Things Employees and Employers Should Know About HIPAA Sanction Policies

Health care is a highly regulated industry when it comes to protecting private information. Employees and patients have come to expect that medical practitioners and other healthcare companies have adequate measures to protect their personal data.

All the workforce members, including employers and employees, are expected to comply with the privacy and information security policies and the HIPAA Rules.

Both employers and employees shall be subject to sanctions, including termination for failure to comply with the established policies and procedures or the HIPAA Rules.

Violations of information security policies or privacy and procedures or the HIPAA Rules will result in an appropriate sanction to be determined on a case-by-case basis.

The type of sanction to be meted out depends on the severity of the violation. It checks whether the HIPAA violation was intentional or unintentional, whether the violation indicates a pattern of improper use or disclosure of PHI, and other relevant considerations.

What Does HIPAA Stand For?

Photo by Francisco Venâncio on Unsplash

HIPAA rule was established by the Health Insurance Portability and Accountability Act of 1996.

According to the U.S. Department of Health and Human Services (HHS), HIPAA allows for the necessary sharing of information to ensure individuals receive high-quality health care while protecting their right to privacy.

Any company or provider with access to protected health information must put measures to comply with HIPAA.

Does HIPAA Apply to All Employers?

Photo by National Cancer Institute on Unsplash

No, however, there are circumstances in which employers are subject to HIPAA regarding safeguarding the integrity, confidentiality, and security of Protected Health Information. These circumstances may be few, but it is vital employers are aware of their compliance obligations when they occur.

HIPAA imposes a range of requirements, but the provisions relevant to all subject entities pertain to the security and privacy of health-related information.

By understanding applicable HIPAA rules for employers, it is possible to identify your potential risks and put a plan to help mitigate your exposure.

What Is the HIPAA Sanction Policy?

The sanction policy intends to specify enforcement, penalty, sanction, and disciplinary actions that may result from a violation of policies regarding the privacy and protection of an individual’s information and offer guidance on how to comply with the required standards.

Factors That May Modify the Application of Sanctions:

Sanctions may be modified based on mitigating factors. Factors may reflect more significant damage caused by the breach, thus working against the offender, and increasing the penalty.

Examples include:

• Multiple offenses
• Harm to the breach victim(s)
• Breach of specially protected information such as HIV-related, psychiatric, substance abuse, and genetic data
• A high volume of people or data affected
• High exposure to the institution
• Large organizational expenses incurred, such as breach notifications
• Hampering the investigation
• The negative influence of actions on others

Factors That Could Mitigate Sanctioning Could Include:

• The breach occurred because of attempting to help a patient
• Victim(s) suffered no harm
• The offender voluntarily admitted the breach and cooperated with the investigation
• Offender showed remorse
• The action was taken under pressure from an individual in a position of authority
• An employee was inadequately trained

Sanction process

The HIPAA regulations require that imposed sanctions be consistent across the board irrespective of the violator’s status, with comparable discipline imposed for similar violations. This practice will enable the application of general principles that will lead to fair and consistent outcomes.

Sanction implementation will follow the following steps. However, depending on the Category level of the incident, an escalated process can be followed if the cause is shown:

• Documented conference with recommendations for additional, specific, recorded training, if necessary.
• First written warning (and training, as above, if warranted).
• Final warning, with or without suspension, with or without pay (training included if warranted).
• Severance of formal relationship: employment, contract, medical staff privileges, volunteer status.

Becoming HIPAA compliant

Photo by Luis Melendez on Unsplash

Although HIPAA’s main aim is to improve the manageability and continuity of healthcare insurance plans, employers should still gain a familiarity with the law and potential areas that may affect them.

Employers’ HIPAA compliance can often result in stronger data security and standardized processes that benefit an employer’s benefits administration procedures.

What are some common HIPAA violations?

 The following types generally categorize reported incidents:

• IT/hacking incidents: inappropriate data access because of an outside intrusion in the form of malware or other system break-ins.
• Loss/theft: For instance, when a device storing protected health information is lost or stolen.
• Unauthorized disclosure/access: Disclosing an individual’s private information to a third party without proper approval to receive such information.
• Improper removal: The disposal of protected health information without the implementation of reasonable safeguards, such as shredding paper documents.

HIPAA rules for employers

Photo by National Cancer Institute on Unsplash

There are five rules employers should pay close attention to in the HIPAA law, and they need to consider them carefully when it comes to compliance.

Privacy and personal health information rule

HIPAA defines PHI broadly. However, it typically includes demographic and contact information, such as name and address, and a Social Security number related to an individual’s past, present, or future health status.

HIPAA rules mandated that covered entities should provide notice regarding privacy practices and how PHI may be shared or used. The law is specific when it comes to patient rights, what must be included and when information must be presented.

Electronic security rule

This rule requires physical, technical, and administrative safeguards to be put into place to protect individuals’ health information. Covered entities and their business associates are responsible for securing protected health information electronically.

Compliance is taken very seriously by the regulators, with penalties ranging up to $50,000 per violation and the potential of enforcement action in egregious cases.

Breach notification rule

Under this rule, covered entities and business associates must report any breach that compromises an individual’s protected health information.

Administrative simplification regulation

The administrative simplification provisions maintain the standard of the electronic exchange of healthcare information. National standards were set for code sets, electronic transactions, and unique identifiers. Employers must use their Employer Identification Number for tax reporting as their identifier for all HIPAA transactions.

Omnibus rule

The Omnibus expanded liability for business associates and instituted bigger punishment for noncompliance. Additional rules prevent employers from sharing certain information about an employee’s health plan when they pay for medical services out of pocket. 

Companies that may be defined as business associates will need to understand how their responsibilities have changed and make appropriate adjustments to their HIPAA policies or procedures.

HIPAA considerations for employees

Employees who have access to protected health information should be educated on their responsibilities and be given information on how to report a suspected breach. To reduce the risk of a HIPAA violation on the part of employees, their training should include the following:

• Never share your password.
• Never transmit sensitive information via text message.
• Check ID badges of those requesting private health information.
• Do not leave your work area without locking your securing data or computer screen.

Conclusion

The purpose of sanction policies is to furnish a framework of consistent and appropriate sanctions for violations of Privacy and Information Security policies and procedures. In line with any related Human Resource disciplinary policies, the HIPAA Rules will be enforced against workforce members in violation of the HIPAA Rules.

Violating the HIPAA rules can result in anything from a small fine to jail time. That is why it is important to know the penalties for HIPAA violations.

While you do not want to commit any violation, you should mitigate it. Then, you can lower your potential fines and take steps to prevent future problems.