Not all HIPAA breaches are the same, although any breach of HIPAA Rules is a serious matter that calls for investigation and action by healthcare groups.
When a HIPAA violation is reported – by an employee, co-worker or patient – the healthcare group will review the incident and attempt to determine whether HIPAA Rules were in fact violated and, if so, how the violation occurred, what it means for the patients whose privacy was breached, what legal exposure it creates, and what sanctions regulators may impose. The group will also want to take action to ensure that similar violations do not recur.
When a staff member is found to have knowingly or unknowingly breached HIPAA Rules there are likely to be repercussions for the individual involved.
An unintentional acquisition, access, or use of protected health information by a member of staff acting under the authority of the covered entity, where the acquisition, access, or use was made in good faith and within the scope of that authority, and did not result in any further impermissible use or disclosure, is not a reportable breach and may not necessarily lead to disciplinary action.
Some healthcare groups have strict rules on breaches of HIPAA Rules and routinely sack employees for HIPAA violations. Others have a policy of dealing with minor HIPAA violations internally. Depending on the nature of the breach, the incident may warrant disciplinary action against the individual involved, which could see the worker suspended pending an investigation. Termination for a HIPAA violation is a possible outcome.
Ultimately the ramifications of a HIPAA violation will depend on the policies in place at the healthcare group and the severity of the violation. A violation of the Minimum Necessary Standard may, depending on the specifics, be treated as a matter for internal disciplinary action rather than sacking. Viewing the medical records of a patient without authorization is likely to result in termination unless the incident is reported quickly, no harm was caused to the patient, and the access was accidental or made in good faith.
HIPAA Violations & Criminal Penalties
Sacking may not be the worst outcome after HIPAA Rules have been violated by employees. Healthcare workers may be found criminally liable for HIPAA violations and cases can be referred to the Department of Justice for prosecution.
Criminal violations of HIPAA Rules can result in fines and jail time for healthcare staff. A fine of up to $50,000 and up to one year in jail may be applied when individually identifiable health information is knowingly obtained or disclosed in violation of HIPAA Rules. A fine of up to $100,000 and up to five years in jail is possible when the offense is committed under false pretenses, and a fine of up to $250,000 and up to 10 years in jail can be applied when the information was obtained or disclosed with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm. A mandatory additional two years can be added to the sentence for aggravated identity theft.