Can an employee be fired for a HIPAA violation?

Could a member of staff find themselves out of a job following a violation of the Health Insurance Portability and Accountability Act, commonly known as HIPAA? If a HIPAA covered entity finds out that an employee has broken or disregarded HIPAA rules, can that employee be fired?

The HIPAA Enforcement Rule came into law in March 2006. Since that time, the United States Department of Health and Human Services’ Office for Civil Rights has been invested with the power to impose and collect fines on actors who are found to have violated HIPAA rules. This applies to entities that are found to have been negligent in implementing the provisions required to stay within the bounds of the law, or that are found to have wilfully or recklessly broken HIPAA rules. Such organizations can be liable for large financial penalties. However, many individual employees also wonder or worry about whether they themselves could be held liable or face similar penalties for breaching HIPAA or endangering patient privacy.

Do HIPAA covered entities see HIPAA breaches as terminable offences?

Do organizations in the healthcare space regard HIPAA violations as grounds for dismissing an employee? To a certain degree, this may depend on the severity of the violation, as well as the circumstances and the individual organization. In any case, all HIPAA violations should be thoroughly investigated by the organization, as one HIPAA violation may hide another, or be indicative of a more significant or recurrent problem.

On receiving notification of a possible HIPAA breach, be this from an employee, a patient, or another party, HIPAA covered entities will commence an investigation to determine, first of all, whether a violation did indeed occur. If the reports are found to be accurate and there has been a breach of a HIPAA rule or rules, they will continue their investigation to find out how the incident happened, as well as what it could mean for the patient whose protected health information has been improperly treated. They will also consider what legal questions may be relevant in each case and how regulators are likely to respond. It is important for healthcare organizations to prevent similar breaches from occurring in the future, as being seen to repeat the same mistakes is even worse than being seen to make the mistake in the first place.

If an employee accesses protected patient data unintentionally, in good faith and within their remit (e.g. a doctor opening and reviewing the file of the wrong patient), this is not considered a reportable HIPAA breach and likely would not lead to disciplinary action, especially if the file was correctly stored and transmitted.

Other violations are not so innocuous and are not easily tolerated. Different organizations will follow different rules. Employees can lose, and have lost, their jobs following HIPAA violations. Beyond being fired, individuals may also face legal sanctions or sanctions from their professional governing body, such as nursing boards or other similar entities.