Inconsistent corrective disciplinary actions. Organizations
have reported terminating some staff while issuing lesser reprimands or suspensions to higher-level staff for the same type of
offense. Staff may interpret this to mean that it is acceptable to
breach privacy or security rules as long as an individual holds
a certain status in the organization. The healthcare industry
should nurture an image of solidarity in enforcing the privacy
and security of protected health information (PHI) in a standardized approach across the workforce, from file clerks to
medical staff members.
Poor compliance. Staff in organizations with less stringent
enforcement may weigh the level of risk to themselves against
the potential advantages; for example, taking home PHI in order to catch up on work over the weekend. Staff who perceive a
lower risk may ignore security and privacy policies designed to
protect PHI. Inequity in sanction application encourages poor
compliance by individuals who know they will escape serious
consequences for breaching privacy and security policies.
Delayed response in applying sanctions. A delayed response
to a violation might imply a lack of commitment to protecting
patient privacy. Delays in applying sanctions place the organization at risk, allowing security risks and violations to go unaddressed. Sanctions must be prompt and suitable to the severity
of the violation so that employees understand the organization
is serious about information privacy and security enforcement.
Erosion of public trust. Public trust is eroded when significant variation is blatantly apparent in how healthcare organizations prevent and manage privacy or security violations both
within and across entities and systems. The public must feel assured their PHI has sufficient protections across the healthcare
spectrum, particularly in this era of HIE.
Weakened position for dispute resolutions. Inequitable application of sanctions can affect the outcome of personnel actions at arbitration and grievance proceedings. Unequal penalties for similar offenses undermine the organization’s ability to
prevail in dispute resolutions.
Vulnerability to civil actions and lawsuits. Healthcare organizations leave themselves open to both individual and class action lawsuits when they do not have a strong, consistent privacy
and security compliance program. Under HITECH, state attorneys general are now authorized to bring civil suits against covered entities on behalf of individuals. The Office for Civil Rights
(OCR) has funded training for attorneys general on how to bring
these suits forward. This new provision strengthens the capabilities of the states and empowers OCR’s overall enforcement.
Vulnerability to penalties and fines. OCR will continue to
increase its enforcement activities, and the federal judiciary is
becoming engaged in enforcing privacy and security violations
and imposing ever-increasing fines. Inconsistent application of
sanctions at the organizational setting may affect how OCR and
the federal judiciary view such issues.
More regulation. Poor and inconsistent implementation of
privacy and security safeguards invites further state and federal
intervention. States are beginning to impose more stringent re-
porting obligations and stiffer penalties on healthcare organizations, business associates, and individuals. Such laws place
an additional administrative and financial burden on organizations. If the industry does not self-correct, then it leaves open
the door to state and federal government intervention. HITECH
has increased the likelihood of federal intervention by requiring regular privacy and security audits as a measure of OCR’s
Research integrity. The validity of research may be called into
question when privacy or security violations are not handled
consistently and expeditiously. Patients are less likely to participate in research studies with an organization that has an inconsistent sanction policy for privacy and security breaches.
It is in the organization’s best interest to address these privacy
and security compliance issues in a proactive manner through
development and agreement on sanction practice guidelines.
Aside from the necessity to ensure patient privacy as an ethical obligation, it is smart business. Failure to do so may result
in harm to the patient as well as the organization. Data breach
notification laws in most states require an organization notify
breach victims, which can damage its reputation.
Healthcare organizations should categorize sanctions according to the nature of the privacy or security incident.† Categorization helps standardize corrective action determinations, assists with trending privacy and security violations, and makes
reporting easier. Two models are depicted below:
Model 1—Categories of Privacy and Security Incidents
In the first model, an organization creates categories defining
the significance and impact of the privacy or security incident to
help guide its corrective action and remediation steps:
x Category 1: Accidental or inadvertent violation. This
is an unintentional violation of privacy or security that
may be caused by carelessness, lack of knowledge, lack of
training, or other human error. Examples of this type of
incident include directing PHI via mail, e-mail, or fax to
a wrong party or incorrectly identifying a patient record.
x Category 2: Failure to follow established privacy and
security policies and procedures. This is a violation due
to poor job performance or lack of performance improve-
ment. Examples of this type of incident include release
of PHI without proper patient authorization; leaving de-
tailed PHI on an answering machine; failure to report
privacy and security violations; improper disposal of PHI;
failure to properly sign off from or lock computer when
leaving a work station; failure to properly safeguard pass-
word; failure to safeguard portable device from loss or
theft; or transmission of PHI using an unsecured method.
x Category 3: Deliberate or purposeful violation without
harmful intent. This is an intentional violation due to
curiosity or desire to gain information for personal use.
Examples of this type of incident include accessing the in-