Is a HIPAA Violation Grounds for Termination?
A HIPAA violation can be grounds for termination depending on the nature of the violation, the consequences of the violation, the employee’s prior compliance history, and the sanctions policy of the employer.
In this article we tease out this question. You can also request a copy of our free HIPAA Violations Checklist to understand what is required to ensure full HIPAA compliance.
Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations.
Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy?
Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination?
Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations.
When a HIPAA violation is reported – by an employee, colleague, or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for patients whose privacy has been violated, potential legal issues arising from the violation, and possible action by regulators. Healthcare organizations will be keen to take action to ensure that similar violations are prevented in the future.
When an employee is discovered to have knowingly or unknowingly violated HIPAA Compliance Rules there are likely to be repercussions for the individual concerned.
An unintentional acquisition, access, or use of protected health information by a workforce member in which the acquisition, access, or use was made in good faith and within the scope of authority would not be a reportable breach and may not necessarily result in disciplinary action.
Some healthcare organizations have strict rules on violations of HIPAA Rules and can terminate employees for HIPAA violations. Others have a policy of dealing with minor HIPAA violations internally. Depending on the nature of the violation, the incident may warrant disciplinary action against the individual concerned which could see the employee suspended pending an investigation. Termination for a HIPAA violation is a possible outcome.
The repercussions for a HIPAA violation will depend on the policies in place at an organization and the severity of the violation. A violation of the Minimum Necessary Information Standard may, depending on the circumstances, be considered a matter for internal disciplinary action and not termination. Viewing the medical records of any patient without authorization is likely to result in termination unless the incident is reported quickly, no harm was caused to the patient, and access was accidental or made in good faith.
Recent Cases Where Healthcare Providers Deemed a HIPAA Violation Grounds for Termination
- Employee terminated for sending PHI to business associates
- Nurse terminated for verbally disclosing medical condition of a patient to a physician
- Employee terminated for improper disposal of PHI
- Medical university terminates 13 employees in 2017 for HIPAA violations
- Scrub nurse fired for photographing and sharing images of patient’s genitals
- Healthcare worker fired for accessing medical records without authorization
- TikTok Live Incident Results in Termination and Board of Nursing Investigation
Criminal Penalties for HIPAA Violations
Termination may not be the worst that can happen when HIPAA Rules are violated by employees. Healthcare employees may be found criminally liable for HIPAA violations and cases can be referred to the Department of Justice for prosecution.
Criminal violations of HIPAA Rules can result in financial penalties and jail time for healthcare employees. A fine of up to $50,000 and one year in jail is possible when PHI is knowingly obtained and impermissibly disclosed. A fine of up to $100,000 and five years in jail is possible for violations involving false pretenses, and a fine of up to $250,000 and up to 10 years in jail is possible when HIPAA Rules have been violated for malicious reasons or for personal gain. A further 2 years can be added onto the sentence for aggravated identity theft.
HIPAA Violation Penalties for Employees
HIPAA violation penalties for employees vary from organization to organization. Generally, penalties are split into three or four tiers depending on factors such as whether the violation was unintentional or deliberate, the speed at which the violation was reported, the employee’s cooperation with any subsequent investigation, and whether it was the employee’s first violation.
At the lower end of the scale, HIPAA violation penalties for employees may consist of a verbal warning and/or additional training. As the severity or frequency of violations increases, so do the penalties. Employees may receive a written warning, a suspension, or – if the employee has already received a written warning – their contract may be terminated.
Automatic termination for first offenses is usually reserved for willful, unauthorized theft or disclosure of PHI with malicious or harmful intent that the employee attempts to conceal. In such cases, the employee may also be reported to a licensing board and law enforcement officials if the violation has resulted in a wrongful disclosure of PHI as defined by 42 USC § 1320d-6.
Is a HIPAA Violation Grounds for Termination? FAQs
Can I get fired for an accidental HIPAA violation?
You can get fired for an accidental HIPAA violation if the violation is a serious offence and you have a history of previous accidental HIPAA violations. The decision whether or not you get fired for an accidental violation will depend on the contents of your employer’s sanctions policy; but, if you have already received verbal or written warnings for similar violations, the termination of your contract may be the next step.
What are the HIPAA violation penalties for employees?
The HIPAA violation penalties for employees are set by the employer in the HIPAA sanctions policy. In most cases, the penalty for a first violation with minor consequences will be a verbal warning and/or refresher training. However, if the violation is more serious in nature or follows a previous warning, the penalties can escalate to a written warning, a suspension, or termination of contract.
Does a HIPAA violation stay on your record?
In most cases a HIPAA violation does stay on your record so that, if you violate HIPAA again, your employer can look back to see your previous compliance history before applying an appropriate penalty according to the organization’s sanctions policy. In addition, if you get a criminal record due to violating §1177 of the Social Security Act, the violation will stay on your record indefinitely.
What should you do if you are accused of a HIPAA violation?
What you should do if you are accused of a HIPAA violation depends on who is accusing you and whether the accusation is justified. On the basis that two-thirds of complaints to HHS’ Office for Civil Rights are rejected because there is no case for enforcement, it is clear that a large proportion of the public do not understand what HIPAA is, what information is protected, and how it is protected.
Due to this lack of understanding, if you are accused of a HIPAA violation by a member of the public, the first thing you should do is escalate the complaint to a Privacy Officer. If the complaint is not justified, the Privacy Officer can explain why it is not justified to the member of the public. If it is justified, it is better the Privacy Officer knows about it sooner rather than later to mitigate the consequences.
If you are justifiably accused of a HIPAA violation by a colleague, you should also escalate the accusation to a Privacy Officer – even though you may be penalized for the violation. This is because it is better not to try to hide the violation from the Privacy Officer as the penalties for being found out later could be far worse than what they could be for just the violation alone.
Can you be rehired after a HIPAA violation?
You can be rehired after a HIPAA violation. However, if you were previously employed as a healthcare professional and your previous contract was terminated for a criminal HIPAA violation or a violation considered to be gross misconduct, your license to practice may also have been terminated. If your previous HIPAA violation was a minor offence, it should not prevent you from being rehired – although the previous violation may still be on your employment record.
What is a HIPAA violation in the workplace?
A HIPAA violation in the workplace is any failure to adhere to the policies implemented by an organization to comply with the Administrative Simplification Regulations (i.e., the HIPAA General, Privacy, Security, and Breach Notification Rules, and Part 162 Administrative Requirements). HIPAA violations in the workplace can only occur if the organization is a covered entity or business associate, and not all the HIPAA Rules apply in their entirety in all workplaces.
Will a HIPAA violation show up in a background check?
A HIPAA violation will show up in a background check if the violation relates to §1177 of the Social Security Act. This is because §1177 violations are considered criminal in nature and persons who wrongfully and knowingly acquire or disclose individually identifiable health information can be charged with a misdemeanor – or a felony if the acquisition or disclosure is made under false pretenses and/or was for personal gain, commercial advantage, or to cause malicious harm.
Can you get fired for a HIPAA violation if the violation occurred due to a lack of training?
You can get fired for a HIPAA violation if the violation occurred due to a lack of training if the nature of the violation is considered to be gross misconduct and was an incident you knew – or could reasonably be expected to know – was malicious in nature. For example, dozens of employees have been fired for mistreating care home residents, videoing the mistreatment, and posting the videos on social media. It is difficult to justify that these events – which were all HIPAA violations – occurred due to a lack of training.
Can I get fired for looking at my own medical record?
Whether you can get fired for looking at your own medical record depends on multiple factors. The first consideration is whether – as an employee of a covered entity – you had the authorization to access your medical records. Although HIPAA provides patients with rights to request copies of their medical records, if you did not have authorized access to your medical records you have violated HIPAA via your employer’s policies and procedures.
If you did not have authorized access, whether you get fired for looking at your own medical records depends on your employer’s sanctions policy. If this is your first violation of HIPAA, it is likely you will receive a verbal warning and have to undergo refresher training because the harm that resulted from the violation was minimal. However, if you have a history of violations, your employer could apply tougher sanctions – up to and including the termination of your employment contract.
Can I get fined for an employee HIPAA violation?
You can get fined for an employee HIPAA violation, but only if the nature of the violation is considered to be criminal under §1177 of the Social Security Act (“Wrongful disclosure of individually identifiable health information”). Otherwise, the sanctions for an employee HIPAA violation are as defined by your employer’s sanctions policy and usually consist of refresher training, verbal warnings, written warnings, and – for repeated or serious violations – termination of contract.
Can I sue my employer for a HIPAA violation?
You cannot sue your employer for a HIPAA violation because – under HIPAA – employers are not subject to HIPAA in their role as an employer and there is no private right of action. If your employer has used or disclosed your individually identifiable health information in violation of another state or federal law, it may be possible to sue your employer under that law – but not under HIPAA.
Is it a HIPAA violation if medical information is sent to the wrong person?
It is a HIPAA violation if medical information is sent to the wrong person if the individual sending the information works for a covered entity or business associate – unless the individual is sending the medical information in their role as an employer (for example, a team manager sending an employee’s sick note to the HR Department).
Similarly, it can be a HIPAA violation if non-medical information is emailed by a covered entity to multiple recipients using the “to” or “cc” function. This is because every recipient can see all the other recipients and identify that the other recipients have an implied treatment relationship with the covered entity.
How many nurses have been fired for HIPAA violations?
It is not known how many nurses have been fired for HIPAA violations because information of that nature is rarely in the public domain. When HIPAA violations involving nurses do make the headlines, it is most often for gross misconduct or criminal violations of HIPAA that result in jail sentences for those found guilty of obtaining PHI for personal gain.


