Page 48 - Privacy_Program
SANCTIONS FOR PRIVACY VIOLATIONS [DP181]
Scope: Enterprise
Distribution: All Employees
Purpose: To hold employees and contractors accountable for material violations of the organization’s privacy and data security policies.
External Regulation or Standard: 45 C.F.R. §164.530(e) ‐ sanctions
| Who is Responsible | Statement Number | Policy, Standard, or Procedure Statement |
|---|---|---|
| Executive Leadership Team | DP181.1 | The organization will apply appropriate sanctions against members of its workforce who fail to comply with its privacy policies and procedures. |
| Executive Leadership Team | DP181.2 | The type of sanction applied shall vary depending on the severity of the violation, whether the violation was intentional or unintentional, whether the violation indicates a pattern or practice of improper access, use or disclosure of health information, and similar factors. |
| Executive Leadership Team | DP181.3 | Employees, agents, and other contractors should be aware that violations of a severe nature may result in notification to law enforcement officials as well as regulatory, accreditation, and/or licensure organizations. |
| Executive Leadership Team | DP181.4 | The policy and procedures contained herein do not apply specifically when members of the organization’s workforce exercise their right to: |
| | DP181.4a | (a) file a complaint with a government agency; |
| | DP181.4b | (b) testify, assist, or participate in an investigation, compliance review, proceeding, or hearing under Part C of Title XI; or |
| | DP181.4c | (c) oppose any act made unlawful by the HIPAA Privacy rule; provided the individual or person has a good faith belief that the act opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of privacy restricted information in violation of the HIPAA privacy rule; |
| | DP181.4d | (d) disclose privacy restricted information as a whistleblower and the disclosure is to a health oversight agency; public health authority; or an attorney retained by the individual for purposes of determining the individual’s legal options about the whistleblower activity; or |
| | DP181.4e | (e) an employee who is a victim of a crime and discloses privacy restricted information to a law enforcement official, if the privacy restricted information is about a suspected perpetrator of the criminal act; and is limited to the information listed in HIP‐UD‐ANR‐106 (Disclosing PRIVACY RESTRICTED INFORMATION for Law Enforcement Release). |
| Executive Leadership Team | DP181.5 | The Privacy Steering Committee, in conjunction with the Chief Human Resources Officer, is responsible for determining the severity of sanctions necessary. |
| Chief Human Resources Officer | DP181.6 | All sanctioning of employees will be documented and retained for a period of at least six years from the date of its creation or the date when it was last in effect, whichever is later. |
GES CONFIDENTIAL 44