Updated May 28, 2019
Thousands of patient records breached. Millions of dollars in fines following nightmarish lawsuits. The news is full of harrowing stories of healthcare organizations caught in HIPAA violations, exposing sensitive patient data, and worse. Maybe you watch these stories unfold, biting your nails and hoping no such disaster befalls your organization.
But what determines the severity of a HIPAA violation? Why are some penalties much greater than others? It’s important to know what your organization may be up against if you violate HIPAA rules. Therefore, this post will answer some key questions about HIPAA violations, fines, and penalties:
- How does HITECH support HIPAA enforcement?
- What is a HIPAA violation?
- Who investigates HIPAA complaints?
- Who enforces HIPAA fines and penalties?
- What are the fines and penalties for HIPAA violations?
Q: How does HITECH support HIPAA enforcement?
A: The Health Information Technology for Economic and Clinical Health (HITECH) Act was implemented in 2009 to promote the adoption and meaningful use of health information technology, such as electronic medical records. HITECH also gave “teeth” to HIPAA by strengthening the civil and criminal enforcement of the HIPAA rules.
Complaints about #HIPAA violations have increasingly forced healthcare organizations to change their privacy&security policies in the last 2 years. Most complaints were due in part to the HITECH Act requirements to report breaches¬ify patients…. https://t.co/FQuKygvkDZ
— HIPAAtrek (@hipaatrek) April 1, 2019
Q: What is a HIPAA violation?
A: A HIPAA violation is a failure to comply with any part of the HIPAA Privacy or Security Rules. There are four violation categories, or tiers. This four-tier categorization system takes into account if the violation was accidental or intentional, as well as the organization’s actions in response to the violation.
- Category 1: The covered entity (CE) or business associate (BA) did not know about the violation and would not have known about it, even by exercising reasonable diligence.
- Category 2: The CE knew about the violation or should have known about it by exercising reasonable diligence, which constitutes reasonable cause.
- Category 3: The violation was due to willful neglect of the HIPAA rules, and the CE corrected it within 30 days of learning of the violation.
- Category 4: The violation was due to willful neglect, and the CE did not correct it within 30 day of learning of the violation.
Q: Who investigates HIPAA complaints?
A: The U.S. Department of Health and Human Services Office for Civil Rights (HHS/OCR) investigates HIPAA complaints. Investigations involve audits that may uncover HIPAA violations, leading to civil fines or referral to the Department of Justice (DOJ) for criminal penalties.
Q: Who enforces HIPAA fines and penalties?
A: The OCR issues civil fines, and the DOJ can impose criminal penalties for HIPAA violations.
Q: What are the fines and penalties for HIPAA violations?
A: The 2013 Omnibus Rule finalized the HIPAA violation penalty structure. Depending on the violation, a CE may get a civil fine, criminal fine/penalty, or both. These penalties are supposed to hold CEs accountable and deter them from violating HIPAA laws.
Civil Fines for HIPAA Violations
The OCR bases civil fines on the severity of the violation according to the four-tier categorization system. Previously, fines reached a maximum of $1.5 million per violation category per year. However, the OCR has recently changed the cap on fines. See the breakdown below.
Criminal Penalties for HIPAA Violations
The DOJ categorizes HIPAA violations into three tiers, which determine the criminal penalty. See below.
Attorneys General Fines for HIPAA Violations
In 2010, Connecticut State Attorney General Richard Blumenthal became the first state AG to file a HIPAA enforcement action under the HITECH Act. A massive data breach had prompted this pioneering legal action. Health Net, a health insurance company, had lost an unencrypted hard drive containing the protected health information (PHI) of 250,000 plan members. If this wasn’t bad enough, Health Net deliberately delayed notifying victims of the breach for six months, placing patients in even greater danger.
A provision in the HITECH amendments allows state AGs to pursue HIPAA enforcement actions to protect the best interests of state residents. An AG can sue in federal district court to obtain monetary damages on behalf of state residents or to enjoin further violations of HIPAA. Damages are a minimum of $100 per violation and can reach a maximum of $25,000 per violation category per year.
Clearly, the OCR and DOJ take HIPAA compliance seriously. These fines and penalties are meant to hold HIPAA-covered organizations accountable for the privacy and security of patients’ private information and deter them from practices that threaten PHI.