UNIVERSITY OF MAINE SYSTEM HIPAA GENERAL OPERATING POLICY #32 SANCTIONS
I. In General
A HCC must have and apply appropriate sanctions against members of its workforce and Business Associates who fail to comply with the University’s HIPAA privacy and security policies and procedures or the requirements of the Privacy and Security Rules. This standard does not apply to members of the workforce who are whistleblowers, victims of crime or who have filed a complaint, participated in an investigation or opposed an unlawful act or practice. When imposing sanctions for the inappropriate use and disclosure of PHI, consideration should be given to whether the use or disclosure was made as a result of (a) carelessness or negligence, (b) curiosity or concern, or (c) the desire for personal gain or malice. A HCC must document any sanctions that are applied.
II. Employees
Any investigations of a violation of the University’s HIPAA privacy or security policies and procedures by an employee must be conducted and any sanctions must be imposed in accordance with existing University disciplinary procedures and any applicable Collective Bargaining Agreement. The sanction imposed for a violation of the HIPAA privacy or security policies and procedures will depend on the severity of the violation.
III. Students
Students who violate the University’s HIPAA privacy or security policies and procedures will be subject to sanctions, which may include, but are not limited to: probation, suspension or dismissal. The type of sanction imposed will depend on the severity of the violation. Sanctions will be imposed on students in accordance with applicable University policies and procedures.
IV. Volunteers
Volunteers who materially violate the University’s HIPAA privacy or security policies and procedures will not be permitted to provide further assistance to the University as a volunteer.
V. Business Associates
If the University knows of a pattern of activity or practice of a business associate that constitutes a material breach or violation of the business associate's obligations under his/her/ its contract with the University, the University will take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, will take action to terminate the agreement or notify the Secretary of DHHS as described in the agreement.
VI. Documentation
Documentation regarding any sanction imposed for a violation of the University’s HIPAA privacy or security policies and procedures should be retained for at least six (6) years. Copies of such documentation should be forwarded to the Privacy Official or Security Official who also should maintain such documentation for the minimum retention period. Documentation of any sanction imposed against a business associate should be retained by the Privacy Official for the minimum retention period.
Revised 05-06-05