Can employees be fired if they accidentally commit a HIPPA violation? The answer to this question will depend on a range of factors, not least the nature of the HIPAA violation, how the employee responded, and the employer’s own workplace policy.
Whether accidental or not, HIPAA violations are serious events. A HIPAA violation occurs when any healthcare data that contains one of the 18 HIPAA identifiers (such as name, address, license plate etc.) is shared with unauthorized individuals. The presence of these identifiers means that the data is considered to be protected health information (PHI) under HIPAA. This PHI often contains very sensitive material, and it it gets into the wrong hands it could lead to identity theft or insurance fraud. Even without those severe consequences, a patient has the right to keep their medical diagnoses private.
The HIPAA Privacy Rule lays out how PHI can be used and to whom it can be disclosed. Failing to adhere to either of these stipulations is considered a HIPAA breach, even if it was an accident on the part of the employee.
It may be a cliché, but everyone makes mistakes. Accidental HIPAA violations can occur through a variety of means. Falling for a phishing attack, for example, that left PHI exposed would be considered an accidental violation. Sending information to the incorrect recipient (for example, accidentally cc’ing someone or typing the incorrect phone number) would also result in a HIPAA violation.
It is important to note that these are distinct from incidental HIPAA violations, which occur despite the best efforts of those involved. For example, if a doctor walked into the waiting room of a clinic and recognized one of the patients, that would be considered an incidental violation.
As soon as an accidental HIPAA violation is discovered, the organization’s HIPAA Privacy Officer (or, equivalently, their HIPAA Compliance Officer), should be notified. They will be able to assess the magnitude of the breach, and potentially mitigate any further harms. Though it is mandatory to report such violations, doing so quickly can help the employee’s case against termination.
Whilst it is not unprecedented that employees will be fired for HIPAA violations, the penalty will vary between scenarios. The Department for Health and Human Services (DHSS) does not stipulate the remedial actions to be undertaken by employers if someone in their workforce accidentally violates HIPAA. Instead, it will depend on the employer’s own workplace policy.
For more minor violations that are limited in scope (for example, if it only involves a few patients’ PHI, or where the PHI was not made public), the employee may be put on additional HIPAA training courses. More severe cases with broader scope may result in suspension, or even termination. In 2021, a nurse who worked in Jackson Memorial Hospital posted a photograph of a baby with gastroschisis on her Facebook account. This was a clear-cut violation of HIPAA and resulted in the nurse’s termination.
Therefore, whilst there are a range of disciplinary actions that may result from accidental HIPAA violations, it will ultimately depend on the nature of the violation, its scope, and the employee’s record. Nevertheless, it is possible to be fired for accidentally violation HIPAA.