Policy on Sanctions for Personnel Breaches of Confidentiality of PHI (114.010)

Policy on Sanctions for
Personnel Breaches of Confidentiality of PHI

June 2, 2014

University of Wisconsin Medical Foundation, Inc.









I. Purpose of Policy:

This policy establishes sanctions for employees for any breaches of confidentiality of patients’
Protected Health Information (“PHI”); the confidentiality of patients’ PHI must be maintained in
accordance with state and federal privacy laws and regulations.

II. Definitions:

Protected Health Information (PHI): Any individually-identifiable patient information that is
transmitted or maintained in any form, including oral, written, or electronic. PHI includes
demographic, health, and financial information.

III. Policy, Standards, and Principles:

A. UWMF Policy Regarding Breaches of Confidentiality of PHI

Both state and federal law, professional standards of conduct, and UWMF policies
protect PHI from unauthorized access and/or disclosure, and provide for a framework of
physical and electronic security measures that apply to all UWMF employees.
(Applicable law, standards of conduct, and UWMF policies will be referred to as “UWMF’s
policies” from this point forward.)

UWMF employees may have access to PHI through other institutions’ electronic or paper
records systems (e.g., Meriter, UWHC). When accessing PHI through other
institutions’ records systems, UWMF employees must abide by those institutions’
applicable policies, but are subject to employment sanctions under this UWMF policy for
any breaches of confidentiality of the PHI accessed through those institutions’ records
systems.

Several core principles provide the basis for this policy:

1. Access

UWMF provides its employees with authorized access to PHI – through medical
records, computerized records systems, appointment schedules, facility
directories, billing information, and other patient and financial records – based on
their role or job duties.

2. Need to Know / Minimum Necessary

UWMF expects its employees to exercise their authorized access only to the
extent minimally necessary to carry out their job duties, and as permitted by
UWMF’s policies.

3. Control After Access

UWMF expects its employees to comply with UWMF policies related to the
control and re-disclosure of patient information after access to such information.

When an employee violates the standards and principles referenced above, or
violates UWMF’s policies related to the confidentiality of PHI, UWMF imposes
sanctions in accordance with this policy.

UWMF collaborates with other institutions whose employees and medical staff
members have access to UWMF’s patients’ PHI to ensure that those institutions
impose similar sanctions for similar violations.






B. Non-Retaliation

UWMF does not allow any of its employees to intimidate, threaten, coerce, discriminate
against or retaliate in any manner against any other employee who files, in good faith, an
internal or external complaint alleging a violation of UWMF’s policies.

IV. Process and Procedure:

A. Sanctions

1. When Sanctions Occur

An employee is subject to employment sanctions for breaching the confidentiality
of PHI in violation of UWMF’s policies, or by failing to exercise reasonable
precautions related to the PHI.

An employee who is granted access to other institutions’ records systems by
virtue of employment with UWMF is subject to employment sanctions under this
policy by UWMF for breaching the confidentiality of PHI accessed through those
other institutions’ records systems, in violation of the applicable policies of that
institution.

2. Types of Sanctions

Employment sanctions will be administered based on the type of breach
involved, and utilizing the disciplinary steps outlined below.

PLEASE SEE THE ATTACHED FAQs DOCUMENT FOR EXAMPLES OF
EACH TYPE OF BREACH

Type I – Inadvertent / Unintentional Breach

A Type I breach of confidentiality of PHI is an inadvertent/unintentional or
negligent act which violates UWMF policies (or another institution’s policies)
pertaining to that PHI and which may or may not result in PHI being disclosed.

Discipline for Type I breaches of confidentiality will be consistent with the
progressive improvement process for other areas of performance in accordance
with the Employee Performance Expectations Policy as administered by Human
Resources. In addition, the level of risk of the inadvertent breach will also be
considered when determining the level of discipline.

Repeat incidents of this nature or other failures to maintain performance will lead
to further disciplinary action and/or termination.


Type II – Intentional Breach

A Type II breach of confidentiality of PHI is an intentional act which violates
UWMF’s policies (or another institution’s policies) pertaining to that PHI and
which may or may not result in actual harm to the patient or personal gain to the
employee. A Type II breach will be confirmed by an ad hoc forum which will
include representation from the UWMF Human Resources Department (HR), the
Privacy Officer, the Director of Health Information, and the Medical Director of
Ambulatory Clinic Operations.






It is presumed that discipline for a Type II breach will be immediate termination.
In the alternative, the presumption may be overcome and a first Type II breach
may be addressed through sanctions other than termination if it is determined that
such sanctions will be sufficient to deter any further breaches by the employee
and such sanctions are recommended by the ad hoc forum referenced above
after consideration of the following factors:

• The reason for accessing the information
• The extent and nature of information accessed
• Any subsequent use or misuse of the information
• Disruption to patients or the organization if termination were to occur
• Unique circumstances warranting a sanction other than termination

The final decision on an appropriate sanction for a Type II breach of
confidentiality shall be made by the Vice President of Human Resources in
consultation with the Vice President who has responsibility over the employee
who committed the breach.

3. Duration of Discipline

Formal disciplinary action is considered “active” for a twelve-month period. If an
employee is on formal disciplinary action, he/she is not eligible to apply for other
positions within UWMF until a six-month timeframe has lapsed without any
further disciplinary action.

Employment sanctions relating to Type II breaches of confidentiality of PHI will
be considered a permanent part of an employee’s disciplinary record (i.e.
disciplinary actions relating to Type II breaches of confidentiality of PHI will
compound for the duration of the employee’s employment with UWMF); however,
employees will be eligible for transfer after six months with no further sanctions
under this policy.

4. Investigation of a Breach of Confidentiality of PHI

If a breach of confidentiality of PHI is suspected, the individual suspecting the
breach shall initiate an investigation about the breach by contacting his or her
supervisor, or directly contacting the Employment Services Representative of
HR; if a supervisor is contacted, the supervisor will involve the Employment
Services Representative of HR. The Employment Services Representative of
HR will work with the Director of Health Information and representatives from
other UWMF departments as needed to investigate the situation and determine
whether a breach of confidentiality of PHI has been committed, and if so, what
type of breach has been committed. If an investigation leads to the
determination that a breach of confidentiality of PHI has been committed, the
UWMF HR Department will administer employment sanctions in accordance with
this policy and coordinate follow-up with the involved employee’s manager or
supervisor.

If it is determined that a breach of confidentiality of PHI occurred, the manager or
supervisor of the involved employee will complete an Incident Report form
(Patient Safety Net Report) and Accounting of Disclosure form for each breach in
accordance with UWMF’s Incident Reporting Policy.

HR and the Health Information Department will take all reasonable measures to
mitigate any harm caused by any breach of confidentiality of PHI, and will work
with the Privacy Officer and/or Patient Resources to coordinate any other
necessary follow-up related to the breach of confidentiality of PHI.

B. Non-Retaliation

1. Retaliation Complaints

An employee who believes he or she is the victim of retaliation as a result of
reporting a suspected breach of confidentiality of PHI (under Section IV.A.4.,
above) shall make a complaint with his or her supervisor or manager, or with HR.
HR may be contacted by phone at (608) 821-4150.

2. Investigation of Retaliation Complaints

UWMF will investigate retaliation complaints immediately and will, when justified,
take prompt and appropriate corrective action. Complaints will be kept
confidential to the extent possible, consistent with the need for a thorough
investigation.

C. Assistance

Additional assistance relative to concerns regarding breaches of confidentiality of PHI or
retaliation for reporting a suspected breach of confidentiality of PHI may be obtained from
the following sources:

HR Services Director & Manager
Director of Health Information
Privacy Officer
UWMF Legal Counsel

D. Resources and References

Use, Release & Disclosure of Patient’s Protected Health Information Policy
Authorization Use Policy
Clinical and Non-Clinical Staff Best Practices Guidelines
Disposal of PHI Policy
Human Resources Confidentiality Policy
HIPAA 101 & 201
Incident Reporting Policy
HIPAA Privacy Policies
HIPAACOW (www.hipaacow.org)

V. Author and Review

Original Sponsor (2009): HIPAA Steering Committee

Sponsor of Revisions (2011): HIPAA Privacy Officer
Sponsor of Revisions (2013): HIPAA Privacy Officer
Sponsor of Revisions (2014): HIPAA Privacy Officer

Author / Review: UWMF Health Information Department
UWMF Human Resources Department
UWMF Legal Services Department
UWMF Operations Department

Committee Approval: HR Department Management Staff
UWMF Senior Management (December 5, 2011)
UWMF Senior Management (April 1, 2013)
UWMF Senior Management (June 2, 2014)

Approved: Peter Christman, Executive Vice President and COO
William Schrum, Vice President of Human Resources
Richard Welnick, M.D., Director for Ambulatory Operations