Privacy and Information Security Sanction Policy

Investigation

The Chief Privacy or Security Officer will investigate reported violations of Privacy and/or Information Security policies or the HIPAA Rules with the assistance of the workforce member’s department, General Counsel, and others as deemed necessary. Investigations may include interviews of complainant, patients or staff, review of work schedules, auditing electronic information systems, medical information reviews, and other related processes or documents.

If it is confirmed that a violation has occurred, the findings of the investigation, with a recommendation in accordance with this policy, including potential mitigating factors, will be reviewed with the sanctioning authority as identified above to make the final determination of appropriate sanction(s).

The Sanctions Review will include the Chief Privacy Officer, Chief Human Resources Officer, Faculty Affairs or Student Dean and department administrator as appropriate. Office of General Counsel will provide legal or regulatory guidance, including potential financial and legal exposure associated with any disciplinary decision.

Sanctions as a Result of a Violation

Sanctions as a result of a violation of CUHC Information Security or Privacy policies or the HIPAA Rules shall be imposed consistently across the organization. Sanctions shall be appropriate to the severity of the infraction and may take into account aggravating and mitigating factors, including but not limited to the following:

• unintentional vs. deliberate violation
• good faith vs. harmful intent
• workforce member promptly reported the breach or violation when detected/identified and cooperated with the investigation
• number of individuals affected
• potential risk to the individuals affected and Columbia
• repeated vs. first such violation by the workforce member

Sanction Guidelines

To assist in determining the significance and impact of a violation, four (4) categories of potential violations, including examples of violations and appropriate disciplinary actions for each category, are identified below. This is not an exhaustive list. Review the relevant Privacy and Information Security policy for additional information.

1. Category 1: Unintentional violation caused by carelessness, lack of adequate training or human error
   • Example Violations: Accidental or Inadvertent Violation
     • Fax, mail or email to the wrong patient
     • Leaving paper documents unsecured
     • Leaving computer workstations or IT application with PHI/sensitive data open and unattended
     • Discussing confidential patient information in a public area or in an area where the public can overhear the conversation
     • Sending PHI to the wrong address or patient
     • Leaving detailed PHI on an answering machine
     • Disclosing PHI without verifying identity of requestor
   • Example Actions:
     • Mandatory remedial education course
       Verbal or written warning
       Note: A second occurrence of such a violation or a single occurrence that results in the misdirection of numerous patient records should be treated as a Category 2 violation
2. Category 2: Violations attributed to poor job performance or failure to understand/follow policies
   • Example Violations: Failure to Comply with Privacy and Information Security policies and procedures:
     • Releasing PHI without proper patient authorization
     • Failure to safeguard portable devices
     • Sharing user ID and/or passwords
     • Transmitting PHI using an unsecured method
     • Improper disposal
     • Failure to report a privacy or security violation
     • Failure to follow other security policies
   • Example Actions:
     • Written warning
     • Mandatory remedial education course
     • Additional sanction if appropriate
     • Note: A second occurrence of such a violation or a single occurrence that results in the misdirection of or risk to numerous patient records should be treated as a Category 3 violation
3. Category 3: Intentional violation due to curiosity or failure to understand access/authorization
   • Example Violations: Deliberate or purposeful violation without harmful intent:
     • Unauthorized access of CUHC records without a business need, without harmful intent
     • Accessing/sharing PHI of a co-worker and patient with a friend or family member of the patient, where all parties are genuinely concerned about the patient
     • Posting PHI to a social media account without written authorization using the CUIMC HIPAA Media Authorization form
     • Taking a photograph or video of a patient for personal use and without proper written authorization
     • Discussing confidential information with an unauthorized person including on messaging platforms (e.g., WhatsApp)
     • Disclosing PHI to the media
   • Example Actions:
     • Final written warning
     • Mandatory remedial education course
     • Suspension
     • Termination, depending on the circumstances
4. Category 4: Intentional violations causing patient or organizational harm
   • Example Violations: Willful unauthorized disclosure of and/or access to PHI with malicious or harmful intent:
     • Unauthorized access or disclosure of PHI for identity theft, fraud, or other intent to use or sell for personal or financial gain
     • Unauthorized access of PHI to use against the patient in a dispute, revenge, legal proceeding or to otherwise extort, embarrass or humiliate a patient or a friend or family member of the patient
   • Example Actions:
     • Termination

In addition, these guidelines apply to all categories of sanctions:

• The mandatory remedial education course must be completed within 14 days of the issuance of sanction.
• A subsequent violation after receiving a final written warning should result in termination.
• No penalty involving dismissal or other serious sanctions may become effective except in accordance with the provisions of the University’s Code of Academic Freedom and Tenure
• The sanctions imposed may be one or more from the relevant category.
• In addition to any sanctions imposed, the workforce member may be reported to the appropriate licensing board, if required and as appropriate. Reports to law enforcement may be warranted and appropriate depending on the nature of the violation.

Documentation of Sanctions

Documentation of sanctions will be maintained by the Chief Privacy Officer and reported to the Response Team as required. Documentation of sanctions will be maintained for a minimum of six years.

Workforce members are prohibited from retaliating

Workforce members are prohibited from retaliating against a workforce member who acts in good faith to report a practice they believe is unlawful, in accordance with the Columbia University Non-Retaliation Policy. In addition, no sanction may be applied against a workforce member on the basis that he/she:

• Believes in good faith that CUHC has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by CUHC potentially endangers one or more patients, workers, or the public, and the disclosure of PHI is to:
  • A Health Oversight Agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of CUHC;
  • An appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by CUHC; or
  • An attorney retained by or on behalf of the workforce member for the purpose of determining the legal options of the employee with regard to potential privacy violations or other misconduct.

Individuals who are suspected of retaliating against a workforce member will be subject to disciplinary action up to and including termination.

Responsibilities

The Privacy Office, Office of Information Security, Human Resources, Faculty Affairs, and General Counsel

• Educate workforce members about policy
• Investigate policy violations
• Establish sanctions in consultations with HR, OGC, Faculty Affairs, CPO and CISO
• When a student is the subject of a Privacy or Information Security investigation the designated Student Dean will be notified and participated in the investigation and, if required, determine the appropriate sanction for the student.

Definitions

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

HIPAA Rules means the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act and related regulations.

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.

Workforce includes faculty, staff, students and other individuals whose conduct, the performance of work for CUHC is under the direct control of CUHC.