It Was an Innocent Mistake. Is it Also a HIPAA Breach?

A Kantola Learning Minute

A hospital HR department asks about sanctions or disciplinary procedures when there's been a breach of patient privacy. How about when it was an unintentional breach? Find out in this week's Kantola Learning Minute with workplace trainer Linda Garrett, JD.

Hi, my name's Linda Garrett. We had a question from a hospital HR department about the application of sanctions, or disciplinary procedures, when there's been a breach of patient privacy. The reason they ask is that the HIPAA regulations require sanctions any time there is a breach of patient privacy, and their particular situation involved an unintentional breach. It happened by accident; it didn't involve an employee deliberately snooping in a chart. It involved an employee who didn't realize that a second sheet of paper was stuck to the first, and she accidentally mailed a piece of patient information to another person.

In cases like that, it's good to remember that even though the rule requires sanctions, how we apply them and the severity, level of sanctions, depends on the situation we're facing. So we can use discretion to decide, "Is this a case that merely needs retraining? Is this a case that everyone would benefit from some education?" If so, that would be the appropriate sanction. On the other hand, if you do have a more serious matter where an employee was reckless or careless with information and didn't remember if she locked a file cabinet but was in a hurry to leave so left anyway, that might require more serious discipline. And, certainly, if you have an employee who has deliberately gone into a record to snoop on a next-door neighbor or snoop on an ex-boyfriend, that's probably the most serious situation you're going to have, and, typically, the sanction there is going to be termination of employment.

Thanks for watching.
