Each organization, Medical Center (209), UVA Academic Agency (207), and University Physicians Group (UPG), must have a formal, documented process for applying appropriate sanctions to workforce members who do not comply with these security policies and procedures. Sanctions must be commensurate with the severity of the non-compliance.
Employees of third-party vendors and contractors with access to EPHI must comply with all applicable security policies and procedures. (See Medical Center Policy No. 0013: Vendor, Sales and Service Representatives.) Those employees found in violation will lose all electronic access and will be reported to their applicable contract administrator for follow-up.
Additional Policies and Resources:
Human Resources Policy No. 707: Violations of Confidentiality
University of Virginia Policy IRM 003: Data Protection of University Information
Institutional Data Protection Standards
Summary of HIPAA Privacy Rule
Summary of HIPAA Security Rule