The federal fines for noncompliance are based on the level of perceived negligence found within your organization at the time of the HIPAA violation. These fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of
$1.5 million per year for each violation. (Dec 19, 2018)
What are the Penalties for HIPAA Violations?
October 1, 2017
Editor HIPAA Articles, HIPAA Updates
The Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general can issue penalties for HIPAA violations. Along with financial sanctions, covered entities must adopt a corrective action plan to bring
policies and procedures up to the standards required by HIPAA.
The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered
entities to secure the Protected Health Information (PHI) of patients, to strictly control when PHI can be shared,
and to control with whom it can be shared.
OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply
with HIPAA Rules since the Enforcement Final Rule of 2006 was introduced.
Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which brought penalties in
line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule
took effect on March 26, 2013.
Since the Omnibus Rule was introduced, the new financial penalties for HIPAA violations apply to healthcare providers,
health plans, healthcare clearinghouses and all other covered entities, as well as business associates (BAs) of
covered entities that are shown to have violated HIPAA Rules.
It is hoped that financial penalties will deter breaches of HIPAA laws, while also ensuring covered
entities are held accountable for their actions – or lack thereof – when it comes to safeguarding the privacy of patients
and the confidentiality of health data, and allowing patients access to their health records when they wish.
The penalty structure for a breach of HIPAA laws has a number of tiers, based on the awareness a covered entity had
of the violation that was incurred. OCR establishes the penalty based on a number of “general factors” and
the seriousness of the HIPAA breach.
Not being knowledgeable of HIPAA Rules is not an acceptable excuse for failing to adhere to them. It is the
responsibility of each covered entity to ensure that HIPAA Rules are understood and followed. In scenarios
where a covered entity is found to have committed a wilful violation of HIPAA laws, the maximum fines will apply.
What is a HIPAA Violation?
The media has been full of reports of HIPAA violations recently, but what defines a HIPAA violation? A HIPAA violation occurs when a
HIPAA covered entity – or a business associate – fails to comply with one or more of the provisions of the
HIPAA Privacy, Security, or Breach Notification Rules.
A violation may be intentional or accidental. An example of an unintentional HIPAA violation is when too much PHI is made available and the minimum necessary information standard is breached. When PHI is shared, it must be restricted to the minimum necessary information to achieve the purpose for which it is disclosed. Financial sanctions for HIPAA violations
can be issued for accidental HIPAA violations, although the penalties will be at a lower rate than for deliberate violations
of HIPAA Rules.
Unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum time frame of
60 days following the discovery of a breach to issue notifications is an example of a wilful violation of the HIPAA Breach Notification Rule.
Many HIPAA violations happen due to negligence, such as the failure to complete an organization-wide risk assessment. Financial sanctions for HIPAA violations have frequently been applied for risk assessment failures.
HIPAA violation penalties can be issued for any HIPAA violation, although OCR usually resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity’s or business associate’s plan to address
the violations and change policies and procedures to prevent future breaches from happening. Financial sanctions for
HIPAA violations are reserved for the most serious breaches of HIPAA Rules.
What Happens When HIPAA is Violated? – Classifications of HIPAA Violations
What happens when you violate HIPAA? The answer depends on the severity of the breach that occurred. OCR
prefers to settle HIPAA violations using non-punitive actions, such as voluntary compliance or providing technical
guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been
permitted to go on for a long time, or if there are multiple areas of noncompliance, financial sanctions may be necessary.
The four categories of HIPAA violations used for the penalty structure are as follows:
Category 1: A violation that the covered entity was unaware of and could not realistically have prevented, even had a reasonable amount of care been taken to adhere to HIPAA Rules
Category 2: A violation that the covered entity should have been aware of but could not have prevented even with a
reasonable amount of care (falling short of wilful neglect of HIPAA Rules)
Category 3: A violation that occurred due to “wilful neglect” of HIPAA Rules, in cases where efforts have been made to
address the violation
Category 4: A violation of HIPAA Rules constituting wilful neglect, where no efforts have been made to correct the violation
With unknown violations, where the covered entity could not have been expected to prevent a data breach, it may seem unreasonable for covered entities to be issued with a financial penalty. OCR accepts this, and has the discretion to decline to impose
a financial penalty. The penalty cannot be waived if the violation involved wilful neglect of the Privacy, Security or Breach Notification Rules.
Structure of HIPAA Violation Penalties
Each category of HIPAA violation carries a different HIPAA penalty. It is up to OCR to determine the financial penalty within
the proper range. OCR considers a number of factors when calculating penalties, such as the length of time a violation
was allowed to continue, the number of people affected and the nature of the data exposed. An organization’s willingness
to cooperate with an OCR investigation is also taken into account. The general factors that can affect the level of financial
penalty also include previous history, the organization’s financial status and the level of harm caused by the HIPAA violation.
Category 1: $100 minimum fine per violation, $50,000 maximum fine
Category 2: $1,000 minimum fine per violation, $50,000 maximum fine
Category 3: $10,000 minimum fine per violation, $50,000 maximum fine
Category 4: $50,000 minimum fine per violation
The HIPAA penalty fines are issued per violation category, per year that the violation was allowed to continue. The
maximum fine per violation category, per year, is $1,500,000.
A data breach or security incident that occurs due to any violation could see separate fines issued for different aspects
of the breach under multiple security and privacy standards. A fine of up to $50,000 could be issued for any violation
of HIPAA Rules, however small.
A HIPAA fine may also be issued on a daily basis. For example, if a covered entity has been denying patients the right
to access copies of their medical records, and has been doing so for a period of one year, OCR may decide to
apply a penalty for each day that the covered entity has been in violation of the law. The penalty would be multiplied by 365,
not by the number of patients that have been denied access to their medical records.
HIPAA Violation Fines Can Also Be Issued by Attorneys General
Since the HITECH Act (Section 13410(e)(1)) took effect in February 2009, state attorneys general have had the power
to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and to file civil actions
in the federal district courts. HIPAA violation fines can be applied up to a maximum of $25,000 per violation
category, per calendar year. The minimum fine applicable is $100 per violation.
A covered entity suffering a data breach harming residents of multiple states may be ordered to pay HIPAA violation
penalty fines to attorneys general in multiple states. At present only a small number of U.S. states – Connecticut,
Massachusetts, Indiana, Vermont and Minnesota – have so far taken legal action against HIPAA offenders,
but since attorneys general offices are able to keep a percentage of the fines issued, more attorneys general
may decide to apply penalties for HIPAA violations.
Criminal Penalties for HIPAA Violations
Along with civil financial penalties for HIPAA violations, criminal charges can be filed against the person(s) responsible
for a breach of PHI. Criminal penalties for HIPAA violations are split into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case.
As with OCR, a number of general factors are taken into account which will affect the penalty issued. If an individual
has profited from the theft, access or disclosure of PHI, it may be necessary for all money received to be returned,
in addition to the payment of a HIPAA violation penalty fine.
The different tiers for HIPAA criminal penalties are:
Tier 1: Reasonable cause or no knowledge of violation – a maximum of 1 year in jail
Tier 2: Obtaining PHI under false pretences – a maximum of 5 years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent – a maximum of 10 years in jail
In the last few months, the number of employees found to be accessing or stealing PHI – for various reasons – has risen.
The value of PHI on the black market is high, and this can be a big temptation for some people. It is therefore vital that
security controls are put in place to limit the opportunity for individuals to steal patient data, and that systems and policies
are implemented to ensure improper access to and theft of PHI are identified quickly.
All staff that may come into contact with PHI as part of their work duties should be made aware of the HIPAA criminal
penalties and that violations will not only lead to a loss of employment, but potentially also a long jail term and a heavy fine.
State attorneys general are focusing on data theft and are keen to make examples out of people found to have breached
HIPAA Privacy Rules. A jail term for the theft of HIPAA data is highly probable.
Civil Penalties for Unknowingly Violating HIPAA
Although it was noted above that OCR has the discretion to waive a civil penalty for unknowingly breaching HIPAA,
ignorance of the HIPAA regulations is not considered a justifiable excuse for not implementing the appropriate
safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for not fully
understanding the HIPAA requirements and subsequently failing to complete a thorough risk assessment.
Due to the incomplete risk assessment, the PHI of 1,391 individuals was possibly disclosed without authorization
when a laptop storing the data was stolen from a car parked outside an employee’s home. Speaking after details
of the fine had been revealed, OCR Director Roger Severino described the civil penalty for unknowingly violating
HIPAA as a penalty for disregarding security.
There is also potential for a CE or BA to receive a civil penalty for unknowingly breaching HIPAA if the state in which
the violation happens allows citizens to bring legal action against the person(s) behind the violation. Although HIPAA
lacks a private right of action, people can still use the regulations to set up a standard of care under common law.
Many cases of this nature are currently taking place.
Penalties for HIPAA Violations are Likely Following HIPAA Compliance Audits
If a CE or BA is found not to have complied with HIPAA regulations, OCR has the authority to apply penalties for HIPAA noncompliance – even if there has been no breach of PHI and no complaint has been filed.
After some delay, OCR is now carrying out the second phase of HIPAA compliance audits. The audits are not being carried
out specifically to find HIPAA violations and to issue financial penalties, although if serious breaches of HIPAA Rules
are found, financial penalties may be deemed necessary.
The first phase of HIPAA compliance audits was completed in 2011/2012 and showed many covered entities were having
difficulties with compliance. OCR gave technical assistance to help those entities address areas of noncompliance,
and no penalties for HIPAA violations were applied.
Now, five years later, HIPAA covered entities have had plenty of time to develop their compliance programs. OCR
is not expected to be as lenient on this occasion.
One of the largest areas of noncompliance with HIPAA Rules found during the first phase of compliance audits was
the failure to complete a comprehensive, organization-wide risk assessment.
The risk assessment is important for developing a good security posture. If a risk assessment is not completed,
a covered entity will be unaware whether any security weaknesses exist that pose a danger to the confidentiality, integrity,
and availability of ePHI. Those dangers will therefore not be controlled and reduced to an acceptable level.
A look at the HIPAA violation penalties issued by OCR shows just how common risk assessment violations are. Risk assessment failures often attract financial penalties.
The failure to complete Business Associate Agreements (BAAs) with third-party service suppliers can attract financial
penalties for HIPAA noncompliance. Several covered entities have been fined for not revising BAAs written before
September 2014, when all existing contracts were made invalid by the Final Omnibus Rule. In September 2016,
the Care New England Health System was issued with a fine of $400,000 for HIPAA noncompliance that
included the failure to update a BAA originally completed in March 2005.
BAAs are a key area that OCR will be reviewing throughout its audit program. BAAs – contracts that lay out the
allowable uses and allowable disclosures of PHI – should be signed with every third-party service supplier to
whom PHI is disclosed (including lawyers) to avoid HIPAA violation penalties.