HIPAA 101: Your Guide to Violations and Penalties
The Health Insurance Portability and Accountability Act (HIPAA) was instituted in order to protect the personal health information held by covered entities, including doctors, pharmacies, and health insurance companies. A HIPAA violation can cost an individual or entity millions of dollars in fines and can even land those responsible in prison. In order to keep you in the know, we’ve outlined some of the most important aspects of HIPAA and HIPAA violations.
Who do HIPAA rules apply to?
The HIPAA rules apply to covered entities and business associates.
- Covered Entities:
  - Health plans
  - Health care clearinghouses
  - Health care providers who transmit claims in electronic form
  - Medicare prescription drug card sponsors
- Business Associates:
  A “business associate” is a person or entity that performs certain functions or activities involving the use of protected health information (PHI) on behalf of a covered entity, or that provides services to a covered entity.
What is considered a HIPAA violation?
HIPAA violations occur when the acquisition, access, use, or disclosure of unsecured PHI is done in a manner that poses a significant risk of financial, reputational, or other harm to the affected individual.
Civil penalties are determined by a tiered penalty structure that focuses primarily on those who were neglectful or simply unaware of the issue. The tiers are as follows:
- If the covered entity did not and could not have known the act was a HIPAA violation, they’re fined $100 per violation, up to $50,000.
- A violation that had a reasonable cause and was not due to willful neglect is penalized with a minimum $1,000 fine.
- If the HIPAA violation was due to willful neglect but was later corrected, the violating entity will be penalized with a minimum fine of $10,000 per violation.
- If the HIPAA violation was due to willful neglect and was not corrected, the minimum fine will be $50,000 per violation.
Criminal penalties are also determined by a tiered penalty structure, but they apply when an individual knowingly or maliciously obtains PHI. The tiers are as follows:
- Covered entities who “knowingly” obtain or disclose PHI could face a fine of up to $50,000, as well as imprisonment of up to 1 year.
- Covered entities who commit offenses under false pretenses face increased penalties: a $100,000 fine and up to 5 years in prison.
- Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm carry fines of $250,000 and imprisonment of up to 10 years.
How are HIPAA violations discovered?
HIPAA violations can continue for many months, or even years, before they are discovered, and the longer a violation persists, the greater the penalty will be when it is eventually discovered. It is therefore important for HIPAA-covered entities and business associates to conduct regular HIPAA compliance reviews so that violations are discovered and corrected before regulators identify them.
There are three main ways that HIPAA violations are discovered:
- Investigations into a data breach by OCR (the HHS Office for Civil Rights) or by state attorneys general
- Investigations into complaints about covered entities and business associates
- HIPAA compliance audits
How can we prevent HIPAA violations?
The Department of Health and Human Services has mandated annual privacy and security training, as well as regular reminders, for all employees of covered entities. Regular training is therefore more than an issue of best practices: it is legally required by the federal government. Inspired eLearning’s engaging HIPAA and HITECH training programs can help your organization meet this legal requirement, while encouraging an organizational culture in which all employees understand the importance of compliance.
Check out TechGuard® S.H.I.E.L.D.’s™ HIPAA and HITECH training programs. To speak to a cybersecurity adviser, call 855-477-7453 (855-477-SHLD).
© 2018 Inspired eLearning, LLC. All Rights Reserved.