Any entity found to have violated the Health Insurance Portability and Accountability Act (HIPAA) Rules can face massive financial penalties and administrative sanctions.
For this reason it is crucial for employees to understand the HIPAA Rules as they apply to their own work duties, and to be made aware of the consequences they face if they are found to have violated HIPAA. Providing staff with appropriate training is essential, and it is also a requirement of both the HIPAA Privacy Rule and the HIPAA Security Rule.
All HIPAA-covered entities – health insurers, healthcare providers, healthcare clearinghouses – and their business associates must have an effective training program in place that is tailored to each workforce role. Regular refresher training also needs to be provided to reinforce the requirements of HIPAA and the need for compliance.
There will always be isolated incidents in which employees deliberately violate the HIPAA Rules and breach patient privacy. Regular training, combined with the monitoring of workforce activity that the HIPAA Security Rule requires (audit controls and information system activity review), does not make an organization immune from penalties, but it reduces the likelihood of violations, allows them to be detected quickly, and demonstrates the good-faith compliance effort that regulators weigh when deciding whether and how to penalize.
What Happens When an Employee is Responsible for a HIPAA Violation?
There are four possible ramifications for an employee responsible for a HIPAA violation:
- An internal investigation into the HIPAA breach will be conducted to ascertain how the breach was allowed to happen.
- Depending on the circumstances of the breach, the employer may terminate the employee responsible.
- The employee's professional licensing board may impose sanctions, up to and including loss of the license to practice.
- A criminal conviction is possible where an employee knowingly obtained or disclosed PHI in violation of HIPAA, with harsher penalties where this was done for personal gain or to cause malicious harm.
The outcome for an employee depends on the nature and severity of the HIPAA breach, which is assessed by taking the following factors into account:
- The extent of the breach.
- Whether the individual knew they were violating the HIPAA Rules.
- Measures that were implemented to mitigate any negative consequences.
- Whether the employee displayed malicious intent or violated HIPAA for personal gain.
- Damage or harm caused as a result of the breach.
- The number of individuals affected.
- Whether the breach constituted a criminal act.
Minor violations may result in internal sanctions for the employee such as a verbal or written warning, or may simply be dealt with by providing further training. More serious violations could result in suspension or termination, with the most serious cases referred to law enforcement for criminal proceedings.
Civil Penalties for HIPAA Violations
The HHS' Office for Civil Rights (OCR) and state Attorneys General have the authority to impose civil penalties for HIPAA violations. OCR's penalties are tiered by culpability, that is, by the extent to which the covered entity knew, or by exercising reasonable diligence would have known, that HIPAA Rules were being violated. The base amounts are listed below; the per-violation amounts are adjusted for inflation each year, and each maximum is an annual cap for violations of an identical provision, as set by HHS's 2019 notice of enforcement discretion:
- Tier 1 – Unknowing violation – $100 to $50,000 per violation (annual maximum $25,000)
- Tier 2 – Reasonable cause – $1,000 to $50,000 per violation (annual maximum $100,000)
- Tier 3 – Willful neglect, corrected within 30 days – $10,000 to $50,000 per violation (annual maximum $250,000)
- Tier 4 – Willful neglect, not corrected – $50,000 per violation (annual maximum $1.5 million)
HIPAA Breaches & Criminal Penalties
There are stringent criminal penalties for HIPAA violations (42 U.S.C. § 1320d-6) and, like the civil penalties, they are tiered. At the lowest level, where an individual has knowingly obtained or disclosed PHI in violation of the HIPAA Rules, a fine of up to $50,000 is possible. Where PHI has been obtained under false pretenses, the maximum fine increases to $100,000. Where an individual obtains PHI with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm, the maximum fine increases to $250,000.
Restitution may also be ordered in favor of the individuals whose PHI has been misused. In addition to fines, criminal violations of the HIPAA Rules can carry jail terms, and the maximum term is likewise dictated by the nature of the violation:
- A maximum one-year jail term for knowingly obtaining or disclosing PHI in violation of HIPAA.
- A maximum five-year jail term for obtaining PHI under false pretenses.
- A maximum ten-year jail term for obtaining PHI with intent to sell or use it for commercial advantage, personal gain, or malicious harm.
- A mandatory two-year jail term, served consecutively to any other sentence, for aggravated identity theft. This is a separate federal offense (18 U.S.C. § 1028A) that is frequently charged alongside HIPAA offenses when stolen PHI is used to commit fraud.
All criminal violations of the HIPAA Rules are referred to and prosecuted by the U.S. Department of Justice.
Identifying HIPAA Breaches
There are many ways in which violations of the HIPAA Rules are discovered. Commonly, covered entities and business associates discover internal breaches when colleagues report violations by co-workers to the HIPAA Privacy or Security Officer, and when the IT or compliance team reviews EHR access logs to identify who has accessed medical records without a legitimate need. The HIPAA Security Rule requires this kind of review: covered entities must implement audit controls that record activity in systems containing ePHI and must regularly review records of information system activity, such as audit logs and access reports. Typical indicators are chart access with no documented treatment or business relationship, employees looking up their own or family members' records, and a single user browsing an unusually large number of charts in a short time.
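The following access-log review implements the three indicators just described. It is an added example, not code from the original article or from any EHR vendor: the log format (whitespace-separated ISO timestamp, user, role, patient ID, action), the treatment-relationship table, the employee-to-patient mapping and the sample records are all constructed for illustration, and a real audit trail would need its own parser and a real source of assignments (scheduling, admissions, or order data).

```python
"""Review constructed EHR access-log records for snooping indicators.

Added example, not part of the original article. The log format, the
field names, ASSIGNMENTS and EMPLOYEE_PATIENT_IDS are assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str


@dataclass(frozen=True)
class Finding:
    user: str
    patient_id: str
    ts: datetime
    reason: str  # NO_TREATMENT_RELATIONSHIP, SELF_ACCESS or BULK_BROWSING


# Constructed sample export (assumed format: ISO timestamp, user, role, patient, action).
SAMPLE_LOG = """\
2024-03-04T08:02:11 nurse.jones RN P10021 view
2024-03-04T08:05:40 nurse.jones RN P10022 view
2024-03-04T12:30:02 nurse.jones RN P90001 view
2024-03-04T14:00:00 dr.patel MD P10021 view
2024-03-04T14:01:30 dr.patel MD P55555 view
2024-03-04T21:10:00 clerk.smith REG P20001 view
2024-03-04T21:10:20 clerk.smith REG P20002 view
2024-03-04T21:10:41 clerk.smith REG P20003 view
2024-03-04T21:11:05 clerk.smith REG P20004 view
2024-03-04T21:11:27 clerk.smith REG P20005 view
2024-03-04T21:11:50 clerk.smith REG P20006 view
"""

# Assumed treatment/business relationships: charts each user is assigned to that day.
ASSIGNMENTS = {
    "nurse.jones": {"P10021", "P10022"},
    "dr.patel": {"P10021", "P10022", "P10023"},
    "clerk.smith": {"P20001", "P20002", "P20003"},
}

# Assumed mapping of workforce members who are also patients of the organisation.
EMPLOYEE_PATIENT_IDS = {"dr.patel": "P55555"}


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the assumed whitespace-separated export into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient_id, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient_id, action))
    return events


def review_access(events, assignments, employee_patient_ids,
                  bulk_threshold=5, window=timedelta(minutes=5)) -> list[Finding]:
    """Return one Finding per suspicious access.

    SELF_ACCESS takes precedence over the relationship check (an employee's
    own chart is never in their assignment list). BULK_BROWSING fires once
    per user when they open >= bulk_threshold distinct charts inside `window`.
    """
    findings: list[Finding] = []
    recent = defaultdict(deque)  # user -> (ts, patient_id) events inside the window
    bulk_flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.patient_id == employee_patient_ids.get(ev.user):
            findings.append(Finding(ev.user, ev.patient_id, ev.ts, "SELF_ACCESS"))
        elif ev.patient_id not in assignments.get(ev.user, set()):
            findings.append(Finding(ev.user, ev.patient_id, ev.ts, "NO_TREATMENT_RELATIONSHIP"))
        q = recent[ev.user]
        q.append((ev.ts, ev.patient_id))
        while q and ev.ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len({pid for _, pid in q}) >= bulk_threshold and ev.user not in bulk_flagged:
            bulk_flagged.add(ev.user)
            findings.append(Finding(ev.user, ev.patient_id, ev.ts, "BULK_BROWSING"))
    return findings


def findings_by_user(findings) -> dict[str, list[str]]:
    """Group reasons per user for a reviewer-facing summary."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.user].append(f"{f.reason} {f.patient_id} @ {f.ts.isoformat()}")
    return dict(grouped)


if __name__ == "__main__":
    for user, items in findings_by_user(review_access(parse_log(SAMPLE_LOG),
                                                      ASSIGNMENTS, EMPLOYEE_PATIENT_IDS)).items():
        print(user)
        for item in items:
            print("   ", item)
```

In practice the relationship check is the one that needs the most care: assignments change during the day, emergency access ("break the glass") is legitimate but must be justified afterwards, and registration or billing roles may need demographics without clinical data. Tune the bulk threshold and window per role rather than globally, and treat every finding as a lead for the Privacy Officer to investigate, not as proof of a violation.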
The HHS’ Office for Civil Rights (OCR) may discover HIPAA violations during investigations of complaints or data breaches, or during a HIPAA audit or compliance review. An individual whose privacy has been violated may discover their PHI has been impermissibly accessed or disclosed and may report it to the appropriate covered entity, law enforcement, or the HHS. It is also common for third parties such as security researchers to discover applications and cloud storage services containing PHI that have not been secured. OCR and state Attorneys General can conduct investigations into any potential breach of the HIPAA Rules and can impose financial penalties if violations are discovered.
If a violation is found to have resulted from a lack of training, the covered entity bears responsibility for that failure. The HIPAA Privacy Rule requires covered entities to train all members of the workforce on their policies and procedures regarding PHI "as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity" (45 CFR § 164.530(b)(1)), and the Security Rule separately requires a security awareness and training program for all workforce members (45 CFR § 164.308(a)(5)). An untrained employee may still face internal consequences, but enforcement action for the underlying failure falls on the organization.
To prevent any dispute about whether appropriate training was provided, employers must keep a record of all training delivered, including the date and the content of each course, and retain that documentation for at least six years, as the Privacy Rule requires for compliance documentation (45 CFR § 164.530(j)). Ideally, employees sign a document confirming they have completed each course.
If, as an employee of a HIPAA covered entity or business associate, you become aware that a HIPAA breach has occurred, follow your organization's process for reporting potential HIPAA violations, which typically means alerting your supervisor and the HIPAA Privacy or Security Officer. The organization must then assess whether the HIPAA Rules have been violated and, if so, correct the violation, mitigate any harm, and determine whether the incident is a reportable breach under the Breach Notification Rule.
The most effective way to prevent HIPAA breaches is to ensure that all staff members receive comprehensive HIPAA and security awareness training, that the training is regularly reinforced, and that it is backed by the access controls and log reviews described above so that violations which do occur are caught early.