The HIPAA Privacy Rule is in place to establish national standards to protect people’s medical records and other health information that can identify them. Due to the sensitive nature of this information, it is crucial that it is kept confidential and doesn’t fall into the wrong hands.
Unfortunately, HIPAA compliance is often violated, resulting in personal information being exposed. Statistics show that between November 2020 and October 2021, there were 655 reported HIPAA breaches involving more than 500 records.
HIPAA rules are taken very seriously and carry serious consequences when they are violated. We’re going to take a closer look at what can be classified as a HIPAA violation, as well as the penalties that go along with it.
What is a HIPAA Violation?
A HIPAA violation happens when there is a failure to follow an aspect of HIPAA standards and provisions. Violations happen when someone’s Protected Health Information (PHI) is either used, accessed, or acquired in such a way that it puts the patient at risk.
The U.S. Department of Health and Human Services Office for Civil Rights is responsible for enforcing HIPAA Privacy and Security rules.
Types of HIPAA Violations
There are many different types of HIPAA violations that the Department of Health and Human Services Office for Civil Rights has outlined. These include, but are not limited to:
- Impermissible disclosure of protected health information (PHI)
- Unauthorized access of PHI
- Inappropriate disposal of PHI
- Failure to keep or monitor PHI access logs
- Failure to provide patients with copies of their PHI when requested
- Texting PHI
Any of these actions and more can result in a HIPAA violation complaint. If you are found guilty, you can face a variety of penalties.
Intentional vs. Accidental HIPAA Violations
While no type of HIPAA violation is welcome, not all are malicious. Some are accidental. An example of an accidental HIPAA violation is failing to log out of a patient’s medical records when leaving a computer. This is clearly different from an intentional violation, where personal information is deliberately shared with people who should not have access to it.
How Are HIPAA Violations Discovered?
HIPAA violations can be discovered in several ways. Sometimes, businesses that recognize they have violated HIPAA rules will self-report. Employers who believe their employees have violated the rules may also report them. In other cases, alleged victims will file a complaint. If it is determined that a violation did occur, it can be classified as criminal or civil.
Criminal HIPAA Violations
When HIPAA violations are intentional, they are classified as criminal. These can come in several different forms.
Theft of Patient Information
When a patient’s information is stolen with the intent to sell it to a third party, it is a crime. If information is obtained for any purpose other than its intended use, it can be considered theft.
Wrongful disclosure occurs when someone purposely uses a person’s name, social security number, or another piece of personal identifying information to obtain PHI or to give it to someone who shouldn’t have it. Penalties for violating HIPAA are greater when the violation is committed under false pretenses, and stricter still when PHI is obtained for personal gain.
Penalties for Violating HIPAA Compliance
Those who violate HIPAA compliance without malicious intent typically will only face civil penalties. Someone may have forgotten to put a file away or may have not known they were doing something wrong, resulting in a HIPAA violation.
Civil penalties can include:
- $100 fine per violation if an individual was unaware they were violating HIPAA rules
- Minimum $1,000 fine if someone had reasonable cause for their actions and was not willfully negligent
- Minimum $10,000 fine per violation for anyone who was acting with willful neglect, as long as they fixed the issue afterward
- Minimum $50,000 fine per violation if someone acted with willful neglect and failed to fix the issue
Criminal penalties for HIPAA violations are much harsher than those for civil violations. They include:
- Fine of up to $50,000 or up to one year in jail for those who deliberately obtain and disclose PHI without permission
- Fine of up to $100,000 and up to 5 years in jail for those who commit violations under false pretenses
- Fine of up to $250,000 and up to 10 years in jail for those who commit the violation for personal gain
As you can see, the penalties for HIPAA violations can be costly and severe. This is why it is in everyone’s best interest to avoid them.
Penalties for HIPAA violations are based on tiers. Each tier represents the severity of the offense. Here’s an explanation of the various tiers.
Tier 1
This first category covers those who could not have prevented the violation: people who did whatever they reasonably could to protect PHI. Fines for this tier can range from $100 to $50,000 per violation.
Tier 2
This category covers those who knew of the violation, even though the violation may still have been inevitable. Willful neglect of HIPAA rules does not fall under this category.
Penalties for violations in this category can range from $1,000 to $50,000 per violation.
Tier 3
A violation that results from willful neglect of HIPAA rules falls under this category, provided the person has tried to correct the issue.
This type of violation carries a penalty of $10,000 to $50,000 per violation. The level of harm can affect the exact amount.
Tier 4
The main difference in this category is that Tier 4 violations involve those who do not try to correct the issue once they recognize it. Consistently failing to log out of a computer or leaving patient records out in the open can fall under this category.
Since it is the most serious offense, it carries the greatest punishment. Each violation faces a minimum fine of $50,000 and may also include jail time.
Penalties can be issued by the Office for Civil Rights or Attorneys General. If an employer notices a violation, they may choose to penalize employees at their discretion.
How to Avoid HIPAA Compliance Violations
Avoiding HIPAA compliance violations is not difficult if you first understand the rules. Businesses should be aware of what constitutes a violation so that they can avoid that action. Other actions to avoid HIPAA compliance violations include:
Completing a Risk Assessment
Checking Wi-Fi security and reviewing other safeguards can help prevent violations. When a risk is identified, it’s important to do everything possible to reduce it.
Training Employees
Be sure all employees are aware of HIPAA rules and how to follow them. A company-wide training session can be helpful, as can posting the rules around the workplace.
In the end, being aware of HIPAA laws and the penalties they carry can help businesses avoid undesirable situations. Educating employees about the rules can also help prevent these violations and keep private information safe and out of the wrong hands.