At a recent HIPAA seminar in Dallas, a seminar attendee asked me what I thought about zero tolerance for HIPAA violations by workforce members. I answered that I did not approve of the concept and told her why.
But before we could consider the issue, we had to define what she meant by zero tolerance. She meant that, if you commit a HIPAA violation, the covered entity will fire you—zero tolerance for any HIPAA violation, including violations of the covered entity’s policies and procedures for protecting PHI. By that definition, I believe that a zero tolerance policy is a mistake. If, however, you define zero tolerance to mean that a workforce member who violates HIPAA or your HIPAA policies and procedures faces appropriate disciplinary action under your sanction policy, I’m all for it.
The sanction policy required by the Security Rule’s administrative safeguards standards is a statement of progressive discipline, such as a verbal warning, written reprimand, suspension of access privileges, suspension of employment (without pay, of course—otherwise, it sounds like a vacation to me), termination of employment, and, in an appropriate case, referral to law enforcement or to professional licensure or disciplinary authorities. You select the appropriate sanction based on the past record of the offender and the seriousness of the offense.
The problem with zero tolerance as defined by the question is that it does not consider the past record of the offender or the seriousness of the offense but, rather, punishes everybody the same way: termination of employment. Why fire a good employee who has never messed up before but who forgets to log off, in violation of your workstation use policy, when you discover the lapse within 20 seconds and no unauthorized person was in the vicinity to see what was on the screen? Such a breach of your policy did not result in a breach of confidentiality, although it could the next time it happened. Thus, you should take some disciplinary action, but termination? A verbal warning (do it again and the sanction gets more serious), a written reprimand, and/or some additional HIPAA training would appear to be more appropriate. Save the termination for the transcriptionist who is discussing a patient’s genital herpes at a party where the patient is present.
If you fire people for forgetting to log off when no harm results, you put that lapse on the same level as discussing a patient’s STD at a party, which is clearly a much more serious breach. Or, as happened recently, on the same level as a doctor posting on Facebook how dumb her patient is. (She was fired and fined by her licensure authority.)
So your “zero tolerance policy” should consist of thoroughly investigating any report of a breach and taking appropriate disciplinary action under your sanction policy rather than having a knee-jerk reaction—“HIPAA violation, fire them!” Save termination and, in an appropriate case, referral to law enforcement or to professional licensure or disciplinary authorities for the serious breaches. See my most recent book, How to Handle HIPAA Breaches, Complaints, and Investigations: Everything You Need to Know, for more details on how to investigate and handle a breach. It’s coming soon.