Complying with HIPAA regulations is essential for healthcare practices of all sizes. Even though the regulations change often and compliance is not easy, failing to stay compliant can be very expensive for a medical facility. Violating HIPAA guidelines may result in fines from $100 to $4 million.
Before we look at some examples of HIPAA violations and how to remain compliant, let's first understand what HIPAA is.
The Department of Health and Human Services (HHS) in the US issued HIPAA, the Health Insurance Portability and Accountability Act, in 1996 to ensure the privacy of patient health data. HIPAA privacy rules apply to healthcare providers of all sizes, entities that pay for or provide health plans, healthcare clearinghouses, and business associates who provide services for an entity covered by the HIPAA privacy rules.
A HIPAA violation occurs when the access, disclosure, acquisition, or use of a patient's health data puts the privacy of the patient at significant risk. The rules on disclosure of Protected Health Information (PHI) cover everyone who works with healthcare data, such as prescription card sponsors, healthcare clearinghouses, health plans, service providers that store and deliver claims electronically, and other individuals and entities that support facilities covered by the PHI rules.
There are two types of infractions: civil and criminal. The difference between them is malicious intent, and so each has its own fine structure.
When HIPAA violations are committed through neglect, or because the individuals were unaware of what they were doing, the fines range between $100 and $50,000 per violation. If the individuals were not aware of the infraction, the fine is $100. However, the fines go up if the individuals knew and still went ahead. For reasonable cause without willful neglect, the fine is $1,000. For willful neglect that is later corrected, the fine is $10,000, and for willful neglect that is not corrected, the fine stands at $50,000.
Criminal penalties are levied when the individual commits the violation with malicious intent. If PHI is disclosed, the fine is limited to $50,000 and jail time of up to one year. Infractions committed by falsifying data attract fines of up to $100,000 and jail time of up to 5 years, and violations committed for personal gain attract fines of $250,000 and jail time of up to 10 years.
Quite often, violations continue for years before they are identified. The penalties are decided based on how long the violation has been going on. Hence, individuals and organizations covered under HIPAA must conduct compliance reviews at regular intervals to identify and correct potential infractions in time.
HIPAA violations are identified in three primary ways:
- State attorneys general or OCR conduct investigations into a potential data breach.
- HIPAA may initiate compliance audits.
- HIPAA may conduct an investigation if it receives complaints about covered business associates and entities.
If violations are uncovered during OCR investigations, settlements are decided based on the duration for which the violation has persisted, how many violations have been identified, and the financials of the entity. Some common infractions are described below.
The Privacy Rule permits access to patient health records for treatment, healthcare operations, and payment only. Looking up the records of friends, family, celebrities, co-workers, and neighbors is quite a common violation. Such breaches, when discovered, may lead to termination and criminal charges for the employee(s) involved. Financial penalties are not levied on the medical facility. One such example is the University of California Los Angeles. A fine of $865,000 was levied on the facility, and the employee involved was given a prison sentence of 4 months.
When organizations do not conduct a facility-wide HIPAA risk analysis, vulnerabilities affecting the integrity and confidentiality of PHI exist, may continue for years, and can result in hefty financial penalties. PHI may remain exposed, and hackers may steal vital patient information. Premera Blue Cross paid $6,850,000 and Oregon Health and Science University paid $2.7 million for failure to conduct an organization-wide risk assessment.
Patients have the right to view and obtain copies of their records on request. This lets patients check for errors. They may also share their health data with other individuals and entities. Overcharging patients for, denying, or failing to give them access to their health data is a HIPAA violation, and this right was enforced in 2019. Banner Health was fined $200,000, NY Spine was penalized $100,000, and Cignet Health of Prince George's County paid penalties amounting to $4,300,00 for denying or delaying patients copies of their health records.
The above are some examples of HIPAA violations, and HIPAA ensures that medical facilities put patient privacy first. HIPAA compliance is mandatory, and if medical facilities do not follow the rules, they may lose their Medicare payments. As a result, healthcare facilities take measures to keep their processes in check and conduct facility-wide reviews.