The Health Insurance Portability and Accountability Act (HIPAA) has been the law of the land in the United States since 1996 when it was enacted to help streamline the movement of medical records from one health care provider to another as people switched jobs.
In addition, HIPAA created a set of patient rights designed to protect people’s right to privacy in regards to their medical records. In 2003, HIPAA was amended by the HIPAA Privacy Rule, which outlined protected health information (PHI). HIPAA was further amended in 2005, by the HIPAA Security Rule. That update introduced new safeguard provisions for information stored or transported electronically.
HIPAA is governed by the U.S. Department of Health and Human Services (HSS). The Office for Civil Rights, a unit of HSS, enforces the rules and determines the financial penalties for violation, while the Department of Justice has jurisdiction over criminal penalties.
Protecting Patient Privacy
To fully protect that privacy, healthcare organizations were tasked with investing time and money in to not only putting safeguards into place to ensure that patient privacy was being respected. It also meant investing in education around the new HIPAA guidelines to make sure healthcare organizations were in strict compliance.
While HIPAA has had a definite impact on both healthcare organizations and their patients, it has definitely created an additional sense of security as it relates to patient privacy. Maintaining that security entails very real penalties if HIPAA rules and guidelines are violated.
Violations of HIPAA rules and guidelines are taken very seriously, and penalties include civil and criminal remedies. The Enforcement Final Rule added to HIPAA in 2006 also introduced financial penalties.
Defining HIPAA Violations
Spend any time around any healthcare organization, and you are sure to hear the phrase “HIPAA violation.” But what actually constitutes a violation of patient privacy rights?
Simply put, a violation occurs any time a HIPAA-covered entity fails to comply with privacy, security or breach notification rules. An individual or entity does not have to knowingly have breached protocol to be found in violation of HIPAA. Knowledge does have an effect, however, on the severity of the punishment.
A HIPAA-covered entity is any company or organization that transmits PHI.
- Healthcare plan administrators
- Healthcare clearinghouses
- Nursing homes
- Medicare and Medicaid
Penalties can be issued for any violation. Typically, violations are resolved through voluntary compliance, technical guidance or the acceptance of an entity’s updated plan to address the source of the violation.
HIPAA Financial Penalties
Violations of HIPAA to be punished through fines are defined by a set of classifications determined by how serious the offense is. They are broken down into four categories.
- Category 1: A Minimum fine of $100 up to $50,000. Usually, the result of an unknowing HIPAA violation.
- Category 2: Minimum fine of $1,000 up to $50,000. Category 2 violations deal with reasonable cause violations.
- Category 3: Minimum fine of $10,000 up to $50,000. This category involves infractions due to willful neglect, but that was corrected within a certain time period.
- Category 4: A Minimum fine of $50,000. These fines involve willful neglect that went uncorrected.
Fines can be enforced on a daily or per-violation basis, meaning that even Category 1 fines can add up if allowed to persist over time.
HIPAA Criminal Penalties
Just like the financial penalties, criminal punishments for HIPAA violation are separated into tiers.
- If a healthcare-related entity knowingly obtained and disclosed PHI, there’s a possible one-year prison term and $50,000 fine.
- If an entity or individual working for that entity lied in order to obtain information to be used inappropriately, there’s a possible $10,000 fine and 10-year prison sentence.
- For any violation involving the intent to sell, transfer or use PHI for personal or commercial gain, or to do malicious harm, the fine can total $250,000 and 10 years in prison.
Criminal cases involving HIPAA violations have been exceedingly rare. The OCR usually chooses to directly address the causes of the problem in order to help organizations return to compliance.
For example, in January of 2018, there were over 170,000 HIPAA violation complaints registered with the OCR. Those complaints resulted in 871 compliance reviews, with 53 cases meriting civil financial penalties.
Avoiding HIPAA Violations
One of the best ways to avoid HIPAA violations is through automation. Taking the chance of human error out of the PHI communication equation is perhaps the best way for organizations to stay compliant.
Being completely transparent as to where patient data resides, and how that data is encrypted is also important. Organizations should also be upfront about who has access to PHI data, and how those privileges are maintained.
This article has been written by Ken Lynch, an enterprise software startup veteran and founder of ReciprocityLabs.com