What are HIPAA violation fines?
The Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general have the power to issue penalties for HIPAA violations. Alongside the financial penalties, covered entities (CEs) are further required by law to adopt a corrective action plan to bring policies and procedures up to the standard. These standards are by HIPAA legislations.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created requisites and standards to which HIPAA-covered entities were to adhere. The aim of this legislation was to keep Protected Health Information (PHI) of patients private. HIPAA offers strict guidelines as to with whom the PHI can be shared, and under what circumstances this is appropriate.
Enforcement Final Rule of 2006 gave the OCR the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. In March 2013, the HIPAA Omnibus Rule introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH), thus updating the policies and financial penalties.
The new penalties introduced by the Omnibus rule state that HIPAA violations now apply to healthcare providers, health plans, healthcare clearinghouses and all other covered entities, as well as business associates (BAs) of covered entities that are found to have violated HIPAA Rules.
The primary function of these penalties is to act as a deterrent to those tempted to violate HIPAA laws. If the laws are violated, they provide a means of ensuring covered entities are held accountable when they have failed in their duty of protecting the privacy of patients and the confidentiality of health data.
The penalty structure for a violation of HIPAA laws is tiered. The tiers are broadly divided by the amount of knowledge a covered entity had of the violation of HIPAA laws. The OCR considers the circumstances in which the violation took place, and sets the penalty based on several “general factors” and the seriousness of the HIPAA violation. However, the OCR does not consider ignorance as an excuse for committing a HIPAA violation.
What Constitutes a HIPAA Violation?
A HIPAA violation is defined to be when a HIPAA covered entity – or one of their business associate – fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.
A violation may be deliberate or unintentional. A deliberate violation will result in the maximum possible fine being levied against the organisation. When PHI is disclosed to another party, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. If more information than necessary is given, this constitutes a violation.
There are many rules which of which CEs must be aware. One of which is the HIPAA Breach Notification Rule. A breach of this rule may be the CE unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications. This may be accidental, or deliberate. Another rule that is frequently broken is the requirement for CEs to perform organization-wide risk assessments.
Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary compliance. They do this by issuing technical guidance, or accepting a covered entity or business associate’s plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules.
The HIPAA Violation Classifications
The outcome of a HIPAA violation depends heavily on the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as with voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. If the violations are serious, or have been repeated several times, the OCR deems financial penalties to be appropriate.
The four categories used for the penalty structure are as follows:
- Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
- Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
- Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
- Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
The OCR could waive a violation in the case of unknown violations. These are situations in which the covered entity could not have been expected to avoid a data breach. The penalty cannot be waived if the violation involved willful neglect of Privacy, Security and Breach Notification Rules.
HIPAA Violation Penalty Structure
The penalty levied to CEs who have violated HIPAA depends on the severity of the crime. The OCR considers many factors when determining penalties, such as the length of time a violation persisted, the number of people affected and the nature of the data exposed. The OCR will also consider the CEs willingness to cooperate when issuing the fine, as well as their current financial situation. General factors that can affect the level of financial penalty also include prior history, the organization’s financial condition and the level of harm caused by the violation. In general, the fines are issued per violation category, per year that the violation persists by the CE.
- Category 1: Minimum fine of $100 per violation up to $50,000
- Category 2: Minimum fine of $1,000 per violation up to $50,000
- Category 3: Minimum fine of $10,000 per violation up to $50,000
- Category 4: Minimum fine of $50,000 per violation, maximum $1,500,000
A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. Therefore, even a minor incident could result in a fine of $50,000 levied against the CE.
In certain circumstances, a fine may also be applied daily instead of yearly. For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.
Attorneys Generals and HIPAA
In February 2009, the HITECH Act (Section 13410(e) (1)) was introduced. This allowed state attorneys general to have the authority to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents. They can also file civil actions with the federal district courts. HIPAA violation fines can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.
As a result, a CE suffering a data breach affecting residents in multiple states may be ordered to pay HIPAA violation fines to attorneys general in multiple states. At present only the states of Connecticut, Massachusetts, Indiana, Vermont and Minnesota have acted against HIPAA offenders to date. However, since attorneys general offices can retain a percentage of the fines issued, more attorneys general may decide to issue penalties for HIPAA violations in the future.
HIPAA Criminal Penalties
In addition to civil financial penalties for HIPAA violations, in serious cases criminal charges can be filed against the individual(s) responsible for a breach of PHI. Like financial penalties, criminal penalties for HIPAA violations are divided into tiers. A judge decides the terms of the sentence, along with the financial penalty, on a case-to-case basis. As with OCR, several general factors are considered which will affect the penalty issued. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be refunded, in addition to the payment of a fine.
The tiers for HIPAA criminal penalties are:
Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail
Tier 2: Obtaining PHI under false pretences – Up to 5 years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail
There has been a sharp rise in number of employees discovered to be accessing or stealing PHI. PHI has considerable financial value, particularly on the black. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and for systems and policies to be put in place to ensure improper access and theft of PHI is identified promptly.
All staff likely to encounter PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment, but potentially also a lengthy jail term and a heavy fine. It is the CE’s responsibility to ensure that their employees act in a responsible manner.
State attorneys general are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely, as this is a strong signal to those tempted by the potential financial gains.
Unknowing Violation of HIPAA
As previously mentioned, the OCR can waive a civil penalty for those who unknowingly violated HIPAA. However, ignorance of the HIPAA regulations is not regarded as a justifiable excuse for an organisation who failed to implement the appropriate safeguards against violations occurring.
An example of this occurred earlier this year. The remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.
Because of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed without official authorisation. This was the result of a simple employee error; a laptop containing the data was stolen from a car parked outside the employee´s home. OCR Director Roger Severino described this incident as a case of the CE unknowingly violating HIPAA by disregarding security and not safeguarding the information properly.
HIPAA Compliance Audits and Penalties for HIPAA Violations
If an audit is completed and a CE or BA is found not to have complied with HIPAA regulations, the OCR has the authority to issue penalties for HIPAA noncompliance. This can occur even if there has been no breach of PHI or no complaint.
The first phase of HIPAA compliance audits was conducted in 2011/2012 and revealed many covered entities were struggling with compliance. OCR provided technical assistance to help those entities correct areas of noncompliance and no penalties for HIPAA violations were issued. They were given several years to improve their performance before another audit was scheduled.
Now, 5 years on, the OCR is in the process of conducting this second phase of audits. The audits are not being conducted with the specific aim of finding HIPAA violations and issuing financial penalties, although if serious violations of HIPAA Rules are discovered, financial penalties may be deemed appropriate. CEs have had ample time to develop their compliance programs. This time around, OCR is not expected to be so lenient.
The audits have discovered that the biggest areas of noncompliance with HIPAA Rules discovered during the first phase of compliance audits was the failure to conduct a comprehensive, organization-wide risk assessment.
The risk assessment is of the upmost importance to the organisation’s security. If a risk assessment is not conducted, a covered entity will be unaware whether any security vulnerabilities exist that pose a risk to the confidentiality, integrity, and availability of ePHI. Those risks will therefore not be managed and reduced to an acceptable level. The OCR will frequently enforce financial penalties if they have found inadequate risk assessments being performed.
The failure to complete Business Associate Agreements (BAAs) with third-party service providers can also results in penalties for HIPAA noncompliance. Several covered entities have been fined for failing to revise BAAs written before September 2014, when all existing contracts were invalidated by the Final Omnibus Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.
BAAs are a key area that OCR will be keeping an eye on throughout its audit program. BAAs – contracts that lay out the permitted uses and allowable disclosures of PHI – should be signed with every third-party service provider with whom PHI is disclosed (including lawyers).
Recent Penalties for HIPAA Violations
Between January and March 2017, OCR agreed eight settlements to resolve HIPAA violations discovered during investigations of data breaches and complaints. One civil monetary penalty has also been issued.
The purpose of these penalties for HIPAA violations is in part to punish covered entities for serious violations of HIPAA Rules, but also to send a message to other healthcare organizations that noncompliance with HIPAA Rules is not acceptable.
A summary of the 2017 penalties for HIPAA violations are detailed below: