The Health Insurance Portability and Accountability Act (HIPAA) governs how organizations must handle protected health information (PHI) and electronic protected health information (ePHI). Because HIPAA is a federal law, non-compliance brings both legal penalties and severe business impacts.
What Does HIPAA Say?
Congress enacted HIPAA in 1996 to protect the flow of personal healthcare information. The U.S. Department of Health and Human Services (HHS) created the HIPAA Privacy Rule in 2003, defining PHI as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
In 2005, the HIPAA Security Rule focused attention specifically on electronically stored PHI (ePHI) and established three types of compliance safeguards.
- Administrative safeguards are the policies and procedures that demonstrate compliance
- Physical safeguards control access to data storage areas
- Technical safeguards cover communications that transmit PHI electronically over open networks
What Are Covered Entities and Business Associates?
HIPAA defines “covered entities” (that is, those subject to the law) as health plans, clearinghouses, and healthcare providers that transmit PHI or ePHI electronically. “Business associates” under HIPAA are those organizations with access to ePHI or PHI because they perform functions or activities on behalf of a covered entity.
Health care providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies to the extent that they transmit the information as part of a healthcare transaction.
Health plans incorporate health insurance companies, HMOs (health maintenance organizations), company health plans, and government programs such as Medicare, Medicaid, and the military and veterans’ health care programs.
A health care clearinghouse is the middleman between the healthcare providers and the insurance companies.
HIPAA requires that covered entities engaging with business associates have a written contract or arrangement that defines the business associate’s responsibilities regarding protected health information.
Who Is Protected by HIPAA?
The HIPAA Privacy Rule requires HIPAA-covered entities and their business associates to substantially protect all individually identifiable health information created, stored, maintained, or transmitted by HIPAA-covered entities and their business associates.
Individually identifiable health information created, collected, transmitted, or maintained by a HIPAA-covered entity in connection with the provision of health care, payment for health care services, or use in health care operations is protected health information under HIPAA.
HIPAA protects health information such as diagnoses, treatment information, medical test results, and prescription information. Protected personal data also includes Social Security numbers, birth dates, gender, ethnicity, phone numbers, and emergency contact information.
PHI only refers to data regarding patients or members of health plans. It excludes information from educational and employment records and health information kept by a HIPAA-covered entity in its role as an employer.
Health information is considered PHI only when an individual can be identified from the data. Therefore, once all identifiers are removed from health data, the information no longer qualifies as PHI, and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.
Who Governs HIPAA?
HIPAA privacy and security rules are enforced by the Office for Civil Rights (OCR), a part of the Department of Health and Human Services (HHS). The agency’s website allows people to file complaints against covered entities and their business associates. Individuals can submit complaints via the website’s portal, email, or fax.
What Are the Four Types of HIPAA Violations?
OCR prefers to resolve HIPAA breaches through non-punitive means, such as voluntary compliance or technical assistance that helps covered entities address non-compliance issues. Financial sanctions may be warranted if the violations are significant, have been ongoing for an extended period, or span several areas of non-compliance.
There are four categories used for structuring HIPAA violations and imposing penalties.
- The lowest level is a breach that the covered entity was unaware of and could not realistically have avoided by making reasonable efforts to comply with HIPAA standards.
- The covered entity was aware of the breach but could not have prevented it even with reasonable care; this falls short of deliberate disregard of HIPAA regulations.
- A breach occurred due to “willful neglect” of HIPAA standards, but the organization made immediate attempts to correct the violation.
- A breach occurred due to “willful neglect” of HIPAA standards, and the issues went uncorrected for an extended period.
It may appear unreasonable for a covered entity to be penalized for undiscovered violations in cases where the organization couldn’t have been expected to avoid a data breach. OCR understands this, and has the discretion to waive a financial penalty. That penalty, however, cannot be waived if the violation involved willful neglect of privacy, security, and breach notification rules.
It’s imperative to understand HIPAA requirements if you are a covered entity or a business associate to a covered entity. Penalties will be far less severe for an organization that has implemented various, reasonable control measures to protect PHI and ePHI.
What Are the Consequences of Violating HIPAA?
HIPAA violation consequences arise from the HIPAA Enforcement Rule, which imposes civil money penalties. HHS updated the Enforcement Rule several times between 1996 and 2009; the Health Information Technology for Economic and Clinical Health Act (HITECH) then strengthened HIPAA, and the rules were consolidated under the Omnibus Rule.
What Is the Civil Penalty for Violating HIPAA?
OCR imposes civil penalties on a tiered basis; the tier depends on whether the entity violated the law unknowingly, through reasonable cause, or through willful neglect. Penalty amounts are then determined by the number of violations (records) affected.
An unknowing HIPAA violation can lead to a minimum of $100 per violation with an annual maximum of $25,000 for repeat violations. The maximum penalty can be $50,000 per violation with a yearly maximum of $1.5 million.
The second tier, known as reasonable cause, comes with a minimum penalty of $1,000 per violation, with an annual maximum of $100,000 for repeat HIPAA violations. The maximum penalty in this tier is $50,000 per violation, with a yearly maximum of $1.5 million.
The third tier of civil penalties applies when the violation arose out of willful neglect but was corrected within the required period. This tier carries a minimum fine of $10,000 per violation, with an annual maximum of $250,000 for repeat violations. The maximum penalty in this tier is $50,000 per violation, with a yearly maximum of $1.5 million.
Finally, organizations found to have willfully neglected HIPAA requirements without correcting them within the required period (a Level 4 violation) face a minimum of $50,000 per violation, with an annual maximum of $1.5 million.
Notice that the maximum penalty per violation is the same regardless of tier. An unknowing violation can therefore be penalized as heavily as a willful and uncorrected one.
Can You Go to Jail for Violating HIPAA?
The Department of Justice oversees criminal prosecutions under HIPAA. Like the monetary penalties, criminal violations are separated into tiers.
If a covered entity knowingly obtained and disclosed individually identifiable health information, a one-year prison term and a fine of $50,000 could be imposed.
False pretenses, meaning that an entity or individual working for the entity has lied to obtain information and misuse it, can lead to a $100,000 fine and up to 10 years in prison.
For those violations where the PHI or ePHI was compromised with malicious intentions to sell, transfer, or use it for some kind of personal gain, the fine increases to $250,000 and potentially ten years in jail.
Is it a Felony to Violate HIPAA?
Criminal HIPAA indictments are rare. Although they have happened, many fall under the umbrella of a misdemeanor. As a result, OCR more often prefers to address the underlying causes of the problem and help organizations become compliant.
For example, in its Enforcement Results for January 2018, HHS noted that since 2004 it had received more than 173,000 complaints, leading to more than 871 compliance reviews. In addition, it investigated more than 25,000 cases requiring changes to privacy practices and corrective actions, with 53 cases leading to civil money penalties totaling $75.23 million.
In short, non-compliance usually leads to sanctions and corrective actions, not prison. The costs, however, can still be formidable.
What Is the Penalty for Not Reporting a HIPAA Violation?
Healthcare staff should immediately notify their supervisor or the HIPAA privacy officer if they suspect a HIPAA breach in the workplace. The HIPAA privacy officer will investigate the potential HIPAA breach and perform a risk assessment.
The risk assessment will assist the privacy officer in determining whether the breach is a reportable incident. Failure to notify the affected individuals and OCR of a reportable violation could result in a financial penalty.
Remain HIPAA-Compliant with Automation
Becoming HIPAA compliant doesn’t have to be overwhelming. Instead of using spreadsheets to manage your compliance requirements, use ZenGRC’s compliance, risk, and governance software to automate and streamline activities for all of your compliance frameworks.
Security policies, incident response procedures, and internal controls must be documented and updated regularly to ensure that they keep pace with the evolving regulatory environment. With ZenGRC’s document repository, policies and procedures are revision-controlled and easy to find.
Workflow management features offer easy tracking, automated reminders, and audit trails. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.
Insightful reporting and dashboards provide visibility to gaps and high-risk areas. By better understanding your risk landscape, you can take action to protect your business from cyberattacks, avoid costly data breaches, and monitor the security posture of your business.
Schedule a demo today to see how ZenGRC can help you safeguard your data, centralize compliance activities, and protect your organization from hefty penalties.