Can You Go To Jail for a HIPAA Violation?

HIPAAGuide.net

You can go to jail for a HIPAA violation if you knowingly and wrongfully use or disclose – or cause to be used or disclosed – individually identifiable health information maintained by a covered entity. In addition, an individual or organization can be fined and/or added to the HHS OIG Exclusion List.

The penalties for violating HIPAA vary depending on the “HIPAA status” of the individual or organization responsible for the violation and the nature of the violation. The penalties can also be affected by the degree of harm, the number of people affected, and the compliance history of the individual or organization responsible for the violation.

HIPAA Statuses Explained

In the context of the penalties for HIPAA violations, the term “HIPAA status” refers to the amount of responsibility an individual or organization has for HIPAA compliance.

An individual may be a sole proprietor or single-member LLC that qualifies as a covered entity or business associate, or a member of the workforce of a covered entity or business associate. An organization is more likely to be a corporation or multi-member LLC that qualifies as a covered entity, or as a business associate if the service it provides to a covered entity involves creating, receiving, maintaining, or transmitting Protected Health Information on the covered entity’s behalf.

Compliance Responsibilities for Covered Entities

If an individual or organization is a covered entity, they must comply with all applicable HIPAA standards – including conducting due diligence on business associates, developing policies to comply with HIPAA, providing appropriate HIPAA training to the workforce, and enforcing the policies via a sanctions policy. The failure to comply with any applicable HIPAA standard is a HIPAA violation even if the violation does not result in a data breach.

Compliance Responsibilities for Business Associates

If an individual or organization is a business associate, they are directly liable for complying with the standards of the Security Rule, plus the Privacy Rule and Breach Notification Rule obligations that apply to business associates and any further terms stipulated in the Business Associate Agreement. The failure to comply with a Security Rule standard or a term of the Business Associate Agreement is a HIPAA violation unless the covered entity is at fault for the violation. The absence of a Business Associate Agreement does not excuse a business associate from its direct obligations; operating without one is itself a violation for both parties.


Compliance Responsibilities for Workforce Members

If an individual is a member of a covered entity’s or business associate’s workforce, they are required to comply with the policies and procedures the covered entity or business associate has developed to comply with HIPAA. A workforce member’s failure to comply with a workplace policy or procedure is not itself a HIPAA violation by that individual (it is the employer’s compliance failure); the individual only becomes personally liable under HIPAA when the failure involves the knowing and wrongful obtaining, use, or disclosure of individually identifiable health information in violation of Social Security Act §1177.

Civil Penalties for HIPAA Violations

HHS’ Office for Civil Rights is most often alerted to a HIPAA violation via a complaint or the notification of a data breach. The agency will review the complaint or notification and – depending on the nature of the violation – conduct a compliance review. If the review identifies compliance failures, HHS’ Office for Civil Rights will offer technical assistance to correct the failures or allow the individual/organization to correct them voluntarily.

If more serious failures are identified, or the violation has caused significant harm or affected a large number of people, HHS’ Office for Civil Rights will look at the compliance history of the individual or organization. If there is a history of non-compliance and/or previous technical assistance has been ignored, the agency can impose a Corrective Action Plan and/or a civil monetary penalty, or reach a settlement involving both.

Penalties for Workplace Violations

If you are a member of a covered entity’s or business associate’s workforce, the penalties for workplace violations are set by your employer’s sanctions policy. In most cases, sanctions policies have a tiered structure in which a minor violation is punishable by a verbal warning or additional training, while more serious violations can result in written warnings, suspension, or termination of employment or contract. Licensed healthcare practitioners can also be reported to their licensing body.

In cases where a workforce member has knowingly and wrongfully used or disclosed individually identifiable health information without authorization, the covered entity or business associate must treat the incident as a breach of unsecured PHI and notify the individual(s) whose information was disclosed and HHS’ Office for Civil Rights. HHS’ Office for Civil Rights can refer such cases to the Department of Justice, which decides whether to pursue a criminal prosecution for a violation of the Social Security Act.

You Can Go To Jail for a HIPAA Violation

The penalties for a violation of the Social Security Act vary depending on the motive for the violation. Any violation can result in a fine of up to $50,000 and/or imprisonment for up to one year. You can go to jail for a HIPAA violation for up to five years and/or be fined up to $100,000 if the violation was committed under false pretenses, and for up to ten years and/or be fined up to $250,000 if the intent was to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.

Both workforce members and company executives can go to jail for a HIPAA violation under Social Security Act §1177; and, if a workforce member is found guilty of a criminal violation that was made possible by a compliance failure of the covered entity or business associate, the covered entity or business associate can still be fined by HHS’ Office for Civil Rights for that failure. Examples of workforce members who have gone to jail for a HIPAA violation can be found on this page.

The HHS OIG Exclusion List

The HHS OIG Exclusion List (the List of Excluded Individuals/Entities) is a list of individuals and organizations that are prohibited from participating in federal healthcare programs such as Medicare and Medicaid. Any individual or organization convicted of a healthcare-related felony offense, or of fraud against federal healthcare programs, is subject to mandatory exclusion for a minimum of five years. The HHS Office of Inspector General also has the authority to impose discretionary (permissive) exclusions for misdemeanor offenses and other misconduct.

The existence of the list means that, even if an individual or company executive does not go to jail for a HIPAA violation, they can still be excluded from working in healthcare. It is important to note that federal healthcare programs will not pay for any items or services furnished, directly or indirectly, by anybody on the list, so healthcare providers that bill those programs are effectively prohibited from employing or contracting with excluded persons. Healthcare providers that fail to check the HHS OIG Exclusion List before hiring or contracting, and subsequently engage an excluded person, can themselves be sanctioned with civil monetary penalties.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/