The HIPAA Enforcement Rule gave the HHS’ Office for Civil Rights the authority to penalize healthcare organizations that have violated the HIPAA Rules. But what about employees who violate HIPAA and patient privacy? What action can be taken against those individuals and is a HIPAA violation sufficient grounds for termination?
All HIPAA violations should be investigated and acted upon by healthcare organizations. It is a requirement of HIPAA for covered entities to have a sanctions policy in place, and for all healthcare employees to be trained on the requirements of HIPAA and told of the consequences of a HIPAA violation. Naturally, not all HIPAA violations are equal. If a healthcare employee accidentally discloses too much PHI, that would be a violation of the HIPAA Minimum Standard but it would not be as severe as viewing patient records without authorization (snooping). The former would most likely result in further training, while the latter is grounds for termination.
When a covered entity or business associate is made aware of a HIPAA violation, an internal investigation should be conducted. Investigators will need to find out how the violation occurred, whether there are implications for individuals whose privacy was violated, if the violation exposed the company to risks, whether there are potential legal issues that may result from the violation, if the violation must be reported to regulators, and whether the violation was an isolated incident or if there are widespread compliance issues. The investigation will inform the covered entity’s decision about the corrective actions that must be taken to ensure the violation does not happen again.
When the investigation reveals an employee has knowingly or unknowingly violated the HIPAA Rules, there will be consequences for the employee. If the accessing, use, or disclosure of protected health information occurred in good faith, it is not considered a reportable breach and would not usually necessitate disciplinary action. The issue would normally be resolved by providing further training on the requirements of HIPAA for employees.
Depending on the nature of the HIPAA violation, an employee may be suspended pending an investigation, which could end with a verbal or written warning or termination. The repercussions of a HIPAA violation will depend on the organization’s sanction policies and the seriousness of the violation.
Some violations may just necessitate internal disciplinary action, but violations such snooping of patient medical records will result in termination. If the incident is reported immediately, the patient did not suffer any harm, and especially if the access was accidental or committed in good faith, it is probable that disciplinary action will not result in termination.
The penalties for HIPAA violations may not be confined to internal disciplinary action or termination. Serious violations of the HIPAA Rules could be reported to state licensing boards and may result in the loss of license to practice. Criminal penalties for HIPAA violations are possible. An employer is obliged to report any criminal activity to law enforcement and the Department of Justice may choose to pursue criminal charges for HIPAA violations. While investigating data breaches of complaints, if the HHS’ Office for Civil Rights or State Attorneys General discover criminal violations, the case will also be referred to the Department of Justice.
The penalties for criminal violations of the HIPAA Rules can be severe. In addition to having to pay restitution to victims, fines can be issued and lengthy jail terms are possible. As with all HIPAA violations, the penalties are tiered based on the level of culpability.
The maximum penalties for criminal violations of the HIPAA Rules for individuals are:
- A financial penalty up to $50,000 and up to one year in jail for knowingly accessing and disclosing PHI.
- A financial penalty up to $100,000 and up to five years in jail if the violation was committed under false pretenses.
- A financial penalty up to $250,000 and up to 10 years in jail if the violation involved malicious intent or was committed for personal gain.
- Two years will be added to any sentence if there was also aggravated identity theft.