Penalties for HIPAA breaches can be applied by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. Along with financial penalties, covered bodies are required to implement a corrective action plan to bring policies and procedures up to the standards required by HIPAA.
The Health Insurance Portability and Accountability Act of 1996 imposed a number of requirements on HIPAA-covered bodies to secure the Protected Health Information (PHI) of patients and to strictly control when PHI can be shared, and with whom.
Since the Enforcement Final Rule of 2006, OCR has been able to issue financial penalties (and/or corrective action plans) to covered bodies that fail to comply with HIPAA Rules.
Financial penalties for HIPAA breaches were updated by the HIPAA Omnibus Rule, which brought penalties in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule was enforceable from March 26, 2013.
Since the introduction of the Omnibus Rule, the new fines for HIPAA violations apply to healthcare suppliers, health plans, healthcare clearinghouses and all other covered bodies, as well as business associates (BAs) of covered bodies that are found to have breached HIPAA Rules.
Financial penalties are intended to act as a deterrent to stop the violation of HIPAA laws, while also ensuring covered bodies are held accountable for their actions – or absence of them – when it comes to safeguarding the privacy of patients and the confidentiality of health data, and supplying patients with access to their health records on request.
The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the breach. OCR calculates the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.
Not being aware of HIPAA Rules is no excuse for failing to comply with HIPAA Rules. It is the responsibility of each covered body to ensure that HIPAA Rules are understood and adhered to. In cases where a covered body is found to have committed a willful violation of HIPAA laws, the maximum fines apply.
What Makes up a HIPAA Violation?
There is much discussion regarding HIPAA violations in the media, but what makes up a HIPAA violation? A HIPAA violation is when a HIPAA covered body – or a business associate – does not comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.
A violation may be intentional or unintentional. An example of an unintentional HIPAA violation is when too much PHI is shared and the minimum necessary information standard is breached. When PHI is shared, it must be restricted to the minimum necessary information to achieve the aim for which it is disclosed. Financial penalties for HIPAA violations can be applied for unintentional HIPAA violations, although the fines will be at a lower rate than for willful violations of HIPAA Rules.
An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients beyond 60 days after the discovery of a breach – a breach of the HIPAA Breach Notification Rule.
Many HIPAA breaches are due to negligence, such as the failure to perform a group-wide risk assessment. Financial penalties for HIPAA breaches have often been issued for risk assessment failures.
Fines for HIPAA violations can, in principle, be issued for any HIPAA violation, although OCR typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered body or business associate’s plan to address the violations and change policies and procedures to stop future violations from happening. Financial penalties for HIPAA violations are only applied in the most serious violations of HIPAA Rules.
HIPAA Violation Classifications Explained
What happens if you violate HIPAA? That depends on the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.
The four categories used for the penalty structure are as follows:
- Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
- Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
- Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
- Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for a covered entity to be issued with a fine. OCR appreciates this, and has the discretion to waive a financial penalty. The penalty cannot be waived if the violation involved willful neglect of the Privacy, Security and Breach Notification Rules.
HIPAA Violation Penalty Structure
Each category of violation has a different HIPAA penalty. It is up to OCR to calculate a financial penalty within the appropriate range. OCR considers a number of factors when calculating penalties, including the length of time a violation was allowed to persist, the number of people impacted and the nature of the data exposed. A group’s willingness to help with an OCR investigation is also considered. The general factors that can impact the level of financial penalty also include previous history, the group’s financial condition and the level of harm caused by the breach.
- Category 1: Lowest fine of $100 per breach up to $50,000
- Category 2: Lowest fine of $1,000 per breach up to $50,000
- Category 3: Lowest fine of $10,000 per breach up to $50,000
- Category 4: Lowest fine of $50,000 per breach
The fines are issued per breach category, per year that the violation was allowed to take place. The maximum fine per violation category, in a calendar year, is $1,500,000.
A data breach or security incident that happens due to any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any breach of HIPAA rules, however small.
A fine may also be imposed on a daily basis. For instance, if a covered body has been denying patients the right to access copies of their medical records, and has been doing so for a period of one year, OCR may decide to apply a penalty per day that the covered entity has been in breach of the law. The penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical histories.
HIPAA Violations and Criminal Penalties
Criminal penalties for HIPAA violations are split into three separate tiers, with the term – and an accompanying fine – determined by a judge using the facts of each individual case. As with OCR, a number of general factors are taken into account which will affect the penalty applied. If an individual has made money from the theft, access or disclosure of PHI, it may be necessary for all monies received to be given back, in addition to the payment of a fine.
The levels of criminal penalties for HIPAA violations are:
- Level 1: Reasonable cause or no knowledge of breach – Up to 1 year in prison
- Level 2: Obtaining PHI under false pretenses – Up to 5 years in prison
- Level 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in prison
In recent times, the number of workers found to be accessing or stealing PHI – for various reasons – has risen. The value of PHI on the black market is considerable, and this can be a big temptation for some people. It is therefore vital that controls are put in place to restrict the opportunity for individuals to illegally take patient data, and for systems and policies to be put in place to ensure improper access and theft of PHI is identified swiftly.
All staff likely to have access to PHI as part of their work duties should be advised of the HIPAA criminal penalties and that violations will not only result in loss of employment, but potentially also a lengthy jail term and a heavy fine.
State attorneys general are targeting data theft and are keen to make examples out of people found to have violated HIPAA Privacy Rules. A prison sentence for the theft of HIPAA data is therefore highly probable.