The Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general can issue HIPAA violation penalties. Along with financial sanctions, covered entities must adopt a corrective action plan to bring policies and procedures up to the standards required by HIPAA.
The Health Insurance Portability and Accountability Act put in place a number of requirements on HIPAA-covered entities to secure the Protected Health Information (PHI) of patients, and to strictly control when PHI can be shared and with whom it can be shared.
OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules since the Enforcement Final Rule of 2006 was signed into law.
Financial penalties for HIPAA violations were updated by the HITECH Act and incorporated into HIPAA in the Omnibus Final Rule. The Omnibus Rule took effect on March 26, 2013.
Since the Omnibus Rule, the new financial penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses and business associates (BAs) of covered entities that are discovered to have violated HIPAA Rules.
It is hoped that financial penalties will be a deterrent to prevent breaches of HIPAA laws, while also ensuring covered entities are held accountable for their actions – or lack thereof – when it comes to safeguarding the privacy of patients and the confidentiality of health data.
The penalty structure for a breach of HIPAA laws has a number of tiers, based on the awareness a covered entity had of the violation. OCR establishes the penalty based on a number of “general factors” and the seriousness of the HIPAA breach.
Not being knowledgeable of HIPAA Rules is not an acceptable excuse for failing to adhere to them. It is the responsibility of each covered entity to ensure that HIPAA Rules are understood and adhered to. In scenarios where a covered entity is determined to have committed a willful violation of HIPAA laws, the maximum fine will be applicable.
What is a HIPAA Violation?
The media is full of reports of HIPAA violations, but what exactly is a HIPAA violation? A HIPAA violation is when a HIPAA covered entity – or a business associate – does not comply with one or more provisions of the HIPAA Privacy, Security, or Breach Notification Rules. Non-compliance with the HIPAA Administrative Simplification regulations is also a HIPAA violation, although compliance with that aspect of HIPAA is enforced by the Centers for Medicare and Medicaid Services (CMS).
A violation may be intentional or accidental. An example of an unintentional HIPAA violation is when too much PHI is disclosed, in violation of the HIPAA Minimum Necessary Standard. When PHI is shared, it must be restricted to the minimum necessary information to achieve the purpose for which it is disclosed. Financial sanctions can be issued for accidental HIPAA violations, although the penalties will be at a lower rate than for deliberate violations of HIPAA Rules. Willful violations of HIPAA Rules are those where the covered entity is aware that HIPAA is being violated. These intentional violations attract higher penalties, with the maximum penalty amounts reserved for willful violations that have not been corrected within a reasonable time frame.
Many HIPAA violations happen due to negligence, such as the failure to complete an organization-wide risk assessment. Financial sanctions for HIPAA violations have frequently been applied for risk assessment failures.
HIPAA violation penalties can be issued for all HIPAA breaches, although OCR usually resolves most cases through voluntary compliance or issuing technical guidance. Financial sanctions for HIPAA violations are typically reserved for the most serious breaches of HIPAA Rules.
What Happens When HIPAA is Violated? – Classification of HIPAA Violations
What happens when you violate HIPAA? The answer to this depends on the severity of the breach that occurred. OCR prefers to settle HIPAA violations using non-punitive actions; however, if the violations are serious, have been permitted to go on for a long time, or if there are multiple areas of noncompliance, financial sanctions may be deemed necessary.
There are four categories of HIPAA violations, each of which has a different penalty structure:
- Category 1: A violation that the covered entity was unaware of and could not have realistically known was a violation by exercising a reasonable amount of due diligence.
- Category 2: A violation that the covered entity should have been aware of but could not have prevented even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).
- Category 3: A violation that occurred due to “willful neglect” of HIPAA Rules, in cases where efforts have been made to address the violation within 30 days.
- Category 4: A violation of HIPAA Rules constituting willful neglect, where no efforts have been made to correct the violation in a reasonable time frame.
With unknown violations, where the covered entity could not have been expected to prevent a data breach, it may seem unreasonable for financial penalties to be issued. OCR accepts this, and has the discretion to decide not to issue a penalty. The penalty cannot be waived if the violation involved deliberate neglect of the HIPAA Privacy, Security and Breach Notification Rules.
Structure of HIPAA Violation Penalties
Each category of HIPAA violation carries a different HIPAA penalty range. It is up to OCR to determine a financial penalty within that range. OCR considers a number of factors when calculating penalties, such as the length of time a violation was allowed to continue, the number of people affected and the nature of the data exposed, the harm caused as a result of the violation, and previous compliance history. An organization’s willingness to cooperate with an OCR investigation is also taken into account, as is its ability to pay a fine.
- Category 1: $100 minimum fine per violation, $50,000 maximum fine
- Category 2: $1,000 minimum fine per violation, $50,000 maximum fine
- Category 3: $10,000 minimum fine per violation, $50,000 maximum fine
- Category 4: $50,000 minimum fine per violation
A data breach or security incident that occurs due to any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could potentially be issued for any violation of HIPAA Rules, however small.
A HIPAA fine may also be issued on a daily basis. For example, if a covered entity has been denying patients the right to access copies of their medical records, and has been doing so for a period of one year, OCR may decide to apply a penalty for each day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been denied access to their medical records.
HIPAA penalty fines are issued per violation, although there are caps on the total fines for violations of the same provision. The financial penalties for HIPAA violations were increased by the HITECH Act to act as a more powerful deterrent to covered entities, and the maximum annual penalty for violations of the same provision was capped at $1.5 million across all four penalty tiers. On April 28, 2019, the HHS announced that it had reviewed the HITECH Act, reinterpreted the maximum annual penalties, and reduced the maximum annual penalty in three of the four penalty tiers. This will be addressed in further rulemaking, but the HHS will be using the penalty structure below until further notice.
HIPAA Violation Fines Can Also Be Issued by State Attorneys General
Since the HITECH Act (Section 13410(e)(1)) became effective in February 2009, state attorneys general have had the power to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and to initiate civil actions over those violations. HIPAA violation fines can be applied up to a maximum of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.
A covered entity suffering a data breach affecting residents of multiple states may be ordered to pay HIPAA violation penalty fines to attorneys general in multiple states. So far only a small number of U.S. states have taken legal action against HIPAA offenders, but since attorneys general are able to keep a percentage of the fines issued, more attorneys general may decide to fine covered entities in the future. The number of states issuing fines for HIPAA violations is increasing.
Criminal Penalties for HIPAA Violations
Along with civil financial penalties for HIPAA violations, criminal charges can be filed against the persons responsible for violations of HIPAA Rules. Criminal penalties for HIPAA violations are split into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each case. Criminal penalties are handled by the Department of Justice.
As with OCR, a number of general factors are taken into account which influence the fines and jail term. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all money received to be repaid, in addition to the payment of a HIPAA violation penalty fine, up to a maximum of $250,000.
The different tiers for HIPAA criminal penalties are:
- Tier 1: Reasonable cause or no knowledge of violation – a maximum of 1 year in jail
- Tier 2: Obtaining PHI under false pretenses – a maximum of 5 years in jail
- Tier 3: Obtaining PHI for personal gain or with malicious intent – a maximum of 10 years in jail
In the last few years, the number of employees found to be accessing or stealing PHI – for various reasons – has risen. The value of PHI on the black market is high, and this can be a big temptation for some people. It is therefore vital that security controls are put in place to limit the potential for individuals to steal patient data, and for systems and policies to be implemented to ensure improper access and theft of PHI is identified quickly.
All staff members that may come into contact with PHI as part of their work duties should be made aware of the HIPAA criminal penalties and that violations of HIPAA may not just result in termination.
Civil Penalties for Unknowingly Violating HIPAA
Although it was mentioned above that OCR has the discretion to waive a civil penalty for unknowingly breaching HIPAA, ignorance of HIPAA regulations is not considered a justifiable excuse for not implementing the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for not fully understanding HIPAA requirements and subsequently failing to complete a thorough risk assessment.
Due to the incomplete risk assessment, the PHI of 1,391 individuals was potentially impermissibly disclosed when a laptop containing PHI was stolen from a car parked outside an employee’s home. Speaking after details of the fine had been revealed, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for not considering security protections.
There is also potential for a covered entity (CE) or BA to receive a civil penalty for unknowingly breaching HIPAA if the state in which the violation happens allows citizens to bring legal action against the person(s) or entity responsible for the violation. Although HIPAA lacks a private cause of action, people can still use the regulations to establish a duty of care under common law.
Penalties for HIPAA Violations May Be Issued for HIPAA Compliance Audit Failures
If a CE or BA is found not to have adhered to HIPAA regulations, OCR has the authority to issue penalties for HIPAA noncompliance even if there has been no breach of PHI or no complaint filed.
After some delay, OCR has carried out the second phase of its HIPAA compliance audit program. The audits were not carried out specifically to find HIPAA violations and to issue financial penalties, although if serious breaches of HIPAA Rules are found, financial penalties may be deemed necessary.
The first phase of HIPAA compliance audits was finished in 2012 and showed many covered entities were having difficulties with compliance. OCR gave technical assistance to help those entities address areas of noncompliance and no penalties for HIPAA violations were applied.
Five years on, HIPAA covered entities have had plenty of time to develop their compliance programs. OCR is not expected to be as lenient on this occasion.
One of the largest areas of noncompliance with HIPAA Rules found during the first phase of compliance audits was the failure to complete a comprehensive, organization-wide risk assessment.
The risk assessment is important for developing a good security posture. If a risk assessment is not completed, a covered entity will be unaware whether any security weaknesses exist that pose a risk to the confidentiality, integrity, and availability of ePHI. Those risks will therefore not be controlled and reduced to an acceptable level.
The failure to enter into Business Associate Agreements (BAAs) with third-party service providers can attract financial penalties for HIPAA noncompliance. Several covered entities have been fined for not revising BAAs written before September 2014, when all existing BAAs were made invalid by the Final Omnibus Rule. In September 2016, the Care New England Health System was issued a $400,000 fine for HIPAA noncompliance that included the failure to update a BAA originally completed in March 2005.
BAAs are a key area that OCR will be reviewing throughout its audit program. BAAs – contracts that lay out the allowable uses and allowable disclosures of PHI – should be signed with every third party with whom PHI is disclosed (including lawyers) to ensure they are made aware of their responsibilities with respect to HIPAA.