Should the Health Insurance Portability and Accountability Act of 1996 (HIPAA) be violated, the Office for Civil Rights (OCR) determines the penalties to be paid. The OCR, part of the Department of Health and Human Services, may issue financial penalties alongside corrective action plans to raise standards in the negligent organisation.
The power to levy financial penalties was awarded to the OCR as part of the Enforcement Final Rule of 2006. The fines can be issued against both the covered entities (CEs) and their business associates.
After the creation of the Health Information Technology for Economic and Clinical Health Act, the financial penalties payable for HIPAA violations were updated. The update came in the form of the Omnibus Rule, which took effect from March 2013. The penalties now apply to healthcare clearinghouses, health plans and healthcare providers (that is, all CEs) and to their business associates.
Financial penalties serve two primary purposes. First, they are a major deterrent to those who may violate HIPAA legislation. They also ensure that the CEs are held accountable for their negligent actions, again safeguarding against a breach of patient privacy. Ignorance is not considered a legitimate excuse for breaching HIPAA legislation, though it will usually attract a lesser fine than willful violation.
What counts as a HIPAA violation?
When a CE, or one of their associates, does not follow the rules and regulations stipulated by HIPAA, they are considered to have violated the act. Such breaches may be accidental – for example, bad judgement could lead to an excess of information or personal identifiers being shared with a third party. As HIPAA requires that the minimum amount of information possible must be shared in any circumstance, this would be a breach of the HIPAA Privacy Rule.
Occasionally, willful violations will occur. This often comes in the form of breaking the Breach Notification Rule, whereby any HIPAA violations must be reported within 60 days of the discovery of the violation. Negligence, such as a lack of organisation-wide risk assessments, may also attract fines.
Most violation cases are resolved without financial penalties, which are reserved for serious violations. Instead, companies are charged with changing policies and procedures to ensure future compliance. The OCR may also issue technical advice on maintaining the integrity of private information.
Penalties for non-compliance
HIPAA violations are tiered with regard to severity and the penalties due. Since 2009, both the OCR and state Attorneys General can issue penalties. The latter are more restricted in the penalties they can issue, with a minimum fine of $100 per violation and a maximum fine of $25,000 per violation category. Thus far, only Connecticut, Massachusetts, Indiana, Vermont and Minnesota have prosecuted HIPAA violators, but that number is likely to increase.
There are four categories of HIPAA violation. They are as follows:
Category 1: Violation due to ignorance, where the employee in question could not have reasonably avoided the breach. The company must have tried to abide by HIPAA regulation.
Fine: $100-$50,000 per violation.
Category 2: Violation where the CE should have known what was happening but could not have prevented the situation even with care.
Fine: $1,000-$50,000 per violation.
Category 3: Violation due to willful neglect, though steps have been taken to mitigate any damage.
Fine: $10,000-$50,000 per violation.
Category 4: Violation due to willful neglect, with no attempt to correct the breach.
Minimum Fine: $50,000 per violation.
Usually, for Category 1 violations, the fine is waived in place of other remedies. However, the financial penalty will never be waived in the case of willful neglect.
Each fine is issued per year that the violation is allowed to persist. The maximum annual fine per category is $1,500,000. It may also be applied on a daily basis: if, for example, the breach persisted for 40 days, the fine payable may be multiplied by 40.
Occasionally, HIPAA violations may turn into a criminal case. There are three tiers of criminal violations:
Tier 1: Reasonable cause or no knowledge of the violation – up to 1 year in jail.
Tier 2: Obtaining PHI under false pretences – up to 5 years in jail.
Tier 3: Obtaining PHI for personal gain or with malicious intent – up to 10 years in jail.
Regrettably, criminal HIPAA prosecutions are becoming more common as employees steal health data to sell for profit.
Regardless of whether non-compliance with HIPAA regulation resulted in a breach, the OCR can still issue penalties against the CE or their associates. Non-compliance is usually discovered during the course of a HIPAA audit. The penalties are not usually of a financial nature, though serious breaches may result in one. The usual cause of failure is a lack of organisation-wide risk assessment.