What Employee Sanctions Are Appropriate?

The HIPAA Security and Privacy Rules were enacted to effectively address the privacy and security of patient information, and to make it easier for healthcare providers and their business associates to understand and implement the requirements. 

While countless providers have complied with the rules, many others have failed to do so either by design or by neglect. HIPAA violations can lead to serious privacy and security breaches resulting in fines, penalties, and sanctions. And very often, it is an individual employee who is responsible for the violation.

HIPAA Regulation and Enforcement

The U.S. Department of Health and Human Services (HHS) is responsible for maintaining HIPAA rules and regulations. Its Office for Civil Rights (OCR) is responsible for investigating reports of HIPAA violations and breaches, and for addressing non-compliance by imposing penalties, fines, and other sanctions on violators. For more than a decade, the OCR has published announcements of violations and breaches, and posted detailed press releases on their website.

Headline Violations

We’re all familiar with headlines announcing HIPAA violations by enterprises, hospital systems, healthcare insurers, medical practices, and their business associates. And we know that failure to comply with HIPAA Rules, whether deliberate or unintentional, can result in serious penalties, financial settlements, and reputational damage for violators.

In three landmark cases in 2020 alone, Aetna paid the OCR $1,000,000 to settle a PHI disclosure, Lifespan Health System paid $1,040,000 to settle a PHI breach caused by the theft of an unencrypted laptop, and Premera Blue Cross paid $6,850,000 to settle a breach of HIPAA Security and Privacy Rules that affected more than 10 million people.

In these and other cases, the OCR investigation found systemic non-compliance with HIPAA Rules, including failures to conduct companywide risk analyses, implement risk management controls, implement information system activity reviews, implement security incident procedures, implement access controls, and provide employees with security awareness training.

These incidents make for compelling headlines, no doubt.  However, violations that don’t often make the news are those committed by individual employees of healthcare entities. And yet individual actions are at the heart of many HIPAA violations, great and small.

Examples of HIPAA Violations by Employees

Following are six examples of actions taken by individual employees that have resulted in HIPAA violations. Most of these have to do with impermissible disclosure of protected health information (PHI). PHI may range from medical records, images, and test results, to credit card and payment information, to social security numbers and birth dates.

Each case below also describes corrective actions required by the OCR in response to each violation, as described on the HHS website.

Outpatient Facility. A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. The OCR investigation confirmed that the use and disclosure of the employee’s PHI by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. Corrective actions included:

1. A letter of reprimand was placed in the supervisor's personnel file
2. The supervisor received additional training about the Privacy Rule
3. The outpatient facility further counseled the supervisor as to appropriate and inappropriate uses of the medical information of a subordinate.

State Hospital. A nurse and an orderly discussed the HIV/AIDS status of a patient and the patient's spouse, within earshot of other patients, without making reasonable efforts to prevent the disclosure.  Corrective actions included:

1. The hospital placed both employees on leave
2. The orderly resigned his employment shortly thereafter
3. A memo documenting the incident was placed in the nurse’s personnel file
4. The nurse’s case was referred for peer review
5. The nurse was placed on probation for one year
6. The nurse underwent further training on the HIPAA Privacy Rule
7. The state attorney general's office agreed to a monetary settlement with the patient.

Doctor's Office. A patient's HIV status was improperly disclosed when office staff mistakenly faxed medical records to the patient's Employer rather than to their new Healthcare Provider. Corrective actions included:

1. The employee responsible for the disclosure received a written disciplinary warning
2. Both the employee and the physician apologized to the patient
3. OCR required the practice to revise their fax cover page to emphasize a confidential communication for the intended recipient
4. All office employees were informed of the incident and counseled on proper faxing procedures.

General Hospital. The PHI of an employee of the hospital who was also a surgical patient was impermissibly disclosed to her supervisor. The OCR investigation revealed that the hospital distributed an Operating Room (OR) schedule to employees via email, and that the OR schedule contained information about the upcoming surgery. A hospital employee shared the OR schedule with the employee’s supervisor inappropriately, as the supervisor was not part of the employee's treatment team and did not need the information for any permissible purpose. Corrective actions included:

1. The hospital employee who made the impermissible disclosure was disciplined and retrained.
2. The hospital undertook a complete review of the distribution of the OR schedule.
3. The hospital revised the distribution of the OR schedule by limiting it to those who have “a need to know” as required by HIPAA.

Major Health Insurer.  An employee failed to follow the insurance company’s authorization and verification procedures, and impermissibly disclosed the PHI of one of its insured members. Corrective actions included:

1. The insurer was required to train its staff on the applicable policies and procedures
2. The insurer was also required to mitigate the harm to the individual
3. The employee who made the disclosure was counseled and given a written warning.

Radiology Practice. A hospital patient’s imaging tests, including the test results, were submitted to the patient’s employer as a worker’s compensation claim. The OCR investigation found that the patient was not covered by worker’s compensation and had not specified that worker’s compensation was responsible for payment. It also found that the radiology practice had used incorrect billing information from the treating hospital when submitting the claim.  Corrective actions included:

1. The practice apologized to the patient
2. The employee responsible for the incident was sanctioned
3. All billing and coding staff were trained on appropriate claims submission procedures
4. The practice revised its policies and procedures to require a specific request from worker’s compensation carriers before submitting test results to them.

Employee Sanctions

In each of these cases, at least one individual employee was responsible for creating the HIPAA violation, and was sanctioned accordingly.

Sanctions are disciplinary measures imposed upon an employee for a HIPAA violation, regardless of whether the violation was intentional or accidental and whether it caused actual or potential harm. As we have seen in these six cases alone, sanctions may range from oral or written reprimands and warning letters, to paid or unpaid suspensions and probations, to termination of employment. Typically, the severity of the sanction(s) is proportionate to the severity of the violation.

Employers who witness their employees violating HIPAA requirements can use these cases as guidelines in determining how to effectively, and appropriately, deal with the violation and the employee. By managing violations proactively, employers may be able to stay out of the OCR spotlight.

The Smarter Way

The best way to stay out of the OCR spotlight, however, is to first comply with HIPAA requirements and then maintain and optimize all safeguards vigorously.  The extensive, well-informed effort this requires can be a burden for smaller healthcare practices as well as for many busy hospitals and their business associates.

Share the burden with a credentialed HIPAA Compliance firm, such as 24By7Security.  Your expert compliance partner will conduct a formal risk assessment to identify compliance gaps and provide clear guidance, and even assistance, for addressing each gap.

Expert employee training will ensure that required policies and procedures are fully understood, and regular retraining will keep compliant behaviors front and center for all employees every day. This smarter alternative will shine the spotlight on your culture of compliance, rather than on a violation that could become a public learning experience.

Summary

Members of the healthcare industry are required to comply with HIPAA Security and Privacy Rules. Most security and privacy breaches occur due to holes in information security programs, incomplete privacy policies, missing or outdated documentation, absence of access controls and other gaps for which an enterprise is responsible.

However, individual employees’ actions can create violations that cause actual or potential harm. In order to mitigate the harm and help prevent future violations, sanctions can and should be imposed on employees who violate HIPAA requirements. Six OCR cases describing individual employee violations and their consequences can serve as solid guidance for employers in imposing sanctions on employees.