There is no standard answer to what to do if accused of a HIPAA violation because what you should do depends on your responsibility for HIPAA compliance, who is accusing you of a HIPAA violation, and the violation you are being accused of.
In 2021, HHS’ Office for Civil Rights received 34,077 complaints alleging violations of HIPAA. 78% of the complaints were “resolved” without requiring an investigation – mostly due to the party being complained about not being a HIPAA covered entity or a business associate, or because the alleged violation was a use or disclosure of PHI permitted by HIPAA.
The percentage of unjustified complaints may have been a little higher than the average (around 67%), but it demonstrates that, if you are accused of a HIPAA violation, there is a strong possibility the accusation is unjustified. Therefore, if you are a member of a covered entity’s workforce, the first thing you should do is check whether the accusation is justified.
You can do this by speaking with your organization’s Privacy Officer if the accusation is made by a member of the public or a work colleague, or by speaking a with an independent advisor (or union rep) if the accusation is made by your organization’s Privacy Officer after they have investigated a complaint from a patient or an internal report made by a work colleague.
What Will Happen if You Are Accused of a HIPAA Violation?
If you are a member of a covered entity’s or business associate’s workforce, what will happen if you are accused of a HIPAA violation depends on whether the accusation is justified, whether the event you are accused of was covered in HIPAA training, the seriousness of the event, and the content of your employer’s sanctions policy. For example:
- If you were not told you had to get a receipt of acknowledgement when giving a patient a Notice of Privacy Practices, you will likely find this subject comes up when you next attend a HIPAA training session.
- If the minimum necessary standard was explained to you in training, but you elaborated on a patient’s past health condition to a visitor, you may be given a verbal warning and required to take further training.
- If you shared your EHR login credentials with a colleague who had fewer permissions than you, even though you knew this was a violation, you could be given a written warning – or a final warning if this has happened before.
- if you took photos of a patient and posted the photos on social media without the patient’s authorization after being told this is a violation of HIPAA, your employment contract will likely be terminated.
Similarly, if you are a covered entity or business associate, what will happen if you are accused of a HIPAA violation by HHS’ Office for Civil Rights will depend on whether the accusation is justified and the seriousness of the event. The process for HIPAA investigations is covered in Subpart C of the HIPAA General Provisions, and the possible outcomes are:
- None – if no violation of HIPAA is found.
- Voluntary compliance – for most minor violations
- Corrective action plan – for more serious violations
- Civil monetary penalty – for violations attributable to willful neglect.
The amount of civil monetary penalties for HIPAA violations ranges from $127 per violation to $1,919,173 per violation (as of March 2023) depending on the degree of culpability. Additionally State Attorneys General can also take civil action against covered entities and business associates – potentially resulting in far greater fines than imposed by HHS’ Office for Civil Rights.
How to Avoid Accusations of HIPAA Violations
The way to avoid accusations of HIPAA violations depends on the nature of the accusations. In some cases, it may be necessary for a covered entity to revise its privacy policies and procedures, a business associate to implement additional technology safeguards or reconfigure existing safeguards, or for workforce members to undergo more comprehensive HIPAA training.
If a member of a covered entity’s or business associate’s workforce has violated HIPAA by not complying with the policies and procedures they were told about in training, it is important that appropriate sanctions are applied – even if the violation and the sanctions are relatively minor. It is also important the sanction is known to have been applied by other members of the workforce.
As mentioned at the start of this article, there is no standard answer to what to do if accused of a HIPAA violation. Individuals or organizations unsure of what to do in specific circumstances – or unsure about how to respond to an accusation – should seek advice from a HIPAA compliance professional.