Standard for HIPAA Discipline & Mitigation
Purpose
Ohio University will apply appropriate discipline against any employee, student, or agent who violates its privacy practices.
Scope
This standard will apply to all Ohio University operating units that store, process, or transmit PHI.
Standard
- If a member of the Ohio University staff knows that an employee, student, or agent of Ohio University or a business associate of Ohio University has used or disclosed Protected Health Information (PHI) in a way that violates the HIPAA privacy regulations, Ohio University’s Notice of Privacy Practices, or Ohio University’s HIPAA standards and procedures, he or she will notify the HIPAA Privacy Officer.
- The HIPAA Privacy Officer will direct, to the extent practicable, mitigation of the harmful effects of a violation of which he or she becomes aware.
- Discipline will be imposed upon any employee, student, or agent who violates the HIPAA privacy regulations, Ohio University’s Notice of Privacy Practices, or Ohio University’s HIPAA standards and procedures.
- The HIPAA Privacy Officer will determine, on a case-by-case basis, appropriate discipline based on the nature of the violation, its severity, and whether it was intentional or unintentional.
- Discipline will be imposed in accordance with Ohio University’s discipline process for staff, students, and agents as applicable, which may include but not be limited to verbal warnings, written warnings, probationary periods, suspension or termination of employment.
- No discipline will be imposed upon an employee, student, or agent as a result of filing a complaint regarding any violations of the HIPAA privacy regulations, Ohio University’s Notice of Privacy Practices, or Ohio University’s HIPAA standards and procedures.
- Any discipline will be documented and retained for a period of six (6) years, or longer if required by Ohio University’s record retention guidelines.
References
- 45 CFR § 164.530 (j)
- Policy 03.001 General Policy on Health Insurance Portability and Accountability Act (HIPAA)
- Policy 91.005 Information Security
- Policy 93.001 Data Classification
- Ohio University Provider HIPAA Privacy Standards and Procedures
- Ohio University Health Plan HIPAA Privacy Standards and Procedures
Governance
This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders, in the interest of ensuring the privacy and security of individuals’ health information, as deemed appropriate based on current regulatory requirements.
Status: Approved
Effective: September 24, 2019