Burning Question: Can You Get a Job After a HIPAA Violation?


We see it on the news constantly and it goes something like this, “[insert healthcare organization here] experienced a breach in their data this week after [insert reason here] took place. That story and more at 11 pm.”

I know what you’re thinking, “Was the author of this blog post a journalist at one point? That was well done.”

No, I just watch a lot of TV.

The point I’m trying to make is that we see HIPAA violations often, and some experts within the industry think that they’re inevitable. As a result, organizations implement policies, trainings, and cybersecurity safeguards, and sometimes hire entire departments to ensure that they remain compliant.


Even with all of those safeguards implemented, though, a violation could still happen. The bottom line is that an organization’s employees are the biggest HIPAA risk. When it comes down to brass tacks, it doesn’t matter how many heavily detailed rules you’ve drafted; employees may still violate HIPAA.

After that point, I could go on and on about what could happen to the organization after a breach occurs or how they should discipline the employee who caused the violation. But there are thousands of blog posts discussing that; I’ve even written a few myself.

Instead, what I am going to go over is what happens to the employee that committed a breach and answer the question, “Can you get a job after a HIPAA violation?”


The Severity of The Violation

What happens to the employee who commits a breach depends largely on its severity. Of course, that’s the answer because of the complexity of the question.

The reality is that, although some violations happen out of spite, the majority of breaches are unintentional.

You could reiterate the phrase, “Ignorance of the law is no excuse.” Although that does hold true within this context, so does precedent. Not every breach requires a federal investigation and calls for the perpetrator to resign from their position. 

Yes, if an employee goes through the electronic health record (EHR) system looking for the health information of celebrities that might’ve checked in at the organization, they should get fired.

Alternatively, though, should an employee who accidentally saw PHI that they shouldn’t have, because they clicked on the wrong file, get fired? No.

The Department of Health and Human Services’ Office for Civil Rights ultimately determines and doles out penalties. They’ve classified violations into four tiers all determined based on severity and organizational response. The first example I explained would either fall under a Tier 3 or Tier 4 whereas the second example qualifies as a Tier 1 or Tier 2.

via HIPAA Journal

What Your Current Employer Decides

The higher the tier, the greater the chance that the employee will face termination.

A lower-tier might only require the employee who committed the breach to have a meeting with the compliance department where they go over what happened and why it was wrong. In other words, the organization has control over the employee’s punishment.

A higher tier, though, might end up getting noticed and covered by news outlets across the country depending on its severity. Thus, what happens to the employee depends on what a federal judge decides.

As an example, Linda Sue Kalina used to work as the patient information coordinator for the University of Pittsburgh Medical Center (UPMC). While at her job she accessed 111 PHI files illegally as part of a revenge plot on her former employer. She ended up releasing a handful of the individuals’ sensitive information. Initially, she faced an 11-year sentence and a $350,000 fine, which later got reduced due to her cooperation. Her final sentence was to serve 1 year in jail.


After serving her sentence, she’s now considered a felon. Thus, it’s going to be near impossible for her to get another job within healthcare. Of course, felons can still get jobs but it’s much harder, especially when you consider their unemployment rate is around 30%.

It’s worth noting that penalties for HIPAA violations have only gotten harsher over the years. 

There’s a solid trendline in the chart above showing OCR penalties for HIPAA violations every year, even if you remove the outlying year (2016).

Beyond the numbers, though, it makes sense that the government doles out larger fines over time. Their harsh jurisdiction motivates organizations to implement stricter policies, stronger training sessions and more fortified cybersecurity systems.

It also means more responsibility lands on the employees of an organization, making the individual consequences for causing the breach more severe.

If that trend continues, then having any history of violating HIPAA will make it much harder to find a job.

External Licensing Agencies

Working as a healthcare professional has benefits that go beyond the financial earnings that come along with it. There are state and national agencies devoted to educating, licensing, and disciplining the different careers within the medical field.

As an example, registered nurses join their state’s Board of Nurses only after passing the NCLEX.

It’s almost like a “high-society” perk of being at the forefront of one of the most prestigious industries on the globe. I’d say those professionals earned it after enduring so many years of medical school.

My point after all of this is to bring to light one of the specific duties of these agencies and connect it to HIPAA violations. Yes, each state’s board of nurses is different, but they all agree on a nurse’s role in protecting PHI.

As an example, the Kentucky Board of Nursing states that it “recognizes that nurses have a duty to maintain confidentiality of patient information.” They also point out one of the more modern risks healthcare professionals need to understand: social media.

It’s great that the board agrees with federal law, but what happens if a nurse practicing in Kentucky breaks it via a HIPAA violation?


In that same document, the Kentucky Board of Nursing states that if a nurse cannot remain true to the guidelines related to patient confidentiality, then they’re subject to “potential disciplinary action”. The organization leaves room for ambiguity, stating, “...each complaint is considered on a case-by-case basis. The specific facts of each situation are evaluated on an individual basis.”

If you’ve just committed a small, unintentional breach as a nurse in Kentucky, odds are that you’re not going to lose your license and can continue your career within this field.

Future Employer's Process

Let’s say that you’re a nurse and were the source of a HIPAA violation for your previous employer. I specifically included the word “previous” because they let you go as a conclusion of their internal investigation.

However, the breach that you caused isn’t considered “big”, at least in terms of the notification that must be sent to the HHS. The main reason your previous employer terminated you was that it was your third strike, and their policy required it. It turns out that they were pretty strict.

Well, because of the less-severe nature of what you committed, your state’s Board of Nursing determined that they won’t revoke your license. You’re still a practicing nurse. Awesome.

You start applying for jobs and hear back from another healthcare organization rather quickly. Time to put on your formal “hire me” clothes and head to your first interview. Of course, during the cross-examination, the representative from the hiring organization asks you, “Why did you leave your previous employer?”


You can’t blame them for asking you that question. They have a right to know why that relationship no longer exists in your professional career. You can’t lie to them, so you confess that you violated HIPAA.

As a result, they decide that you’re not a fit for their organization.

The scenario above is something that previously terminated medical professionals may face after a HIPAA violation.

If it doesn’t happen in person during the interview stage, it will when the hiring organization calls up the applicant’s references or past employer.

All hope is not lost, though, as some organizations may look past it and view it as a learning experience. But everything depends on their policies and safeguards surrounding patient privacy.

Conclusion

I imagine that after you read the introduction to this blog post you thought to yourself, “Of course the answer to my question is ‘it depends’. That’s so generic.”

Trust me when I tell you that I spent hours trying to come up with an alternative answer instead of “it depends”. I hate it too.

But there’s just too much involved with a HIPAA violation to determine whether or not you’ll be able to get a job within healthcare again. It depends on…

  • The severity of the breach

  • How your employer at the time views the violation

  • What (if any) external organization you’re a part of

  • The hiring practices of future employers

If it turns out that the violation you committed was egregious, negligent and/or on purpose, then you could face a massive fine, license suspension and jail time, making it harder to get a job in the future.