Journal of AHIMA - October 2011

Inconsistent corrective disciplinary actions. Organizations have reported terminating some staff while issuing lesser reprimands or suspensions to higher-level staff for the same type of offense. Staff may interpret this to mean that it is acceptable to breach privacy or security rules as long as an individual holds a certain status in the organization. The healthcare industry should nurture an image of solidarity in enforcing the privacy and security of protected health information (PHI) in a standardized approach across the workforce, from file clerks to medical staff members.

Poor compliance. Staff in organizations with less stringent enforcement may weigh the level of risk to themselves against the potential advantages; for example, taking home PHI in order to catch up on work over the weekend. Staff who perceive a lower risk may ignore security and privacy policies designed to protect PHI. Inequity in sanction application encourages poor compliance by individuals who know they will escape serious consequences for breaching privacy and security policies.

Delayed response in applying sanctions. A delayed response to a violation might imply a lack of commitment to protecting patient privacy. Delays in applying sanctions place the organization at risk, allowing security risks and violations to go unaddressed. Sanctions must be prompt and suitable to the severity of the violation so that employees understand the organization is serious about information privacy and security enforcement.

Erosion of public trust. Public trust is eroded when significant variation is blatantly apparent in how healthcare organizations prevent and manage privacy or security violations both within and across entities and systems. The public must feel assured their PHI has sufficient protections across the healthcare spectrum, particularly in this era of HIE.

Weakened position for dispute resolutions. Inequitable application of sanctions can affect the outcome of personnel actions at arbitration and grievance proceedings. Unequal penalties for similar offenses undermine the organization’s ability to prevail in dispute resolutions.

Vulnerability to civil actions and lawsuits. Healthcare organizations leave themselves open to both individual and class action lawsuits when they do not have a strong, consistent privacy and security compliance program. Under HITECH, state attorneys general are now authorized to bring civil suits against covered entities on behalf of individuals. The Office for Civil Rights (OCR) has funded training for attorneys general on how to bring these suits forward. This new provision strengthens the capabilities of the states and empowers OCR’s overall enforcement.

Vulnerability to penalties and fines. OCR will continue to increase its enforcement activities, and the federal judiciary is becoming engaged in enforcing privacy and security violations and imposing ever-increasing fines. Inconsistent application of sanctions at the organizational setting may affect how OCR and the federal judiciary view such issues.

More regulation. Poor and inconsistent implementation of privacy and security safeguards invites further state and federal intervention. States are beginning to impose more stringent re-

Practice Brief

porting obligations and stiffer penalties on healthcare organizations, business associates, and individuals. Such laws place an additional administrative and financial burden on organizations. If the industry does not self-correct, then it leaves open the door to state and federal government intervention. HITECH has increased the likelihood of federal intervention by requiring regular privacy and security audits as a measure of OCR’s enforcement.

Research integrity. The validity of research may be called into question when privacy or security violations are not handled consistently and expeditiously. Patients are less likely to participate in research studies with an organization that has an inconsistent sanction policy for privacy and security breaches.

It is in the organization’s best interest to address these privacy and security compliance issues in a proactive manner through development and agreement on sanction practice guidelines. Aside from the necessity to ensure patient privacy as an ethical obligation, it is smart business. Failure to do so may result in harm to the patient as well as the organization. Data breach notification laws in most states require an organization notify breach victims, which can damage its reputation.

Sanctioning Models

Healthcare organizations should categorize sanctions according to the nature of the privacy or security incident.† Categorization helps standardize corrective action determinations, assists with trending privacy and security violations, and makes reporting easier. Two models are depicted below:

Model 1—Categories of Privacy and Security Incidents

In the first model, an organization creates categories defining
the significance and impact of the privacy or security incident to
help guide its corrective action and remediation steps:
x Category 1: Accidental or inadvertent violation. This
is an unintentional violation of privacy or security that
may be caused by carelessness, lack of knowledge, lack of
training, or other human error. Examples of this type of
incident include directing PHI via mail, e-mail, or fax to
a wrong party or incorrectly identifying a patient record.
x Category 2: Failure to follow established privacy and
security policies and procedures. This is a violation due
to poor job performance or lack of performance improve-
ment. Examples of this type of incident include release
of PHI without proper patient authorization; leaving de-
tailed PHI on an answering machine; failure to report
privacy and security violations; improper disposal of PHI;
failure to properly sign off from or lock computer when
leaving a work station; failure to properly safeguard pass-
word; failure to safeguard portable device from loss or
theft; or transmission of PHI using an unsecured method.
x Category 3: Deliberate or purposeful violation without
harmful intent. This is an intentional violation due to
curiosity or desire to gain information for personal use.
Examples of this type of incident include accessing the in-