Health System updates disciplinary policy for protecting patient information

Starting March 15, the U-M Health System is implementing a newly revised disciplinary policy for violations of patient privacy and information security at our institution. The new policy language is based on the Medical Staff Policy that has been in place for the past six years and will be familiar to the medical staff and physician assistants.

UMHS is committed to consistently addressing violations of privacy and information security standards, and these revisions were put in place to meet this commitment. The revised policy outlines investigative and disciplinary action to enforce privacy and information security policies in order to promote the availability, confidentiality and integrity of UMHS restricted information. Doing so ensures compliance with state and federal laws and regulations – including the Health Information Portability & Accountability Act (HIPAA) – and upholds institutional principles.

The revised policy applies to all members of the UMHS workforce and to all patient information, whether in verbal, printed or electronic form, and whether individually controlled, shared or networked. Under the revised policy, disciplinary action determinations cannot be made solely by a supervisor or manager. All disciplinary action determinations must be made in consultation with the Office of Clinical Affairs and Human Resources, which will investigate all alleged violations.

The four levels of violations and their associated disciplinary actions are as follows:

Level 1: Unintentional Negligent or Careless Act – This level of violation occurs when a workforce member unintentionally or carelessly does something that leaves confidential information susceptible to being overheard, accessed, used by or disclosed to unauthorized individuals.
Disciplinary Action: Verbal coaching, or verbal warning with documentation.

Level 2: Negligent Act resulting from not following UMHS policy and procedures – This level of violation occurs when a workforce member takes an action that fails to comply with a privacy or information security procedure or policy, resulting in potential or actual unauthorized use of PHI or disclosure of information privacy or security.
Disciplinary Action: Written warning documented in appropriate employee file.

Level 3: Deliberate Unauthorized or Inappropriate Access or Use – This level of violation occurs when a workforce member deliberately accesses, uses or discloses confidential information or systems, without documented authorization to do so, generally out of curiosity or concern, for reasons other than personal gain or malicious intent.
Disciplinary Action: Corrective action up to and including probation or disciplinary lay off.

Level 4: Intentional Blatant Disregard for Confidentiality – This level of violation occurs when a workforce member accesses, uses or discloses confidential information for personal use or gain or with malicious intent, or fails to comply with information security safeguards, resulting in loss of availability, integrity and confidentiality of systems or data.
Disciplinary Action: Corrective action up to and including termination of clinical privileges or discharge from non-clinical position.

How can you report a suspected PHI violation?
All actual or even suspected patient privacy and information security violations must be reported to the UMHS Compliance Office. Reporting can be made directly to the UM Compliance Hotline at 1-866-990-0111, to the UMHS Compliance Office (phone 615-4400 or e-mail), or through your manager.

What are some examples of privacy violations?
The UMHS Compliance Office website contains a lot of information about HIPAA privacy, actions that violate HIPAA, and information security requirements.

How can I protect patient data?
Read this Health System Headlines article on securing your smartphone, tablet and other devices. More tips are available in the articles "Loose Lips Sink Ships—Protect patient information" and "What are you using to store patient information or other sensitive data?"

For additional resources, including process documents, FAQs, Discipline Grid, Supervisor tips and the entire revised policy, visit the Human Resources site, or search Policy 01 04 390 from the Internal Home Page.