HIPAA is a federal law that applies in the vast majority of healthcare settings, but what happens if you violate HIPAA? Can you lose your job or be fined? Can you go to jail? Unsurprisingly, there is a range of possible consequences for HIPAA violations, depending on whether you are an employee or a Covered Entity or Business Associate. We will give an overview of what happens if you violate HIPAA here.
HIPAA requires that all individuals who are under the “direct control” of a Covered Entity or Business Associate (CE or BA) are HIPAA compliant. They must be trained in their HIPAA-related workplace practices, and know how to handle and protect patient data. Failure to do this can result in a range of penalties.
Generally, the more severe the violation, the more severe the penalty. If an employee commits an accidental HIPAA violation where no patient data has been breached, they are unlikely to lose their job. Rather, they may face internal disciplinary proceedings, including extra training in HIPAA compliance or a probation period.
If an employee has committed a severe violation or several violations, they will usually face more severe penalties. They may be suspended or lose their job entirely. In the most extreme cases – for example, if an employee has deliberately violated HIPAA for personal gain – they may lose their license to practice.
None of the above actions are actually stipulated by HIPAA; they all depend on the CE or BA's internal policies. That is not to say that HIPAA has nothing to say about the penalties for violations. The Omnibus Final Rule – introduced in 2013 – updated the penalties that apply to CEs and BAs which violate HIPAA. These fines are payable to the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR is the primary enforcer of HIPAA.
The OCR can issue either civil or criminal penalties for HIPAA violations. However, for the latter, it must refer the case to the Department of Justice.
There are four tiers of civil penalties that can be applied:
- Tier 1: minimum of $100 per violation up to $25,000 for repeat violations. Applicable when a reasonable level of diligence could not have prevented the violation or where the individual had no knowledge of the violation.
- Tier 2: minimum of $1,000 per violation, up to $100,000 for repeat violations. Applicable when a reasonable amount of diligence could not have prevented the violation, and the individual should have been aware that the violation occurred.
- Tier 3: minimum of $10,000 per violation, up to $250,000 for repeat violations. Applicable when an individual wilfully neglects HIPAA rules, but the violation had been corrected.
- Tier 4: minimum of $50,000 per violation, up to $1.5 million for repeat violations. Applicable when there was wilful neglect, and no attempt at correction has been made.
As there is no private cause of action in HIPAA, patients cannot sue for HIPAA violations. However, they may be able to sue under federal legislation.
If the Department of Justice decides there was criminal activity behind the violation, then there are three possible tiers of criminal penalties:
- Tier 1: negligence; fine of up to $50,000 and up to one year in prison.
- Tier 2: obtaining PHI under false pretenses; fine of up to $100,000 and up to five years in prison.
- Tier 3: obtaining PHI with malicious intent; fine of up to $250,000 and up to 10 years in prison.