Both the HIPAA Security Rule and the HIPAA Privacy Rule require Covered Entities and Business Associates to document the disciplinary policy and apply sanctions against members of the workforce who violate the respective regulations.
Sanctions may be applied if you:
- Access PHI that is not necessary for your job – this includes activities like viewing patient records, copying PHI, or printing PHI
- Share your computer access credentials, such as your username and password, with others
- Leave your computer unattended but are logged into systems and applications
- Use or disclose PHI/ePHI without authorization
- Discuss confidential information in a public area or in an area where the public could overhear the conversation
- Discuss confidential information with an unauthorized person
- Fail to cooperate with the Information Security Officer or Privacy Officer during an investigation, emergency situation, or similar incident
- Fail to comply with a resolution team recommendation about your conduct
Sanctions may include:
- Verbal Warning
- Written Warning
Ensure you know all the policies and what constitutes reasonable use of protected data for your job.
Contact your Privacy Officer, Security Officer or Department Manager to get more details.