[BreachExchange] What Are The Penalties For Violating The HIPAA

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 22 14:32:55 EDT 2018


https://www.intelligenthq.com/resources/penalties-violating-hipaa/

The Health Insurance Portability and Accountability Act (HIPAA) has been
the law of the land in the United States since 1996, when it was enacted to
help streamline the movement of medical records from one health care
provider to another as people switched jobs.

In addition, HIPAA created a set of patient rights designed to protect
people’s right to privacy in regards to their medical records. In 2003,
HIPAA was amended by the HIPAA Privacy Rule, which outlined protected
health information (PHI). HIPAA was further amended in 2005, by the HIPAA
Security Rule. That update introduced new safeguard provisions for
information stored or transported electronically.

HIPAA is governed by the U.S. Department of Health and Human Services
(HHS). The Office for Civil Rights, a unit of HHS, enforces the rules and
determines the financial penalties for violations, while the Department of
Justice has jurisdiction over criminal penalties.

Protecting Patient Privacy

To fully protect that privacy, healthcare organizations were tasked with
investing time and money not only in putting safeguards into place to
ensure that patient privacy was respected, but also in education around
the new HIPAA guidelines to make sure healthcare organizations were in
strict compliance.

HIPAA has had a definite impact on both healthcare organizations and their
patients, and it has created an additional sense of security around
patient privacy. Maintaining that security entails very real penalties if
HIPAA rules and guidelines are violated.

Violations of HIPAA rules and guidelines are taken very seriously, and
penalties include civil and criminal remedies. The Enforcement Final Rule
added to HIPAA in 2006 also introduced financial penalties.

Defining HIPAA Violations

Spend any time around any healthcare organization, and you are sure to hear
the phrase “HIPAA violation.” But what actually constitutes a violation of
patient privacy rights?

Simply put, a violation occurs any time a HIPAA-covered entity fails to
comply with privacy, security or breach notification rules. An individual
or entity does not have to knowingly have breached protocol to be found in
violation of HIPAA. Knowledge does have an effect, however, on the severity
of the punishment.

A HIPAA-covered entity is any company or organization that transmits PHI,
including:

- Healthcare plan administrators
- Healthcare clearinghouses
- Clinics
- Psychologists
- Dentists
- Doctors
- Nursing homes
- Pharmacies
- HMOs
- Medicare and Medicaid

Penalties can be issued for any violation. Typically, violations are
resolved through voluntary compliance, technical guidance or the acceptance
of an entity’s updated plan to address the source of the violation.

HIPAA Financial Penalties

HIPAA violations punishable by fines are classified according to how
serious the offense is. They are broken down into four categories.

- Category 1: Minimum fine of $100 up to $50,000. Usually the result of an
unknowing HIPAA violation.
- Category 2: Minimum fine of $1,000 up to $50,000. Category 2 violations
deal with reasonable cause violations.
- Category 3: Minimum fine of $10,000 up to $50,000. This category involves
infractions due to willful neglect, but that were corrected within a
certain time period.
- Category 4: Minimum fine of $50,000. These fines involve willful neglect
that went uncorrected.

Fines can be enforced on a daily or per-violation basis, meaning that even
Category 1 fines can add up if allowed to persist over time.

HIPAA Criminal Penalties

Just like the financial penalties, criminal punishments for HIPAA violation
are separated into tiers.

- If a healthcare-related entity knowingly obtained and disclosed PHI,
there’s a possible one-year prison term and $50,000 fine.
- If an entity or individual working for that entity lied in order to
obtain information to be used inappropriately, there’s a possible $10,000
fine and 10-year prison sentence.
- For any violation involving the intent to sell, transfer or use PHI for
personal or commercial gain, or to do malicious harm, the fine can total
$250,000 and 10 years in prison.

Criminal cases involving HIPAA violations have been exceedingly rare. The
OCR usually chooses to directly address the causes of the problem in order
to help organizations return to compliance.

For example, in January of 2018, there were over 170,000 HIPAA violation
complaints registered with the OCR. Those complaints resulted in 871
compliance reviews, with 53 cases meriting civil financial penalties.

Avoiding HIPAA Violations

One of the best ways to avoid HIPAA violations is through automation.
Taking the chance of human error out of the PHI communication equation is
perhaps the best way for organizations to stay compliant.

Being completely transparent about where patient data resides and how that
data is encrypted is also important. Organizations should also be upfront
about who has access to PHI data, and how those privileges are maintained.