The Health Insurance Portability and Accountability Act (HIPAA) sets out the rules and regulations surrounding access to and disclosure of protected health information (PHI). HIPAA Violations can result in costly fines and lost business. In this post we’ll cover everything you need to know to navigate HIPAA violations, all the way from what is a violation to managing violations once they occur.
What is a HIPAA violation?
At its simplest, a HIPAA violation is when a covered entity does not maintain appropriate safeguards to prevent the intentional or unintentional use or disclosure of PHI, according to the guidelines in the HIPAA Privacy Rule. HIPAA violations can occur in different ways, regardless of whether or not individuals and companies understand they are making a violation. Because HIPAA safeguards PHI in numerous ways – physically, administratively, and technically – many steps are necessary to maintain compliance and avoid a violation. Willful neglect is the worst type of violation. But even an accidental HIPAA breach will often result in a fine. With more and more healthcare providers and their business associates – who are also obligated to uphold HIPAA rules – transmitting and providing access to PHI using electronic technology, avoiding a violation has become more complex in recent years. To avoid penalties, your company needs to understand what a violation is, how it can occur, and what to do if you find yourself in contravention of HIPAA’s rules.
What are the penalties for HIPAA violations?
The penalties for a HIPAA violation can be severe. Both civil and criminal penalties can be enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Generally speaking, breaches that fall under reasonable cause range from $100 to $50,000 per breach. Willful neglect cases range from $10,000 to $50,000 and often result in criminal charges being brought against the people involved. Here is a quick chart that shows how the range of civil penalties that can reach a maximum of $1.5 million per violation.
|Violation||Minimum Penalty||Maximum Penalty|
|Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA||$100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)||$50,000 per violation, with an annual maximum of $1.5 million|
|HIPAA violation due to reasonable cause and not due to willful neglect||$1,000 per violation, with an annual maximum of $100,000 for repeat violations||$50,000 per violation, with an annual maximum of $1.5 million|
|HIPAA violation due to willful neglect but violation is corrected within the required time period||$10,000 per violation, with an annual maximum of $250,000 for repeat violations||$50,000 per violation, with an annual maximum of $1.5 million|
|HIPAA violation is due to willful neglect and is not corrected||$50,000 per violation, with an annual maximum of $1.5 million||$50,000 per violation, with an annual maximum of $1.5 million|
Criminal penalties can also be applied when HIPAA violations are knowingly committed with increases in the fine per violation and imprisonment. Criminal penalties are divided into three tiers:
|Tier||Potential Jail Term|
|Reasonable cause or no knowledge of violation||Up to one year|
|Obtaining PHI under false pretenses||Up to five years|
|Obtaining PHI for personal gain or malicious intent||Up to ten years|
Common HIPAA ViolationsEven though there are many ways for HIPAA violations to occur, the most common violations come from:
- Lost or stolen devices
- Unsecured records
- Unauthorized disclosure
Lost or stolen devicesPart of protecting PHI involves employee education. Everyone in your workforce needs to understand when and how data can be accessed. If data needs to remain on-site, make that very clear. Often, HIPAA violations come about when an employee brings unencrypted patient information home for after-hours work. But even if a device is stolen, the covered entity may still be held liable for a HIPAA violation as Beth Israel Deaconess Medical Center found out. In May 2012, Beth Israel Deaconess Medical Center violated HIPAA after an unencrypted personal laptop sitting unattended on a desk in the hospital was stolen. The hospital also failed to notify patients about the breach until August that year. In 2014, the hospital was ordered to pay a $100,000 fine. Attorney General Martha Coakley said “The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure. To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.” The Boston hospital could have mitigated their liability if they had encrypted the stolen laptop so data was protected.
Unsecured recordsRecently, Advocate Health Care Network in Illinois agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan after multiple potential violations of HIPAA. Among the list of violations, one was the failure to reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight. Just the increased risk that the laptop could be stolen and compromise PHI was enough to warrant judgement. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Office of Civil Rights director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
Proper employee training also extends beyond securing equipment and data. Staff should be made aware of the potential risk in disclosing PHI improperly. This is especially a danger when the patient is in the public eye and reporters are trying to gain access to information. Social media usage must also be accompanied by clear boundaries. In 2010, a nurse working at Oakwood Hospital in Dearborn, Michigan was fired after revealing identifying patient information on her Facebook page, posing a huge HIPAA risk to her employer. To avoid similar issues, set out clear security policies. Train employees to follow the procedures you have set out, and ensure that your business associates are doing the same. Every company you use to store or transfer PHI needs to maintain the same HIPAA compliance as you. Whether it is your email provider, your web host, or a cloud backup service, they must be in a position to implement and maintain the security rules required by HIPAA. But that doesn’t mean you should refuse to disclose information electronically. Patients are allowed to access their health information. If a request comes in, you must provide electronic copies of medical records on demand. According to the HHS website, “The Privacy Rule generally requires HIPAA covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more designated record sets maintained by or for the covered entity.” Be aware of all the ways a breach can occur, and safeguard against violations with clear, enforced policies.
What to do in the event of a HIPAA violation or breachEven the best security practices can’t prevent violations from occurring 100% of the time. If a violation or breach does occur, take immediate action, even if you only suspect that you may be in breach of HIPAA. Your organization should immediately conduct a risk assessment to determine what PHI was involved, its nature, and the extent of the privacy breach. Investigate to whom the PHI was disclosed and whether it was acquired or viewed, or at risk of being acquired or viewed. This assessment will also tell you if and how any risk to the information has already been mitigated. For example, sending information to an unauthorized healthcare provider is far different from having a backup file compromised by a hacker. Depending on the result of your risk assessment, you may be required by law to notify HHS, and all affected individuals. In this case, you would have to inform the patient of:
- the breach and when it occurred
- the details of the PHI involved
- what they can do to protect themselves from harm (safeguarding against identity theft, for instance)
- the steps you’ve taken to deal with the breach
- contact information for the organization
How you inform the HHS is different depending on the extent of the breach. If the violation affects fewer than 500 patients, you can log the incidents and provide notice of all breaches that took place in a calendar year, within 60 days of the year’s end. When it affects more than 500 people, however, the situation is more complex and HHS must be notified immediately. A mistake that’s often made when a HIPAA violation occurs when the covered entity fails to notify HHS and affected individuals in time. HHS requires extensive documentation within ten days of a data breach, with at least 15 elements relating to the covered entity’s internal investigation, physical safeguards, policies and procedures, risk assessment, and breach notification.
Clearly, the risks of a HIPAA violation occurring in your organization, and the penalties attached, can’t be ignored. Protect your organization, your staff, and your patients or clients by implementing strong, easily understood policies that keep everyone in line with HIPAA’s rules.
Contact us today to learn how Paubox can reduce the risk of HIPAA violations for your organization by securing your email.