Penalties of HIPAA Violations Explained


In order to safeguard the Protected Health Information (PHI) of patients, the Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-Covered Entities (CEs). The act also strictly controls when PHI may be disclosed, to whom, and for what purposes.

Under the HIPAA Enforcement Rule of 2006, the Department of Health and Human Services' Office for Civil Rights (OCR) was granted the authority to issue financial penalties (and/or corrective action plans) to CEs that fail to comply with the HIPAA Rules.

Violating the HIPAA Rules has always carried a financial penalty. The penalty amounts were updated following the introduction of the Omnibus Rule in March 2013, which brought them into line with the Health Information Technology for Economic and Clinical Health Act (HITECH).

Since the introduction of the Omnibus Rule, the penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses and all other CEs. They also apply directly to Business Associates (BAs) of CEs, which are now independently liable for their own violations of the HIPAA Rules.

These financial penalties are intended to act as a deterrent to those who may consider breaking the HIPAA Rules. They also ensure that CEs are held accountable for their actions, which in turn helps to protect the privacy of patients and the confidentiality of health data.

The penalty structure is tiered. The tiers are divided according to several factors, chiefly the degree of knowledge the covered entity had of the violation. The OCR sets the penalty within the applicable tier based on a number of "general factors" and the seriousness of the HIPAA violation.

Ignorance of the HIPAA Rules is no excuse for a violation. In cases of willful neglect of the HIPAA Rules, the guilty party will be levied with the highest penalty.

Categories of HIPAA Violation

The tiered structure for penalties can be described as follows:

Category 1: A violation that the CE was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by the HIPAA Rules

Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care, falling short of willful neglect of the HIPAA Rules

Category 3: A violation that is a direct result of willful neglect of the HIPAA Rules, but which was corrected within the required time period (30 days of the CE knowing, or reasonably being expected to know, of the violation)

Category 4: A violation that is a direct result of willful neglect of the HIPAA Rules, where no attempt has been made to correct the violation

In the case of unknown violations, where the CE could not reasonably have been expected to avoid a data breach, it may seem unreasonable for a CE to be issued with a fine. The OCR appreciates this and has the discretion to waive a financial penalty. However, where there was a willful violation of the Privacy, Security or Breach Notification Rules, the fine will not be waived.

HIPAA Violation Penalty Structure

Each category of violation carries a separate range of HIPAA penalties. It is at the discretion of the OCR to determine a financial penalty within the appropriate range for each individual case. The OCR considers a wide range of factors when determining the appropriate penalty, including the length of time over which the violation occurred, the number of individuals affected by the violation, and the nature of the data exposed. An organization's willingness to cooperate with an OCR investigation is also taken into account.

The guilty party's prior history of HIPAA compliance is also considered, as are the organization's financial condition and the level of harm caused by the violation. These factors can decrease or increase the financial penalty issued.

Category 1: Minimum fine of $100 per violation up to $50,000

Category 2: Minimum fine of $1,000 per violation up to $50,000

Category 3: Minimum fine of $10,000 per violation up to $50,000

Category 4: Minimum fine of $50,000 per violation

The maximum fine per violation category, per calendar year, is $1,500,000. Fines are issued per violation category, per year that the violation was allowed to persist. (The figures above are the base amounts set in 2013; the OCR adjusts them annually for inflation, so the amounts actually applied in a given year will be somewhat higher.)

A data breach or security incident that results from a violation may attract separate fines for different aspects of the breach under multiple Security and Privacy Rule standards. A fine of $50,000 could, in theory, be issued for any single violation of the HIPAA Rules, regardless of how minor the incident was or how insignificant the data involved.

In certain circumstances, the fine may also be applied on a daily basis. For example, if a CE has been denying patients the right to obtain copies of their medical records and has been doing so for a period of one year, the OCR may decide to apply a penalty for each day that the CE was in violation of the law rather than for each patient affected. In that case, the per-violation penalty would be multiplied by 365, subject to the annual cap for the category.

State Attorneys General Can Also Issue HIPAA Fines

The HITECH Act, enacted in February 2009, gave state Attorneys General the authority (Section 13410(e)(1)) to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents. Under the act, Attorneys General may file civil actions in the federal district courts. Statutory damages can be sought up to a maximum of $25,000 per violation category, per calendar year, with a minimum of $100 per violation.

Attorneys General in multiple states may each fine a single CE if that CE suffers a data breach affecting residents of more than one state. At present only a few U.S. states (Connecticut, Massachusetts, Indiana, Vermont and Minnesota) have taken action against HIPAA offenders. However, since state AG offices are able to retain a percentage of the fines issued, other state AGs are likely to follow suit and take action against HIPAA offenders.

Criminal Penalties for HIPAA Violations

In addition to civil financial penalties, a HIPAA violation can result in criminal charges being filed against the individual(s) responsible for a breach of PHI. Criminal penalties for HIPAA violations are divided into their own tier system. A judge considers the facts of each individual case and determines the prison term and an appropriate fine according to the tier into which the offense falls. As with the OCR, a number of general factors are considered which will affect the penalty. If an individual has profited from the theft, access or disclosure of PHI, all money received may have to be forfeited in addition to payment of a fine.

The tiers for criminal penalties for HIPAA violations are:

Tier 1: Knowingly obtaining or disclosing PHI in violation of HIPAA. Term: up to 1 year in jail and a fine of up to $50,000

Tier 2: Obtaining PHI under false pretenses. Term: up to 5 years in jail and a fine of up to $100,000

Tier 3: Obtaining PHI with intent to sell it, for commercial advantage, for personal gain, or with malicious intent to cause harm. Term: up to 10 years in jail and a fine of up to $250,000

The figures above are the federal maximums; the fine and prison term actually imposed depend on the charges brought against the individual and the circumstances of the case. Many states also have their own laws on the theft or misuse of health information, so additional state penalties may apply on top of the federal ones.

There has been a recent surge in the number of healthcare employees with access to sensitive data stealing PHI. The value of PHI on the black market is considerable, and this can be a strong temptation for some individuals seeking a relatively easy profit. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and that systems and policies are in place so that improper access to and theft of PHI can be rapidly identified.

All staff likely to come into contact with PHI should be informed by their employer of the penalties for HIPAA violations. It should be made clear that violations will not only result in loss of employment but potentially also a lengthy jail term and fine, which should act as a strong deterrent.

State Attorneys General have been placed under a great deal of pressure to tackle data theft in their states and are keen to make examples of individuals found to have violated the HIPAA Privacy Rule. A jail term for the theft of PHI is therefore likely, as is a hefty financial penalty.

Penalties for HIPAA Noncompliance

A breach of PHI does not have to have taken place for a CE or BA to be fined by the OCR. If a CE or BA is found not to have complied with the HIPAA regulations, the OCR has the authority to issue penalties for HIPAA noncompliance even when no PHI has been exposed. As the OCR increases the volume of HIPAA audits, this scenario is expected to become increasingly common.

Penalties for HIPAA noncompliance can be imposed for many reasons. Failure to maintain documented policies and procedures for HIPAA compliance is itself noncompliance with the regulations. Failure to conduct employee privacy and security training on a regular basis is likewise noncompliance, and those responsible would face penalties.

Failure to put Business Associate Agreements (BAAs) in place with third-party service providers can also attract penalties for HIPAA noncompliance. Several CEs have already been fined for failing to revise BAAs written before the Omnibus Rule took effect; existing contracts could only be relied upon until September 2014, after which they had to be updated to meet the new requirements. In September 2016, the Care New England Health System agreed to pay $400,000 to settle HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.

The OCR monitors BAAs as part of its audit program. A BAA is a contract that sets out the permitted and required uses and disclosures of PHI. One should be signed with every third-party service provider to whom PHI is disclosed (including lawyers), and it should have a start date and an end date. If a breach of PHI occurs, both the CE and the BA could be issued with penalties for HIPAA violations as well as penalties for HIPAA noncompliance.