12-10 HIPAA: Sanctions for Breach of Privacy and Security of PHI
About CMU's "HIPAA sanctions for breach of PHI privacy and security policy"
This policy sets forth sanctions that members of the CMU community could potentially face for violations of the Health Insurance Portability and Accountability Act of 1996.
NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.
- Effective date of this revision: October 26, 2018
- Contact for more information: Office of HIPAA Compliance 989-774-2829, hipaa@cmich.edu
BACKGROUND
Central Michigan University is a covered entity under the HIPAA law and regulations. According to this law, CMU officers, employees, and agents must preserve the integrity and the confidentiality of individually identifiable health information (IIHI) pertaining to each patient, client or individual covered under a CMU self-insured health plan. This IIHI is protected health information (PHI) and shall be safeguarded in compliance with the requirements of the security and privacy rules and standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
PURPOSE
To ensure that appropriate and consistent sanctions are imposed on staff, faculty, students, volunteers and contracted entities who violate the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and/or who violate Central Michigan University (CMU) HIPAA policies and procedures.
DEFINITIONS
The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.
POLICY
1.0 CMU prohibits violations of HIPAA statutory and regulatory requirements, and these CMU policies and procedures have been adopted to uphold them. Any violation of HIPAA rules or CMU policy and procedures shall constitute grounds for disciplinary action.
2.0 The HIPAA Privacy Officer will determine if a reported incident results in a violation/breach.
3.0 The Associate Vice President of Human Resources, Executive Director of Faculty Personnel Services, or the Associate Vice President of Student Affairs is the authorized official to enforce sanctions appropriate to the category of the person who has engaged in the violation.
4.0 If it is determined that a contractor has violated the contract requirements of following HIPAA rules and CMU policies and procedures, the Director of Contracting and Purchasing is the authorized official to terminate the contract.
5.0 In all cases, the authorized officials shall communicate and coordinate the enforcement of sanctions with the Vice President for Health Affairs.
6.0 Violations may be classified based on intent. Level I violations are generally accidental. Level II violations are serious in nature and reflect purposeful disregard for the law and/or CMU policy. Generally, Level II violations result in more serious sanctions and may result in termination. Repeated Level I violations by the same person may also result in serious sanctions, up to and including termination.
7.0 The disciplinary process and sanctions that may be imposed for a violation of HIPAA law, regulations and/or CMU policies and procedures will vary according to the category of the person who has engaged in the violation.
a. Employees, including student employees, will be subject to the disciplinary processes already in place for their employee group. Disciplinary action may include termination. If the seriousness of the offense warrants such action, an employee may be terminated for the first breach of HIPAA law, regulation or CMU’s HIPAA policy and procedures.
b. Students who are engaged in clinical experiences at CMU work sites, giving them access to protected health information, will be subject to discipline by the CMU work site, up to and including termination from the clinical work.
c. Students who are engaged in clinical experiences at non-CMU work sites, giving them access to protected health information, will be subject to discipline as determined appropriate by the CMU authorized official responsible for student sanctions, in collaboration with the non-CMU site supervisor.
d. If the student is enrolled in a class, he/she will be subject to grading consequences according to the processes established by the applicable College/Department, and shall be referred to the Office of Student Conduct for review of the Code of Conduct violation and determination of sanctions. Students enrolled in clinical programs may be further subject to review of their fitness for continuation in the clinical education program according to the criteria and processes established by that clinical program.
e. Contractors are subject to termination of the contract.
f. Other workforce members will be subject to disciplinary measures deemed appropriate for the violation, up to and including termination.
8.0 Violations of HIPAA law and regulations may also subject the violator to criminal prosecution.
9.0 No CMU officer, employee or agent shall intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual who files a complaint or reports a possible breach of the integrity or confidentiality of client or other sensitive information, or who cooperates in the investigation or disciplinary procedure arising out of a complaint or report.
10.0 All officers, employees, students, contractors and agents of CMU are expected to comply and cooperate with CMU’s investigation and sanctioning of violations of HIPAA law, regulations, and CMU HIPAA policy.
11.0 Any employee who knowingly falsely accuses another of a breach of HIPAA rules and policy shall be subject to disciplinary action up to and including termination.
12.0 Any person may report an alleged violation of HIPAA compliance by following the HIPAA Reporting and Investigating Privacy and Security Incidents/Complaints Policy 12-4.
13.0 If the investigation of an allegation of a violation concludes that one or more employees are responsible for the violation, they may be disciplined according to the established CMU procedures for disciplining an employee in that employee category. Serious or repeated violations may lead to termination.
14.0 If the investigation of an allegation of a violation concludes that a system, procedure or policy of CMU is responsible for the violation, the HIPAA Privacy Officer will oversee the implementation of needed changes and, if sanctions are necessary, will refer the matter to the appropriate authorized official.
15.0 Criminal Prosecution. Willful and grossly negligent breaches of HIPAA law or regulations may be referred to the appropriate authorities for an assessment of criminal liability.
a. Agency Cooperation with Criminal Prosecution. In the event that a violation of CMU’s policies and standards for privacy and security of PHI constitutes a criminal offense under HIPAA or other federal or state laws, the violator should expect that CMU shall provide information concerning the violation to appropriate law enforcement personnel and will cooperate with any law enforcement investigation or prosecution.
16.0 CMU Involvement in Professional Discipline. In the event that a violation of HIPAA law or rules or of CMU’s HIPAA policies and standards for privacy and security of PHI constitutes a violation of professional ethics and is grounds for professional discipline, the violator should expect that CMU may report such violations to the appropriate licensure/accreditation agencies and will cooperate with any professional investigation or disciplinary proceedings.
17.0 Treatment of Agents and Contractors. CMU will seek to include violations of HIPAA law or rules or CMU’s HIPAA policies and procedures as grounds for termination of the contract and/or imposition of contract penalties.
18.0 Documentation of Sanctions. The HIPAA Privacy Officer will maintain a record of allegations received and their disposition, including sanctions that are applied. This documentation will be retained for six years from the date of its creation. In addition, the record of sanctions applied will be reviewed with the HIPAA Executive Steering Committee, as part of the annual HIPAA program review.
Central Michigan University reserves the right to make exceptions to, modify or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines relative to this subject.