The Health Insurance Portability and Accountability Act – HIPAA – is federal legislation concerning employees and organizations in the healthcare industry. It enforces privacy and security rules for safeguarding medical data by requiring organizations to take administrative, physical, and technical precautions.
So, what happens if an individual or organization fails to follow these precautions and commits a violation? It results in civil or criminal penalties and progressive disciplinary actions, depending on the history of violations. That’s why HIPAA compliance must remain a priority in your organization’s security toolkit.
That said, how much are the penalties? What are the disciplinary actions? Let’s discuss these and other questions regarding violations of HIPAA.
What is HIPAA?
HIPAA — The Health Insurance Portability and Accountability Act — is a federal law in the US that enforces data privacy and security regulations to protect people’s medical information. It requires organizations to enact policies and procedures to safeguard the privacy of people’s healthcare data.
The legislation directs organizations to protect the availability, confidentiality, and integrity of people’s Personally Identifiable Information (PII) and Protected Health Information (PHI). These two information categories cover almost all data generated by or about a person, including their medical history.
That means it enforces restrictions on the access and use of medical data, i.e., who can access or copy the medical data and how it can be used. It also gives patients the right to obtain copies of their medical data.
But who is responsible for enforcing the rules? The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is in charge of enforcing the privacy and security rules and regulations mandated by HIPAA.
What if You Violate HIPAA Rules?
What happens if you violate a rule set by HIPAA? There are four potential outcomes of breaking a rule; however, the end result will depend on the severity of the violation and its after-effects. That said, here are the four outcomes:
1. The problem could be resolved internally by the employer.
2. You could be dismissed from your job by the employer.
3. You could face punishment from professional boards.
4. You could face charges, including fines and imprisonment.
Moreover, the final judgment of your employer, federal regulators, professional boards, and the Department of Justice will depend on factors such as:
1. The nature and severity of the violation.
2. Whether the violation happened knowingly or unknowingly — especially when you’re expected to exercise due diligence.
3. Whether actions were taken to remedy the violation.
4. Whether there was any malicious or personal intent.
5. The harm caused by the violation and its severity.
6. The number of persons affected by the violation.
7. Whether the violation falls under criminal provisions.
You now know the outcomes and the factors that determine which outcome follows a violation of HIPAA. So now, let’s check the possible penalties.
HIPAA Violations and their Penalties
HIPAA sets privacy and security rules, which may be violated by an individual or an organization. In either case, a civil or criminal penalty may follow, based on the nature of the violation and whether it was committed for personal profit.
Civil Violations and Penalties
An individual may be charged with a civil penalty for violating HIPAA. They can be fined a minimum of $100 for a violation they were unaware of. This can go up to a maximum of $25,000 if they are found to have violated the rules repeatedly.
The penalty rises to a minimum of $1,000 and a maximum of $100,000 in cases of probable cause. If a rule was neglected willfully but corrections were made, the fine can range from $10,000 to $250,000; if the corrections were not made, the penalty can go as high as $50,000 to $1.5 million (a whopping penalty).
Criminal Violations and Penalties
The penalty is usually based on the extent to which an employee was aware of breaking the rules of HIPAA. In the lowest tier, the maximum penalty can be $50,000, up to a year of imprisonment, or both. It goes up to $100,000 and/or up to 5 years of imprisonment if the violations were committed under false pretenses.
However, the penalty rises to $250,000 or up to 10 years of imprisonment if the data was breached to cause harm or to gain a commercial advantage or personal profit; let’s say, by selling or transferring the healthcare data.
HIPAA Violations in the Recent Years
Since you now understand the penalties for violating HIPAA, let’s check out some recent violations and their outcomes (penalties). It will help you understand the risks a person or organization takes by not following HIPAA.
Anthem [$16 Million]
Let’s start with the biggest penalty in the history of HIPAA. Anthem, Inc. paid $16 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in 2018 to settle violations of HIPAA. Its violations led to a number of cyberattacks, causing the biggest health data breach in history.
Advocate Health Care Network [$5.55 Million]
Now, let’s discuss the second biggest penalty in the history of HIPAA. Advocate agreed to pay $5.55 million to HHS OCR for multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) in August 2016. Its violations involved the leak of Electronic Protected Health Information (ePHI).
Memorial Healthcare Systems [$5.50 Million]
Memorial Healthcare System (MHS) paid $5.5 million to HHS OCR to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) in February 2017. It’s surprising that MHS had to pay such a huge penalty while being a nonprofit corporation, but it proves the significance of HIPAA.
That’s all about the Health Insurance Portability and Accountability Act (HIPAA), its possible violations with examples, and their relevant penalties or outcomes. Did you find it helpful? Please write a comment below to leave your feedback.