Policy on Sanctions for
Personnel Breaches of Confidentiality of PHI
June 2, 2014
University of Wisconsin Medical Foundation, Inc.
I. Purpose of Policy:
This policy establishes sanctions for employees for any breaches of confidentiality of patients’
Protected Health Information (“PHI”); the confidentiality of patients’ PHI must be maintained in
accordance with state and federal privacy laws and regulations.
Protected Health Information (PHI): Any individually-identifiable patient information that is
transmitted or maintained in any form, including oral, written, or electronic. PHI includes
demographic, health, and financial information.
III. Policy, Standards, and Principles:
A. UWMF Policy Regarding Breaches of Confidentiality of PHI
Both state and federal law, professional standards of conduct, and UWMF policies
protect PHI from unauthorized access and/or disclosure, and provide for a framework of
physical and electronic security measures that apply to all UWMF employees.
(Applicable law, standards of conduct, and UWMF policies will be referred to as “UWMF’s
policies” from this point forward.)
UWMF employees may have access to PHI through other institutions’ electronic or paper
records systems (e.g. Meriter, UWHC, etc.). When accessing PHI through other
institutions’ records systems, UWMF employees must abide by those institutions’
applicable policies, but are subject to employment sanctions under this UWMF policy for
any breaches of confidentiality of the PHI accessed through those institutions’ records
Several core principles provide the basis for this policy:
UWMF provides its employees with authorized access to PHI – through medical
records, computerized records systems, appointment schedules, facility
directories, billing information, and other patient and financial records – based on
their role or job duties.
2. Need to Know / Minimum Necessary
UWMF expects its employees to exercise their authorized access only to the
extent minimally necessary to carry out their job duties, and as permitted by
3. Control After Access
UWMF expects its employees to comply with UWMF policies related to the
control and re-disclosure of patient information after access to such information.
When an employee violates the standards and principles referenced above, or
violates UWMF’s policies related to the confidentiality of PHI, UWMF imposes
sanctions in accordance with this policy.
UWMF collaborates with other institutions whose employees and medical staff
members have access to UWMF’s patients’ PHI to ensure that those institutions
impose similar sanctions for similar violations.
UWMF does not allow any of its employees to intimidate, threaten, coerce, discriminate
against or retaliate in any manner against any other employee who files, in good faith, an
internal or external complaint alleging a violation of UWMF’s policies.
IV. Process and Procedure:
1. When Sanctions Occur
An employee is subject to employment sanctions for breaching the confidentiality
of PHI in violation of UWMF’s policies, or by failing to exercise reasonable
precautions related to the PHI.
An employee who is granted access to other institutions’ records systems by
virtue of employment with UWMF is subject to employment sanctions under this
policy by UWMF for breaching the confidentiality of PHI accessed through those
other institutions’ records systems, in violation of the applicable policies of that
2. Types of Sanctions
Employment sanctions will be administered based on the type of breach
involved, and utilizing the disciplinary steps outlined below.
PLEASE SEE THE ATTACHED FAQ’s DOCUMENT FOR EXAMPLES OF
EACH TYPE OF BREACH
Type I – Inadvertent / Unintentional Breach
A Type I breach of confidentiality of PHI is an inadvertent/unintentional or
negligent act which violates UWMF policies (or another institution’s policies)
pertaining to that PHI and which may or may not result in PHI being disclosed.
Discipline for Type I breaches of confidentiality will be consistent with the
progressive improvement process for other areas of performance in accordance
with the Employee Performance Expectations Policy as administered by Human
Resources. In addition, the level of risk of the inadvertent breach will also be
considered when determining the level of discipline.
Repeat incidents of this nature or other failures to maintain performance will lead
to further disciplinary action and/or termination.
Type II – Intentional Breach
A Type II breach of confidentiality of PHI is an intentional act which violates
UWMF’s policies (or another institution’s policies) pertaining to that PHI and
which may or may not result in actual harm to the patient or personal gain to the
employee. A Type II breach will be confirmed by an ad hoc forum which will
include representation from the UWMF Human Resources Department (HR), the
Privacy Officer, the Director of Health Information, and the Medical Director of
Ambulatory Clinic Operations.
It is presumed that discipline for a Type II breach will be immediate termination.
In the alternative, the presumption may be overcome and a first Type II breach
may be addressed through sanctions other than termination if it is determined that
such sanctions will be sufficient to deter any further breaches by the employee
and such sanctions are recommended by the ad hoc forum referenced above
after consideration of the following factors:
The reason for accessing the information
The extent and nature of information accessed
Any subsequent use or misuse of the information
Disruption to patients or the organization if termination were to occur
Unique circumstances warranting a sanction other than termination
The final decision on an appropriate sanction for a Type II breach of
confidentiality shall be made by the Vice President of Human Resources in
consultation with the Vice President who has responsibility over the employee
who committed the breach.
3. Duration of Discipline
Formal disciplinary action is considered “active” for a twelve-month period. If an
employee is on formal disciplinary action, he/she is not eligible to apply for other
positions within UWMF until a six-month timeframe has lapsed without any
further disciplinary action.
Employment sanctions relating to Type II breaches of confidentiality of PHI will
be considered a permanent part of an employee’s disciplinary record (i.e.
disciplinary actions relating to Type II breaches of confidentiality of PHI will
compound for the duration of the employee’s employment with UWMF); however,
employees will be eligible for transfer after six months with no further sanctions
under this policy.
4. Investigation of a Breach of Confidentiality of PHI
If a breach of confidentiality of PHI is suspected, the individual suspecting the
breach shall initiate an investigation about the breach by contacting his or her
supervisor, or directly contacting the Employment Services Representative of
HR; if a supervisor is contacted, the supervisor will involve the Employment
Services Representative of HR. The Employment Services Representative of
HR will work with the Director of Health Information and representatives from
other UWMF departments as needed to investigate the situation and determine
whether a breach of confidentiality of PHI has been committed, and if so, what
type of breach has been committed. If an investigation leads to the
determination that a breach of confidentiality of PHI has been committed, the
UWMF HR Department will administer employment sanctions in accordance with
this policy and coordinate follow-up with the involved employee’s manager or
If it is determined that a breach of confidentiality of PHI occurred, the manager or
supervisor of the involved employee will complete an Incident Report form
(Patient Safety Net Report) and Accounting of Disclosure form for each breach in
accordance with UWMF’s Incident Reporting Policy.
HR and the Health Information Department will take all reasonable measures to
mitigate any harm caused by any breach of confidentiality of PHI, and will work
with the Privacy Officer and/or Patient Resources to coordinate any other
necessary follow-up related to the breach of confidentiality of PHI.
1. Retaliation Complaints
An employee who believes he or she is the victim of retaliation as a result of
reporting a suspected breach of confidentiality of PHI (under Section IV.A.4.,
above) shall make a complaint with his or her supervisor or manager, or with HR.
HR may be contacted by phone at (608) 821-4150.
2. Investigation of Retaliation Complaints
UWMF will investigate retaliation complaints immediately and will, when justified,
take prompt and appropriate corrective action. Complaints will be kept
confidential to the extent possible, consistent with the need for a thorough
Additional assistance relative to concerns regarding breaches of confidentiality of PHI or
retaliation for reporting a suspected breach of confidentiality of PHI may be obtained from
the following sources:
HR Services Director & Manager
Director of Health Information
UWMF Legal Counsel
D. Resources and References
Use, Release & Disclosure of Patient’s Protected Health Information Policy
Authorization Use Policy
Clinical and Non-Clinical Staff Best Practices Guidelines
Disposal of PHI Policy
Human Resources Confidentiality Policy
HIPAA 101 & 201
Incident Reporting Policy
HIPAA Privacy Policies
V. Author and Review
Original Sponsor (2009): HIPAA Steering Committee
Sponsor of Revisions (2011): HIPAA Privacy Officer
Sponsor of Revisions (2013): HIPAA Privacy Officer
Sponsor of Revisions (2014): HIPAA Privacy Officer
Author / Review: UWMF Health Information Department
UWMF Human Resources Department
UWMF Legal Services Department
UWMF Operations Department
Committee Approval: HR Department Management Staff
UWMF Senior Management (December 5, 2011)
UWMF Senior Management (April 1, 2013)
UWMF Senior Management (June 2, 2014)
Approved: Peter Christman, Executive Vice President and COO
William Schrum, Vice President of Human Resources
Richard Welnick, M.D., Director for Ambulatory Operations