Violations of Confidentiality
Date: September 23, 2020
Senior Associate Dean for Clinical Affairs
PO Box 8007937
PO Box 800793
Paid and unpaid employees of the School of Medicine(“SOM”), SOM volunteers, post-doctoral fellows, students enrolled in the SOM’sPhD and Masters programs, and vendors that are doing business with the SOM and that have access to protected health information.
Reason for Policy:
This policy outlines sanctions for violation(s) of confidentiality of Protected Health Information (PHI)
This policy outlines sanctions for violation(s) of confidentiality of Protected Health Information (PHI).
Personnel and students shall access and use only the Protected Health Information (PHI) that they have a need to know as part of their authorized role-related duties. Federal and institutional guidelines and policies describe measures to safeguard protected health information (PHI). Unauthorized individuals who access, use, and/or disclose PHI, attempt to access PHI, and/or assist others to access PHI when it is not authorized, will be sanctioned appropriately. As outlined in the procedures, a sanction may take the form of verbal counseling, written reprimand, or further disciplinary action, including mandatory leave without pay and/or termination.
Medical Center (“MC”) Policy No. 0021 (Confidentiality of Patient Information) outlines the requirements for confidentiality of patient information. SOM employees shall comply with all provisions of MC Policy No. 0021.
Definition of Terms:
Access–to obtain, open, retrieve, or otherwise handle a patient’s Protected Health Information, regardless of its format (“Access”).
A Single Access is Accessing a single patient’s record within a single twenty-four hour period.
A Multiple Access is:
- Accessing the records of two or more patients, regardless of the time frame within which the Access occurs; or
- Accessing the same patient’s record on more than one occasion within two or more twenty-four-hour periods (as measured from the time of the first access)
Authorized Access or Disclosure–Access to or disclosure of Protected Health Information that is necessary to support treatment, payment or business operations, when appropriately authorized by the patient, or as otherwise permitted by law and by SOM and MC policy.
Disclosure or Disclose–the revealing of Protected Health Information, regardless of the format by which the information is made known (“Disclosure” or “Disclose”). With respect to PHI, Disclosure includes revealing the name of a patient, or any other information which would reasonably inform another person of a patient’s identity, such as familial status, occupation and job title, address, names of acquaintances, etc.
(See MCPolicy No. 0021 “Confidentiality of Patient Information”)
EMR–electronic medical record used to document clinical care. This 68excludes MyChart.
HIPAA–Health Insurance Portability and Accountability Act of 1996. It contains provisions for protecting the privacy of patient Protected Health Information (PHI).
MyChart – an online, personalized, secure portal for accessing portions of one’s own medical information. A patient may authorize another individual to access his or her MyChart by filing a written proxy in advance of the other individual accessing the patient’s MyChart. My Chart is not the same as the EMR.
Protected Health Information(PHI) –All individually identifiable health and 81billing/payment information about a patient, regardless of its location or 82form.Such information is ‘individually identifiable’ if it includes any one of 83the identifiers listed in Appendix A of MCPolicy 0021.
Violation–Access to, Use, or Disclosure of PHI for purposes other than those for which the individual is authorized.The following outlines some, but not all, types of violations(“Violations”).
a. Level 1: An employee or student carelessly accesses PHI, that he/she has no need to know in order to carry out his/her job or educational program responsibilities, or carelessly Discloses information to which he/she has authorized Access. Examples of Level 1 Violations include, but are not limited to:
- Leaving PHI in a public area;
- Misdirecting faxes or emails that contain PHI;
- Discussing PHI that the employee or student is authorized to have Accessed in public areas where the discussion could be overheard;
- Leaving a computer or portable electronic device (e.g., smartphone, 101tablet, etc) accessible and unattended with PHI unsecured.
b. Level 2: An employee or student intentionally accesses PHI without authorization. A Level 2 Violation shall be considered acts of serious misconduct that constitute a serious violation of this policy. Examples of Level 2 Violations include, but are not limited, to:
- Intentional, unauthorized Accessing of a friend’s, relative’s(including minor child’s, adult child’s, spouse’s, or other family member’s), co-worker’s, public personality’s, or any other individual’s PHI(including searching for an address or phone number);
- Intentionally assisting another employee in gaining unauthorized access to PHI;
c. Level 3: An employee or student intentionally Accesses and Discloses PHI without authorization A Level 3 Violation shall be considered misconduct of such a severe nature that a first occurrence normally warrants termination or program dismissal. This is an extremely serious violation of this policy. Examples of Level 3 Violations include, but are not limited to:
- Unauthorized intentional Disclosure of a friend’s, relative’s (including minor child’s, adult child’s, spouse’s, or other family member’s), co-worker’s, public personality’s, or any other individual’s PHI;
- Unauthorized intentional delivery of any PHI to any third party.
Each employee or student must report all alleged, apparent, or potential Violations within no more than twenty-four hours to both his/her supervisor/designee and the Corporate Compliance and Privacy Officer for investigation and follow up. Any report of a Violation shall be investigated appropriately by the area supervisor/designee, the SOM Human Resources designee, and the Corporate Compliance and Privacy Officer.
Upon receiving report of a possible HIPAA violation, the Corporate Compliance and Privacy Officer will work with the appropriate associate deans and SOM Human Resources designee to conduct a confidential investigation of the alleged Violation. They are:
- Dean–for events related to clinical faculty
- Senior Associate Dean for Education –for events related to graduate or Masters students
- Associate Dean for Finance and Administration –for events related to any other individuals to whom this policy applies
A reasonable effort will be made during the investigation to include interviews of any person who may have knowledge of the event.
The appropriate deans are responsible for recommending the appropriate sanctions to the Dean. Results of the investigation and decision will be documented in writing and records retained in the employee’s official personnel file. Individuals may appeal the decision in accordance with existing policies and procedures. The Dean, or designee, will review any sanction involving suspension, dismissal, or termination before it is implemented, and retains final authority concerning sanctions.
In the event of a possible Violation involving both SOM and MC and /or University of Virginia Physicians Group (“UPG”) personnel, the investigation must be coordinated and any corrective actions or sanctions must be consistent among the organizations. The appropriate SOM dean, the appropriate MCChief, and the appropriate UPG Director shall cooperate and collaborate with University, SOM, UPG, and MCHuman Resources and with the Corporate Compliance and Privacy Officer in
reaching a determination of the matter.
The Corporate Compliance and Privacy Officer shall provide an annual report of all Violations to the Dean of the SOM, and the Chief Executive Officer of the MC.
The following will serve as guidelines for appropriate sanctions in circumstances where it has been determined that a violation has occurred.
Virginia law requires the reporting of specific matters related to licensed or certified healthcare practitioners to the Virginia Department of Health Professions (DHP). For all individuals who are licensed or certified by any of Virginia’s Health Regulatory Boards, all Level 2 and 3 Violations of HIPAA or Virginia law will be reported to DHP.
Paid and unpaid employees, post-doctoral fellows, volunteers
- A Level 1Violation shall result in verbal counseling; a written letter of counseling; and/or retraining. Multiple careless unintentional Level 1 Violation involving Disclosure and/or Multiple Access shall be subject to progressive disciplinary action up to and including termination.
- A Level 2Violation shall result in performance warning with a three-day leave without pay in most instances and required retraining for the first Level 2 Violation. Disciplinary action up to and including termination may be taken for multiple Level2 Violations, and for those Level 2 Violations where access was obtained under false pretenses.
- Level 3Violations, in most cases, shall result in immediate termination of employment, non-paid, or volunteer assignment.
Corrective action for Violations involving paid employees shall involve the appropriate dean and shall follow the process outlined in the Standards of Conduct for University and classified staff. When faculty are involved, the appropriate deans hall be consulted, and the faculty shall have the rights outlined in relevant faculty policies and grievance procedures.The services of a non-paid or volunteer may be terminated at will if recommended.
Students enrolled in the SOM’sPhD or Masters program
- A Level 1Violation shall result in verbal counseling; a written warning in the student’s file; and/or retraining. Careless unintentional Level 1 Violations involving Disclosure and / or Multiple Access shall be subject to progressive disciplinary action up to and including termination from the program of study.
- A Level 2Violation shall result a written reprimand in the student’s academic file and retraining. The student will be suspended from the program of study for three days and/or terminated from the program of study.
- Level 3Violations, in most cases, shall result in immediate termination from the program of study.
Corrective action for Violations involving students shall involve the Senior Associate Dean for Education. This policy does not apply to medical students; for events involving medical students, the procedures outlined in
the Policy on Academic and Professional Advancement shall be followed.
- A Level 1Violation may result in a verbal warning; written correspondence regarding the Violation; and/or a request that vendor representatives be certified that they have retrained for HIPAA privacy
- A Level 2Violation may result in written correspondence regarding the Violation; a request that vendor representatives certify that they have retrained in HIPAA privacy; a request that the company assign a new representative(s) to conduct its business with the
institution; and/or suspension of activity with the business associate for a period of time to be determined.
- A Level 3Violation will result in written correspondence regarding the Violation; a request that the company assign a new representative(s) to conduct its business with the institution; suspension of activity with the vendor for a period of time to be determined; and/or termination of the relationship with the vendor.
Corrective action for Violations involving vendors shall involve the Associate Dean for Finance and Administration and the Director of Procurement Services, and shall include review of the vendor’s contract.
UVa Medical Center Privacy Policies (including Confidentiality of Patient Information, Medical Center Policy 0021) are listed on this page:
Violations of Confidentiality, Medical Center Policy 707
SOM Required HIPAA Privacy Training
Policy on Academic and Professional Advancement
UVa Code of Ethics
Responsibilities of Principal Investigators
Policy on Disciplinary Suspension or Termination of Academic Faculty
Grievance Policy for Academic Faculty (tenured, tenure-track, and academic non-tenure-track faculty)
Grievance Procedure for Administrative General Faculty
HRM-027: Resolving Grievances for University Staff Employees
HRM-001, Authorization of Volunteers in the Workplace
SOM Policy: Volunteers in Research
Next ScheduledReview: September 2023
Revision History: Implemented July 23, 2007; revised 7/1/10, 12/21/12; administrative updates 1/26/15; 9/23/20
Approved on 9/23/20 by:
David S. Wilkes, MD
Dean, School of Medicine