If an eligible organization fails to comply with the Health Insurance Portability and Accountability Act (HIPAA), it could be subject to HIPAA violation penalties even if no harm results from the organization's non-compliance. This article explains what constitutes a HIPAA violation, how the penalty classification system works, and what the consequences of a HIPAA violation might be.
Healthcare data is highly sought after by criminals. It can be used to make fake medical claims, purchase prescriptions, and obtain medical treatment under a false name. It can also be used to steal patients' identities in order to obtain credit, file taxes, and get work. Consequently, stolen healthcare data sells on the black market for considerably more than stolen credit card and social security numbers.
Healthcare data cannot be "canceled" as easily as a credit card number, so criminals have a much larger window in which to exploit the data. Consequently, one of the objectives of the Health Insurance Portability and Accountability Act was to create a set of national standards that protect healthcare data and prevent it from being disclosed without the patient's knowledge or consent.
The national standards are now known as the HIPAA Privacy and Security Rules. These Rules not only stipulate how healthcare data should be protected, but also address issues such as staff training, patients' rights, and document retention. There is also a separate Rule covering the reporting of data breaches to affected individuals and the Secretary of Health and Human Services.
What Constitutes a HIPAA Violation?
A HIPAA violation occurs whenever any part of the Privacy, Security, or Breach Notification Rule is not complied with by an organization subject to the HIPAA Rules. These organizations are known as Covered Entities. Not only are they responsible for ensuring their employees comply with the HIPAA Rules, but they are also responsible for ensuring that third-party service providers (known as "Business Associates"), contractors, and agency staff comply with the HIPAA Rules.
The majority of HIPAA violations do not expose Protected Health Information (PHI) to theft, loss, or unauthorized disclosure. Indeed, although the most common complaint made to the Department of Health and Human Services (HHS) relates to impermissible uses and disclosures of PHI, the next three most common complaints are attributable to a Covered Entity failing to implement a required safeguard or failing to comply with Rules relating to patients' rights:
HIPAA Violations Examples
- Impermissible uses and disclosures of PHI
- Lack of safeguards for physical PHI
- Lack of patient access to their PHI
- Lack of safeguards for electronic PHI
- Uses or disclosures of more than the minimum necessary PHI
HIPAA Violations Consequences
The HIPAA violation examples above are taken from the Enforcement Highlights page of the HHS website, which states that, since the publication of the HIPAA Privacy Rule in 2003, the HHS' Office for Civil Rights had received 272,923 complaints and initiated 1,101 compliance reviews. As of 31st August 2021, 98% of cases had been resolved, with only one hundred resulting in a financial penalty for a HIPAA violation. The vast majority were resolved by corrective action and technical assistance.
HIPAA Violation Fines
Although there have been only one hundred cases resulting in a financial penalty for a HIPAA violation, strictly speaking not many of the penalties have been HIPAA violation fines. Most HIPAA violation penalties are financial settlements in which the HHS' Office for Civil Rights has come to an agreement with the Covered Entity in order to save the time and cost of reaching a resolution. The following section provides some examples of recent penalties for HIPAA violations.
Recent Penalties for HIPAA Violations
The HIPAA Violation Classifications
The dollar amount of HIPAA violation penalties is not arbitrary. The Office for Civil Rights classifies HIPAA violations into four categories; and, when HIPAA violation fines are appropriate, the amount of the fines is determined by the nature of the violation, the efforts made by the Covered Entity to prevent the violation, and the efforts made to correct, or contain the consequences of, the violation. The four categories used to calculate HIPAA violation penalties are:
- Category 1: A violation that the Covered Entity was unaware of and could not have realistically avoided had a reasonable amount of care been taken to comply with HIPAA.
- Category 2: A violation that the Covered Entity should have been aware of but could not have avoided even with a reasonable amount of care.
- Category 3: A violation suffered as a direct result of "willful neglect" of the HIPAA Rules, in cases where an attempt has been made to correct the violation.
- Category 4: A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.
The HIPAA Violation Penalty Structure
While the HIPAA violation classifications listed above form the basis for HIPAA violation penalties, the actual amount sanctioned can be influenced by the length of time the violation was allowed to continue, the amount of harm caused by the violation, the Covered Entity's previous compliance history, and the amount of cooperation provided by the Covered Entity during the Office for Civil Rights' investigation. The guidelines for HIPAA violation penalties in each category are:
- Category 1: Minimum fine of $100 per violation up to $50,000
- Category 2: Minimum fine of $1,000 per violation up to $50,000
- Category 3: Minimum fine of $10,000 per violation up to $50,000
- Category 4: Minimum fine of $50,000 per violation, maximum $1,500,000
A data breach or security incident can see separate fines issued for different aspects of the violation under multiple security and privacy standards. Therefore, even a minor incident could result in a fine of $50,000 levied against a Covered Entity that could not have realistically avoided a violation had a reasonable amount of care been taken to comply with HIPAA.
Attorneys General and HIPAA
In 2009, the HITECH Act gave state Attorneys General the power to hold Covered Entities accountable for violations of HIPAA when the PHI of state residents is exposed in a data breach. Attorneys General can issue fines for HIPAA violations of up to $25,000 in addition to the HIPAA violation penalties imposed by HHS' Office for Civil Rights, and can file civil actions against the Covered Entity in federal District Courts.
At present, only the states of Connecticut, Massachusetts, Indiana, Vermont, and Minnesota have exercised the right to hold Covered Entities accountable for violations of HIPAA. However, since Attorneys General's offices can retain a percentage of the fines issued, more Attorneys General may decide to issue penalties for HIPAA violations in the future.
HIPAA Criminal Penalties
When individuals are responsible for the theft, loss, or unauthorized disclosure of PHI, the most common consequence is the loss of employment. However, in the most serious HIPAA violations, criminal charges can be filed against the individual(s) responsible.
As with the HIPAA violation penalties issued by the Office for Civil Rights, criminal penalties for HIPAA violations are divided into tiers, and several factors are considered that will affect the criminal penalty. If an individual has profited from the theft, loss, or unauthorized disclosure of PHI, it may be necessary for all moneys received to be refunded, in addition to the payment of a fine and/or jail time. The tiers for HIPAA criminal penalties are:
- Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail
- Tier 2: Obtaining PHI under false pretences – Up to 5 years in jail
- Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail
State attorneys general are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely, as this is a strong signal to those tempted by the potential financial gains. HIPAAJournal.com maintains a list of jail terms for HIPAA violations by employees.
Unknowing Violation of HIPAA
Ignorance of the HIPAA Rules is not regarded as a justifiable excuse for a Covered Entity who fails to implement the appropriate safeguards against violations occurring. An example of this occurred in 2017 when the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.
Because of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed as the result of an employee error: a laptop containing the data was stolen from a car parked outside the employee's home. Office for Civil Rights Director Roger Severino described this incident as a case of the Covered Entity unknowingly violating HIPAA by disregarding security and not safeguarding the information properly.
HIPAA Compliance Audits and Penalties for HIPAA Violations
If the Office for Civil Rights conducts a HIPAA compliance audit, and a Covered Entity or Business Associate is found not to be in compliance with HIPAA, the Office for Civil Rights has the authority to issue penalties for HIPAA violations even if there has been no breach of PHI or no complaint.
The first phase of HIPAA compliance audits was conducted in 2011/2012 and revealed that many Covered Entities were struggling with compliance. The Office for Civil Rights provided technical assistance to help correct areas of noncompliance, and no penalties for HIPAA violations were issued at the time. Covered Entities were given several years to improve their performance before another audit was scheduled.
The audits discovered that the biggest area of noncompliance with the HIPAA Rules was the failure to conduct a comprehensive, organization-wide risk assessment. Risk assessments are critical to a Covered Entity's compliance efforts. If a risk assessment is not conducted, a Covered Entity will be unaware of any vulnerabilities that pose a risk to the confidentiality, integrity, and availability of PHI.
The failure to complete Business Associate Agreements (BAAs) with third-party service providers can also result in penalties for HIPAA noncompliance. Several Covered Entities have been fined for failing to revise BAAs written before September 2014, when all existing contracts were invalidated by the Final Omnibus Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.
HIPAA Violation Penalties: FAQs
What is a HIPAA violation?
A HIPAA violation is a failure to comply with any of the standards set by the Privacy, Security, and Breach Notification Rules. There does not have to be a data breach for a HIPAA violation to occur, and penalties can be imposed for (for example) the failure to provide staff training, the failure to allow patients to review their PHI, and the failure to retain documents for the required time.
What constitutes a HIPAA violation?
The failure to develop and enforce HIPAA-compliant policies and procedures can also constitute a HIPAA violation. If there are no policies or procedures to guide staff on how to perform their roles compliantly, and a data breach subsequently occurs, Covered Entities will be sanctioned for the failure to develop policies and the failure to train staff on policies as well as for the data breach.
What are the consequences for violating HIPAA?
This depends on who violates HIPAA and how much harm results from the violation. If a violation occurs that "the Covered Entity was unaware of and could not have realistically avoided had a reasonable amount of care been taken to comply with HIPAA", the consequences will be relatively minor. However, if an individual violates HIPAA contrary to the policies enforced by their employer, they could lose their job and spend up to ten years in jail.
What is the civil penalty for unknowingly violating HIPAA?
The civil penalty for unknowingly violating HIPAA is no different from the civil penalty for knowingly violating HIPAA, because there is no justification for a Covered Entity, or an individual trained on a Covered Entity's policies, to be unaware of the Rules. Each Covered Entity is required to appoint a HIPAA Privacy Officer and a HIPAA Security Officer, and it is these Officers' responsibility to ensure every employee and business associate is aware of their HIPAA compliance obligations.
What Rule sets the penalties for violating HIPAA regulations?
The penalties for violating HIPAA regulations were first established in the HIPAA Enforcement Rule in 2006. Subsequent amendments were included in the HITECH Act (2009) and the Omnibus Final Rule (2013), and the current penalties for violating HIPAA regulations are codified under 45 CFR § 160.404 and 45 CFR Part 102 (The Adjustment of Civil Monetary Penalties for Inflation).
What is the penalty for noncompliance with HIPAA?
As mentioned in the above article, the most common penalties for noncompliance with HIPAA include enforced changes to privacy practices, corrective action, and technical assistance. Fewer than 1-in-2,500 complaints received by the Office for Civil Rights result in a monetary penalty for noncompliance with HIPAA.
What are the fines for HIPAA violations?
When the Office for Civil Rights issues a monetary penalty for noncompliance with HIPAA, fines for HIPAA violations can range from $100 per violation to $1.5 million per violation, depending on factors such as the nature of the violation, the precautions put in place to prevent the violation, the Covered Entity's previous compliance history, and the amount of cooperation provided by the Covered Entity during the Office for Civil Rights' investigation.