All healthcare workers should be aware of HIPAA, and be provided with regular training in HIPAA compliance. But what happens if you violate HIPAA? What penalties can be applied, and to whom do they apply?
Perhaps unsurprisingly, the penalties that are applied in the case of a HIPAA violation will depend on the nature of the violation. Violations where patient data has been breached will, for example, be treated much more severely than “accidental” violations that only have a limited scope.
Everyone who is under the “direct control” of a Covered Entity (CE) or a Business Associate (BA), including employees, contractors, volunteers, and students, is required to be HIPAA compliant. If any of these individuals breach HIPAA, they can face a range of disciplinary actions.
For less serious violations – for example, if no data has been breached, or if it was the product of an honest mistake – the employee may simply be required to carry out additional training. If a breach has occurred, and patient data has been accessed by unauthorized individuals, then the employee may be put on probation or even suspended. In the most severe cases – for example, if there were multiple violations, or the employee accessed patient data for personal gain – then the employee may lose their job or even their professional license.
HIPAA violations must be reported to the Office for Civil Rights (OCR), part of the Department of Health and Human Services. The OCR will then conduct an investigation and propose a resolution. Often, these resolutions will involve voluntary compliance actions on the part of the CE or BA, such as implementing an action plan.
However, the OCR has the power to issue civil penalties for HIPAA violations. These are paid by the CE or BA rather than the individual who committed the violation. There are four tiers of civil penalties:
- Tier 1: $100 per violation, up to $25,000 for repeat violations. Applies when a reasonable level of precaution could not have prevented the violation or where the individual did not realise that a violation took place.
- Tier 2: $1,000 per violation, up to $100,000 for repeat violations. Applies when a reasonable amount of care could not have prevented the violation, but the individual should have been aware that the violation occurred.
- Tier 3: $10,000 per violation, up to $250,000 for repeat violations. Applies when an individual wilfully neglects HIPAA rules, but the violation has been corrected within a certain time period.
- Tier 4: $50,000 per violation, up to $1.5 million for repeat violations. Applies when there was wilful neglect, and no attempt at correction has been made.
Protected Health Information has a high retail value on the black market, making it an attractive target for criminals. If criminal activity is suspected, then the OCR can pass the case on to the Department of Justice. There are three tiers of criminal penalties, all of which apply to the individual who committed the violation:
- Tier 1: fine of up to $50,000 and up to one year in prison. Applicable where the individual was negligent.
- Tier 2: fine of up to $100,000 and up to five years in prison. Applicable where PHI was obtained under false pretences.
- Tier 3: fine of up to $250,000 and up to 10 years in prison. Applicable where the individual has obtained PHI for personal gain or with malicious intent.
There is no private cause of action in HIPAA, so individuals whose data have been breached cannot sue the CE or BA responsible. However, they may be protected under other state laws.