The Health Insurance Portability and Accountability Act (HIPAA) governs the handling of Protected Health Information (PHI) and electronic Protected Health Information (ePHI). Because HIPAA is a federally enforced compliance program, noncompliance carries both regulatory penalties and severe business consequences.

Penalties for HIPAA Violations

What does HIPAA say?

Congress enacted HIPAA in 1996, originally to protect workers' health insurance coverage as they moved from one job to another. The US Department of Health and Human Services (HHS) later issued the HIPAA Privacy Rule, which took full effect in 2003 and defines Protected Health Information (PHI) as "any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual."

The HIPAA Security Rule, which took effect in 2005, focuses specifically on electronically stored and transmitted PHI (ePHI) and establishes three categories of safeguards. Administrative safeguards are the policies, procedures, and workforce practices that govern how an organization selects, implements, and maintains its security measures. Physical safeguards protect facilities, workstations, and media, for example by controlling access to areas where data is stored. Technical safeguards are the technology and related policies that protect ePHI and control access to it, including protecting PHI transmitted electronically over open networks.

What are Covered Entities and Business Associates?

HIPAA defines covered entities as health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction. Business associates are persons or organizations that create, receive, maintain, or transmit PHI or ePHI in order to perform functions, activities, or services on behalf of a covered entity.

Health care providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, to the extent that they transmit information in electronic form as part of a standard transaction. Health plans include health insurance companies, HMOs, employer-sponsored health plans, and government programs such as Medicare, Medicaid, and the military and veterans' health care programs. A health care clearinghouse is a catch-all category for any entity that processes nonstandard health information received from another entity into a standard data format (or the reverse).

HIPAA requires a covered entity that engages a business associate to have a written contract or other arrangement (commonly called a business associate agreement) that defines the business associate's responsibilities for protected health information.

Who governs HIPAA?

The Office for Civil Rights (OCR), a unit of the Department of Health and Human Services (HHS), enforces the Privacy and Security Rules. The agency's website allows people to file complaints against covered entities and their business associates. Individuals can submit complaints through the website's portal or by mail, email, or fax.

What are the consequences of violating HIPAA?

The consequences of a HIPAA violation arise from the HIPAA Enforcement Rule, which sets out civil money penalties. HHS updated the Enforcement Rule several times between 1996 and 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 then strengthened HIPAA's penalty structure, and the 2013 Omnibus Final Rule consolidated those changes into the current regulations.

What is the civil penalty for violating HIPAA?

OCR imposes civil penalties on a tiered basis. The tier depends on the entity's level of culpability: whether it did not know (and could not reasonably have known) of the violation, had reasonable cause, or acted with willful neglect, and, in the last case, whether it corrected the violation in time.

The first tier, an unknowing violation, carries a minimum of $100 per violation, with an annual cap of $25,000 for repeated violations of the same provision. The maximum is $50,000 per violation, with an annual cap of $1.5 million.

The second tier, reasonable cause, carries a minimum of $1,000 per violation, with an annual cap of $100,000 for repeated violations. The maximum in this tier is again $50,000 per violation, with an annual cap of $1.5 million.

The third tier covers violations that arose from willful neglect but were corrected within the required time period. It carries a minimum of $10,000 per violation, with an annual cap of $250,000 for repeated violations. The maximum is $50,000 per violation, with an annual cap of $1.5 million.

Finally, organizations found to have willfully neglected HIPAA requirements without correcting the violation within the required time period face a minimum of $50,000 per violation, with an annual cap of $1.5 million. In this tier the minimum and maximum are the same.

All entities should note that the maximum penalty, $50,000 per violation and $1.5 million per year, is the same in every tier; the tiers differ in their minimum penalties and in the lower annual caps that apply to repeated violations. An unknowing violation can therefore, in principle, be penalized as heavily as a willful and uncorrected one. These figures are the base amounts; HHS adjusts them annually for inflation, so the current numbers are somewhat higher.

Can you go to jail for a HIPAA violation?

The Department of Justice (DOJ) oversees the criminal penalties associated with HIPAA. As with the civil penalties, criminal violations are separated into tiers, and they apply to individuals as well as to organizations.

Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA can result in a fine of up to $50,000 and up to one year in prison.

Obtaining the information under false pretenses, meaning that an entity or an individual working for it lied in order to obtain the information and use it improperly, can result in a fine of up to $100,000 and up to five years' imprisonment.

Where PHI or ePHI was obtained or disclosed with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm, the fine rises to as much as $250,000 and the sentence to as much as 10 years in prison.

Is it a felony to violate HIPAA?

Criminal HIPAA prosecutions are rare. They do happen, but the lowest criminal tier (up to one year in prison) is a misdemeanor; only the false-pretenses and commercial-gain tiers carry felony-level sentences. OCR, which handles civil enforcement, more often prefers to address the underlying causes of a problem and help the organization become compliant.

For example, in its Enforcement Results highlights for January 2018, HHS noted that since 2003 it had received 173,426 complaints, leading to 871 compliance reviews. It had investigated and resolved roughly 26,000 cases by requiring changes to privacy practices and corrective actions, and 53 cases had ended in settlements or civil money penalties totaling $75,229,182.

In short, noncompliance most often leads to sanctions and corrective action plans. In the cases where money penalties were imposed, however, the cost was substantial.

How automation can ease HIPAA compliance

The HHS Office of Inspector General (OIG) publishes compliance program guidance that covers every party involved in your compliance effort, from frontline employees to the Board of Directors. Automation helps you communicate with these stakeholders, giving each of them the information relevant to their role.

A HIPAA compliance audit benefits in the same way: audit management software that provides a single source of truth for policies, evidence, and findings saves time. Saving time saves money, because your employees can focus on securing the environment rather than assembling documentation.

With an automation tool such as ZenGRC, you can monitor your compliance status continuously while storing all of your required documentation in one place.

ZenGRC’s compliance management software provides a risk dashboard that gives insight into the effectiveness of your ongoing monitoring so that you can meet internal audit standards.

To schedule a demo, contact ZenGRC.