Penalties for HIPAA violations can be determined by the Office for Civil Rights and by state Attorney Generals – and might not be exclusively financial.
The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-Covered Entities (CEs) to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom.
Since the Enforcement Final Rule of 2006, the Department of Health and Human Services’ Office for Civil Rights (OCR) has had the power to issue financial penalties (and/or action plans) to CEs that fail to comply with HIPAA Rules.
Financial penalties for HIPAA violations had previously been established; however, these were updated following the introduction of the Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect from March 26, 2013.
Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations are applied to healthcare providers, health plans, healthcare clearinghouses and all other CEs – including Business Associates (BAs) of CEs – that are found to have violated HIPAA Rules.
Financial penalties are intended to act as a deterrent, while also ensuring that CEs are held accountable for their actions – or lack of them – when it comes to protecting the privacy of patients and confidentiality of health data.
The penalty structure is tiered, based on the knowledge a covered entity had of the violation. The OCR will set the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.
Ignorance of HIPAA Rules is no excuse for a rule violation. In cases where there was willful neglect of HIPAA Rules, the maximum fines apply.
HIPAA Violation Classifications
The four categories used for the penalty structure are as follows:
- Category 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
- Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
- Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
- Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
In the case of unknown violations, where the CE could not have been expected to avoid a data breach, it may seem unreasonable for a CE to be issued with a fine. The OCR appreciates this, and has the discretion to waive a financial penalty. The penalty cannot be waived if the violation involved willful neglect of Privacy, Security and Breach Notification Rules.
HIPAA Violation Penalty Structure
Each category of violation carries a separate HIPAA penalty. It is up to the discretion of the OCR to determine a financial penalty within the appropriate range. The OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected and the nature of the data exposed. An organization’s willingness to assist with an OCR investigation is also taken into account.
The general factors that can affect the level of financial penalty also include prior history, the organization’s financial condition and the level of harm caused by the violation. These factors could decrease or increase the financial penalty issued.
- Category 1: Minimum fine of $100 per violation up to $50,000
- Category 2: Minimum fine of $1,000 per violation up to $50,000
- Category 3: Minimum fine of $10,000 per violation up to $50,000
- Category 4: Minimum fine of $50,000 per violation
The fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000.
A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA Rules, however minor.
A fine may also be applied on a daily basis. For example, if a CE has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the CE has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.
Attorney Generals Can Also Issue HIPAA Fines
Since the introduction of the HITECH Act (Section 13410(e)(1)) in February 2009, state Attorney Generals have the authority to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents, and can file civil actions with the federal district courts. Statutory damages can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.
A CE suffering a data breach affecting residents in multiple states may be ordered to pay fines to Attorney Generals in multiple states. At present only a few U.S. states – Connecticut, Massachusetts, Indiana, Vermont and Minnesota – have taken action against HIPAA offenders, but since AGs’ offices are able to retain a percentage of the fines issued, it is likely to be just a matter of time before other state AGs follow suit.
Criminal Penalties for HIPAA Violations
In addition to civil financial penalties, a HIPAA violation can result in criminal charges being filed against the individual(s) responsible for a breach of PHI. Criminal penalties for HIPAA violations are divided into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case. As with the OCR, a number of general factors are considered which will affect the penalty. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be refunded, in addition to payment of a fine.
The tiers for criminal penalties for HIPAA violations are:
- Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail
- Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail
- Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail
These penalties apply if the individual is punished for the HIPAA violations; however, different states have different laws. Fines and prison terms may be higher or lower depending on the criminal charges against the individual.
In recent months the number of employees discovered to be accessing or stealing PHI – for various reasons – has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and that systems and policies are in place to enable improper access to and theft of PHI to be rapidly identified.
All staff likely to come into contact with PHI as part of their work duties should be informed of the penalties for HIPAA violations and that violations will not only result in loss of employment, but potentially also a lengthy jail term and fine.
State Attorney Generals are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely.
Penalties for HIPAA Noncompliance
Importantly, a violation of HIPAA does not necessarily have to have taken place in order for a CE or BA to be fined by the OCR. If a CE or BA is found not to have complied with the HIPAA regulations, the OCR has the authority to issue penalties for HIPAA noncompliance – even if there has been no breach of PHI. This scenario is likely to occur more frequently as the OCR increases the volume of HIPAA audits.
Penalties for HIPAA noncompliance can be imposed for a large number of reasons. The failure to maintain documented policies and procedures regarding HIPAA compliance can be considered noncompliance with the regulations, as can the failure to conduct employee privacy and security training on a regular basis – and document that the training has taken place.
The failure to complete Business Associate Agreements (BAAs) with third-party service providers can attract penalties for HIPAA noncompliance. Indeed, several CEs have been fined for failing to revise BAAs written before September 2014, when all existing contracts were invalidated by the Final Omnibus Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.
BAAs are a key area that the OCR will be keeping an eye on throughout its audit program. BAAs – contracts that lay out the permitted and required uses of PHI – should be signed with every third-party service provider to whom PHI is disclosed (including lawyers), and should have a start date and an end date. If a breach of PHI occurs, the CE and the BA could be issued with both penalties for HIPAA violations and penalties for HIPAA noncompliance.