A HIPAA compliance checklist is the tool to turn to when imposing sanctions on employees for HIPAA privacy breaches. It may feel like a never-ending and thankless task, but consider the alternatives. It can be tempting to adopt a “no harm, no foul” approach to employee sanctions. But this is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things. To that end, your HIPAA Compliance Checklist must also address employee sanctions.
HIPAA is all about protecting PHI
There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI. These penalties have been imposed even where there was no evidence that anyone received or accessed any PHI after the breach occurred.
- The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule. Even in a ransomware attack, an organization could reasonably conclude there is a low probability that the PHI has been compromised. But if it cannot reach that conclusion, it is required to comply with the applicable breach notification provisions. And this is the case even if there is no evidence that the PHI was viewed by anyone else.
- An employee of Cancer Care Group of Indianapolis left unencrypted back-up media in a bag in a car; the car was broken into and the bag stolen. There was no evidence that any information was ever disseminated, but the OCR imposed a penalty of $750,000 on the group.
- In 2014, the OCR imposed a fine of $400,000 on Idaho State University for a breach of unsecured ePHI. This was because the school had left its firewalls disabled for over 10 months! Again, there was no indication PHI was accessed by any unauthorized persons; it was simply not protecting its PHI.
These are just a few examples of settlements, some involving employees failing to follow procedures, or where there were no procedures at all. In these cases, penalties were imposed even though no information was shown to have been accessed by unauthorized parties.
HIPAA compliance requirements do not explicitly link employee sanctions to reportable HIPAA breaches
It is certainly possible to have an unauthorized disclosure that is not a reportable breach. A breach is defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the regulations, where that disclosure compromises the security or privacy of the protected health information.
These days, employees are often the source of breaches, with events ranging from lost laptops to PHI included in social media posts occurring almost daily. It is very important to include a policy on employee sanctions in your HIPAA Compliance Checklist. An employee sanctions policy can and should take into account the potential harm from the unauthorized disclosure. But a “no harm, no foul” approach may leave the organization open to penalties by the OCR.
A HIPAA compliance checklist for employee sanctions policies should address several issues
- The policy should reference Section 164.530 of the Administrative Requirements, which requires covered entities to have and apply appropriate sanctions against members of their workforce.
- Section 6102(b)(4)(F) of the Affordable Care Act also requires that the standards be consistently enforced through disciplinary mechanisms.
- Most policies utilize a Level system, tying the action of the employee and the effect on unauthorized disclosure of PHI to the sanction recommended. Levels could start from situations where an employee did not follow procedures, but there was no unauthorized disclosure of PHI. Levels usually top out at situations where the actions were malicious and willful, causing harm or intending to cause harm to the patient.
- Mitigating factors may be enumerated, and repeated patterns of violation may result in a higher level of discipline.
Employee Sanctions should be standardized
Organizations usually strive to administer most disciplinary policies in a consistent, standardized way. Employee sanctions for HIPAA violations are no different. Inconsistent application can carry consequences ranging from confusing messages to erosion of public trust to vulnerability to penalties and fines.
One way to increase standardization of disciplinary actions is to develop a grid, matching the riskiness of the actions to the level of sanction.
The HIPAA regulations explicitly require organizations to have and apply appropriate sanctions against workforce members who fail to comply with the privacy policies and procedures of the organization. While sanctions can be related to the incident and the potential harm, they also need to demonstrate that the organization is taking seriously its responsibility to protect the privacy of patient information – even when there is no evidence of unauthorized disclosure or when the breach is not reportable.
Regardless of the method you choose to develop employee sanctions, make sure your HIPAA compliance checklist addresses appropriate sanctions, and implement your policies consistently! Healthcare Compliance requirements must be truly effective.