Corporate Risk and Compliance: Theory and Practice

Hypo: Should we use zero tolerance?

Facts: You are the CCO at a large hospital. The hospital has suffered a number of brand hits lately due to privacy breaches, and the CEO has communicated a very strong “zero tolerance” policy for any privacy breach.

An administrative assistant recently posted a picture of some Valentine flowers on her Facebook page and inadvertently had a computer screen in the background showing the scheduling information for 2 patients. The screen showed their names and appointment times in the Oncology department.

Since the start of the “zero tolerance” policy a few months ago, you are aware of three enforcement actions related to privacy:

- One “serial breach” by a revenue analyst who accessed the records of 87 community members out of curiosity; the analyst was terminated.
- One physician who posted a negative story about a difficult patient, including PHI, to her Twitter account; she was provided “coaching.”
- One coordinator in a particularly short-staffed area who received a notice-level corrective action after mistakenly mailing 120 letters with scheduling information to the wrong addresses.

Prior to the “zero tolerance” approach, the hospital had very inconsistent precedent for privacy breach enforcement and did not have a strong “tone at the top” in compliance generally.

HR has asked that you provide a memo to the CHRO and CEO with your advice on this particular case. The CEO is the final decision-maker. This is a clear violation of HIPAA. The law and hospital policies prohibit posting of PHI to social media and require only “appropriate discipline.”