Even thought the US Office for Civil Rights (OCR) has the discretion to waive a civil penalty for unknowingly violating HIPAA, ignorance of the HIPAA regulations is not a justifiable excuse for failing to implement the appropriate security measures.
It may also be possible to be given a civil penalty for unknowingly breaching HIPAA if the state in which the violation occurs allows people to bring legal action against the person(s) responsible for the violation. Although HIPAA lacks a private right of action, people can still use the regulations to establish a standard of care under common law.
However, OCR prefers to resolve HIPAA breaches using non-punitive measures, such as with voluntary compliance or issuing technical guidance to allow covered entities address areas of non-compliance. A HIPAA violation may occur due to a deliberate act or could take place completely unintentionally by the organization or person responsible. A good example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary information standard is breached.
When PHI is shared, it must be kept to the minimum necessary information to reach the purpose for which it is disclosed. Financial penalties for HIPAA violations can be sanctioned for unintentional HIPAA violations, although the penalties will be at a lower rate to willful violations of HIPAA Rules.
However, if the HIPAA breaches violations are more serious in nature, have been allowed to go on occuring for a long time, or if there are many different areas of noncompliance witnessed, financial penalties may have to be applied.
The two HIPAA penalty categories relevant in relation to unknowingly violating HIPAA are as follows:
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
When calculating the financial penalty to be applied, an organization’s willingness to help with an OCR investigation is also taken into account. The general factors that can impact the level of financial penalty also include previous history, the organization’s financial state and the level of harm caused by the violation.
- Tier 1: Minimum fine of $100 per violation up to $50,000
- Tier 2: Minimum fine of $1,000 per violation up to $50,000