The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities and business associates to keep electronic protected health information (ePHI) secure. Any violations of HIPAA regulations are subject to financial penalties and/or corrective action plans enforced by the Health and Human Services' Office of Civil Rights.
These sanctions were designed to prevent organizations from violating HIPAA laws and hold them accountable for their actions.
What Constitutes a HIPAA Violation?
An organization that handles ePHI is said to have made a HIPAA violation when they fail to comply with one or more of the regulations of the HIPAA Security, Privacy, and Breach Notification Rules. Violations can be either unintentional or deliberate.
Many unintentional HIPAA violations are due to the accidental disclosure of private patient information. An example of this is when a healthcare professional shares a rounds schedule, which may contain patients' names, on Facebook. Another instance that can result in an unintentional violation is forgetting to sign a business associate agreement with a third-party contractor.
On the other hand, deliberate violations include intentional delays in notifying patients whose ePHI were compromised.
Classification of HIPAA Violations & Fines
HIPAA violations are divided into four categories depending on their severity, the length of time elapsed before corrective actions were taken, or if there are multiple areas of noncompliance.
|
Category |
Type of Violation |
Fine |
|
Tier 1 |
Unintentional or unavoidable violations committed by covered entities despite taking the appropriate measures to comply with HIPAA regulations |
$117 to $58,490 per violation |
|
Tier 2 |
Violations that covered entities should have been mindful of but couldn't fully prevent even while observing an acceptable amount of care |
$1,170 to $58,490 per violation |
|
Tier 3 |
Violations that are the result of willful neglect of HIPAA regulations, but corrective actions were taken to deal with the violation |
$11,698 to $58,490 per violation |
|
Tier 4 |
Violations that are the direct result of willfully neglecting HIPAA regulations, without making any attempts to resolve the violation |
$58,490 to $1,754,698 per violation |
|
Related article: 7 things you need to know about the HIPAA compliance certification |
HIPAA violations can cost up to several millions of dollars, as was the case with Premera Blue Cross and Aetna. These organizations were sanctioned for committing several violations, including failing to prevent unauthorized access to ePHI, not conducting risk assessments, and lacking the appropriate cybersecurity measures to protect ePHI .
On the other hand, HIPAA violation fines may be only a few thousand dollars. In 2020, Riverside Psychiatric Medical Group paid only $25,000, but this is still a relatively large amount that could drain a small business's finances and cause it to shut down.
Criminal Sanctions for HIPAA Violations
In addition to paying fines, healthcare professionals can also face criminal charges for stealing ePHI for financial gain and wrongful exposure of ePHI with the intent to cause harm. The criminal penalties for HIPAA violations are categorized into three tiers, and violators are prosecuted by the Department of Justice.
|
Tier |
Type of Penalty |
Jail Sentence |
|
Tier 1 |
Penalties involving workers/users/organizations with no knowledge of the HIPAA violation committed |
Up to one year in prison |
|
Tier 2 |
Penalties for procuring ePHI under false pretenses |
Up to five years in prison |
|
Tier 3 |
Penalties for acquiring ePHI with malicious intent or for personal gain |
Up to 10 years in prison |
In some cases, HIPAA violations can lead to imprisonment. For example, a former Florida clinic worker impermissibly accessed the ePHI of patients and sold them to identity thieves. The worker was sentenced to 48 months in federal prison for one count of wire fraud and two counts of fraud with identification documents.
Meanwhile, a former University of Pittsburgh Medical Center patient care coordinator used ePHI for a campaign of vengeance against a former employer. The suspect received a 12-month prison sentence followed by three years of probation.
HIPAA violations are costly and, in some cases, can even result in jail time. To ensure that your organization is HIPAA-compliant, partner with a reliable managed IT services provider like Charles IT. Our HIPAA assessment will help you identify compliance risks and provide you with recommendations on how to address them. Call us today to learn more.
