HIPAA Violations and Employee Discipline: What Should You Do?

HIPAAViolationEmployeeDiscipline_620.jpg

You found out recently that one of your employees committed a HIPAA violation.

Although all of their background knowledge from the training you gave them on the law tells them what is and isn’t allowed, they made a mistake. Their error could end up costing your organization thousands of dollars in fines and a loss in your reputation as a healthcare provider.

You’re facing a dilemma in this situation, though, because you put in a lot of time and resources into this employee and they’re one of the most valuable members of your team.

How do you discipline them in this situation?

Believe it or not, the scenario I just mentioned above happens often. As a manager or administrator of a healthcare organization, you have a lot of responsibility placed on you to ensure your team is proactive and productive. However, every once in awhile certain circumstances will present themself that put you in a hard spot. Among those is a HIPAA violation.

Depending on the infraction, your organization might face a penalty so big that it could force you to close your doors. Worse yet, jail time isn’t off the table either.

But there’s also a sociology aspect to it as well. You don’t want your employees to clean out their desk and leave on the spot because you chewed them out, that won’t help your organization grow.

So what do employee penalties for violations look like? Well, it depends.

It could take days, weeks, months, or even years before an organization realizes a HIPAA violation happened. Luckily, cybersecurity technology and compliance process are far enough along that most modern practices know right when a breach occurs.

When a breach occurs, three phases happen afterward…

  • Investigation

  • Correction

  • Notification (if necessary)

The third bullet point listed, although important, extends beyond the scope of this blog post so I’m only going to touch on the first two.

During the investigation stage, organizations look at who and what caused the breach.

This oftentimes requires questioning employees. Of course, you’ll want to stay as professional as possible during this step to help those in question realize that what happened was serious.

After you’ve identified those involved, it’s time for a corrective action. That’s what this entire blog is all about.

Employee discipline for a HIPAA violation depends on the type of breach that occurred. Breach definitions and their recommended disciplinary action should exist within your policy manual.

There are three levels of a breach that we’ve defined, each of which has its own employee penalty.

Table of Contents

Level 1: Unintentional

A level 1 breach occurs when one of your employees accidentally or carelessly accesses, uses, discloses, or otherwise misuses protected health information (PHI).

These are the minor breaches…

  • Talking about PHI in public spaces of your organization like elevators, lobbies, cafeterias, and printer rooms

  • Leaving PHI open or available for others to access like at an unlocked computer or left on an unattended desk

  • Mailing patient bills and statements to the wrong address

  • Attaching PHI to emails without encryption services

At this level, you most likely won’t have to report the breach to the Department of Health and Human Services (HHS). But they do still require some form notification and corrective actions.

Even though the breach occurred because of a careless employee, some of the blame also lands on you.

The biggest reason why the breach occurred in the first place is probably because your organization doesn’t have the adequate HIPAA training in place.

HIPAAViolationEmployeeDiscipline_2_620.png

Maybe you’ve implemented annual training but they’re viewed more as a waste of time than a helpful session by your employees. If that’s the case, then you’ll have to re-tool these sessions so that they’re more engaging.

At any rate, disciplinary action for a level 1 breach isn’t severe in nature. You shouldn’t terminate or suspend an employee over a level 1 breach unless they’re a frequent, repeat offender.

Instead, employee discipline for a level 1 breach should include an oral or written warning, coaching, and retraining.

Believe it or not, these simple “punishments” will go a long way since it’s not an overly complicated violation.

Level 2: Curiosity and/or Concern With No Personal Gain

You might be wondering, “Why would someone want to snoop into the PHI of people at your organization out of curiosity?” Actually, this type of violation happens more often than you might think.

Level 2 violations happen when a team member…

  • Accesses a family members PHI

  • Accesses the PHI of a high-profile patient

  • Gossips about PHI outside of the organization

Have you ever seen a news story about a healthcare professional getting fired for snooping into a celebrity’s medical file?

When those headlining breaches happen the employee involved gets terminated on the spot. Level 2 violations are similar to level 3 but they don’t happen for personal gain. Instead, curiosity gets the best of the employee and they can’t help but look at the medical history of the professional athlete, government official, pop star, or actor that checked into your facility.

Since the example I’m using ends up grabbing national attention, termination or suspension are the only options in order to save your reputation.

HIPAAViolationEmployeeDiscipline_3_620.png

However, that’s not the only option.

If the employee accesses their family member’s information, a written warning would suffice if this is their first-ever violation. That way it’s recorded in the event that something like this happens again.

Level 3: Personal Gain or Malicious Intent

Unfortunately, employees may sometimes go out of their way to harm the individuals coming to your organization by accessing their PHI for ulterior reasons.

Level 3 breaches happen when an employee…

  • Knowingly accesses PHI in violation of organizational policies

  • Shares PHI outside of the organization to unauthorized members

  • Uses PHI to harass or harm patients

  • Accesses PHI with the intent to sell for profit or gain

  • Uses PHI for identity theft or another form of criminal activity

This is the worst type of violation that could occur due to an employee. It also has the harshest penalties that lead to immediate termination and, in some cases, jail time.

HIPAAViolationEmployeeDiscipline_4_620.png

An example of this type of breach would be if an employee went into your electronic health record (EHR) system, downloaded as much PHI as they could, and sold that information as “kits” on the dark web. In this case, you would have no choice but to terminate the employee and involve law enforcement.

Usually, reporting for a level 3 HIPAA violation also requires the involvement of legal counsel in order to protect your organization. 

Although a rare type of breach, these happen. They’re unforeseeable but it comes down to who you hire. By having a comprehensive hiring process in place, the chances of this kind of breach happening is low.

Conclusion

Even to the most skilled compliance or human resources manager, coming up with the appropriate disciplinary action on the spot for a HIPAA violation isn’t realistic. There are too many factors involved.

But by classifying different levels of severity and defining their penalties through a policy, you’re making the process easier and more efficient. Compliance can’t happen without policies. 

HIPAA breaches happen at a rate of 1.4 times per day. So even if you haven’t experienced a violation, it’s important that you know how to handle them properly, including how to discipline your employees.

It’s not easy to discipline your employees for something they did on accident, but you simply can’t let HIPAA violations slide.

You’ve invested a lot of time and resources into your employees, they need to reciprocate by operating your business in a lawful manner.

Featured
[ANSWERED] Do HIPAA Laws Apply to Employers?
[ANSWERED] Do HIPAA Laws Apply to Employers?

In this blog post we explore if HIPAA laws apply to employers and how.

Read More →
The Ultimate HIPAA Security Risk Assessment Template
The Ultimate HIPAA Security Risk Assessment Template

What does a HIPAA risk assessment look like? Is there a specific template to follow? In this blog, we will go over what exactly a risk assessment is, why you need it, and steps to take to create your own risk assessment template.

Read More →
HIPAA Security vs. Privacy: What's the Difference?
HIPAA Security vs. Privacy: What's the Difference?

So how do you go about upholding these guidelines to protect all of this information? Why, through the HIPAA Privacy and Security Rules of course! These terms may sound interchangeable, but don’t let them fool you! They both have their own distinct roles to play when it comes to HIPAA as a whole.

Read More →

It's time to protect your bottom line.