Like most HIPAA-related questions, the answer to the question can I get fired for an accidental HIPAA violation is “it depends”. It depends on the nature of the violation, the consequences of the violation, and – most importantly – the content of your employer's sanctions policy.
When you work for a business that has responsibilities to maintain the privacy of Protected Health Information (PHI), you share the responsibilities with your employer. Usually, your responsibilities with regards to HIPAA compliance are outlined in your job description, and the way in which you fulfil your responsibilities is communicated to you via HIPAA training.
To dissuade you from failing to fulfil your responsibilities with regards to HIPAA, your employer is required to give you a copy of its sanctions policy. This document describes the sanctions that can be imposed on you for violations of HIPAA or violations of the policies and procedures put in place by your employer to ensure a HIPAA-compliant workforce.
Sanctions policies often distinguish between knowing HIPAA violations and accidental HIPAA violations. Nonetheless, whether or not you can get fired for an accidental HIPAA violation will likely be dependent on the nature of the violation, the consequences of the violation, and whether or not you have a history of accidental HIPAA violations.
The Nature of HIPAA Violations and Their Consequences
When a HIPAA violation happens, the consequences can vary considerably. For example, if a healthcare professional accidentally discloses more than the minimum necessary PHI in the course of a permissible disclosure, there may be no consequences at all. A colleague or supervisor may alert them to the violation, no further action is taken, and the violation never happens again.
However, if the same disclosure is overheard by a member of the public and they make a complaint to HHS' Office for Civil Rights, the agency may decide to investigate the complaint, and – if a HIPAA violation is confirmed – the healthcare professional's employer could be sanctioned. This would have repercussions for the healthcare worker as well – if only mandatory training.
As a further example, a member of the IT team accidentally deletes a database containing employees' usernames and passwords. This would be a violation of HIPAA with potentially serious consequences because HIPAA requires Covered Entities and Business Associates to implement access and authentication controls, and maintain audit logs on all access to ePHI.
Without the database of usernames and passwords, employees might not be able to access systems maintaining ePHI without creating new login credentials that are not recorded and therefore not monitored. However, on this occasion, a backup of the database exists, and the member of the IT team is able to restore the database with a minimal gap in accessibility.
Can I Get Fired for an Accidental HIPAA Violation?
Bearing in mind that the consequences of the violation will have an impact on how the seriousness of the violation is perceived, most accidental HIPAA violations are classed as Level 1 violations by employers. The sanction for a Level 1 violation is usually a verbal or written warning and retraining on the standard of HIPAA that was accidentally violated.
However, once an employee has been retrained, if the same violation is repeated it may not be perceived as an accidental violation. Many HIPAA Covered Entities perceive a repeat violation of HIPAA as a “purposeful disregard” of the business's HIPAA policies or Level 2 violation – for which the sanction could range from a final written warning to a suspension and further training.
In some employers' sanctions policies, a further violation of the same HIPAA standard after a Level 2 sanction has been imposed is classed as a “malicious disregard” of the business's HIPAA policies or Level 3 violation – for which the sanction would likely be termination of employment. Therefore, in this case, the answer to the question can I get fired for a HIPAA violation is “yes”.
How to Avoid Getting Fired for an Accidental HIPAA Violation
Although there is a very low likelihood an employee would get fired for a first or second accidental HIPAA violation, if the violations are repeated, there is a chance their employment could be terminated. Employees of Covered Entities and Business Associates can reduce the risk of getting fired for an accidental HIPAA violation by taking advantage of off-the-shelf HIPAA training.
Off-the-shelf HIPAA training does not cover each employer's policies and procedures, but it does give employees a better understanding of HIPAA, why the Privacy and Security Rules exist, and what their objectives are. While not guaranteed to prevent accidental HIPAA violations, completion of off-the-shelf HIPAA training demonstrates an employee is taking some responsibility for maintaining the privacy of PHI, which can be a mitigating factor if an accidental HIPAA violation occurs.