The Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) place a number of requirements on healthcare organizations and other covered entities, such as stipulating allowable uses and disclosures of Protected Health Information (PHI) and the measures that must be implemented to secure that information.
In 2006, the HIPAA Enforcement Final Rule gave the Department of Health and Human Services’ Office for Civil Rights (OCR) the authority to impose financial penalties on HIPAA Covered Entities (CEs) that fail to comply with HIPAA Rules.
The most recent update to the HIPAA Rules occurred in March 2013 with the introduction of the Omnibus Rule. This introduced changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The Omnibus Rule introduced higher penalties for HIPAA violations by healthcare providers, health plans, healthcare clearinghouses and all other CEs. Business Associates (BAs) of CEs were also now subject to HIPAA and could be fined directly if they are discovered to have violated the HIPAA Rules.
These financial penalties were created to encourage compliance with the HIPAA Rules and to ensure that CEs and BAs are held accountable for compliance failures. This helps ensure the privacy of patients is better protected and the confidentiality of health data is maintained.
The penalty structure for HIPAA violations is tiered. The tiers are based on the efforts made by the CE or BA to comply with HIPAA, the actions taken since the violation was discovered to correct the violation voluntarily, and – if a data breach has occurred – the measures put in place to mitigate the consequences of the data breach. OCR determines the appropriate penalty based on a range of “general factors” and the extent and severity of the HIPAA breach.
Ignorance of the HIPAA Rules is no excuse for noncompliance. It is the responsibility of all CEs and BAs to ensure they are fully compliant with all appropriate provisions of the HIPAA Rules. In cases where there is willful neglect of the HIPAA Rules, the maximum penalty will apply.
Categories of HIPAA Violation
The tiered structure for HIPAA violation penalties is as follows:
- Category 1: A violation that the CE or BA could not have realistically avoided having taken a reasonable amount of care to comply with the HIPAA Rules.
- Category 2: A violation that the CE or BA should have been aware of and should have avoided with a reasonable amount of care, but falling short of willful neglect of the HIPAA Rules.
- Category 3: A violation involving “willful neglect” of the HIPAA Rules, where an attempt has been made to correct the violation.
- Category 4: A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.
In the case of violations where the CE or BA could not have realistically avoided having taken a reasonable amount of care, it may seem harsh for the CE or BA to be issued a fine. OCR acknowledges this and has the discretion to waive financial penalties. However, if there has been a willful violation of the Privacy, Security, or Breach Notification Rules, financial penalties will not be waived.
HIPAA Violation Penalty Structure
Each category of HIPAA violation has a different penalty structure. It is down to the discretion of OCR to determine a financial penalty within the appropriate range for each individual case. OCR considers a wide range of factors when determining an appropriate penalty. This includes the length of time over which the violation occurred, the number of people affected by the violation, the nature of the data breached, the organization’s cooperation with OCR during the investigation, and whether there is a pattern of noncompliance.
The guilty party’s prior history in regard to HIPAA compliance is also considered, as is the organization’s financial position and the level of harm caused by the violation. These factors could decrease or increase the financial penalty.
- Category 1: Minimum fine of $100 per violation up to $50,000 (Maximum $25,000)
- Category 2: Minimum fine of $1,000 per violation up to $50,000 (Maximum $100,000)
- Category 3: Minimum fine of $10,000 per violation up to $50,000 (Maximum $250,000)
- Category 4: Minimum fine of $50,000 per violation (Maximum $1,500,000)
The fines are issued per violation category, for the duration of the violation. This could be calculated based on the number of days the organization was in violation of the HIPAA Rules.
A data breach or security incident that occurs due to any violation of the HIPAA Rules could result in separate fines being applied for each category of violation of the security and privacy standards. A penalty of $50,000 could be applied for any breach of the HIPAA Rules, regardless of the specific factors involved in the case.
Attorneys General Can Also Issue HIPAA Fines
In February 2009, the HITECH Act was introduced. Section 13410(e)(1) allowed state Attorneys General to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents. The Attorneys General also have the power to file civil actions with the federal district courts under this act. Statutory damages up to a maximum of $25,000 per violation category, per calendar year, are possible. The minimum fine applicable is $100 per violation.
Attorneys General in multiple states could potentially fine a single CE if that CE suffers a data breach affecting residents in multiple states. At present only a few U.S. states – Connecticut, Massachusetts, Indiana, Vermont, and Minnesota – have so far taken action against HIPAA offenders. AG offices are able to retain a percentage of the fines issued, which may be an incentive for other state AGs to follow suit and become involved in HIPAA cases.
Criminal Penalties for HIPAA Violations
In addition to civil financial penalties, a HIPAA violation can result in criminal charges being filed against the individual(s) responsible for a breach of the HIPAA Rules. Criminal penalties for HIPAA violations are divided into their own tier system and are handled by the Department of Justice.
A judge considers the facts of each individual case and determines the sentence and an appropriate fine according to the tier in which the penalty falls. As with OCR, several general factors are considered when determining the sentence. If an individual has profited from the theft, access, or the disclosure of PHI, it may be necessary for all moneys received to be refunded in addition to payment of a fine.
The tiers for criminal penalties for HIPAA violations are:
- Tier 1: Reasonable cause or no knowledge of violation. Term: up to 1 year in jail.
- Tier 2: Obtaining PHI under false pretenses. Term: up to 5 years in jail.
- Tier 3: Obtaining PHI for personal gain or with malicious intent. Term: up to 10 years in jail.
In cases of aggravated identity theft, there is a mandatory 2 year jail term applied in addition to the above sentences.
There has been a recent increase in the number of employees in the healthcare sector with access to sensitive data being discovered to have stolen PHI. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals if data theft is considered to be an easy way to make money.
It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and that systems and policies are put in place to identify unauthorized access to PHI and its theft.
All staff likely to come into contact with PHI should be informed by their employer of the penalties for HIPAA violations. It should be made clear that violations will not only result in loss of employment, but potentially loss of license to practice, a lengthy jail term, and a substantial fine.
State Attorneys General have been placed under a great deal of pressure to tackle data theft in their states. Therefore, they are keen to make examples out of individuals found to have violated the HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely, as is a hefty financial penalty.
HIPAA Penalties for Employees
HIPAA covered entities and their business associates must have a sanctions policy in place that is applied when employees are discovered to have violated the HIPAA Rules. The majority of CEs and BAs will consider factors such as whether the violation was accidental, whether the violation was self-reported by the employee as soon as it was discovered, and the magnitude of the violation. The sanctions can range from having to undergo additional training to being fired and having the violation reported to law enforcement and applicable professional boards.
Civil Penalties for Unknowingly Breaching HIPAA Rules
While OCR can opt to waive a civil penalty for unknowingly violating HIPAA, ignorance of the HIPAA regulations will not be seen as an acceptable excuse for a violation occurring. It is possible for a CE or BA to receive a civil penalty for negligently violating the HIPAA Rules.
State laws may permit individuals to bring legal actions against person(s) responsible for a HIPAA violation, but only if the HIPAA violation involved a violation of an equivalent state law. There is no private cause of action in HIPAA, which means lawsuits cannot be filed by individuals for HIPAA violations. However, individuals can use the regulations to establish a standard of care under common law.
Penalties for HIPAA Noncompliance
A data breach does not necessarily have to have taken place in order for a CE or BA to be fined by OCR. If a CE or BA is found not to have complied with the HIPAA regulations, OCR has the authority to issue penalties for HIPAA noncompliance. This is the case even if there has been no breach of PHI. It is predicted that, as OCR increases the number of HIPAA audits, this scenario will become increasingly common.
Penalties for HIPAA noncompliance can be imposed for a large number of reasons. The failure to maintain documented policies and procedures regarding HIPAA compliance efforts, the failure to conduct regular employee privacy and security training, and failing to provide patients with a copy of their healthcare data on request are all violations that could attract financial penalties.
The failure to complete Business Associate Agreements (BAAs) with third-party service providers can attract penalties for HIPAA noncompliance. Already, several CEs have been fined for failing to revise BAAs written before September 2014, when all existing contracts were invalidated by the Omnibus Final Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance due to the failure to revise a BAA originally signed in March 2005.
OCR will be monitoring BAAs as a part of its audit program. These are contracts that lay out the permitted uses and disclosures of PHI and should be signed with every third-party service provider to whom PHI is disclosed. If a breach of PHI occurs, the CE and the BA could both be issued with penalties for HIPAA violations.