When it comes to HIPAA law, the sanction policy is one of the most important factors employees must be aware of. HIPAA does not mandate exactly how employers must discipline their employees in the workplace. So, we provide our suggested guidelines for HIPAA sanction policies.
In addition to the employer imposed HIPAA sanctions, there are civil and criminal penalties associated with violating HIPAA law.
Those who violate HIPAA may face fines from $100-250,000 per offense (with an annual cap at $1.5 million ) and/or a 1-10 year prison sentence . Employers may find it difficult to enforce sanctions on employees who break the rules. However, it is important to do so consistently for the wellbeing of the company.
Accidental exposures of PHI comprise the majority of these infractions. This includes employees sending PHI via unencrypted email or failing to log out of a database, therefore leaving PHI vulnerable. These offenses may seem small, but they could easily cause a breach.
For this type of violation, we recommend writing a letter of reprimand to the employee. The letter should notify them of their wrongdoing and warn them of punishments for further infractions. It should be stored in their file for 6 years.
If an employee makes the same type of mistake described above again after receiving a warning, their infraction is labeled category two. This also includes first-time serious offenses, like logging in to client/patient information of a neighbor or a relative.
If one of your employees commits a level two infraction, we recommend a written l etter of reprimand and one week’s suspension without pay.
The first and second kinds of infractions typically do not receive any publicity, but that does not make them any less important. In fact, business owners are more likely to have to deal with low-level offenses. These types of HIPAA violations may not seem as serious, but they have the potential to cause just as much harm as level three HIPAA violations.
This type of offense includes the following: repeating low-level mistakes for the third time in three years, repeat mid-level infractions, and very serious infractions intended to cause harm to many people. It is important to note that these violations do not necessarily happen in sequential order. An employee may commit an offense so serious that it is automatically classified as level three, even if it is their first infraction.
We advise employers to dismiss employees who commit this type of infraction. If the case is serious enough, the violation may need to be reported to state or federal authorities. Depending on the severity of the case, they may prosecute the offender.
Needless to say, there are serious penalties for violating HIPAA. Employers must protect their employees by providing them with the training they need to keep PHI safe.