Human error makes mistakes hard to avoid, but can you get fired for an accidental HIPAA violation? Unfortunately, there is no straightforward answer to this question. Still, here we will outline some of the potential consequences that covered entities (CEs) or their Business Associates (BAs) face if their employees accidentally violate HIPAA.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), and its subsequent amendments, set out the standards and procedures necessary to safeguard any patient health information that contains one of the 18 HIPAA identifiers (rendering the information Protected Health Information, PHI). Without these protections, patient data could be used maliciously, potentially resulting in insurance fraud or leaving them vulnerable to identity theft.
This is why HIPAA violations, whether accidental or otherwise, are taken very seriously. An accidental HIPAA violation occurs when PHI is shared with, viewed by, or otherwise accessed by unauthorized individuals. There are a number of ways this could happen. If PHI is being transferred over email, the sender could send it to the incorrect recipient. Companies often have “bring your own device” (BYOD) policies, so employees use their personal devices in the workplace. If these devices have PHI stored on them and are stolen or lost, that is an accidental HIPAA violation. Even something as simple as leaving emails open on a desktop in view of members of the public is considered a violation.
Obviously, these differ in terms of their severity. Whenever a HIPAA breach occurs, it is essential that it is reported to the CE’s HIPAA Privacy Officer. They will then be able to start mitigating any damage and, if needed, notify the Department of Health and Human Services (HHS). The sooner this is done, the more likely the breach can be contained, potentially reducing any penalties incurred.
The Department of Health and Human Services does not stipulate what penalties should be in place for employees that violate HIPAA. Instead, this will fall under the remit of the healthcare organization’s workplace policies. It is likely that the workplace will consider the context of the HIPAA violation, as well as other factors such as the individual’s employment record and whether any similar violations have occurred before.
If it is a first-time violation and the result of a genuine error, the employee may be given extra HIPAA training to prevent further violations. If the breach was very serious (for example, involving hundreds of records or involving the public distribution of information), the employer may choose to suspend the employee’s contract. In some cases, such as repeat offenses or major breaches, the employee may be fired for an accidental HIPAA violation.
It is not unprecedented for employees to lose their jobs for violating HIPAA. In 2018, an employee was terminated after they were tricked by a phishing attack. The mistake meant an unauthorized individual could access the PHI of over 16,000 patients. This case highlights the importance of providing employees with both HIPAA compliance training and cybersecurity awareness training.
In some cases, employees can be fired for accidental HIPAA violations. However, this will strongly depend on the CE’s workplace policy, the employee’s track record, and the severity of the breach. If it was minor, quickly acted upon, or an anomaly in the employee’s performance record, it is less likely to lead to termination.