You found out recently that one of your employees committed a HIPAA violation.
Although the training you gave them on the law tells them what is and isn’t allowed, they made a mistake. Their error could end up costing your organization thousands of dollars in fines and damaging your reputation as a healthcare provider.
You’re facing a dilemma in this situation, though, because you put in a lot of time and resources into this employee and they’re one of the most valuable members of your team.
How do you discipline them in this situation?
Believe it or not, the scenario I just mentioned above happens often. As a manager or administrator of a healthcare organization, you have a lot of responsibility placed on you to ensure your team is proactive and productive. However, every once in a while certain circumstances will present themselves that put you in a hard spot. Among those is a HIPAA violation.
Depending on the infraction, your organization might face a penalty so big that it could force you to close your doors. Worse yet, jail time isn’t off the table either.
But there’s a human aspect to it as well. You don’t want your employees to clean out their desks and leave on the spot because you chewed them out; that won’t help your organization grow.
So what do employee penalties for violations look like? Well, it depends.
It could take days, weeks, months, or even years before an organization realizes a HIPAA violation happened. Luckily, cybersecurity technology and compliance processes are far enough along that most modern practices know right when a breach occurs.
When a breach occurs, three phases happen afterward…
Investigation
Correction
Notification (if necessary)
The third bullet point listed, although important, extends beyond the scope of this blog post so I’m only going to touch on the first two.
During the investigation stage, organizations look at who and what caused the breach.
This oftentimes requires questioning employees. Of course, you’ll want to stay as professional as possible during this step to help those in question realize that what happened was serious.
After you’ve identified those involved, it’s time for a corrective action. That’s what this entire blog is all about.
Employee discipline for a HIPAA violation depends on the type of breach that occurred. Breach definitions and their recommended disciplinary action should exist within your policy manual.
There are three levels of a breach that we’ve defined, each of which has its own employee penalty.
Level 1: Unintentional
A level 1 breach occurs when one of your employees accidentally or carelessly accesses, uses, discloses, or otherwise misuses protected health information (PHI).
These are the minor breaches…
Talking about PHI in public spaces of your organization like elevators, lobbies, cafeterias, and printer rooms
Leaving PHI open or available for others to access like at an unlocked computer or left on an unattended desk
Mailing patient bills and statements to the wrong address
Attaching PHI to emails without encryption services
At this level, you most likely won’t have to report the breach to the Department of Health and Human Services (HHS). But they do still require some form of notification and corrective action.
Even though the breach occurred because of a careless employee, some of the blame also lands on you.
The biggest reason the breach occurred in the first place is probably that your organization doesn’t have adequate HIPAA training in place.
Maybe you’ve implemented annual training, but your employees view the sessions as a waste of time rather than a helpful exercise. If that’s the case, then you’ll have to re-tool these sessions so that they’re more engaging.
At any rate, disciplinary action for a level 1 breach isn’t severe in nature. You shouldn’t terminate or suspend an employee over a level 1 breach unless they’re a frequent, repeat offender.
Instead, employee discipline for a level 1 breach should include an oral or written warning, coaching, and retraining.
Believe it or not, these simple “punishments” will go a long way since it’s not an overly complicated violation.
Level 2: Curiosity and/or Concern With No Personal Gain
You might be wondering, “Why would someone want to snoop into the PHI of people at your organization out of curiosity?” Actually, this type of violation happens more often than you might think.
Level 2 violations happen when a team member…
Accesses a family member’s PHI
Accesses the PHI of a high-profile patient
Gossips about PHI outside of the organization
Have you ever seen a news story about a healthcare professional getting fired for snooping into a celebrity’s medical file?
When those headlining breaches happen, the employee involved gets terminated on the spot. Level 2 violations are similar to level 3, but they don’t happen for personal gain. Instead, curiosity gets the best of the employee and they can’t help but look at the medical history of the professional athlete, government official, pop star, or actor that checked into your facility.
Since the example I’m using ends up grabbing national attention, termination or suspension are the only options that will save your reputation.
However, termination isn’t the only option for every level 2 violation.
If the employee accesses their family member’s information, a written warning would suffice if this is their first-ever violation. That way it’s recorded in the event that something like this happens again.
Level 3: Personal Gain or Malicious Intent
Unfortunately, employees may sometimes go out of their way to harm the individuals coming to your organization by accessing their PHI for ulterior reasons.
Level 3 breaches happen when an employee…
Knowingly accesses PHI in violation of organizational policies
Shares PHI outside of the organization to unauthorized members
Uses PHI to harass or harm patients
Accesses PHI with the intent to sell for profit or gain
Uses PHI for identity theft or another form of criminal activity
This is the worst type of violation an employee could commit. It also carries the harshest penalties, which lead to immediate termination and, in some cases, jail time.
An example of this type of breach would be if an employee went into your electronic health record (EHR) system, downloaded as much PHI as they could, and sold that information as “kits” on the dark web. In this case, you would have no choice but to terminate the employee and involve law enforcement.
Usually, reporting for a level 3 HIPAA violation also requires the involvement of legal counsel in order to protect your organization.
Although a rare type of breach, these do happen. They’re unforeseeable, but it comes down to who you hire. By having a comprehensive hiring process in place, the chances of this kind of breach happening are low.
Conclusion
Even to the most skilled compliance or human resources manager, coming up with the appropriate disciplinary action on the spot for a HIPAA violation isn’t realistic. There are too many factors involved.
But by classifying different levels of severity and defining their penalties through a policy, you’re making the process easier and more efficient. Compliance can’t happen without policies.
HIPAA breaches happen at a rate of 1.4 times per day. So even if you haven’t experienced a violation, it’s important that you know how to handle them properly, including how to discipline your employees.
It’s not easy to discipline your employees for something they did by accident, but you simply can’t let HIPAA violations slide.
You’ve invested a lot of time and resources into your employees; they need to reciprocate by operating your business in a lawful manner.