HIPAA Violation Corrective Actions Must Include Employee Sanctions

Health care employers are often tempted to "go easy" on an employee who has unwittingly violated the Health Insurance Portability and Accountability Act and related patient privacy laws ("HIPAA"), since good providers are hard to find and the law is complicated. However, a covered entity that fails to sanction an employee who has violated HIPAA is itself in violation of HIPAA.

As professionals in the health care industry know, HIPAA contains detailed requirements concerning the privacy of an individual's protected health information ("PHI"). These requirements include training a covered entity's workforce on its policies and procedures with respect to PHI. New members of the workforce must be trained within a reasonable period of time after joining the organization, and the training must be documented.

However, once a violation has occurred, the covered entity's focus should shift to investigation, correction, and, where appropriate, breach notification to affected parties. Too often, employers stop after correction and notification and fail to follow through on the last requirement of the corrective process. HIPAA's implementing regulations (45 C.F.R. § 164.530(e)) explicitly require that "A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of HIPAA's privacy regulations." The same regulation requires that the sanctions applied be documented.

In deciding on appropriate discipline for an employee who has violated these privacy requirements, a covered entity must take into account a number of factors. These include the severity of the violation, the employee's past history of the same or other violations, the employee's supervisory level within the organization, how frequently such violations occur, whether the employee was previously trained on the procedure violated, and whether any mitigating factors are present.

Sanctions may include, among other things, verbal warnings coupled with additional training, written warnings, suspension without pay, revocation of privileges, or termination. Sanctions should bear a reasonable relationship to the incident in question, be applied consistently across the workforce, and be proportional to the violation.

When sanctioning an employee, employers should make sure that the employee understands what he or she did to receive the sanction, what he or she should have done instead, what is expected of him or her in the future, and the consequences of failing to meet those expectations. If you have any questions, please feel free to contact our firm.

Christopher Onstott
constott@kmtg.com | 916.321.4582