Employee Consequences of Violating HIPAA

HIPAA requires covered entities to conduct training for employees in order to ensure that they completely understand what their obligations are in relation to the Healthcare Information Portability and Accountability Act (HIPAA) of 1996.

Breaching HIPAA can result in massive penalties for HIPAA covered entities. Every healthcare insurer, provider, clearinghouse or business associate should be doing everything in its power to ensure that it has a team of employees who are 100% aware of what actions result in a HIPAA violation. As part of this training, the consequences of a breach occurring must be made clear.

In the event that an aspect of HIPAA is breached, there are four ways that it can impact a member of staff:

  • You will be subjected to an internal investigation into the HIPAA breach
  • Your employer may consider firing you
  • You could be disqualified from professional boards and memberships
  • Depending on the extent of the breach you could be tried as a criminal and be convicted

Which of these outcomes takes place depends on the severity of the HIPAA breach. This is determined by taking the following factors into account:

  • The extent of the breach
  • Whether the individual was conscious that they were breaching HIPAA Rules
  • Measures that were implemented to mitigate the breach
  • Whether the employee displayed malicious intent or sought to make a personal gain
  • Damage as a result of the breach and the amount of individuals impacted by it
  • If there was a breach of the criminal provision of HIPAA

HIPAA Breaches & Civil Penalties

The starting point for civil penalties for HIPAA violations is $100 per violation by any person who breaks HIPAA Rules. The fine can be increased as high as $25,000 if there have been a number of breaches of the same type. These penalties are imposed when the employee was fully conscious that HIPAA Rules were being breached.

However, if there was no willful neglect of HIPAA Rules and the breach was corrected within 30 days from when the employee knew that HIPAA Rules had been violated, civil penalties will not be imposed.

HIPAA Breaches & Criminal Penalties

There are stringent criminal penalties for HIPAA breaches, and the lowest for willful breaches of HIPAA Rules is set at $50,000. The highest criminal penalty for a HIPAA breach by an individual is $250,000. There may also be compensation payable to the victims, and a jail term is likely for a criminal violation of HIPAA Rules. Similar to the fines for HIPAA violations for HIPAA covered entities and business associates, there are penalty tiers in place for situations like this:

  • A maximum one-year jail term for criminal HIPAA breaches that happen due to negligence
  • A maximum five-year jail term for collecting protected health information under false pretenses
  • A maximum ten-year jail term for knowingly breaching HIPAA Rules with malicious intent or for personal profit
  • A mandatory two-year jail term for aggravated identity theft

Identifying HIPAA Breaches

The main ways that a HIPAA breach can be identified are as follows:

  • The Covered Entity or Business Associate can find them during a risk analysis
  • The HHS Office for Civil Rights can find them during a HIPAA audit
  • The patient(s) whose data has been disclosed without authorization can report it
  • Third parties searching the Internet for vulnerable applications and storage volumes can also identify HIPAA violations

In the event that HIPAA rules are breached as a result of a lack of training, your employer will be to blame, as they have a legal requirement to conduct training “as necessary and appropriate for employees in order for them to carry out their function in a HIPAA-compliant manner” (HIPAA Privacy Rule). To stop any dispute about whether appropriate training has been conducted, employers must record that it was conducted, when and by whom.

Additionally, if a computer error results in a HIPAA breach taking place, it is referred to as an inadvertent disclosure. This is the responsibility of the Covered Entity or Business Associate and a result of them neglecting to implement safeguards, or failing to provide instruction on how to use the computer safely. However, if the inadvertent disclosure took place due to an operator error, the employee is to blame.

If you are aware that a HIPAA breach has taken place, then you should follow the company process for reporting breaches of HIPAA. You can report it to your supervisor or to the person given responsibility for dealing with this.

The severity of the punishment for breaches of HIPAA means that it is crucial that staff are trained to understand HIPAA and that the company is doing everything possible to provide this training. HIPAA covered entities may be reluctant to invest in HIPAA training, but it must be recognized that the cost of training is far less than the cost of sanctions for a breach taking place, not to mention the reputational damage that could also result from a breach being allowed to occur.