The HIPAA Enforcement Rule gave the HHS’ Office for Civil Rights the authority to penalize healthcare organizations that have violated HIPAA Rules. But what about employees who violate HIPAA and patient privacy? What action can be taken against those individuals and is a HIPAA violation sufficient grounds for termination?
All HIPAA violations should be investigated and acted upon by healthcare organizations. This is actually a requirement of HIPAA: there must be a sanctions policy in place. Naturally, not all HIPAA violations are equal. If a healthcare employee accidentally discloses too much PHI, that would be a violation of the HIPAA Minimum Necessary Standard, but it would not be of the same severity as snooping on patient records.
When a covered entity or business associate is made aware of a HIPAA violation, an internal investigation should be launched. Investigators will need to find out how the violation occurred, whether there are implications for individuals whose privacy was violated, if the violation exposed the company to risks, whether there are potential legal issues that may result from the violation, if the violation must be reported to regulators, and whether the violation was an isolated incident or if there are widespread compliance issues. The investigation will inform the covered entity’s decision about the corrective actions that must be taken to ensure the violation does not happen again.
When the investigation reveals that an employee has knowingly or unknowingly violated HIPAA Rules, there are consequences for the employee. If the access, use, or disclosure of protected health information was unintentional and made in good faith, it is not considered a reportable breach and would not necessitate disciplinary action. The issue could be resolved through further training.
Depending on the nature of the HIPAA violation, an employee may be suspended pending an investigation, which could end with a verbal or written warning or termination. The repercussions of a HIPAA violation will depend on the organization’s sanction policies and the seriousness of the violation.
Some violations may just necessitate internal disciplinary action, but violations such as the viewing of patient medical records without authorization (snooping) will most likely result in termination. If the incident is reported immediately and the patient did not suffer any harm, and especially if the access was accidental or committed in good faith, it is probable that disciplinary action will not result in termination.
The penalties for HIPAA violations may not be confined to internal actions and terminations. Criminal penalties for HIPAA violations are possible. When regulators discover potential criminal violations of HIPAA Rules, the cases are referred to the Department of Justice to pursue.
The Department of Justice can pursue criminal violations of HIPAA Rules, and the maximum penalties can be severe. In addition to having to pay restitution to victims, the maximum penalties for criminal violations of HIPAA Rules are:
- A financial penalty up to $50,000 and up to one year in jail for knowingly accessing and disclosing PHI.
- A financial penalty up to $100,000 and up to five years in jail if the violation was committed under false pretenses.
- A financial penalty up to $250,000 and up to 10 years in jail if the violation involved malicious intent or was committed for personal gain.
- Two years may be added to the sentence if there was also aggravated identity theft.