Section 31 : Discipline and Dismissal; Non-retaliation
Violation of the University’s HIPAA Privacy Policies or the HIPAA Privacy Rule is unacceptable conduct. Individuals who commit such violations are subject to sanctions in accordance with this policy.
a. The Sanction Process
Sanctions for violations of the University’s HIPAA Privacy policies and procedures by faculty or staff shall be imposed by the University in accordance with its employment policies and procedures for faculty and staff, as applicable; and in the case of violations committed by a student member of the workforce, in accordance with University policies and procedures for student discipline. The Callier Center Executive Director and Privacy Officer shall review and determine all sanctions to be imposed on volunteers.
b. Potential Sanctions
Sanctions shall take into account the nature and severity of the violation and may range from a written reprimand to termination, or in the case of students, suspension or expulsion.
c. When Sanctions Shall and Shall Not Be Imposed
1.Persons may be subject to discipline, up to and including termination of employment, for violations of either (i) the HIPAA Privacy Standards or (ii) the policies and procedures set forth in this Manual. Managers or supervisors may also be subject to discipline, up to and including termination of employment, if their lack of diligence or lack of supervision contributes to a subordinate’s privacy violation.
2. A person shall not be subject to discipline as a result of performing one or more of the following:
i. Filing a complaint with the Secretary for suspected violation of the HIPAA Privacy Standards;
ii. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing in connection with the “Administrative Simplification” provisions of HIPAA;
iii. Opposing any act or practice made unlawful by the HIPAA Privacy Standards, provided that (I) the person has a good faith belief that the practice opposed is unlawful; and (II) the manner of the opposition is reasonable and does not involve a Disclosure of PHI in violation of the HIPAA Privacy Standards;
iv. Disclosing PHI if (I) the person believes in good faith either that University has engaged in conduct that is unlawful or otherwise violates professional or clinical standards or that the care, services, or conditions provided by University potentially endanger one or more Individuals, workers, or the public; and (II) the Disclosure is either to a Health Oversight Agency or Public Health Authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of University, to an attorney retained by or on behalf of the individual for the purpose of determining the person’s legal options with regard to the relevant conduct of persons, or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by University; or;
v. Disclosing PHI to a law enforcement official in compliance with this Manual.
The University shall document all sanctions it imposes and retain such records in a designated file for a minimum of six years in addition to any documentation required by other University employment or student disciplinary records.
UT Dallas will comply with the appropriate faculty, staff, volunteer, and student policies when mitigating violations of the HIPAA Privacy Manual.
Business Associates will be required to follow their own policies with respect to violations committed by their Workforce member and take any other necessary steps to ensure their compliance with the HIPAA Privacy Rule and the Business Associate Agreement in place between the University and the Business Associate (as applicable).