The Health Insurance Portability and Accountability Act of 1996 was enacted to establish guidelines and standards for maintaining health information security and confidentiality. Covered entities are mandated by HIPAA legislation to provide their employees with adequate training to ensure HIPAA rules and regulations are understood and diligently followed. Violations can lead to severe consequences such as suspension, loss of your license, and hefty fines. To help you and your staff understand the consequences of a violation better, here is what happens when one takes place.
Deciding on how a HIPAA violation will be handled depends on the offense’s overall seriousness and the crime’s essence. The actions of professional boards, employers, and in some cases, the Department of Justice will depend on certain factors, some of which are:
When a breach occurs, the three phases that follow are investigation, correction, and notification. Organizations look at what caused the breach during the investigation process. The employee involved must be questioned, and it must be handled professionally to make it clear that what happened was serious. After identifying what happened and who was involved, it’s time for corrective action.
Employee discipline for HIPAA violation depends entirely on the type of breach that occurred. Breach definitions, and the recommended disciplinary corrective actions should be in your policy manual. There are three levels of a breach, each with its penalty. Let’s have a look at what they are in more detail:
Disciplinary action isn’t severe at this level, and you shouldn’t terminate or suspend an employee unless they are repeat offenders. Disciplinary action for a level 1 breach should be an oral or written warning, retraining, and coaching.
Accessing the PHI of a high profile client usually leads to termination on the spot to save your reputation due to the story reaching headlines. However, if an employee accesses their family member’s PHI, a written warning will suffice if this is their first violation.
According to the HIPAA Breach Notification Rule, covered entities must notify all affected individuals in writing by first-class mail or email. If necessary, the Secretary of Health and Human Services (HHS) and the media must also be notified.
The requirements of the Breach Notification Rule vary based on the number of individuals affected – usually 500 or more individuals or fewer than 500 individuals. Suppose 500 or more individuals are affected by a breach of PHI. In that case, the covered entity must send a notification to the Secretary no later than 60 days from the discovery of the violation without reasonable delay. If fewer than 500 individuals are affected, the covered entity must submit the notice to the Secretary annually.
Now that we know more about the delivery of notifications let’s look at Civil and Criminal Penalties.
The Department of Health and Human Services Office for Civil Rights can issue civil penalties for HIPAA violations.
Criminal penalties for HIPAA violations can be severe. These cases can be referred to the Department of Justice by The Office for Civil Rights, and penalties are also determined based on a tiered structure, which is set out as follows:
Some of the most common HIPAA violations are:
Should you think you have accidentally violated HIPAA rules or become aware that your employer or a colleague is not complying with the regulations, you should report the matter immediately. If a violation is discovered and corrected internally, it minimizes the chances of penalties imposed by the HHS’ Office of Civil Rights and will prevent a recurrence.
Your employer should have a process for reporting HIPAA breaches, so you should know which steps to follow. Usually, you would report the violation to a manager or supervisor. If you are uncomfortable speaking to that specific person for whatever reason, you should be able to talk to the HIPAA Privacy Officer. Suppose you report a violation internally, and no action is taken. In that case, the matter can be escalated, and a complaint can be filed with HHS’ Office for Civil Rights – the primary enforcer of HIPAA rules.
Now that we know what happens if the HIPAA law is breached and what the consequences and reporting procedures are let’s take a look at what you can do to ensure your company is HIPAA compliant.
Here are some tips to make sure your practice is HIPAA compliant:
Ensuring your company or practice is compliant with the HIPAA law will reduce the risks of breaches and fines. Make sure each new staff member is trained and repeat the training annually. Keeping your staff trained and informed will minimize your risk of being found non-compliant.
Coggno has a wide range of online corporate training courses relating to the HIPAA act. Get started today!