What is an Employer HIPAA Violation?

One of the oldest principles of United States law, dating back to the founding of the country, is that “When there is a right, there is a remedy.” This means that when a law gives someone a right, the person is entitled to a remedy if that right is violated. The remedy may be in the form of money obtained in a civil lawsuit; imprisonment of the person who violated the right; or a court order requiring the person who violated the right to take certain action.

In the case of HIPAA, both the HIPAA Security Rule and the HIPAA Privacy Rule give employees the right to report suspected HIPAA violations to management. If a person exercises that right, and is retaliated against for doing so, the person has a remedy. HIPAA requires employers to refrain from engaging in retaliatory action against employees who have exercised the right to report or complain about their employers’ HIPAA compliance.

While HIPAA itself does not give employees the right to sue the employer for money damages, state law often does. Employers in many states are prohibited from retaliating against employees for refusing to participate in activities that are illegal under state or federal law or regulations. This includes retaliating against employees who exercise their right to report concerns to their employer about the employer’s compliance with the HIPAA privacy and security regulations. What constitutes an employer HIPAA violation is discussed in greater detail below.

HIPAA Laws in the Workplace

HIPAA laws in the workplace provide employees with rights and remedies. Under the HIPAA Privacy Rule, covered entities must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures under the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. Covered entities must also provide a process for employees to make complaints about the covered entities’ compliance with those Rules.

The Privacy Rule also provides that “a covered entity or business associate employer may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by the Privacy Rule or Breach Notification Rule.” An employer HIPAA violation occurs when the employer retaliates against an individual who has made a complaint using the employer’s complaint process. 

There are additional HIPAA laws in the workplace. HIPAA contains a general compliance provision, applicable to covered entities and business associates. 

Under this provision, 45 CFR 160.316, covered entities and business associates may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for:

  • Filing a complaint with the HHS Secretary;
  • Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing, that relates to a claim that an employer may have violated the HIPAA regulations; and
  • Opposing violations of the HIPAA regulations, provided that the individual who opposes the violations has a good-faith belief that the activity he or she is opposing is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of the Privacy Rule. This means that an employee who discloses PHI to the media or friends is not protected from retaliation. 
    • In some circumstances, an employee may divulge PHI without violating HIPAA. An employee’s PHI disclosure will constitute protected “whistleblowing” activity if the employee makes the PHI disclosure to an appropriate healthcare accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the employer. An employee also engages in protected whistleblowing activity when the PHI disclosure is made to a health oversight agency or public health authority that has the authority to investigate or oversee the employer’s conduct. Finally, an employee may disclose PHI, and be protected as a whistleblower, when the employee makes the PHI disclosure to an attorney retained by or on behalf of the employee for the purpose of determining the legal options of the employee with regard to the conduct alleged to be improper.
