Healthcare providers, and anyone else who handles protected health information (PHI), must safeguard it at all times. A breach brings unwanted attention, administrative costs and a listing on the OCR breach portal (the so-called HIPAA "wall of shame"), but it also exposes the organization to severe HIPAA violation penalties. The Office for Civil Rights (OCR) enforces the HIPAA rules and can issue those penalties. Individual employees are at risk too: a person who violates HIPAA can be terminated as soon as the employer detects the violation. So it is not only the organization that is exposed; the employees who break the rules are in danger as well.

Civil penalties for HIPAA violations are classified into four tiers.

  • Tier 1: The organization did not know about the violation and could not have avoided it even with reasonable care and a good-faith effort to follow the HIPAA rules. Tier 1 fines start at $100 and go up to $50,000 per violation, with a maximum of $1.5 million per year.
  • Tier 2: The organization, or the individual, should have known about the violation but still could not have avoided it with reasonable care. This is "reasonable cause": a violation stemming from a lack of due diligence that falls short of "willful neglect". The minimum fine is $1,000 and goes up to $50,000 per violation, with a maximum of $1.5 million per year.
  • Tier 3: The violation was the result of "willful neglect", but the organization corrected it within the required time. This is where the fines get serious: from $10,000 to $50,000 per violation, maxing out at $1.5 million per year.
  • Tier 4: The violation was the result of "willful neglect" and the organization made no effort to correct it. There is no lower range here: the fine starts at $50,000 per violation and maxes out at $1.5 million a year.

Beyond civil fines, individuals who violate the rules can also face criminal penalties, including prison sentences. These are classified into three tiers.

  • Tier 1: The person knowingly obtained or disclosed PHI in violation of the rules, without any further aggravating intent. This can result in a fine of up to $50,000 and a prison sentence of up to one year.
  • Tier 2: The person obtained the PHI under false pretenses, resulting in a sentence of up to 5 years in prison as well as a fine of up to $100,000.
  • Tier 3: The person obtained or disclosed the PHI with intent to sell it, for commercial advantage or personal gain, or to cause malicious harm, resulting in up to 10 years in prison as well as a fine of up to $250,000.

Source:
HIPAA Violations are Severe – Are You Ensuring Compliance?