Disciplinary Action Regarding a Breach of Confidentiality of Protected Health Information (PHI)

Background

Effective April 14, 2003, the Research Foundation of State University of New York must comply with the Health Insurance Portability and Accountability Act, Standards for Privacy of Individually Identifiable Health Information. Known as the Privacy Rule, it was designed to protect the confidentiality of all medical records and other health information held or disclosed by certain entities in any form, whether communicated electronically, on paper, or in oral conversations.

In accordance with the act, the Research Foundation and each member of its workforce are required to maintain confidentiality of Protected Health Information (PHI) and to establish and apply appropriate sanctions against members of its workforce who breach the confidentiality requirements of the privacy rules and procedures. Refer to the Research Foundation’s Confidentiality of Health Information Policy. There is also a new procedure titled Privacy and Security of Protected Health Information, which provides guidelines on maintaining the privacy and security of PHI.

Policy

It is the policy of the Research Foundation of State University of New York to establish and apply appropriate disciplinary actions against members of its workforce who breach the confidentiality of Protected Health Information. The disciplinary actions that are applied against members of the workforce must be documented in writing.

Right to Complain

As a member of the workforce of the Research Foundation of SUNY, you have the right to complain to the Research Foundation’s Privacy Officer or the Secretary of the Department of Health and Human Services if you believe that your rights regarding PHI have been violated or if you disagree with a decision that has been made about access to your PHI. Refer to the Notice of Privacy Practices, Sections IV and V.

If you file a complaint with the Research Foundation Privacy Officer or with the Secretary of the Department of Health and Human Services, we will not take any retaliatory action against you.

What Constitutes a Breach of Confidentiality?

The document titled Notice of Privacy Practices and the procedure titled Privacy and Security of Protected Health Information describe the legitimate uses or disclosures of protected health information. When these legitimate uses or disclosures are violated, a breach of confidentiality has occurred.

Any and all breaches of confidentiality should be reported to the area/department supervisor. Failure to report a breach will be considered a violation of the Confidentiality of Health Information Policy.

Determining Intent of Violation

The Research Foundation of SUNY is committed to investigating the cause of the breach of confidentiality and making a determination regarding the severity of the breach in accordance with the levels of violation described below.

The Research Foundation Privacy Officer or the Secretary of the Department of Health and Human Services is responsible for receiving, reviewing, and making a determination of the level of violation committed, if any. The Research Foundation has established that there are the following levels of violations: willful/intentional violation or inadvertent violation. A determination can also be made that no violation has occurred.

Willful/Intentional Violation – occurs when a member of the workforce knowingly uses or discloses PHI in violation of the privacy rules and reasonably knows the consequences of such an act.

Inadvertent Violation – occurs when a member of the workforce unintentionally uses or discloses PHI and does not reasonably know the consequences of such an act; or intentionally uses or discloses PHI, but does not reasonably know or understand the consequences of such an act.

No Violation Has Occurred.

Disciplinary Actions for Violations

The following are the disciplinary actions for violations:

Willful/Intentional Violation. If the breach of confidentiality of PHI is determined to be egregious, the member of the workforce will be subject to disciplinary action, up to and including termination of employment.

If the breach is determined to be less severe than egregious, the member of the workforce will be subject to the following disciplinary action:

Documenting Violations

In accordance with the regulations set forth in the Privacy Rule, all disciplinary actions that are applied against members of the workforce must be documented in writing.


Copyright © 2012 The Research Foundation for The State University of New York