A HIPAA violation can cost you your career. Barely a day goes by without a news report of a HIPAA violation committed by a hospital, health plan, or healthcare professional. Whether intentionally or unintentionally, breaking the HIPAA rules has become very common, something that healthcare professionals and staff members need to address. But what is a HIPAA violation, and what are the penalties for violating the law?
What does a HIPAA violation mean?
The Health Insurance Portability and Accountability Act (HIPAA) is a monumental piece of legislation that was introduced to simplify healthcare administration, prevent fraud in healthcare, mitigate wastage, and ensure that employees could maintain healthcare coverage when they are switching jobs or are dismissed.
Since the passage of HIPAA, there have been notable changes to the law to improve privacy protections of patients and health plan members throughout the years which help to ensure healthcare data is safeguarded and patient privacy is protected. These changes include the HIPAA Privacy Rule, HIPAA Security Rule, the HIPAA Breach Notification Rule, and the Omnibus Rule.
A HIPAA violation occurs when a HIPAA-covered entity or a business associate fails to comply with one or more provisions of the rules mandated by HIPAA, which are the Privacy, Security, and the Breach Notification Rule. To learn more about what aspects of HIPAA standards and provisions can be a violation of HIPAA rules, click here: 45 CFR Parts, 160, 162, and 164.
There are as many as hundreds of ways of violating the HIPAA rules. Nevertheless, these are some of the most common ways HIPAA rules are violated:
- Disclosing Protected Health Information (PHI) without permission.
- Disposing of PHI improperly.
- Unencrypted laptops being stolen or lost.
- Unencrypted smartphones being stolen or lost.
- Unencrypted USB devices being stolen or lost.
- Posting on social media.
- Breach of Electronic Health Record (EHR).
- Not providing HIPAA security awareness training.
- Failure to conduct a HIPAA risk analysis.
- Not implementing appropriate safeguards to ensure the confidentiality, integrity, and availability of PHI.
- Not providing copies of PHI to the patients on request.
- Discussing or sharing PHI outside the facility or to an unauthorized individual.
- Sending PHI to the wrong patient or person.
- Not implementing access controls to restrict who can view PHI.
- Theft of patient’s records.
- Not executing Business Associate Agreements (BAA) with vendors before providing access to PHI.
- Not properly documenting compliance efforts.
What are the Penalties for breaking the HIPAA law?
A HIPAA violation may be deliberate or unintentional, nevertheless, penalties for violations are severe. The U.S. Department of Health and Human Services (HHS) has repeatedly increased the penalties for non-compliance over the years. There are two categories of penalties for non-compliance. They are civil penalties and criminal penalties.
Civil Penalties are classified into four categories. This is how the penalties are structured per category:
- Tier 1: This is when an organization did not have a way of knowing or was unaware that a violation could occur given that the organization had taken necessary precautions: A minimum fine of $100 per violation, up to $50,000, and a maximum of $25,000 per year.
- Tier 2: A violation where an organization was or should have been aware of but could not have prevented it from happening, even with a sufficient amount of care, but not willfully neglecting HIPAA Rules: A minimum fine of $1000 per violation, up to $50,000 and a maximum of $100,000 per year.
- Tier 3: This is when an organization was aware of the violation yet did not take the necessary steps to avoid it. This type of violation is classified as the direct result of willfully neglecting HIPAA rules, although attempts to rectify the violation have been made in some cases: A minimum fine of $10,000 per violation, up to $50,000, and a maximum of $250,000 per year.
- Tier 4: A violation where an organization was fully aware of the violation, willfully neglecting it, and made no attempt to rectify the problem: A minimum fine ranging from $50,000 with an annual maximum of $1.5 million per violation.
As for criminal penalties, the fines can be anywhere between $50,000 and 1 year in jail, up to $250,000 and 10 years in jail. Quite intimidating, and it shows why HIPAA should be taken more seriously.
Ensure compliance and avoid violations with HIPAAReady
It is only natural that HHS increases penalties for HIPAA violation so that people take it more seriously. However, it is important to realize that these common violations can be mitigated by implementing an effective HIPAA compliance program while simplifying your workflow.
HIPAA Ready is a one-stop HIPAA compliance solution that will provide you with the tools to confidently satisfy the law and keep your organization safe. Our HIPAA compliance software with guidance and ongoing support allows organizations to easily manage training. HIPAAReady helps organizations address regulatory issues, all while developing an effective compliance program tailored to the organization’s needs.