HIPAA violation penalties for nurses who breach HIPAA Rules can range from disciplinary action to termination and, in some cases, financial penalties and imprisonment. In this article we explain the types of penalties that can be issued for HIPAA violations and the implications for nurses who violate HIPAA Rules.
HIPAA Penalties Issued by the Office for Civil Rights for HIPAA Violations
In general, HIPAA violation penalties are based on the level of negligence, the severity of the violation, the harm caused, and whether it was known that HIPAA Rules were being violated. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to deliberate neglect of HIPAA Rules.
Financial penalties for HIPAA violations are not always issued. The Department of Health and Human Services’ Office for Civil Rights has discretion over financial penalties and tends only to issue penalties for the most severe violations. OCR prefers resolving HIPAA violations through voluntary compliance, where a covered entity recognizes that HIPAA Rules were violated and takes action to correct the violations within 30 days of discovery. In some cases, technical guidance is issued to help covered entities correct HIPAA compliance issues, especially for complex areas of HIPAA which can be considered ‘open to interpretation’ or when HIPAA is not abundantly clear.
When financial penalties are deemed appropriate, it is usually the covered entity that is fined, rather than the individual responsible for the violation. It is the covered entity – or business associate – that is responsible for training employees to make sure they are aware of HIPAA Rules and to monitor compliance to make sure that everyone is following HIPAA Rules. The highest possible penalty for a single case of a HIPAA violation is $50,000 per violation or per record, with an annual maximum fine of $1.5 million per violation category.
The penalties for HIPAA violations for covered entities and business associates are based on the penalty tiers detailed in the infographic below:
Are HIPAA Violation Penalties for Nurses Possible?
HIPAA violations are relatively common. Most are accidental and are not committed with intent to cause harm. When they are discovered by a covered entity, or reported by a colleague or patient, they must be investigated and sanctions must be applied. Sanctioning employees who violate HIPAA is actually a requirement of HIPAA. The possible sanctions should be detailed in a HIPAA-covered entity’s policies and should be explained to employees during initial training and reiterated periodically, such as in refresher training sessions on HIPAA.
For accidental and minor violations, employees may simply have to be retrained to ensure that HIPAA Rules are understood. Verbal or written warnings may be appropriate for more serious violations, and termination is a possibility especially for violations such as snooping on patient records, theft of PHI, and impermissible disclosures with intent to cause malicious harm.
Serious violations of HIPAA Rules can result in criminal charges for HIPAA violations, which can involve having to pay restitution to victims, financial penalties, and even imprisonment. Criminal violations of HIPAA Rules are dealt with by the U.S. Department of Justice.
Nurses who deliberately obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and a maximum of 12 months in jail. If an offense is committed under false pretenses, the criminal penalties increase to a maximum fine of $100,000 and up to 5 years jail time. If there is intent to sell, transfer, or illegally use PHI for personal profit, commercial advantage, or to cause malicious harm, the maximum penalty is a fine up to $250,000 and up to 10 years jail time.
When it can be shown that there has been aggravated identity theft, the Identity Theft Penalty Enhancement Act necessitates a mandatory minimum prison term of two years in addition to the sentence for other violations.