While serving as a system privacy officer for a Wisconsin-based healthcare system, the author of this article met regularly with the organization’s president to review privacy and security compliance. This time was spent reviewing breaches that members of the workforce were directly responsible for, as well as the Health Insurance Portability and Accountability Act (HIPAA) sanctions that resulted from their actions. At one point, the president thoughtfully commented that “curiosity not only kills the cat, it can also kill the career.” This profound summation reflected the professional and personal impact of a workforce member’s decision to ignore internal policies as well as state and federal privacy and security regulations. This reflection quickly inspired a new series of HIPAA awareness training and tools, which were rolled out with the eye-catching title “Curiosity Killed the Career.” Subsequent modifications to HIPAA affirmed the need for ongoing training.
Privacy Laws and Potential Fines
The HIPAA Privacy Rule became effective in 2003, and was followed by the HIPAA Security Rule in 2005. The HIPAA Privacy and Security Rules dramatically changed the way healthcare organizations create, manage, safeguard, retain, and destroy confidential protected health information (PHI). They required healthcare organizations to have processes in place to apply appropriate sanctions to workforce members who fail to comply with HIPAA and internal policies.
Personal Risk Key Part of HIPAA
As the HIPAA Privacy Rule evolved, greater emphasis was directed toward unauthorized access, use, and disclosure of patients’ PHI—or breaches, as they are commonly known. Further revisions occurred in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) Act and the 2013 HIPAA Final Omnibus Rule. Together, these rules expanded direct accountabilities to the level of the individual workforce member. As a result, the healthcare organization no longer had to bear sole responsibility for the acts of a rogue workforce member.
The Department of Justice assigns criminal penalties for individuals who knowingly or maliciously misuse patient PHI. The penalties are structured as follows:
Covered entities/individuals that “knowingly” obtain or disclose PHI can face a fine of up to $50,000, as well as imprisonment up to one year.
Covered entities/individuals who commit offenses under false pretenses face penalties of up to a $100,000 fine, with up to five years in prison.
Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm can face fines of $250,000 and imprisonment up to 10 years.[1]
Regardless of established administrative, physical, and technical safeguards, a healthcare organization cannot always control the actions of the rogue workforce member. Until HIPAA directed compliance responsibilities to the individual level, the healthcare organization was often left standing alone as the responsible party for a HIPAA breach. Once it became clear that an individual workforce member could suffer personal consequences as a result of their failure to safeguard PHI, it raised the stakes considerably.
In 2009, Huping Zhou of Los Angeles, CA was sentenced to
By Nancy Davis, MS, RHIA, CHPS