Paubox blog: HIPAA compliant email made easy

What are the penalties for HIPAA violations?

Written by Kapua Iao | May 23, 2023

Whether from intentional or accidental breaches, HIPAA violations may result in costly civil and criminal penalties. So, what are the penalties for HIPAA violations, and how can they be avoided? 

The Health Insurance Portability and Accountability Act (HIPAA) sets out the rules and regulations surrounding access to and disclosure of protected health information (PHI). All healthcare organizations and their business associates are subject to HIPAA guidelines.


HIPAA violation: a summary

A HIPAA violation occurs when a covered entity does not maintain appropriate safeguards to prevent the intentional or unintentional use or disclosure of PHI. The HIPAA Privacy Rule establishes national standards to protect individuals' PHI. This rule, along with the Security Rule, sets limits and conditions on PHI exposure without patient authorization. HIPAA safeguards patients' PHI physically, administratively, and technically.

Organizations must use layers of cybersecurity measures to maintain compliance and avoid violations. There are numerous ways that organizations could violate HIPAA, including:

  • Unauthorized access
  • Inadequate security measures
  • Mishandling of PHI

Willful neglect is the worst type of violation, but even an accidental HIPAA breach can result in a penalty.

The agency tasked with enforcing HIPAA is the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR's primary responsibilities include investigating complaints, conducting compliance reviews, and enforcing penalties to ensure adherence to HIPAA. The OCR learns about violations from organizations themselves or through complaints. In either circumstance, the agency will investigate to determine the nature of the breach and subsequent actions.

 

What are the penalties for HIPAA violations?

The Enforcement Final Rule (2006) gave OCR the power to issue penalties to non-compliant organizations. If the OCR identifies a violation during an investigation, it can impose a range of consequences, including criminal charges. Such penalties accordingly act as deterrents while holding covered entities accountable.

 

1. Corrective action plans

A corrective action plan (CAP) aims to identify the underlying security issues within an organization that caused a breach in the first place. With this plan, healthcare organizations can adjust their cybersecurity measures to ensure such violations do not happen again. CAPs may cost a healthcare organization money, time, and work.

Depending on the nature of the violation, a CAP may focus on how a healthcare organization: 

  • Implements policies and procedures
  • Monitors policies and procedures
  • Manages business associates
  • Reports failures
  • Trains employees


2. Monetary penalties

In some cases of noncompliance, the OCR may impose significant fines on the violating party. The Omnibus Rule (2013) brought financial penalties in line with the HITECH Act (2009), increasing previous monetary penalties. Along this line, OCR added a fourth tier to its penalty system. Moreover, the new fines applied not only to healthcare providers, health plans, and healthcare clearinghouses: business associates also became liable for violations of HIPAA and could be fined.

OCR bases its fines on the amount of knowledge a healthcare organization had of a violation. The agency adjusts the fines annually for inflation, though OCR has yet to release its update for 2023.

 

| Penalty tier | Level of culpability | Min. fine per violation | Max. fine per violation | Annual penalty cap |
| --- | --- | --- | --- | --- |
| Tier 1 | Lack of knowledge | $127 | $31,987 | $31,987 |
| Tier 2 | Reasonable cause | $1,280 | $63,973 | $127,974 |
| Tier 3 | Willful neglect | $12,794 | $63,973 | $319,865 |
| Tier 4 | Willful neglect (not corrected within 30 days) | $63,973 | $63,973 | $1,919,173 |

 

State Attorneys General can impose additional fines on top of those given by OCR. These fines range from $100 (per affected resident) to $25,000 per violation (per affected resident).

 

3. Criminal penalties

The Enforcement Final Rule gave OCR the power to bring criminal charges against certain offenders. Such criminal violations are typically knowingly committed. For example, a criminal complaint may be made due to PHI theft for financial gain, PHI disclosure with intent to cause harm, or failure to implement a CAP within the time allotted.

| Penalty tier | Level of culpability | Potential jail term |
| --- | --- | --- |
| Tier 1 | Reasonable cause or no knowledge of the violation | Up to one year |
| Tier 2 | Obtaining PHI under false pretenses | Up to five years |
| Tier 3 | Obtaining PHI for personal gain or malicious intent | Up to 10 years |

 

In extreme cases, OCR refers violations to the U.S. Department of Justice for prosecution. Criminal violations can also include monetary penalties of up to $250,000.

 

HIPAA penalties 2023

Over the past few years, we have seen an increase in how HHS and OCR approach and fine HIPAA violations, particularly when it comes to its Right of Access initiative to give patients more control over accessing their PHI.

OCR is expected to continue its aggressive approach to PHI access and to enforcing HIPAA in 2023. In fact, the OCR recently created a new Enforcement Division to handle investigations and compliance issues more swiftly. Other changes expected shortly ensure individuals remain protected and in control of their medical records under federal laws. This includes incentives to individuals for reporting HIPAA violations.

 

How to avoid penalties due to HIPAA violations

Healthcare organizations can avoid penalties by focusing on compliance through up-to-date policies and procedures, employee awareness training, and cybersecurity measures. Avoiding a HIPAA violation means actively and continuously finding the right combination of security features to safeguard patients and ultimately focus on patient care.

A proactive approach reduces the likelihood of OCR enforcement actions, ensuring the protection of patients' PHI. Providers must actively monitor and strategize for blocking and fixing security risks. Having a plan in place can keep a healthcare organization from incurring penalties, whether a breach is intentional or accidental.

Even if compliant, an organization may be audited by the OCR after a breach, which is why documenting compliance is vital. OCR prefers to resolve violations by issuing technical guidance or accepting an organization's plan to prevent future violations.

Generally, the OCR seeks to resolve most violations through voluntary compliance.

 

Understand HIPAA to stay compliant

Finally, providers must be diligent in understanding all HIPAA provisions. This means utilizing a correct mix of cybersecurity measures and staying on top of changes and amendments.

Healthcare entities must be on the lookout for updates to ensure they always remain compliant. Proactively pursuing HIPAA compliance is far less expensive than spending millions of dollars in fines and CAPs. Or facing time in jail.