HIPAA ~ HIPAA Sanctions:
From Warnings To Termination, You Must Show Determination
Published on Mon Jan 01, 2007
With sanctions policies, 'shame on you' just won't do. Not having a sanctions policy in place means you're not only giving potentially harmful employees free rein to make damaging HIPAA abuses -- you're also breaking the law.
According to the reg, "a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity...." That doesn't mean you have to spell out what disciplinary actions you'll take for Health Insurance Portability and Accountability Act (HIPAA) non-compliance, but it does require you to create -- and make available for employees -- your own policy.
But for an environment in which potential violations could run the gamut from minor to extreme, should disciplinary actions be spelled out? Yes, say many HIPAA experts -- but only when specificity is feasible.
"[Some] people set up their privacy rule violations on a grade where it's unintentional versus intentional," says Robert Markette, an attorney with Gilliland & Caudill in Indianapolis.
Get specific: Markette advises facilities to include the types of potential violations in their policies and procedures and to include in what manner employees would bedisciplined in specific situations. "Obviously, you'll have to improvise when something unanticipated comes up, but you need to put the employees on notice [about the most egregious violations]," he says.
While you may have to "improvise" when it comes to sanctioning an employee for a HIPAA breach, what's more critical is to make sure staff know there are consequences for improper disclosures and other HIPAA violations.
Enforcement a must: "If staff doesn't really believe there are going to be any consequences [for HIPAA breaches], then we're doomed," notes Patricia Johnston, a consultant with Texas Health Resources (THR) in Arlington.
Johnston says she makes an effort not to focus on the negative, but says employees must be reminded that there are consequences for non-compliance with the facility's policies that can include termination. Implement This 3-Level Policy Johnston tells Eli she's broken down THR's sanctions policy into three levels of non-compliance: 1) carelessness; 2) curiosity; and 3) maliciousness, willfulness or non-compliance for personal gain. Here's an example of each level: Level 1: An employee faxes PHI to the wrong location. This happens all the time at many facilities, says Johnston. Level 2: An employee knows he probably shouldn't be looking at a document or computer file he shouldn't have access to, but does so anyway. For example, the employee may recognize a patient as a neighbor and could take a peek at the latter's chart. Level 3: An employee willfully and maliciously obtains PHI for the purpose of selling the data or to defame someone. There's obvious harm intended in this situation. Johnston [...]
