Many sources discussing HIPAA violation consequences tend to focus on civil monetary penalties and criminal charges. But these HIPAA violation consequences rarely happen. So, what are the real consequences of HIPAA violations?
In its most recent HIPAA report to Congress, the Department of Health and Human Services (HHS) reported that, in calendar year 2021, the Office for Civil Rights received 64,180 notifications of data breaches and 34,077 complaints about Privacy Rule violations.
Yet, in 2021, the Office for Civil Rights issued two civil monetary penalties for data breaches and eleven civil monetary penalties for right of access failures. In 714 other cases, the agency “obtained assurances” that corrective action had been taken.
Although a percentage of complaints were rejected because the alleged violations were unjustified, the data in the HIPAA report to Congress implies that HIPAA violation consequences affected fewer than 1% of non-compliant covered entities and business associates.
The recorded criminal consequences of HIPAA violations are even rarer. However, this may be because, when a case is referred to the Department of Justice, it is easier to obtain a conviction on a (for example) computer fraud charge than it is on a HIPAA violation charge.
5 Real Consequences of HIPAA Violations
While a “fewer than 1%” penalty rate suggests a small likelihood of HIPAA violation consequences, this is not the case. HIPAA violations can have consequences for patients, workforce members, and covered entities/business associates in the following ways.
1. Part 162 HIPAA Violation Consequences
Part 162 of the HIPAA Administrative Simplification Regulations governs what codes are used for covered transactions. Violations of Part 162 are most often accidental, but when they are due to continued non-compliance, HHS’ Centers for Medicare and Medicaid Services (CMS) has the same authority to impose civil monetary penalties and corrective action plans as HHS’ Office for Civil Rights.
CMS has never imposed a financial penalty for a Part 162 HIPAA violation, but this does not mean there are no consequences of a Part 162 HIPAA violation. When an eligibility check or authorization request is miscoded, it can delay the provision of treatment to a patient, with potentially significant health consequences. Similarly, miscoding can result in incorrect medications being administered.
For covered entities, Part 162 HIPAA violations can also have financial consequences. If, for example, the provision of a service is miscoded, it can delay payment or result in a claim being denied. In the case of services being unbundled in violation of Part 162, the HIPAA violation consequences can include reputation damage – which could delay the processing of all future Part 162 transactions.
2. Workforce HIPAA Violation Consequences
Unless a HIPAA violation by a member of the workforce results in a criminal charge or is mentioned in a Data Breach Report, you rarely hear about workforce HIPAA violations. This is because HHS’ Office for Civil Rights does not publish sufficiently granular data on the nature of complaints it receives each year, and because most workforce HIPAA violations are resolved internally.
Workforce HIPAA violations are usually resolved according to each covered entity’s sanctions policy. Sanctions policies often have a three or four-tiered structure, with sanctions increasing in severity depending on the nature and impact of the violation. The frequency of violations or repeated violations of the same type can also increase the severity of sanctions. For example:
Tier 1 Violation – Unintentional violation caused by carelessness, lack of adequate training, or human error (for example, leaving paper documents unsecured or disclosing PHI without verifying the recipient’s identity).
- Example sanction – Additional HIPAA training and/or verbal warning.
Tier 2 Violation – Violations attributed to poor job performance or failure to understand/follow policies (for example, sharing passwords, transmitting PHI insecurely, or failing to report a Tier 1 violation).
- Example sanction – Additional HIPAA training and/or written warning.
Tier 3 Violation – Intentional violation due to curiosity or failure to understand access/authorization policies (for example, accessing or sharing PHI without authorization or business need but with no harmful intent).
- Example sanction – Final written warning, suspension, or termination.
Tier 4 Violation – HIPAA violations with the intent to cause patient or organization harm (for example, the willful, unauthorized publication of PHI on social media with malicious or harmful intentions).
- Example sanction – Termination, report to the licensing board, and report to law enforcement.
While these HIPAA violation consequences impact the individual responsible, they can also impact other members of the workforce if the sanctions are not imposed fairly and equally. If some members of the workforce are perceived to be receiving preferential treatment, it can affect workforce morale, which could also impact workforce recruitment and retention.
3. Violations of Patients’ HIPAA Rights
A common reason for complaints to HHS’ Office for Civil Rights is violations of patients’ HIPAA rights (right of access, right to correct, etc.). However, many covered entities “encourage” patients to contact them directly with complaints of this nature. See, for example, the phrasing of the “Complaints” section in Johns Hopkins’ Notice of Privacy Practices and the limited reference to HHS.
While there is nothing technically wrong with this practice, it is important that covered entities keep on top of complaints and respond to them promptly, either with an explanation of why the patient’s HIPAA rights have not been violated or – if they have – with an acceptable resolution. This is because the failure to keep on top of patient complaints can have significant HIPAA violation consequences.
The primary consequence of failing to respond to complaints is that patients are free to change providers and – since the publication of CMS’ Interoperability and Patient Access Final Rule – take their healthcare information with them. In the worst case scenario, a flood of poor reviews on social media could result in an exodus of patients – affecting an organization’s profitability.
4. The Consequences of Data Breaches (1)
It was mentioned in the introduction that civil monetary penalties for data breaches are a rarity, but this does not mean there are no financial consequences for data breaches attributable to HIPAA violations. It was calculated in 2021 that the average cost of a data breach for healthcare organizations was $9.23 million, and the cost has likely increased since then to more than $10 million.
To protect themselves against the cost of a data breach, it has been claimed that more than half of healthcare providers in the United States have taken out cybersecurity insurance. However, recent reports suggest coverage against cybersecurity events is getting harder to find, the cost of premiums is skyrocketing, and the list of exclusions is getting longer with each new policy.
Consequently, if a covered entity or business associate experiences a data breach due to an avoidable HIPAA violation, the insurance carrier will likely refuse to pay out – especially if the data breach is attributable to the failure to conduct an accurate and thorough risk analysis (as required by §164.308) or encrypt ePHI whenever deemed appropriate (as required by §164.312).
5. The Consequences of Data Breaches (2)
The last of our real HIPAA violation consequences – medical identity theft – affects everybody. It has been estimated that more than 2 million individuals suffer medical identity theft each year, with at least one-third of victims incurring out-of-pocket expenses as a result. Additionally, individuals have subsequently been denied treatment or misdiagnosed due to inaccuracies in their medical records.
According to a Ponemon survey, more than half of medical identity theft victims lose trust in their healthcare providers, which can limit how much personal information they are willing to disclose. With less information, healthcare providers cannot make well-informed decisions, leading to worse patient outcomes, higher readmissions, and treatment delays due to the strain on resources.
Worse patient outcomes increase healthcare costs and health insurance premiums for everyone. They create more work for healthcare providers, yet reduce workforce morale and job satisfaction – leading to burnout and retention issues. In many cases, the indirect HIPAA violation consequences can cost more than the amount of any financial penalty imposed by HHS’ Office for Civil Rights.
How to Protect against Real HIPAA Violation Consequences
There is no silver bullet HIPAA covered entities and business associates can deploy to prevent all HIPAA violations, but it is possible to protect against many real HIPAA violation consequences. For example:
- Covered entities and business associates conducting Part 162 transactions should implement professional billing software to reduce the likelihood of avoidable miscoding attributable to human error.
- Workforce training should go beyond the minimum requirements to ensure all members of the workforce understand basics such as what PHI is, when it can be used and disclosed, and why it should be protected.
- Workforce training should also cover patients’ rights so employees understand what rights exist, how patients can exercise them, and how patients should be told when a right they think they have does not exist.
- Sanction policies should be applied fairly and equally – and transparently – so that no member of the workforce feels unfairly treated or feels that other members of the workforce are receiving preferential treatment.
- If covered entities encourage patients to complain directly to them, they must ensure complaints are handled quickly and clearly so patients are assured their concerns are being listened to and resolved where necessary.
- If an organization takes out insurance to cover the cost of a data breach, it is important to understand the exclusions, and – if noncompliance with HIPAA invalidates the policy – make sure the organization complies with HIPAA.
- Do everything possible to reduce the chances of a data breach, implement measures to mitigate the HIPAA violation consequences of a data breach, and be prepared to quickly notify individuals of a data breach to prevent ID theft.
In conclusion, there are far more serious and costly HIPAA violation consequences than a civil monetary penalty from HHS’ Office for Civil Rights. Consequently, covered entities and business associates should review their compliance efforts and fill any gaps that are identified.
Covered entities and business associates that struggle to review their compliance efforts or fill compliance gaps due to a lack of knowledge or a lack of resources should seek advice from a HIPAA compliance professional.