Healthcare Privacy and Information Security Sanctions Policy

PRINT DISCLAIMER: Official version of this document is accessible in the online policy library at https://policyoffice.ku.edu/. Printed copies may not reflect the most recent updates.

DOCUMENT TYPE:

Policy

PURPOSE:

To establish the framework and define the sanctions that may be imposed for violations of University policies and procedures related to the Health Insurance Portability and Accountability Act (HIPAA), healthcare privacy, and information security.

APPLIES TO:

Workforce members: University employees, volunteers, students, trainees, and other persons whose conduct in the performance of work for the University is under the direct control of the University in its capacity as a healthcare provider or as a HIPAA covered entity or business associate of a HIPAA covered entity.

CAMPUS:

Lawrence, Edwards, Leavenworth, Juniper Gardens, Parsons, Pittsburg, Salina (KUL), Topeka, Wichita (KUL), Yoder, Medical Center (KUMC), Salina (KUMC), Wichita (KUMC)

DEFINITIONS:

Health Insurance Portability and Accountability Act (HIPAA): The Health Insurance Portability and Accountability Act of 1996, including its implementing regulations that govern the privacy and security of protected health information (PHI).

Individually Identifiable Health Information (IIHI): Information, including demographic data, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for health care, and that identifies the individual or can reasonably be used to identify the individual.

Protected Health Information (PHI): Individually identifiable health information held or transmitted by a HIPAA-covered entity or its business associate, in any form or medium—electronic, paper, or oral. For a hybrid entity like the University of Kansas, PHI refers to IIHI created, received, maintained, or transmitted by its HIPAA-covered components, or by University units acting as business associates in support of those components or external HIPAA-covered entities.

POLICY STATEMENT:

The University of Kansas (KU) is dedicated to protecting the privacy and security of individually identifiable health information (IIHI), including protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. All workforce members may be subject to sanctions for failure to comply with KU privacy and information security policies, as well as HIPAA, where applicable. Sanctions may include, but are not limited to, disciplinary action and/or termination.

Reporting

Workforce members must promptly report any suspected or known violations of HIPAA requirements or violations of University privacy and information security policies and procedures, including but not limited to the related policies identified in this policy. Reports should be directed to the University Privacy Officer, submitted through the institutional compliance hotline, or made to the relevant campus Information Security Office in accordance with its incident response policy.

Examples of Policy Violations:

Access Violations

  • Accessing a patient’s IIHI without a legitimate work-related reason (e.g., looking up a colleague’s records).
  • Viewing IIHI for a family member or friend without authorization.
  • Sharing login credentials or using someone else’s access to view IIHI.
  • Failing to log out of a system that displays IIHI, allowing others to access it.

Use & Disclosure Violations

  • Emailing IIHI to the wrong recipient.
  • Sending IIHI to a personal email account or personal device.
  • Sharing IIHI with unauthorized individuals.
  • Discussing IIHI in hallways, elevators, or public areas.
  • Posting or referencing IIHI on social media, even indirectly.
  • Releasing IIHI without proper patient authorization or outside minimum necessary use.

Security & Safeguards Failures

  • Losing a device (laptop, phone, USB drive) that contains unencrypted IIHI.
  • Improperly disposing of printed IIHI, such as throwing it in regular trash instead of shredding.
  • Leaving printed or digital IIHI unattended in public or shared areas.
  • Using insecure methods (such as regular text messages or unencrypted email) to transmit IIHI without proper patient authorization.

Intentional Misconduct

  • Willful disclosure of IIHI (e.g., selling Social Security numbers or diagnosis data).
  • Using an individual’s IIHI to retaliate against them.
  • Falsifying or altering records that contain IIHI for personal or financial gain.
  • Accessing IIHI after employment termination or without proper authorization.

Sanctions

Violations of HIPAA requirements or University privacy and information security policies and procedures—including, but not limited to, the related policies identified in this policy—may result in sanctions determined on a case-by-case basis with consideration of the following factors:

  • The severity of the violation;
  • Whether the violation was intentional;
  • Whether the violation indicates a pattern or practice of improper use or disclosure of confidential information; or
  • Other relevant considerations.

Investigation Process

Upon receiving a report of a suspected or known violation of privacy or information security, the Privacy Officer and the appropriate University of Kansas campus Information Technology Security Office initiate a coordinated investigation of the incident. At the conclusion of the investigation, the Privacy Officer informs the relevant supervisor of the outcome and provides recommendations and requirements for any corrective or remedial action, if appropriate. Supervisors must work with Human Resources to determine appropriate sanctions and implement any recommendations or requirements resulting from the investigation.

Regardless of whether a sanction is imposed, the Privacy Officer may assign corrective or remedial actions, including re-training, as part of a corrective action plan. Such training may be delivered through a University-approved learning management system, through training provided externally by a vendor or sponsor approved by the Privacy Officer, or through other methods deemed appropriate by the Privacy Officer.

Some violations may require notification to federal or state agencies or other regulatory bodies, which may result in additional corrective actions.

Any student who violates this policy may be subject to disciplinary action in accordance with the Code of Student Rights and Responsibilities (for the Lawrence campus) or other applicable student conduct policies or procedures in place at the University of Kansas Medical Center.

Retaliation

In accordance with the Whistleblower Policy, KU prohibits anyone from threatening, intimidating, coercing, or taking any retaliatory actions against individuals who, in good faith, make a report or participate in a review process under this policy. Individuals who take retaliatory action are subject to disciplinary action.

EXCLUSIONS OR SPECIAL CIRCUMSTANCES:

Dually employed faculty who jeopardize the privacy and security of protected health information (PHI) of The University of Kansas Health System (UKHS) may also be subject to sanctions under applicable and relevant UKHS policies. 

CONTACT:

University Privacy Officer
Office of Integrity & Compliance
University of Kansas
913-588-0940
Lawrence campus and all reporting units:
privacy@ku.edu
University of Kansas Medical Center and all reporting units:
compliance-kumc@kumc.edu

Chief Information Security Officer
Information Technology Security Office
University of Kansas
785-864-9003
itsec@ku.edu

RESPONSIBLE UNIT: 

Office of Audit, Risk & Compliance

APPROVED BY:  

Chancellor

APPROVAL DATE:  

10/29/2025

EFFECTIVE DATE:  

10/29/2025

REVIEW CYCLE:  

1 year

BACKGROUND:

45 CFR § 164.530(e)
45 CFR § 164.308(a)(1)(ii)(C)

RELATED STATUTES, REGULATIONS, AND/OR POLICIES:

University of Kansas Medical Center (KUMC Login Required)

Sensitive Information in Electronic and Paper-Based Systems

Breach of Protected Health Information Notification

Acceptable Use of Information Systems

Data Classification Policy

Use of Safeguards for Protected Health Information by (KUMC) Internal Business Support

RELATED PROCEDURES:

CR SOP HIPAA: Confidentiality, Privacy and Security of Data (KUMC Login Required)

CHANGE HISTORY:

10/29/2025: New Policy published in Policy Library.

TITLE: 

Healthcare Privacy and Information Security Sanctions Policy
