HIPAA requires that healthcare providers, insurance companies, and other so-called “covered entities” implement sanctions against employees who violate HIPAA-related policies and procedures. A sanction policy outlines the circumstances under which a covered entity will impose a penalty on an employee, and specifies the nature of the action to be taken. It’s critically important that workers understand such policies, and by extension, that they understand the full implications of violating HIPAA’s Privacy Rule.

HIPAA does not dictate the specific disciplinary actions that employers must take against workers who break the rules, but covered entities should be clear about the actions that will be taken, and should always aim to enforce the rules consistently. 

Organizations that violate HIPAA could face fines and penalties ranging from $100 to several million dollars, depending on three factors:

  • Was the disclosure of protected health information (PHI) intentional or accidental?
  • Was it part of a larger pattern of negligence or malicious behavior?
  • Was the information merely exposed, or was it used for nefarious purposes?

If covered entities are lax in their efforts to safeguard PHI, they could face especially steep fines. HIPAA penalties are generally applied on a “per incident” basis. If poor practices result in multiple patient records being exposed (or even potentially exposed), the fines could quickly add up to six figures, seven figures, or more.

The Penalty Should Fit the Infraction

Just as the Office for Civil Rights (OCR) imposes stiffer penalties in cases where there is a broad pattern of negligence and/or where there is malicious intent, covered entities should consider sanction policies that apply the appropriate level of penalty for any given situation.

An employer might, for instance, create a three-tiered approach in which a “Level I Violation” amounts to an accidental oversight, with limited consequences to the privacy of PHI. Examples of such infractions might include leaving a computer workstation unattended without first locking the screen, sharing one’s password with another employee, or requesting that another employee access PHI on their behalf.

These kinds of infractions should be taken seriously, but they generally merit a warning or additional training rather than harsher penalties, especially if it’s a first offense.

Level II infractions might include release of PHI without proper authorization, accessing PHI without a legitimate reason, or using another employee’s credentials to access PHI. In this case, penalties might include a sterner warning or temporary suspension.

The most serious infractions might include using PHI for personal gain, deliberately releasing PHI to unauthorized parties, or destroying PHI without permission. In these cases, termination of employment would be appropriate.

In every case, violations and sanctions should be recorded and made part of the employee’s human resources file. In the case of repeat violations, this information may be needed to document a pattern of neglectful behavior to support a case for terminating the employment relationship. 

Exceptions to a HIPAA Sanction Policy

When writing a HIPAA sanction policy, it’s also a good idea to specify the kinds of situations that merit exception. If an employee is engaged in whistleblower activities, for example, the organization may need to carve out some narrow exceptions. If employees are actively participating in a formal investigation, likewise, limited exceptions to a HIPAA sanction policy might apply.

In any case, exceptions should be fairly specific, and must be crafted narrowly, so that they do not provide loopholes for employees who genuinely violate the organization’s HIPAA policies and procedures.