workforce disciplinary actions (HIPAA)

Every covered entity must "have and apply appropriate sanctions against members of its workforce who fail to comply" with HIPAA rules or with the organization's own privacy policies and procedures. (Compliance failures by a member of the workforce of a business associate are handled according to the specifications of that contractual arrangement.)

Most organizations will already have policies in place relating to inappropriate workplace conduct, including specification of sanctions for inappropriate use or disclosure of information. If so, HIPAA adds only a requirement that these be formally documented, along with specification of the procedures by which they are to be applied.

The degree and kinds of sanctions associated with various mis-, mal- and non-feasance related to protected health information (PHI) will vary according to each institution's sensibilities about discipline. HIPAA does not provide any specific requirements as to penalties.

Any system of penalties should be reasonable in relation to the violations to which they apply, particularly with regard to deterrence. It can be expected that organizations which do suffer from violations will be judged, in part, on the plausibility of their disciplinary system.

HIPAA has a three-level sanction structure for its own penalties: different fines and jail time obtain for simple violations, violations under false pretenses, and violations with intent of personal or commercial gain.

Most organizations will also have a multi- (though not necessarily three-) level sanction structure for violations, such as:

- training, but no disciplinary action, for inadvertent violations;
- disciplinary action, but not loss of employment, for minor deliberate violations; and
- immediate loss of employment for a serious deliberate violation (or multiple minor ones).
Obviously any attempt to use or disclose information for personal or commercial gain falls into the last of these categories. "Browsing" in PHI-containing records where there is no legitimate business need might fall in the second category in some organizations, or in the third where there is a "zero tolerance" policy. And so forth.
Whatever the policy, it is important that employees be fully and clearly informed in advance of the sanctions structure. This may be done as part of the workforce training efforts required by HIPAA.
Last modified: 11-May-2005 [RC]