HIPAA violation penalties for nurses who breach HIPAA Rules can range from disciplinary action to termination and, in some cases, financial penalties and imprisonment. In this article, we explain the types of penalties that can be issued for HIPAA violations and the implications for nurses who violate HIPAA Rules.
HIPAA Penalties Issued by the Office for Civil Rights for HIPAA Violations
In general, HIPAA violation penalties are based on the level of negligence, the severity of the violation, the harm caused, and whether it was known that HIPAA Rules were being violated. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to deliberate neglect of HIPAA Rules.
Financial penalties for HIPAA violations are not always issued. The Department of Health and Human Services’ Office for Civil Rights has discretion over financial penalties and tends only to issue penalties for the most severe violations. OCR prefers resolving HIPAA violations through voluntary compliance, where a covered entity recognizes that HIPAA Rules were violated and takes action to correct the violations within 30 days of discovery. In some cases, technical guidance is issued to help covered entities correct HIPAA compliance issues, especially for complex areas of HIPAA which can be considered ‘open to interpretation’ or when HIPAA is not abundantly clear.
When financial penalties are deemed appropriate, it is usually the covered entity that is fined, rather than the individual responsible for the violation. It is the covered entity – or business associate – that is responsible for training employees to make sure they are aware of HIPAA Rules and for monitoring compliance to make sure that everyone is following HIPAA Rules. The highest possible penalty for a single case of a HIPAA violation is $50,000 per violation or per record, with an annual maximum fine of $1.5 million per violation category.
The penalties for HIPAA violations for covered entities and business associates are based on the penalty tiers detailed in the infographic below:
Are HIPAA Violation Penalties for Nurses Possible?
HIPAA violations are relatively common. Most are accidental and are not committed with intent to cause harm. When they are discovered by a covered entity, or reported by a colleague or patient, they must be investigated and sanctions must be applied. Sanctioning employees who violate HIPAA is actually a requirement of HIPAA. The possible sanctions should be detailed in a HIPAA-covered entity’s policies and should be explained to employees during initial training and reiterated periodically, such as in refresher training sessions on HIPAA.
For accidental and minor violations, employees may simply have to be retrained to ensure that HIPAA Rules are understood. Verbal or written warnings may be appropriate for more serious violations, and termination is a possibility, especially for violations such as snooping on patient records, theft of PHI, and impermissible disclosures with intent to cause malicious harm.
Serious violations of HIPAA Rules can result in criminal charges for HIPAA violations, which can involve having to pay restitution to victims, financial penalties, and even imprisonment. Criminal violations of HIPAA Rules are dealt with by the U.S. Department of Justice.
Nurses who deliberately obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and a maximum of 12 months in jail. If an offense is committed under false pretenses, the criminal penalties increase to a maximum fine of $100,000 and up to 5 years jail time. If there is intent to sell, transfer, or illegally use PHI for personal profit, commercial advantage, or to cause malicious harm, the maximum penalty is a fine up to $250,000 and up to 10 years jail time.
When it can be shown that there has been aggravated identity theft, the Identity Theft Penalty Enhancement Act necessitates a mandatory minimum prison term of two years in addition to the sentence for other violations.
Nurse violations: FAQ
Can patients sue nurses for HIPAA violations?
No, patients who have had their PHI breached as a result of a HIPAA violation cannot sue the CE or BAA responsible for the violation. This is because there is no “private cause of action” in HIPAA; no private citizen can seek compensation for a violation. However, they may be able to seek compensation under other state legislation.
Can nurses lose their jobs over HIPAA violations?
HIPAA does not explicitly stipulate how employers should penalize employees for HIPAA violations. Instead, it leaves this to the discretion of the workplace. Penalties will likely vary depending on the severity of the violation, and in extreme cases – for example, where employees have deliberately exposed PHI for personal financial gain – termination is a possible consequence.
What happens if a nursing student commits a HIPAA violation?
Again, HIPAA does not have any clear guidance on what would happen if a nursing student violated HIPAA. As with violations made by fully-fledged nurses, the penalties that ensue will depend on a variety of factors: Was the student being adequately supervised? What safeguards were in place? Was it an accidental breach?
What is an incidental vs accidental HIPAA violation?
Incidental exposures of PHI are those that could not have been reasonably prevented despite employees’ best efforts. For example, if two nurses were discussing a patient in a private room, and another nurse walked in and overheard part of the conversation, that would be considered an incidental exposure. Incidental breaches are often the by-product of other aspects of patient care. By contrast, accidental exposure occurs as the result of carelessness or oversight. If a nurse unknowingly emails PHI to the incorrect recipient, that would be considered an accidental exposure.