The goal of this standard is to outline and provide guidance for times when a privacy violation occurs and how to approach the disciplinary action that may result from the violation. Disciplinary actions may vary depending on the severity of the violation, other related facts of the incident and level of an employee or contractor’s failure to comply with Tenet’s Information Privacy and Security Program policies, Tenet’s Standards of Conduct, applicable state privacy laws and federal privacy laws. Any reported or suspected privacy violations will be investigated in accordance with organizational practices.
Contact the facility HR officer or Tenet Labor Relations for employees covered by a collective bargaining agreement (CBA) as it relates to disciplinary actions.
- Verbal Counseling/Coaching
- Verbal Counseling/Written
- Written Warning
- Final Written
- Decision Making Leave/Suspension
- Termination
- Severity Level I
- Leaving documents containing PHI in public areas
- Leaving computer screen unattended with unsecured PHI in accessible area
- Discussing PHI in public areas with colleagues in a volume higher than needed
- Discarding PHI into the trash instead of a secure shred container
- Authorized texting of patient identifiable info, images or PHI to an unauthorized party
- Other violation resulting from unintentional error or oversight
- Severity Level II
- Sending PHI via mail, facsimile or electronic mail to incorrect location/recipient
- Accidental electronic transfer/e-mail of patient data to unintended vendors
- Employee access, view or retrieval of PHI via Cerner, HPF or other electronic systems for personal reasons
- Entering information into a patient’s account/medical record for the wrong patient
- Allowing co-worker to use your workstation/log-in credentials, sharing passwords or other log-in credentials
- Accessing paper or electronic medical record of a family member or friend to print their results for them
- Inadvertent disclosure of PHI to the incorrect patient
- Discussing PHI with colleagues or vendors that do not need to know
- Discussing PHI with family or visitors of the patient without first letting the patient consent or object to disclosure
- Loss of paper records, laptop, computer, BlackBerry, iPhone, iPad, flash drive, unsecured assets or any electronic device that contains PHI
- Repeated Level 1 violations
- Severity Level III
- Accessing medical records of a patient when you are not a member of the treatment team or do not have an operational, billing entry or coding purpose
- Knowingly and intentionally releasing PHI to unauthorized individuals without the patient’s consent
- Releasing parts of a patient’s medical record/prescription information to non-intended recipient
- Posting patient information, images or PHI on social media web sites
- Repeated Level 2 violations
- Severity Level IV
- Accessing medical records of a patient, family member, co-worker or other member of the public for personal gain
- Selling, releasing, or otherwise disclosing for personal gain or with malicious intent
- Accessing PHI to compile a mailing list for personal use or to sell
- Taking a laptop or patient file that contains PHI for personal use or to sell
- Stealing any Tenet asset that contains PHI
- Unauthorized texting of patient identifiable info, images or PHI intentionally to an unauthorized party
- Repeated Level 3 violations
- Severity Level 1
- Verbal warning/coaching and documented on a performance improvement plan
- Severity Level 2
- Written warning and documented on a performance improvement plan
- Severity Level 3
- Final written warning and a three-day suspension without pay
- Severity Level 4
- Immediate termination of employment and civil or criminal penalties initiated by the organization or an external agency
- Is this a repeat occurrence for this employee?
- Did the employee complete privacy training within the last year?
- Was the violation intentional or accidental?
- Did the employee fail to self-disclose?
- Does this employee have other documented performance issues?
- Performance Management Actions
- May include mandatory re-education, suspension/termination of employment, reporting to authorities and reporting to licensing/certification and registration agencies
- Facility HR
- Assists and guides Leadership, Supervisors and Employees
- Facility Supervisor
- Consults with HR to consistently enforce disciplinary actions for involved employees
- Recommended Disciplinary Action
- May result in a verbal warning/coaching documented in personnel file.
- Scenario 1
- You leave a hard copy or electronic screen shot of patient information in an area which is readily accessible for review by unauthorized personnel, patients or the public (assuming no one saw the PHI).
- Scenario 2
- You are a nurse and a patient comes to you upset and alleges that another nurse on your floor has inappropriately gossiped about the patient’s substance abuse treatment with another nurse.
- Recommended Disciplinary Action
- May result in a written warning documented on a performance improvement plan.
- Scenario 1
- You receive a call from a physician’s office stating that the office just received a fax from your department containing information of a patient that is not their patient.
- Scenario 2
- You work in the business office and you receive a call from a patient stating that they not only received their bill, but also the bill of another patient. The bill contains medical information as well as patient account information.
- Scenario 3
- You are contacted by a patient who states they were recently discharged from the hospital and when they arrived home they noticed the nurse provided them with another patient’s discharge instructions.
- Scenario 4
- A family member of an employee needs his son’s immunization history before he can attend school. He appeals to you to look it up. You search the medical record to get the information.
- Recommended Disciplinary Action
- May result in a final written warning and a three-day suspension without pay.
- Scenario 1
- You work in Patient Access and know that an adult member of your family (e.g. your spouse and/or adult child) visited the Emergency Department. Curious about your relative’s diagnosis and treatment, you access their PHI using the electronic medical record system.
- Scenario 2
- You notice a note on your manager’s desk from a coworker requesting time-off for a medical procedure. To relieve your co-workers’ anxiety about the pending exam, you access her medical record to ensure she is okay. Relieved that it was nothing serious, you tell your coworkers about the procedure and that there is nothing for them to worry about.
- Recommended Disciplinary Action
- May result in immediate termination of employment.
- Scenario 1
- You are related to a patient that has expired in the ER. You do not work in ER but have access to HPF. You access HPF documents, including physician notes, copy them and give to an attorney looking for evidence of malpractice.
- Scenario 2
- You share information on a patient’s medical condition, room location, family contacts or personal history with unauthorized personnel, the public, the press or investigative personnel.