Sanctions for Non-Compliance with HIPAA Policies

Washington University and its member organizations (collectively, “Washington University” or “WU”) are committed to conducting business in compliance with all applicable laws, regulations and WU policies. WU has adopted this policy regarding sanctions for violations by workforce members of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

This Policy covers all workforce members within Washington University covered entity component parts whose actions or failures to act violate WU HIPAA policies. Workforce members include employees (both faculty and staff), appointees, volunteers, trainees and other persons whose conduct, in the performance of work for Washington University, is under the direct control of the University whether or not they are paid by the University.

Sanctions for violations of HIPAA policies may include, without limitation, verbal counseling, written warning, suspension, and discharge. Sanctions may also be applied for failure to report a known or suspected HIPAA violation. Factors in determining appropriate disciplinary action may include, but are not limited to:

  • Whether the workforce member self-reported the violation
  • Whether the breach was intentional or inadvertent
  • The nature of the breach, including whether the breach involved specially protected information such as HIV, psychiatric, substance abuse, or genetic data
  • The magnitude of the breach, including the number of patients and the volume of protected health information accessed or disclosed
  • The workforce member’s motive in accessing or disclosing protected health information
  • Whether the workforce member has committed prior HIPAA violations
  • The workforce member’s response or conduct during the investigation
  • Harm to the breach victim(s)

Investigation and Disciplinary Process:

  • Potential violations of the WU HIPAA Policy should be reported to the WU HIPAA Privacy Office. The HIPAA Privacy Office will notify the HIPAA Security Office if a violation of a HIPAA Security Policy is involved. A workforce member who becomes aware of a potential violation should immediately notify his/her supervisor and/or the HIPAA Privacy Office. Reports may also be made anonymously to the HIPAA Privacy Office (866-747-4975) or the WU Compliance Hotline (314-362-4998).
  • Upon notification of a potential violation of a WU HIPAA Policy, the HIPAA Privacy Office will investigate, review and assess the alleged violation. The investigation may necessitate, among other things, workforce member interviews and reviews of computer audit trails and telephone logs. The HIPAA Privacy Office will determine whether and what sanctions are appropriate in consultation with relevant administrators from the workforce member’s department or other business unit, Human Resources and/or the Office of the Executive Vice Chancellor & General Counsel, and the HIPAA Security Office if the matter involves a breach of the HIPAA Security Policy.
  • Disciplinary actions will be documented in writing and maintained in the appropriate personnel record. Disciplinary action may be appropriately delayed if the action could adversely affect or compromise patient care.

Last Revision Date: February 8, 2012