Can Employees Who Violate HIPAA Rules Be Terminated?

The HIPAA Enforcement Rule gave the HHS’ Office for Civil Rights the authority to penalize healthcare organizations that have violated the HIPAA Rules. But what about employees who violate HIPAA and patient privacy? What action can be taken against those individuals and is a HIPAA violation sufficient grounds for termination?

All HIPAA violations should be investigated and acted upon by healthcare organizations. It is a requirement of HIPAA for covered entities to have a sanctions policy in place, and for all healthcare employees to be trained on the requirements of HIPAA and told of the consequences of a HIPAA violation. Naturally, not all HIPAA violations are equal. If a healthcare employee accidentally discloses too much PHI, that would be a violation of the HIPAA Minimum Standard but it would not be as severe as viewing patient records without authorization (snooping). The former would most likely result in further training, while the latter is grounds for termination.

When a covered entity or business associate is made aware of a HIPAA violation, an internal investigation should be conducted. Investigators will need to find out how the violation occurred, whether there are implications for individuals whose privacy was violated, if the violation exposed the company to risks, whether there are potential legal issues that may result from the violation, if the violation must be reported to regulators, and whether the violation was an isolated incident or if there are widespread compliance issues. The investigation will inform the covered entity’s decision about the corrective actions that must be taken to ensure the violation does not happen again. 

When the investigation reveals an employee has knowingly or unknowingly violated the HIPAA Rules, there will be consequences for the employee. If the accessing, use, or disclosure of protected health information occurred in good faith, it is not considered a reportable breach and would not usually necessitate disciplinary action. The issue would normally be resolved by providing further training on the requirements of HIPAA for employees.

Depending on the nature of the HIPAA violation, an employee may be suspended pending an investigation, which could end with a verbal or written warning or termination. The repercussions of a HIPAA violation will depend on the organization’s sanction policies and the seriousness of the violation.

Some violations may just necessitate internal disciplinary action, but violations such snooping of patient medical records will result in termination. If the incident is reported immediately, the patient did not suffer any harm, and especially if the access was accidental or committed in good faith, it is probable that disciplinary action will not result in termination.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The penalties for HIPAA violations may not be confined to internal disciplinary action or termination. Serious violations of the HIPAA Rules could be reported to state licensing boards and may result in the loss of license to practice. Criminal penalties for HIPAA violations are possible. An employer is obliged to report any criminal activity to law enforcement and the Department of Justice may choose to pursue criminal charges for HIPAA violations. While investigating data breaches of complaints, if the HHS’ Office for Civil Rights or State Attorneys General discover criminal violations, the case will also be referred to the Department of Justice.

The penalties for criminal violations of the HIPAA Rules can be severe. In addition to having to pay restitution to victims, fines can be issued and lengthy jail terms are possible. As with all HIPAA violations, the penalties are tiered based on the level of culpability.

The maximum penalties for criminal violations of the HIPAA Rules for individuals are:

  • A financial penalty up to $50,000 and up to one year in jail for knowingly accessing and disclosing PHI.
  • A financial penalty up to $100,000 and up to five years in jail if the violation was committed under false pretenses.
  • A financial penalty up to $250,000 and up to 10 years in jail if the violation involved malicious intent or was committed for personal gain.
  • Two years will be added to any sentence if there was also aggravated identity theft.

FAQs

Can all HIPAA violations result in termination?

There is no simple answer to this question. While all violations should be taken seriously, it goes without saying that some will have more severe consequences than others. Accidental disclosure will usually be treated very differently than the deliberate sharing of information with a wide audience, for example. Usually, an organization will have its own standards for which HIPAA violations could lead to termination.

Who decides if an employee should be terminated as the result of an investigation?

Though the Department for Human Health and Services can penalize organizations for HIPAA violations, they do not dictate whether an individual should lose their job over it. This decision rests with the employer, who will consider factors such as the severity of the breach and the factors that led to it. The more severe the breach, and the more responsibility that lies with the employee, the more likely it is that they will terminate the employee’s contract.

Can employees be fired for accidental HIPAA violations?

No matter whether the HIPAA breach was accidental or malicious, the consequences for the patient are the same. Their right to privacy was violated and they were exposed to potentially negative consequences. However, employers may be more likely to treat violations that were the product of genuine human error more leniently than intentional violations. For example, if a doctor accidentally disclosed too much PHI to another doctor when asking for advice (breaching the HIPAA Minimum Standard), the employer may choose to offer the employee more training.

Can an individual who was fired for violating HIPAA get another job in the healthcare sector?

Again, this will depend on the nature of the violation. If you were terminated for a series of minor violations, or because a HIPAA violation contributed negatively to your overall performance review at that organization, this may be overlooked by future employers. However, if you lost your medical license alongside your job, you will likely have to find a job in a different field.

Can you contest a termination for HIPAA violations?

If you believe that you were not at fault for a HIPAA violation (for example, if it was the action of a colleague that caused the breach, or you were not adequately trained by your employer), you should consult a legal expert for advice on the next steps.