The “Security Management Sanction Policy” for Trillium, an Oregon community health plan with about 100,000 members, is at the bottom of this post. Companies like Trillium handle large amounts of sensitive health data, and under the federal HIPAA rules they must have a policy for disciplining employees who inadvertently or intentionally disclose that data to the wrong people. Trillium’s policy looks very standard: it defines categories of violations and lists sanctions for employees that escalate with the severity of the offense. To get fired for a first offense, you’ve got to do something pretty bad, like
“1.3.6. Using and/or disclosing PHI/Ph I for commercial advantage, personal gain or malicious harm”
University of Oregon Archives Director James Fox also had access to a lot of confidential information. So what got Fox fired?
In the letter below, Scott Coltrane says that Fox was fired because he broke UO policy – once – by allowing the archives to release documents from the UO President’s Office that should first have been “reviewed and sorted”. The counter-argument, of course, is that he was fired for doing his job as an archivist: making the presidential archives available to the public in a timely manner. We may never know which it was, because Coltrane still refuses to release the “independent” investigation report done by Amanda Walkup of Hershner Hunter.
It seems likely that under a typical HIPAA-compliant employment policy the punishment for James Fox would have been along the lines of a written reprimand, retraining, and a few days of unpaid suspension – even if confidential health records had been made public – which they were not.