Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Sanctions
Policy Number: IS-09 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Revision Date: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Policy and Privacy Services Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Drexel University (DU) requires compliance with the HIPAA Privacy and Security Program. Any Workforce Member found to have committed an actual Violation or Violations shall be subject to appropriate disciplinary action.
Violation is an actual or suspected violation of any DU HIPAA Privacy and Security Program compliance policy.
Any Workforce Member who is found to have committed an actual Violation or Violations shall be subject to appropriate disciplinary action, including removal from the premises, termination of employment and legal action. The level of such disciplinary action shall be determined by the Supervisor after consulting with the HIPAA Security Officer and/or Privacy Officer, who may convene a panel of Administration and HIPAA Compliance Personnel in order to make a decision about appropriate discipline.
Discipline shall be based upon a number of factors including, but not limited to, the following:
- the nature of the Violation or Violations;
- the employee's level of intent in committing such Violation or Violations (e.g., negligent, willful); and
- special circumstances surrounding or contributing to the Violation or Violations.
The disciplinary action(s) that may be taken against a Workforce Member who is found to have committed a Violation are spelled out in the Human Resources Policy Manual and generally include:
- written reprimand (which shall be included in the employee's personnel file);
- suspension; and
- employment termination.
In addition to the disciplinary action(s) set forth above, and on the advice of legal counsel, DU may turn a Workforce Member who has committed a Violation over to the appropriate authority for criminal prosecution, as appropriate or as required by law.
In addition to DU disciplinary actions, the Workforce Member may be held directly liable under HIPAA for Violations.
B. Access Control
DU also has the authority to control or refuse access to e-PHI to anyone who violates these procedures or threatens the rights of other users or the availability and integrity of the systems and the information.
Actions that may be taken under this authority include:
- deactivating accounts, access codes or security clearances;
- halting unauthorized or disruptive processes;
- deleting unauthorized or inappropriate files; and
- disabling access to computing, networking, telephone and other information resources.
- The HIPAA Security Officer and Privacy Officer will investigate all reports of violations.
- Findings from this investigation will be given to the department administrator (or Chair) and Human Resources for appropriate action.
- Based on the findings of such investigation, the Security Officer and Privacy Officer, with the Office of General Counsel, as appropriate, will take remedial action to ensure (1) that the Violation ceases immediately, and (2) that the Violation will be prevented from occurring in the future.
- Issues regarding faculty or staff above the departmental administrator level will be discussed with the Senior Vice President of Health Sciences, the Dean, and Human Resources as may be deemed appropriate.
45 CRF §§ 164.308(a)(1)(i)(ii)(C); 164.530(e)
Cross References: HR-43, Performance Improvement Process; HR-48, Termination; IS-O1, Access to e-PHI on DU Information Systems
Back to Top