System is a Texas state agency and has adopted policies that direct the mechanism by which System employees may be disciplined. System will utilize the System policies and procedures for the imposition of sanctions it is required by HIPAA to impose for failure to comply with the HIPAA Privacy Standards or the policies and procedures set forth in this Manual. Sanctions shall not be imposed upon persons who Disclose PHI in furtherance of compliance with the HIPAA Privacy Standards. System shall never discipline or sanction an employee for reporting a HIPAA violation or a violation of this Manual.
8.5(1) Individuals Who May Be Subject to Sanctions
Employees, volunteers or other individuals considered part of the Health Care Components Workforce may be subject to sanctions under this Section. Independent contractors are not considered members of the Health Care Components’ staff and are therefore not subject to discipline under this Section.
8.5(2) Types of Sanctions.
Sanctions shall be imposed upon employees who violate these policies in accordance with the applicable System employee disciplinary policies and procedures.
Volunteers or other Workforce members who are not subject to System’s employee disciplinary policies shall receive a reprimand, retraining or both if the violation was (i) not intentional; (ii) the result of inadequate training; (iii) resulted in no actual harm; (iv) and/or the violation is such that it is reasonably likely that the Workforce member can avoid future violations. For a violation involving any other factors or a subsequent violation, the Workforce Member shall be permanently prohibited from any further access to any System PHI in that person’s capacity as a volunteer or other non- employee Workforce member. Such persons have no right to appeal a sanction.
8.5(3) Parties Responsible for Imposing Sanctions
The official imposing the sanction must have, or act in consultation with the Privacy Officer or others who have sufficient knowledge of the HIPAA Privacy Standards to assess the extent and impact of any violations that have occurred. All other sanctions shall be imposed by the Privacy Officer in consultation with the director of the office utilizing the volunteer or other Workforce Member that committed the violation.
8.5(4) Considerations in Imposing Employee Discipline for A HIPAA Violation
In addition to other factors that must be considered under System’s applicable disciplinary policies, System must take into consideration the circumstances surrounding the violation and the best way to ensure that System remains in compliance with the HIPAA Privacy Standards and that Individual’s HIPAA rights are protected.
8.5(5) When Violations Will Prompt Consideration of Disciplinary Action
8.5(6) Existence of Appeal Process
In the event that a sanction triggers any process of appeal under the applicable System employee disciplinary policies and procedures such process shall be made available to the employee. However, in the event that the party hearing the appeal is not authorized by this Manual and or the HIPAA Privacy Standards to have access to PHI, the identity of the individual whose privacy rights were violated shall be removed to the extent feasible or, if that is not possible, other measures must be taken to ensure HIPAA compliance prior to providing the party with PHI.
8.5(7) Documentation of Disciplinary Actions
45 C.F.R. §§ 164.502(j), 164.512(f)(2)(i), 164.530(e), (g)
65 Fed. Reg. at 82,501-02, 82,562, 82,636-37, 82,747 (Dec. 28, 2000)