Graduate Medical Education


Graduate Medical Education Policies and Procedures

Policy on HIPAA and Computer Security Violations Disciplinary Guideline

This policy provides guidelines to program progress committees for managing residents who are not compliant with Health Insurance Portability and Accountability Act (HIPAA) requirements governing the confidentiality of protected health information (PHI). Protected health information is confidential and protected from access, use, or disclosure except to authorize individuals requiring access to such information. Attempting to obtain or use or assisting others to obtain or use PHI, when unauthorized or improper, will result in disciplinary action up to and including termination from the Residency Program. The University and its related institutions cannot tolerate the intentional or the unintentional breach of PHI security.

The four (4) levels of violations and associated corrective actions, arranged in order of increasing severity, and are outlined in the attached chart.

As residents-in-training are also bound to the HIPAA and/or Computer Security Violation policies of major affiliated institutions, a resident excluded from computer use at any one of these affiliated institutions will be unable to function as a resident physician and will be suspended from the program pending any further appeal.


PHI = Protected health information including all forms of patient-related data including demographic information. See the attached table.

Level of Violation


Minimum Disciplinary/Corrective Action

Level 1

  • Discussing PHI in a non-secure area (lobby, hallway, cafeteria, elevator)
  • Repeated episodes of failure to log off computers with PHI.

Oral warning from Site Coordinator or Associate Program Director, and note to Program Director and copy to Designated Institutional Official (DIO) for GME.


Level II

  • Requesting another individual to inappropriately access patient information
  • Accessing patient information without a legitimate reason
  • Password sharing
  • Signing on or allowing another person to use his/her code
  • Using another co-worker's access code without the co-worker's authorization

Written warning from Program Director and copy to Designated Institutional Official (DIO) for GME. Review by Residency Program Progress and Promotions Committee (RPPC).

Level III

  • Release of data for personal gain
  • Destroying or falsely altering data intentionally
  • Releasing data with the intent to harm an individual or the institution

Written notification of probation by Program Director and notification of Designated Institutional Official (DIO) for GME, for possible termination of computer access. Review by RPPC.

Level IV

  • Level I - III or where evidence clearly establishes malicious intent.
  • Second violation of Level I - III or repeated violation of Level I.

Written notification of suspension by Program Director and copy to Designated Institutional Official (DIO) for GME. Review by RPPC.

Approved by GMEC: 3/28/2014