The HIPAA Enforcement Rule allowed the HHS’ Office for Civil Rights to penalize healthcare organizations that have violated the HIPAA Rules. But what about the employees who violated HIPAA and patient privacy, whether accidentally or deliberately? Should their violation be enough grounds for termination?
All HIPAA violations should be investigated and acted upon by healthcare organizations. Not all cases are the same. Hence, investigators need to find out how the violation occurred, what the implications are for patients’ privacy, what potential legal issues result from the violation, and what action regulators can take. It is expected that healthcare organizations will do something to prevent a similar occurrence in the future.
When the investigation reveals that an employee has knowingly or unknowingly violated HIPAA Rules, there are consequences as far as the employee is concerned. If the access or use of protected health information is unintentional, or if it was made in good faith and with proper authorization, it is not considered a reportable breach and would not necessitate disciplinary action.
Some healthcare organizations implement strict rules, terminating employees who violate HIPAA Rules. Others settle minor HIPAA violations internally. Depending on the nature of the HIPAA violation, an employee may be suspended pending investigation as disciplinary action. Termination is also possible if deemed necessary after the investigation is complete.
Hence, the repercussions for a HIPAA violation depend on the organization’s policies and the violation’s severity. Some violations may just need internal disciplinary action and no termination of the erring employee. But violations involving the viewing of patient medical records without authorization will most likely result in termination of the employee. If the incident is reported immediately, or the patient did not suffer any harm, or if the access was accidental or committed in good faith, it’s possible that the employee will not be terminated.
Even worse, an employee may be found criminally liable for violating HIPAA Rules. Such cases are handled by the Department of Justice for prosecution. Violating employees may face the following penalties:
- $50,000 and one year in jail if they knowingly access and disclose PHI.
- $100,000 and five years in jail if the violation involved false pretenses.
- Up to $250,000 and up to 10 years in jail if the violation involved malicious intent or was committed for personal gain.
- Two years may be added to the sentence if there was aggravated identity theft involved.