Sanctions for Violations

Op10.03-18 Sanctions for Violations

Applies to the Administrative Requirements of the Health Insurance Portability and Accountability Act of 1996. 45 CFR 164.530(c)


Members of Missouri State University’s workforce authorized to access PHI have a responsibility to limit their uses and disclosures to those that are permitted by the participant (authorization) or under the Privacy Rule and to limit their uses and disclosure to those that are appropriate for their specific position responsibility. Persons who are authorized to use or disclose information also have the responsibility to safeguard access to this information. Individuals who fail to uphold these responsibilities will be sanctioned.


  • Individuals who perform Employee Benefit Plan functions are provided with training and retraining as necessary to ensure they understand the Employee Benefit Plan's privacy policies and procedures, the requirements of the Privacy Rule and the expectation that they will comply with them.
  • Sanctions are applied against any workforce member who violates the Employee Benefit Plan's privacy policies and procedures or the Privacy Rule.
  • Appropriate sanctions are determined based on the nature of the violation, its severity and whether it was intentional or unintentional. Examples:
    • Carelessness. This level of breach occurs when a person unintentionally or carelessly reveals health information to him/herself or others without a legitimate need to know the patient information. Examples include, but are not limited to: discussing health information in a public area; leaving a copy of health information in a public area; leaving a computer unattended in an accessible area with unsecured health information.
    • Curiosity or Concern (no personal gain). This level of breach occurs when a person intentionally accesses or discusses health information for purposes other than treatment, payment, or health care operations or other authorized purposes but for reasons unrelated to personal gain. Examples include, but are not limited to: looking up birth dates or addresses of friends or relatives without proper authorization.
    • Personal Gain or Malice. This level of breach occurs when a person accesses, reviews, discusses, or distributes patient information for personal gain or with malicious intent. Examples include but are not limited to: compiling a mailing list for personal use or to be sold; inappropriately providing information to the media.
  • Sanctions may include verbal warnings, written warnings, probationary periods or termination.
  • Any sanctions applied are documented and retained for a period of six (6) years.
  • Sanctions are not applied against workforce members who lodge a complaint with any entity regarding a privacy violation or who refuse to follow a policy or procedure that they believe, in good faith, violates the Privacy Rule.
  • When a breach of privacy/confidentiality occurs, the Employee Benefit Plan with the assistance of the Privacy Official and Director of Human Resources will mitigate, to the extent practicable, any harmful effect known to result from the breach. This sanction policy is part of the mitigation process for the Employee Benefit Plan.

Effective Date: April 14, 2003