In accordance with the Health Insurance Portability and Accountability Act (HIPAA) Security Final Rule and HIPAA Privacy Final Rule, all Medical Center workforce members with access to Electronic Protected Health Information (EPHI) must comply with all applicable security policies and procedures


To provide information on the process that all organizations within the University must follow regarding sanctions of its workforce members.


This guideline applies to the Health System, UVa Academic Agency and University Physicians Group.


Each organization, Medical Center (209), UVA Academic Agency (207), and University Physicians Group (UPG) must have a formal, documented process for applying appropriate sanctions to workforce members who do not comply with these security policies and procedures.  Sanctions must be commensurate with the severity of the non-compliance with the security policies and procedures.

Employees of third party vendors and contractors with access to EPHI must comply with all applicable security policies and procedures. (See Medical Center Policy No. 0013: Vendor, Sales and Service Representatives) Those employees found in violation will lose all electronic access, and will be reported to their applicable contract administrator for follow-up.

Additional Policies and Resources:

Human Resources Policy No. 707: Violations of Confidentiality

University of Virginia Policy IRM 003: Data Protection of University Information

University Data Protection Standards

Summary of HIPAA Privacy Rule

Summary of HIPAA Security Rule

Document Supporting Resources