A HIPAA violation is the unauthorized disclosure of protected health information (PHI), or the failure to provide timely access to patient data to authorized individuals, contrary to the mandates of the Health Insurance Portability and Accountability Act (HIPAA). Those who follow healthcare IT news will often see stories about large HIPAA settlements enforced by the US Department of Health & Human Services (HHS). The biggest violation so far in 2021 is Lifetime Healthcare Companies' violation, in which 9.3 million people were affected and a $5.1 million fine was enforced. In 2020, Premera Blue Cross was the biggest violation; 10.4 million people were impacted and a $6.9 million fine was handed down.
No HIPAA violation situation is ever the same as another, and not all penalties will be as severe as the examples above. If your organization is found to be in violation of HIPAA, you won't necessarily have to pay millions of dollars. Such massive penalties are reserved for the very worst offenders, but what are the general parameters for violations?

Summary of OCR HIPAA Settlements 2021

At the time of writing (October 2021), there have been eight settlements with the Office for Civil Rights (OCR) so far this year. The majority of settlements are for healthcare organizations failing to give timely access to medical records, which is a mandatory requirement of HIPAA.

Historical OCR Settlements (2016-2020)

[Chart of historical OCR settlements, 2016-2020. Source: HIPAA Journal]

Legislative Basis

The OCR and the Centers for Medicare & Medicaid (CMS) are authorized to enforce HIPAA. The amount of some penalties can be frighteningly high, including civil and criminal judgments. The stimulus package adopted in 2009, the American Recovery and Reinvestment Act (ARRA), detailed the specific minimum and maximum limits for healthcare privacy and security violations. "The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty," according to the American Medical Association, "based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation." However, there is an exception: if the agency determines that you were not purposely neglectful, you will have one full month to rectify the situation.
Consequences of HIPAA Violations – Civil Penalties for HIPAA Non-Compliance

Scenario #1: The organization or employee was unaware that they were in violation of the law, despite operating soundly.
  Minimum penalty: $100 for each instance of noncompliance, up to $25,000 total (the highest amount that can be assessed by an attorney general at the state level).
  Maximum penalty: $50,000 for each instance, totaling up to $1.5 million.

Scenario #2: The company was noncompliant not because of purposeful neglect but because of unexpected causes.
  Minimum penalty: $1,000 for each instance, up to $100,000 total.
  Maximum penalty: $50,000 for each instance, totaling up to $1.5 million.

Scenario #3: Purposeful neglect occurred, but the company took corrective action within an acceptable time window.
  Minimum penalty: $10,000 for each instance, up to $250,000 total.
  Maximum penalty: $50,000 for each instance, totaling up to $1.5 million.

Scenario #4: Purposeful neglect occurred, and the company did not implement the steps of a corrective plan.
  Minimum penalty: $50,000 for each instance, up to $1.5 million total.
  Maximum penalty: $50,000 for each instance, totaling up to $1.5 million.

HIPAA Non-Compliance Criminal Penalties – Can You Be Imprisoned?

According to data published by the HHS, up to 31 August 2021 the OCR had received nearly 273,000 compliance-related complaints, with over 1,101 being investigated. However, in only 100 cases (since 2008) has the OCR settled or imposed a civil money penalty, totaling $130,980,482.00 so far. Jail terms are rare, but not unheard of. In February 2017, Jeffery Luke was jailed for stealing PHI from his employer's secured Google Drive accounts. In January 2020, Stacey Lavette Hendricks was imprisoned for 48 months for PHI identity theft. "Covered entities and specified individuals … who 'knowingly' obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000," explained the AMA report, "as well as imprisonment up to one year." Sentencing can be more severe, though.
Anything that violates the law and involves deception carries a maximum sentence of a $100,000 fine and/or five years' imprisonment. Violations that occur because an individual plans to use the data for their own gain or for malevolent reasons are penalized with judgments of up to $250,000, accompanied by prison sentences as high as ten years.

Covered Entities & Individual People

The Department of Justice decided that if it is determined that a crime has been committed, covered entities (healthcare plans, data clearinghouses, and providers) can be held directly liable. Leadership at a covered entity can also be subject to criminal investigation and sentencing by piercing the corporate veil. Even if someone in an executive position at a company where misuse takes place didn't do anything that was specifically non-compliant, they may still be guilty as a co-conspirator or accomplice.

"Knowingly"

The Department of Justice specifically addressed a word within the HIPAA crime provisions that is a source of confusion: what does "knowingly" mean? Knowingly refers to the highest criminal penalty situation listed above, the "for their own gain" scenario. According to Law360, "Under the statute, covered entities and individuals who 'knowingly' obtain or disclose individually identifiable health information with the intent to" profit from it or hurt someone face the stiffest penalties. The Department of Justice clarified in 2005 that the word referred to knowledge of HIPAA law rather than knowledge of a particular instance of noncompliance.

Exclusion & Upholding the Law

The federal government can remove any healthcare plan, provider, or clearinghouse from the Medicare system if they have not adopted a universal, standardized medical code. In terms of enforcement, the OCR identifies and punishes HIPAA privacy violations. The Centers for Medicare & Medicaid (CMS) oversees security and uniform code.
Choosing a Compliance Partner

As you can see above, the consequences of violating HIPAA can be extreme. Even if you don't get fined millions, it's not a productive way to spend money, and it's not fun to end up on the HIPAA Wall of Shame. That's why it's extraordinarily important to choose a technology partner that specializes in HIPAA-compliant healthcare hosting, like Atlantic.Net. Our Virtual Private Servers offer a 100% uptime guarantee and can launch in under 30 seconds. Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, visit us at www.atlantic.net, call 888-618-DATA (3282), or email us at .

What are the 4 most common HIPAA violations?
The 5 most common HIPAA violations:
1. A non-encrypted lost or stolen device.
2. Lack of employee training.
3. Database breaches.
4. Gossiping and sharing PHI.
5. Improper disposal of PHI.

What are the possible consequences of a HIPAA violation?
Violating HIPAA can result in civil or criminal penalties. Civil penalties include fines of up to $1.5 million for repeated violations of a single requirement in a calendar year.
What can be the consequences of HIPAA violations?
Covered entities and specified individuals, as explained above, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to 1 year.

What is a deliberate HIPAA violation?
An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications, which is a violation of the HIPAA Breach Notification Rule.