The Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general can issue HIPAA violation penalties breaches. Along with financial sanction, covered bodies must to adopt a corrective action plan to bring policies and procedures up to the standards required by HIPAA.
The Health Insurance Portability and Accountability Act of 1996 put in place a number of requirements on HIPAA-covered entities to secure the Protected Health Information (PHI) of patients, and to strictly control when PHI can be shared, and to who it can be shared with.
OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules, since the Enforcement Final Rule of 2006 was introduced.
Financial penalties for HIPAA violation penalties were updated by the HIPAA Omnibus Rule, which brought in charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule became active on March 26, 2013.
Since the Omnibus Rule was brought in, the new financial penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearing houses and all other covered bodies, as well as business associates (BAs) of covered bodies that are shown to have violated HIPAA Rules.
It is hope that financial penalties will be a deterrent to prevent breaches of HIPAA laws, while also ensuring covered bodies are held accountable for their actions – or lack thereof – when it comes to safeguarding the privacy of patients and the confidentiality of health data and allowing patients to access to their health records when they wish to.
The penalty structure for a breach of HIPAA laws has a number of tiers, based on the awareness a covered entity had of the violation that was incurred. The OCR estiablishes the penalty based on a number of “general factors” and the seriousness of the HIPAA breach.
Not being knowledgeable of HIPAA Rules is not an acceptable excuse for failing to adhere to HIPAA Rules. It is the responsibility of each covered body to ensure that HIPAA Rules are comprehended and adhered to. In scenarios when a covered body is seen to have committed a wilful violation of HIPAA laws, the maximum fines will be applicable.
What is a HIPAA Violation?
The media is full of reports HIPAA violations recently, but what defines a HIPAA violation? A HIPAA violation is when a HIPAA covered body – or a business associate – does not adhere with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.
A violation may be intentional of accidental. An example of an unintentional HIPAA violation is when too much PHI is made available and the minimum necessary information standard is breached. When PHI is shared, it must be restricted to the minimum necessary information to achieve the purpose for which it is disclosed. Financial sanctions for HIPAA violations can be issued for accidental HIPAA violations, although the penalties will be at a lower rate than deliberate violations of HIPAA Rules.
Unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications is an example of a wilful violation of the HIPAA Breach Notification Rule.
Many HIPAA violations happen due to negligence, such as the failure to complete an organization-wide risk assessment. Financial sanction for HIPAA violations have frequently been applied for risk assessment failures.
HIPAA violation penalties can also be issued for all HIPAA breaches, although OCR usually resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered body or business associate’s plan to address the violations and change policies and procedures to prevent future breaches from happening. Financial sanctions for HIPAA violations are reserved for the most serious breaches of HIPAA Rules.
What Happens HIPAA is Violated? – Classifications of HIPAA Violation
What happens when you violate HIPAA? The answer to this depends of the severity of the breach that occurred. OCR prefers to settle HIPAA violations using non-punitive actions, such as with voluntary compliance or providing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been permitted to go on for a long time, or if there are multiple areas of noncompliance, financial sanctions may be necessary.
The four categories of HIPAA violations used for the penalty structure are as follows:
- Category 1: A violation that the covered body was unaware of and could not have realistically prevented, had a reasonable amount of care had been taken to adhere to HIPAA Rules
- Category 2: A violation that the covered body should have been aware of but could not have prevented even with a reasonable amount of care. (but coming up short of wilful neglect of HIPAA Rules)
- Category 3: A violation that occurred due to “wilful neglect” of HIPAA Rules, in cases where efforts have been made to address the violation
- Category 4: A violation of HIPAA Rules constituting wilful neglect, where no efforts have been made to correct the violation
With unknown violations, where the covered body could not have been expected to prevent a data breach, it may seem unreasonable for covered bodies to be issued with a financial penalty. OCR accepts this, and has the discretion to decline a financial penalty. The penalty cannot be waived if the violation involved deliberate neglect of Privacy, Security and Breach Notification Rules.
Structure of HIPAA Violation Penalties
Each category of HIPAA violation carries a different HIPAA penalty. It is up to OCR to determine if a financial penalty within the proper range. OCR considers a number of factors when calculating penalties, such as the duration of time a violation was allowed to continue, the number of people affected and the nature of the data exposed. An organization´s willingness to help with an OCR investigation is also taken into account. The general factors that can affect the level of financial penalty also include previous history, the organization’s financial status and the level of harm caused by the HIPAA violation.
- Category 1: $100 minimum fine per violation, $50,000 maximum fine
- Category 2: $1,000 minimum fine per violation, $50,000 maximum fine
- Category 3: $10,000 minimum fine per violation, $50,000 maximum fine
- Category 4: $50,000 minimum fine per violation
The HIPAA penalty fines are issued per violation category, per year that the violation was allowed to continue. The maximum fine per violation category, per year, is $1,500,000.
A data breach or security incident that occurs due to any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, possibly, be issued for any violation of HIPAA rules; however small.
A HIPAA fine may also be issued on a daily basis. For example, if a covered body has been denying patients the right to access copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the covered body has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been denied access to their medical records.
HIPAA Violation Fines Can Also Be Issued by Attorneys General
Since the HITECH Act (Section 13410(e) (1)) became active in February 2009, state attorneys general have the power to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and initiate file civil actions with the federal district courts. HIPAA violation fines can be applied up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per breach.
A covered body suffering a data breach harming residents of multiple states may be ordered to pay HIPAA violation penalty fines to attorneys general in multiple states. At present only a small number of U.S states – Connecticut, Massachusetts, Indiana, Vermont and Minnesota – have so far taken legal actions against HIPAA offenders, but since attorneys general offices are able to keep a percentage of the fines issued, more attorneys general may decide to apply penalties for HIPAA violations.
Criminal Penalties for HIPAA Violations
Along with civil financial penalties for HIPAA violations, criminal charges can be filed against the people(s) responsible for a breach of PHI. Criminal penalties for HIPAA violations are split into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each single case.
As with OCR, a number of general factors are taken into account which will affect the penalty issued. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be given back, in addition to the payment of a HIAA violation penalty fine.
The different tiers for HIPAA criminal penalties are:
Tier 1: Reasonable cause or no knowledge of violation – a maximum of 1 year in jail
Tier 2: Obtaining PHI under false pretences – a maximum of 5 years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent – a maximum of 10 years in jail
In the last few months, the number of employees found to be accessing or stealing PHI – for various reasons – has risen. The value of PHI on the black market is high, and this can be a big temptation for some people. It is therefore vital that security controls are put in place to limit the potential for individuals to steal patient data, and for systems and policies to be implemented to ensure improper access and theft of PHI is identified quickly.
All staff that may come into contact with PHI as part of their work duties should be made aware of the HIPAA criminal penalties and that violations will not only lead to a loss of employment, but potentially also a long jail term and a heavy fine.
State attorneys general are focusing on data theft and are keen to make examples out of people found to have breached HIPAA Privacy Rules. A jail term for the theft of HIPAA data is highly probable.
Civil Penalties for Unknowingly Violating HIPAA
Although it was referred to above that OCR has the discretion to waive a civil penalty for unknowingly breaching HIPAA, ignorance of the HIPAA regulations is not thought of as a justifiable excuse for not implementing the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for not fully understanding the HIPAA requirements and subsequently failing to complete a thorough risk assessment.
Due to the incomplete risk assessment, the PHI of 1,391 individuals was possibly disclosed without authorization when a laptop storing the data was stolen from a car parked outside an employee´s home. Speaking after details of the fine had been revealed, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for not regarding security.
There is also potential for a CE or BA to receive a civil penalty for unknowingly breaching HIPAA if the state in which the violation happens allows citizens to bring legal action against the person(s) behind the violation. Although HIPAA lacks a private right of action, people can still use the regulations to set up a standard of care under common law. Many cases of this nature are currently taking place.
Penalties for HIPAA Violations are likely following HIPAA Compliance Audits
If a CE or BA is found not to have adhered with HIPAA regulations, OCR has the authority to apply penalties for HIPAA noncompliance – even if there has been no breach of PHI or no complaint filed.
After some delay, OCR is now carrying out the second phase of HIPAA compliance audits. The audits are not being carried out specifically to find HIPAA violations and to issue financial penalties, although if serious breaches of HIPAA Rules are found, financial penalties may be deemed necessary.
The first phase of HIPAA compliance audits was finished in 2011/2012 and showed many covered bodies were having difficulties with compliance. OCR gave technical assistance to help those entities address areas of noncompliance and no penalties for HIPAA violations were applied.
Now, five years later, HIPAA covered entities have had plenty of time to develop their compliance programs. OCR is not expected to be as lenient on this occasion.
One of the largest areas of noncompliance with HIPAA Rules found during the first phase of compliance audits was the failure to complete a comprehensive, organization-wide risk assessment.
The risk assessment is important for developing a good security posture. If a risk assessment is not completed, a covered body will be unaware whether any security weaknesses exist that pose a danger to the confidentiality, integrity, and availability of ePHI. Those dangers will therefore not be controlled and reduced to an acceptable level.
A look at the HIPAA violation penalties issued by OCR shows just how common risk assessment violations happen. Risk assessment failures often attract financial penalties.
The failure to complete Business Associate Agreements (BAAs) with third-party service supplier can attract financial penalties for HIPAA noncompliance. Several covered bodies have been fined for not revising BAAs written before September 2014, when all existing contracts were made invalid by the Final Omnibus Rule. In September 2016, the Care New England Health System was issued with a fine for $400,000 for HIPAA noncompliance that included the failure to update a BAA originally completed in March 2005.
BAAs are a key area that OCR will be reviewing on throughout its audit program. BAAs – contracts that lay out the allowable uses and allowable disclosures of PHI – should be signed with every third party service supplier with whom PHI is disclosed (including lawyers) to avoid HIPAA violation penalties.