DHHS Home Page NC DHHS On-Line Manuals  
     DHHS Manual Home Manual Admin Letters Change Notices Archive Search Index Help Feedback

Previous PageTable of ContentsNext Page

DHHS POLICIES AND PROCEDURES

_______________________________________________________________________________________________________________

Section VIII:

Privacy and Security

Title:

HIPAA Violation Sanction Policy

Current Effective Date:

July 2, 2013

Revision History:

 

Original Effective Date:

 

_______________________________________________________________________________________________________________

Purpose

The North Carolina Department of Health and Human Services (NC DHHS) has adopted this Sanctions policy in order to comply with our duties under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA requires that covered entities have and apply appropriate sanctions against members of their workforce who fail to comply with the requirements of the Rule (45 CFR SS 164.530(e)(1)). Any employee, volunteer, intern or business associate of the DHHS who works for a division/office that is a covered entity or a hybrid entity, under the definition of HIPAA, must also review and sign the Department’s HIPAA Sanctions Policy.  DHHS shall impose appropriate measures, including disciplinary measures on any workforce member who violates this policy. Sanctions will be determined on a case by case basis, consistent with DHHS policies and procedures on disciplinary actions.

Policy

The NC DHHS has adopted a HIPAA privacy and security policy that requires the NC DHHS, its officers, employees and agents to protect the confidentiality and integrity of medical information relating to the public. Client and/or employee protected health information (PHI) will be considered confidential, and may not be used or disclosed except to authorized users for approved purposes. DHHS will investigate any violations of this policy and will impose disciplinary measures, up to and including dismissal on any workforce member who violates this policy. Violations and any subsequent disciplinary action shall be documented and reported to the appropriate human resources (HR) manager, the entity’s Privacy Officer and a copy of such documentation shall be maintained in the workforce member’s personnel file in accordance with DHHS policies and procedures on disciplinary actions.

Exceptions

Sanctions will not be applied to disclosures by employees who are acting in the capacity of a whistleblower or who are victims of a crime, or where the totality of the circumstances do not warrant sanctions.

Implementation

Violations of the HIPAA Privacy and Security Policy include, but are not limited to:

  1. Accessing PHI data that you do not need in order to perform your work functions;

  2. Discussing confidential information with an unauthorized individual;

  3. Failing/refusing to cooperate with an investigation by the division/facility Privacy and Security officer or the DHHS Privacy and Security officer;

  4. Copying PHI without authorization;

  5. Unauthorized disclosure or use of PHI;

  6. Unpermitted use of another person’s computer access in order to obtain PHI;

  7. Obtaining PHI under false pretenses; and

  8. Using and/or disclosing PHI for commercial gain, advantage or malicious harm;

  9. Retaining PHI for commercial gain, advantage or malicious harm.

Violations of the DHHS HIPAA privacy and security policy may be considered unacceptable personal conduct as defined by the North Carolina State Personnel Manual, and may result in disciplinary action up to and including dismissal. Violations may also carry federal civil and/or criminal penalties, and state criminal penalties.

HIPAA VIOLATION SANCTION POLICY/ACKNOWLEDGEMENT OF RECEIPT

I, the undersigned, hereby acknowledge receipt of a copy of the HIPAA Violation Sanction Policy for DHHS.

Dated this _____ day of _____________________, 20 ____.

____________________________________   _____________________________________
Signature   Organization

cc: Personnel File

Previous PageTop Of PageNext Page



 

     DHHS Manual Home Manual Admin Letters Change Notices Archive Search Index Help Feedback