HIPAA Violation Penalties: What Happens if You Break The Rules

March 23, 2023

Do you know the saying “no risk, no reward”? We’d like to formally announce that it’s the worst possible advice regarding navigating HIPAA compliance. There’s zero room for risky business when dealing with federal law. But unfortunately, compliance can get tricky, and threats creep into even the slightest of gaps. So, what happens if something goes wrong and slips through the cracks? We’ve compiled your go-to HIPAA penalty guide to help you know what to expect, what to avoid, and when to fear the worst. 

Who’s in the line of fire? 

No use in letting your imagination run wild. When it comes to compliance, clarity is critical. So, let’s clear up the facts.

HIPAA’s Privacy Rule clearly distinguishes who is subject to mandatory HIPAA compliance and who is not. The Privacy Rule puts the responsibility on two key entities: Covered Entities and Business Associates. Therefore, the first step in knowing what happens in the event of a breach is knowing if you’re subject to regulatory compliance. If you need HIPAA compliance, it’s critical to note that it’s each organization’s responsibility to ensure that they’re compliant and meet all the HIPAA rules and regulations.

It’s important to understand that violations can also occur due to the actions of an organization’s business associates, making it essential for covered entities to ensure their partners are also compliant.

What constitutes a HIPAA violation?

A HIPAA violation is any event that results in Protected Health Information (PHI) being wrongfully obtained, protected, viewed or shared. The validity and severity of a violation stand whether the breach or violation occurred willfully or inadvertently. Violations happen when there is non-compliance. However, non-compliance is a spectrum, and not all violations result in the same consequences. If there is suspicion of a violation or non-compliance, the Office for Civil Rights (OCR) will conduct an official audit and investigation after being notified.

Critical elements add to the complexity of mitigating violations or breaches, such as:

  • Organizations may not be aware that they are subject to the Privacy Rule and must comply with HIPAA rules and regulations.
  • Employees aren’t well-trained in identifying risks and following security protocols, leaving PHI vulnerable. 

It’s also important to understand the different types of PHI and ensure all forms, whether electronic, paper, or oral, are adequately protected.

What happens if you violate HIPAA? – HIPAA violation classifications

There are two overarching types of HIPAA violations: civil and criminal charges. However, in certain circumstances, organizations can expect a combination of both depending on the offense. Within these two categories, there are graded tiers that determine the penalties.

Financial penalties 

There are four tiers to HIPAA’s financial penalties, also known as civil penalties. Each level considers an organization’s intent behind the violation, whether or not the organization did due diligence, and if it followed the correct breach protocol. The four distinct levels are graded as follows.

  • Tier one: The organization could not have known about the violation or prevented it even with due diligence. The minimum penalty per violation starts at $127.
  • Tier two: There is no proof of willful neglect, but the organization could have prevented it. The minimum penalty per violation starts at $1,280.
  • Tier three: There is evidence of willful neglect. However, once discovered, the organization corrected the violation within 30 days. The minimum penalty per violation starts at $12,794.
  • Tier four: There was willful neglect, but the organization did not correct the violation within 30 days. The minimum penalty per violation starts at $63,973.

This applies to cases assessed on or after March 17, 2022.

It is important to note that these penalties are per violation, and multiple violations can significantly increase the total penalty amount.

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) imposes civil monetary penalties on covered entities and business associates that violate the rules.

Criminal charges

When it comes to criminal charges, there are three tiers. 

  • Tier 1: Fines can range up to $50,000 and/or up to one year in prison for wrongful disclosure of PHI.
  • Tier 2: Fines can range up to $100,000 and/or up to five years in prison for wrongful disclosure of PHI under false pretenses.
  • Tier 3: Fines can range up to $250,000 and/or up to ten years in prison for wrongful disclosure of PHI under false pretenses with malicious intent.

What to expect: Most common HIPAA violations 

There’s a common misconception that HIPAA violations only include significant security threats or cyberattacks on large organizations. Unfortunately, you’re never off the radar regarding threats, violations or data breaches. HIPAA violations are also very rarely isolated events, and they mean that a deeper underlying issue needs addressing. Some of the most common HIPAA violations include:

Incorrect filing and record-disposal procedures

Out of sight, out of mind, right? Not quite. One of the most common HIPAA violations revolves around the improper filing and disposal of documents. HIPAA guidelines set clear instructions on how to dispose of records to protect the PHI or ePHI. To best comply with these rules, many covered entities use third parties (business associates) to ensure correct record disposal. However, organizations are responsible for ensuring that their business associates know their roles and liability regarding compliance. 

Releasing patient information outside of the authorized period

Patients are entitled to complete transparency and easy access to their records. However, strict processes and regulatory requirements are involved when releasing patient information. New updates to the HIPAA privacy law state that Covered Entities (CEs) must respond to patient requests for records within 15 days of the request as opposed to the previous 30-day period. Failure to comply within the given time frame constitutes a direct HIPAA violation. If you do not fulfill the request in time, you must request a new HIPAA authorization form. Authorization forms have an expiry date, so organizations must take all precautions to check the release form date. If a request comes in after expiration and you release information, it also constitutes a HIPAA violation. 

Losing devices

Losing information has always been a risk when working with PHI. However, the digitization of record-keeping has become one of the more significant and common risks to HIPAA compliance. Whether it’s a work device or a personal device, you could be held liable for a potential HIPAA violation if it’s used to access information and is lost or stolen. 

Due diligence plays a critical role in protecting your organization against fines and penalties. The Security Rule sets out guidelines and controls regarding administrative, physical, and technical security protections that must be in place to comply with HIPAA Rules and Regulations. 

What to do when you suspect a breach or violation

In the event of a suspected breach or violation, it’s crucial to follow one golden rule: don’t ignore it. Unfortunately, HIPAA breaches and violations won’t get better with age. If you don’t come clean, the consequences are far more significant. The HIPAA Breach Notification Rule (BNR) sets out a clear procedure for what to do in the event of a suspected breach or violation. Failure to follow the process constitutes a violation. 

But not all breaches are equal, and the breach protocol and reporting obligations will also differ depending on how many people were impacted by the breach. If the breach involves 500 or more patients, organizations must notify the following within 60 days of the violation: 

  • All affected individuals
  • The HHS OCR
  • The media in their jurisdiction

Additionally, all major breaches (500 or more) will be made public on the OCR breach site. Breaches that affect fewer than 500 individuals must also be reported to the patients involved and the OCR. However, they will not need to be made public or posted on the OCR breach portal.

It’s essential to keep in mind here that not all suspected breaches constitute a reportable offense. Still, the OCR must be notified and must investigate each suspicion to confirm it or rule it out.

Avoid HIPAA violations by getting clued up on compliance

Avoid getting caught in a HIPAA compliance nightmare and protect your organization and PHI in one fell swoop with automation.