The Health Insurance Portability and Accountability Act was established in 1996 and covers many aspects of patient privacy. To help enforce the Act, the Enforcement Rule of 2006 was added that gave the Office for Civil Rights the ability to prosecute for HIPAA violations. The hope was that by issuing financial – and sometimes criminal – penalties for HIPAA violations the Office for Civil Rights (OCR) would underscore the importance of patient privacy. They would also act as a deterrent for violating HIPAA, upping the rate of compliance amongst CEs.
As well as the OCR, State Attorneys may also fine CEs for HIPAA non-compliance. Though this is rarer, with State Attorneys from only a handful of States using this power so far, it is expected that this will become more prevalent in the future.
It is important to note that alongside financial penalties, the OCR requires that all CEs found to be violating HIPAA must adopt a correct action plan to prevent further breaches.
HIPAA Penalty Structure
Data breaches are defined based on the following criteria that will go on to determine how penalties are applied:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
Based on this assessment, financial penalties will be dealt as detailed below. However, it is often the case that fines will be waived for the first two categories, with the OCR instead opting for corrective action plans and other associated training.
For each fine detailed below, the maximum penalty that can be applied for multiple versions of the same violation is $1.5 million.
|Description||Financial Penalty (per violation)|
|Category 1||The CE or BA were unaware of the violation and could not have otherwise prevented it.
They have also taken steps to mitigate any damage.
|Category 2||The CE or BA were not aware of the breach when it occurred, though they should have been. However, they could not have prevented the breach.||Minimum: $100
|Category 3||The violation was the result of wilful neglect by the CE or BA, but the party did take steps to mitigate damage.||Minimum: $10,000
|Category 4||The violation was the result of wilful neglect with no attempts at mitigation or correction.||Minimum: $50,000|
When issuing fines for HIPAA violations, the OCR will largely look at the nature of the breach when considering the financial penalties. However, this is not the only thing to be taken into consideration: the OCR will look at the negligent party’s history of HIPAA compliance, how cooperative they are with the OCR’s investigation, past risk analyses etc..
In serious cases, criminal charges may be brought against negligent CEs or BAs. In this instance, there is a tiered criminal penalty system. The HIPAA violations are assessed in a similar manner to the above cases, with the resulting penalties detailed below.
|Tier 1||Reasonable cause/no knowledge of violation||Up to 1 year jail sentence|
|Tier 2||Obtain PHI under false pretences||Up to 5 year jail sentence|
|Tier 3||Obtain PHI with malicious intent.||Up to 10 year jail sentence|