What happens if HIPAA is violated? What are the possible consequences for covered entities and their employees if a violation occurs? In reality, this will depend on a number of factors, discussed here.
HIPAA violations can occur despite the best effort of staff. The HIPAA Security Rule stipulates the minimum administrative, technical, and physical safeguards required to maintain the integrity of Protected Health Information (PHI), but even with these barriers in place, breaches can occur. The breaches will have different consequences for employees and their employers.
If a breach occurs, it should be reported to the CE’s HIPAA Compliance Officer. They can then assess the magnitude of the breach. If the breach involves the records of more than 500 patients, then the Department of Health and Human Services must be notified within 60 days of the discovery of the breach. Prominent media outlets must also be notified. Breaches of fewer records do not need to be reported to the DHSS, though the patients affected must still be notified.
Human error is one of the biggest threats to the security of PHI, leading to accidental HIPAA violations. Depending on the severity of the breach, such accidental HIPAA violations can have very different consequences. HIPAA does require specific penalties to be applied if violations are committed by employees, though each covered entity (CE) will likely have its own internal policy. Those who accidentally – or incidentally – violate HIPAA may receive a warning, or be given additional training on compliance.
However, if HIPAA is knowingly and deliberately violated by an employee and results in a breach of PHI, more severe sanctions may be given, including termination. The employee may also be reported to a licensing board, risking their license to practice medicine.
Only HIPAA violations that result in a breach of PHI are reportable to the DHSS. These HIPAA violations may incur either civil or criminal penalties for the CE, though often the DHSS will opt to require that additional training or “action plans” be implemented by the CE.
The civil and criminal penalties are stratified based on the severity of the violation.
The civil penalties are stratified as followed with a cap of $1.5 million irrespective of the tier:
- Tier 1: accidental or incidental HIPAA violations where reasonable level of diligence would not have prevented the violation. The minimum penalty is $100 per violation up to a maximum of $25,000 for repeat violations.
- Tier 2 applies when the employee should have been aware, but where reasonable diligence would not have prevented the breach. A minimum fine of $1,000 per violation, up to $100,000 for repeat violations.
- Tier 3 applies to violations involving willful neglect, but the violation has been corrected within the required time period. The minimum fine is $10,000 per violation up to a maximum of $250,000 for repeat violations.
- Tier 4: willful neglect of HIPAA Rules with no attempt to correct the violation. The minimum penalty is $50,000 per violation up to a maximum of $1.5 million for repeat violations.
Though rarer, criminal penalties if HIPAA is violated are as follows:
- Tier 1 is for negligence/reasonable cause. Can receive a fine of up to $50,000 and up to one year in prison
- Tier 2 is when PHI has been obtained under false pretenses. Can receive a fine of up to $100,000 and up to 5 years in prison
- Tier 3 is when PHI is brached for personal gain or malicious intent. Can receive a fine up to $250,000 and up to 10 years in prison