Human Resource Blog



Employee Violated HIPAA

I have an employee who I believe is giving out personal information on residents, specifically who is ill or hospitalized, who has had visitors, etc., as well as changes that have been made within the home, such as copying memos to pass along, updates on current and new staff, etc., to a former employee who knows all of the residents. This information has also been passed on to a resident’s family member. I am pretty sure the information on residents is a HIPAA violation. Do I need proof to fire the employee and/or report her? Thank you.

The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities comply with requirements to protect the privacy and security of health information. Covered entities are healthcare plans, healthcare providers, healthcare clearinghouses and their business associates. Common covered entities include doctors, clinics, company health plans and government programs that pay for healthcare.

The HIPAA Privacy Rule protects “individually identifiable health information”, including data that relates to:

  • an individual’s past, present or future physical or mental health or condition,
  • the provision of health care to an individual, or
  • the past, present, or future payment for the provision of health care to an individual;

and data that identifies an individual or for which there is a reasonable basis to believe it can be used to identify an individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

It sounds like your employees perform direct care to residents and have access to residents’ medical information; thus, you’re most likely required to comply with HIPAA. Under HIPAA’s Breach Notification Rule, covered entities must provide notification to appropriate patients following an impermissible use or disclosure of protected health information. There are exceptions to the notification rule which can be viewed at Also, reporting a breach to the Department of Health & Human Services is required if it affects a large number of people.

There is no requirement under HIPAA that an employee be terminated for a violation. But you still must conduct an investigation to determine if a breach occurred. So, gather any physical evidence (e.g., emails, phone logs, etc.) to validate your claim and meet with anyone you believe may have information about the situation.

Hopefully, after the investigation is complete you will have a good understanding of the employee’s conduct. Then, the appropriate disciplinary action should be taken.

Many companies will consider outright violations of HIPAA to warrant termination. If there is not enough evidence to prove a HIPAA violation occurred, then you should consider if the employee’s conduct violated any internal company policies or procedures. If so, the regular disciplinary action for such should be followed. If your investigation yields absolutely no evidence of the suspected wrongdoing then it’s best to ensure the employee is adequately trained on her duties and responsibilities under both HIPAA and company policies/procedures.

Lastly, part of being HIPAA compliant is training employees on their responsibilities under the law, having plans/policies in place to prevent violations, and imposing corrective actions and consistently applied disciplinary measures when a violation has occurred.


This entry was posted on Monday, March 13th, 2017 at 6:46 pm and is filed under
Human Resources Management.