HIPAA states that covered entities must provide training to staff so that the HIPAA Rules and regulations are fully understood. During HIPAA training, healthcare staff should be made aware of the possible ramifications of HIPAA breaches, but what are these penalties, and what will happen if you break the HIPAA Rules?
Consequences of Breaking HIPAA Rules
If you break HIPAA Rules there are four possible results:
- The violation could be handled internally by an employer
- You could be sacked from your position
- You could be hit with sanctions by professional bodies
- You could be charged criminally or hit with a fine
What happens if you break the HIPAA Rules will depend on the extent of the violation. The actions of employers, professional bodies, federal regulators, and the Department of Justice will depend on a number of factors:
- The extent of the violation
- Whether it was known that HIPAA Rules were being breached, or whether, with due diligence, it should have been obvious that HIPAA Rules were being violated
- Whether steps were taken to address the violation
- Whether there was malicious intent or HIPAA Rules were breached for personal profit
- The harm inflicted by the violation(s)
- The number of people affected by the violation
- Whether there was a breach of the criminal provision of HIPAA
HIPAA Violations & Civil Penalties
Civil penalties for HIPAA violations begin at $100 per violation for any person who breaches the HIPAA Rules. The fine can go as high as $25,000 if there have been many violations of the same kind. These penalties are applied when the individual was aware that HIPAA Rules were being breached, or should have been aware had due diligence been exercised. If there was no willful neglect of the HIPAA Rules and the violation was corrected within 30 days of the employee learning that HIPAA Rules had been violated, civil penalties will not be applied.
HIPAA Violations & Criminal Penalties
The criminal penalties for HIPAA violations can be harsh. The minimum fine for willful violations of the HIPAA Rules is $50,000. The highest criminal penalty for a HIPAA violation by one person is $250,000. Restitution may also need to be paid to those affected. In addition to the financial penalty, a prison sentence is likely for a criminal violation of the HIPAA Rules.
As with the penalties for HIPAA violations by HIPAA covered entities and business associates, there are different tiers of penalty.
Criminal violations that occur through negligence carry a prison term of up to 12 months. Obtaining protected health information under false pretenses carries a maximum prison term of five years. Knowingly breaching the HIPAA Rules with malicious intent or for personal profit can lead to a prison term of up to 10 years. There is also a mandatory two-year jail term that applies in cases of aggravated identity theft.