What is an Employer HIPAA Violation?

United States law has a long-standing principle that individuals are entitled to a remedy when their rights are violated, and HIPAA carries that principle into the workplace. The HIPAA Privacy Rule and HIPAA's general compliance and enforcement provisions give workforce members the right to report suspected violations and protect them from employer retaliation for doing so.

HIPAA itself does not give an individual the right to sue for damages (there is no private right of action under HIPAA), but state laws often prohibit retaliatory action by employers, including retaliation for raising concerns about HIPAA compliance. This article explores what constitutes an employer HIPAA violation in more depth.

HIPAA Laws in the Workplace

HIPAA laws in the workplace give employees both rights and remedies. Under the HIPAA Privacy Rule (45 CFR 164.530(d)), a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule and the Breach Notification Rule, or concerning its compliance with those policies and procedures or with the Rules themselves. That same complaint process must be available to employees who wish to complain about the covered entity's compliance with those Rules.

The Privacy Rule (45 CFR 164.530(g)) also provides that “a covered entity or business associate employer may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by the Privacy Rule or Breach Notification Rule.” An employer HIPAA violation occurs when the employer retaliates against an individual for making a complaint through the employer’s complaint process or otherwise exercising a right under these Rules.

There are additional HIPAA laws in the workplace. HIPAA's enforcement regulations contain a general anti-retaliation provision that applies to both covered entities and business associates, and it is not limited to Privacy Rule complaints.

Under this provision, 45 CFR 160.316, a covered entity or business associate may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for:

  • Filing a complaint with the HHS Secretary;
  • Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing that relates to a claim that the employer may have violated the HIPAA regulations; and
  • Opposing violations of the HIPAA regulations, provided that the individual has a good-faith belief that the practice he or she opposes is unlawful, and that the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of the Privacy Rule. This means that an employee who discloses PHI to the media or to friends is not protected from retaliation. 
    • In some circumstances, however, an employee may divulge PHI without violating HIPAA. Under the Privacy Rule’s whistleblower provision (45 CFR 164.502(j)(1)), a workforce member who believes in good faith that the employer has engaged in unlawful conduct, has otherwise violated professional or clinical standards, or is providing care or conditions that endanger patients, workers, or the public may disclose PHI to three kinds of recipients. The first is a health oversight agency or public health authority that has the authority to investigate or oversee the employer’s conduct. The second is an appropriate healthcare accreditation organization, for the purpose of reporting the alleged failure to meet professional standards or the alleged misconduct by the employer. The third is an attorney retained by or on behalf of the employee, for the purpose of determining the employee’s legal options with regard to the conduct alleged to be improper. A disclosure that meets these conditions is protected whistleblowing activity, and retaliating against the employee for it is an employer HIPAA violation.


HIPAA Employee Rights

An employer HIPAA violation occurs when an employer violates these HIPAA employee rights by taking retaliatory action against employees who complain. Since employees have these rights, what is their remedy?

There are several types of remedies for an employer HIPAA violation of employee rights. The first is provided by HHS, whose Office for Civil Rights is empowered to investigate any allegation of retaliation for filing a complaint. If HHS finds that an employer violated the anti-retaliation rules described above, the organization is subject to civil monetary penalties and corrective action plans. HHS may also permit an organization to settle for a specified amount in lieu of imposing civil monetary penalties.

The second type of remedy for an employer HIPAA violation in the form of retaliation is monetary damages, obtained by filing a whistleblower lawsuit in state court. Many states, by statute or court decision, permit a HIPAA whistleblower to sue over being punished for reporting an employer HIPAA violation. For example, Texas courts have held that the Texas Whistleblower Act prevents certain healthcare organizations from retaliating against employees for making good-faith complaints of violations of the Privacy Rule. Other states give whistleblowers the right to sue under their own whistleblower laws as well. Generally, to prevail in these cases, a plaintiff must show that the retaliation occurred because of the whistleblowing rather than for some other reason (such as the employee having engaged in theft).

In a recent New Hampshire whistleblower case, the employee was terminated after refusing to provide data to a supervisor for what the employee believed was an unauthorized use of PHI. The judge allowed the employee’s wrongful termination claim to proceed to trial, holding that permitting such a claim serves the important public policy of protecting the confidentiality of health records. In a growing number of states, employee rights therefore include the right to pursue a wrongful termination claim under state law, whether under a whistleblower statute or a general wrongful termination doctrine.

HIPAA Termination Procedures

A discussion of what constitutes an employer HIPAA violation would not be complete without addressing when an employee CAN be terminated under HIPAA. The HIPAA Privacy Rule (45 CFR 164.530(e)) requires covered entities to have and apply appropriate sanctions against members of the workforce who fail to comply with the covered entity’s privacy policies and procedures or with the requirements of the Privacy Rule or Breach Notification Rule. Termination is one such sanction: HIPAA permits a provider to terminate an employee for violating the regulations, and a termination imposed for a documented violation is a sanction, not retaliation.

The HIPAA Security Rule contains parallel language on HIPAA termination procedures. Under the administrative safeguards standard (45 CFR 164.308(a)(1)(ii)(C)), a covered entity or business associate must apply appropriate sanctions against workforce members who fail to comply with its security policies and procedures.