What Happens if You Break HIPAA Rules?

HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood. During HIPAA training, healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties, and what happens if you break HIPAA Rules?

What Happens if You Break HIPAA Rules?

If you break HIPAA Rules there are four potential outcomes:

  1. The violation could be dealt with internally by an employer
  2. You could be terminated
  3. You could face sanctions from professional boards
  4. You could face criminal charges which include fines and imprisonment

What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:

  1. The nature of the violation
  2. Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated
  3. Whether action was taken to correct the violation
  4. Whether there was malicious intent or HIPAA Rules were violated for personal gain
  5. The harm caused by the violation(s)
  6. The number of people impacted by the violation
  7. Whether there was a violation of the criminal provision of HIPAA

Civil Penalties for HIPAA Violations

Civil penalties for HIPAA violations start at $100 per violation by any individual who violates HIPAA Rules. The fine can rise to $25,000 if there have been multiple violations of the same type. These penalties are applied when the individual was aware that HIPAA Rules were being violated or should have been aware had due diligence been exercised. If there was no willful neglect of HIPAA Rules and the violation was corrected within 30 days from when the employee knew that HIPAA Rules had been violated, civil penalties will not apply.

Please see the HIPAA Journal Privacy Policy

Criminal Penalties for HIPAA Violations

The criminal penalties for HIPAA violations can be severe. The minimum fine for willful violations of HIPAA Rules is $50,000. The maximum criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be paid to the victims. In addition to the financial penalty, a jail term is likely for a criminal violation of HIPAA Rules.

As with the penalties for HIPAA violations for HIPAA covered entities and business associates, there are penalty tiers.

Criminal violations that occur as a result of negligence can result in a prison term of up to 1 year. Obtaining protected health information under false pretenses carries a maximum prison term of 5 years. Knowingly violating HIPAA Rules with malicious intent or for personal gain can result in a prison term of up to 10 years in jail. There is also a mandatory two-year jail term for aggravated identity theft.

What Happens if You Break HIPAA Rules FAQs

What happens if you break HIPAA rules due to a lack of training?

If you break HIPAA rules due to a lack of training, your employer is at fault because he or she has a legal requirement to provide training “as necessary and appropriate for members of the workforce to carry out their function in a HIPAA-compliant manner” (HIPAA Privacy Rule). To prevent any dispute about whether appropriate training has been provided, employers are required to document what training has been provided, when it was provided, and who attended.

Can I get in trouble for disclosing more than the minimum necessary information?

This depends on the circumstances, how much information was disclosed, and whether it had a negative impact on the patient. The Privacy Rule does allow for incidental disclosures – which are “by-products of another permissible use or disclosure” – provided the minimum necessary rule has been applied with respect to the primary use or disclosure.

Please see the HIPAA Journal Privacy Policy

Who is to blame for inadvertent disclosures caused by a computer error?

Covered Entities and Business Associates are required to implement administrative, technical, and physical safeguards to prevent events such as computer errors. If the inadvertent disclosure is attributable to a Covered Entity or Business Associate failing to implement safeguards – or failing to provide instruction on how to use the computer securely – the employer is at fault. If, however, the inadvertent disclosure is attributable to operator error, the employee is at fault.

How are breaches of HIPAA identified?

Breaches of HIPAA can be identified in various ways. The Covered Entity or Business Associate can find them during a risk analysis, the HHS Office for Civil Rights can find them during a HIPAA audit, or the patient(s) whose data has been disclosed without authorization can report it. Third parties scouring the Internet for vulnerable applications and storage volumes can also identify breaches of HIPAA.

What if I am aware of a colleague breaking HIPAA rules?

Your employer should have a process for reporting breaches of HIPAA that include when a colleague breaks the rules. Usually you would report the breach to a supervisor, manager, or departmental head; but, if you are uncomfortable speaking with somebody in your department – or that person is the colleague breaking HIPAA rules – you should be able to speak with the HIPAA Privacy Officer.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.