. If
UW Health Executive Committee believes it is necessary, it may decide to take measures
separate from the employer, such as removing physical and electronic access privileges from
the person who committed the violation.

K. Students: Specific Procedures For Corrective Action Against Students: Repeated Tier 1 and
initial or repeated Tier 2 and Tier 3 violations will be referred to the appropriate contact
person at the student’s academic institution. The relevant contact persons from UW Health
and the academic institution will decide the appropriate action to take regarding the student,
including, if applicable, removing the student from the clinical experience at UW Health. If
corrective action is taken, the fact that it occurred will be reported to the Vice President of
Business Integrity for tracking. If no action is taken, the academic institution must provide a
written statement as to the reason to UW Health's Vice President of Business Integrity who
will present the case to the UW Health Executive Committee. If UW Health Executive
Committee believes it is necessary, it may decide to take measures separate from the
academic institution, such as removing physical and electronic access privileges from the
person who committed the violation.


Non-Retaliation

L. Employees and others working in UW Health facilities who report breaches of patient
confidentiality requirements shall not be retaliated against. They may report any retaliation to
their department or to the Employee Relations Department. Departments receiving allegations
of retaliation shall report them to the Employee Relations Department. The Employee
Relations Department shall determine who will investigate the matter. The Employee
Relations Department shall report all retaliation investigations to the Business Integrity
Office.


IV. REFERENCES

Hospital Administrative Policy 4.13 - Using and Disclosing (or Releasing) Protected Health Information
UW Health Administrative Policy 1.02 - UW Health Access to Electronic Information Systems


V. MODIFICATIONS

This Policy creates no rights, contractual or otherwise. Statements of policy obtained herein are not made
for the purpose of inducing any person to become or remain an employee of UW Health, and should not
be considered "promises" or as granting "property" rights. UW Health may add to, subtract from and/or
modify this Policy at any time. Nothing contained in this Policy impairs the right of a non-represented
employee or UW Health to terminate the employment relationship at-will. For represented employees,
who are not at-will employees, this policy does not supersede, limit nor grant any rights beyond those
provided by the applicable collective bargaining agreement.


VI. COORDINATION

Sr. Management Sponsor: Chief Human Resources Officer
Author: Vice President of Business Integrity
Reviewers: Chief Administrative Officer, Chief Human Resources Officer, Legal Department

Approval Committee: UW Health Administrative Policy and Procedure Committee


SIGNED BY

Elizabeth Bolt
UW Health Chief Administrative Officer