Understanding HIPAA breach penalties can be a problem for many providers, in part because of the myriad of ways in which a breach can occur.
HIPAA created standards for protecting patient health information and established guidelines regarding with whom that information can be shared. This was a great step for patient confidentiality, but for providers, it can feel like a bit of a labyrinth to navigate, with hefty penalties if you are out of compliance.
As of today, the Office of Civil Rights (OCR) has more than 500 open cases under investigation. Let’s take a closer look at these penalties and how to avoid them.
What is a HIPAA Breach?
A HIPAA violation is one in which a covered entity or business associate fails to uphold provisions in one or more of the HIPAA Privacy, Security, or Breach Notification Rules:
- Violations may be either deliberate or unintentional, but both are punishable offenses.
- Unintentional breaches occur when too much of a person’s protected health information (PHI) is disclosed beyond the minimum required.
- Deliberate violations are when a company or practice fails to report breaches to patients promptly or fails to correct them.
Under the Enforcement Rules, litigation can be pursued against entities found in noncompliance with HIPAA standards. That litigation includes corrective action plans and financial penalties.
Violations, Enforcement, and Breach Penalties
If your company or organization has violated any part of HIPAA, several things will happen. Enforcement of the privacy and security rules falls to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
The OCR achieves enforcement in three ways:
- Compliance reviews (notified and surprise).
- Education and outreach to encourage compliance with rule requirements.
- Investigation of complaints.
In cases in which the OCR determines that either a HIPAA breach or noncompliance incident has occurred, the offending entity may seek resolution through voluntary compliance, corrective action, or an entity-specific resolution agreement. HIPAA breach penalties may be criminal or civil.
The OCR generally refers those cases that are criminal to the Department of Justice (DOJ) for litigation and corrective action. Fines for noncompliance are based on the level of perceived negligence of the organization at the time of the violation, and citations are issued per violation, each requiring either civil or criminal litigation.
Civil violations typically involve cases in which the covered entity fails to resolve the breach violation. A civil money penalty (CMP) is then imposed to cover the cost of the violation. The HHS determines the amount concerning the nature of the violation and the harm that resulted.
The OCR breaks down CMP violations into four tiers:
- First – The covered entity committed the error without having reasonably known about the breach. Costs: $100-50,000 per incident, up to $1.5 million.
- Second – The organization either knew or would have known of the error had it exercised due diligence even though the act wasn’t willful neglect. Costs: $1,000-50,000 per incident, up to $1.5 million.
- Third – The entity acted with willful neglect but corrected the issue within 30 days. Costs: $10,000-50,000 per incident, up to $1.5 million.
- Fourth – The entity acted with willful neglect and failed to correct the issue. Costs: $50,000 per incident, up to $1.5 million.
The DOJ handles HIPAA criminal violations and, similar to civil ones, there are different levels based on severity. They can be issued to several covered entities (CE), including:
- Healthcare clearinghouses.
- Health plans.
- Medicare prescription-drug sponsors.
It’s important to note that covered entities’ employees may be responsible for penalties under the “corporate criminal liability” clause. If the employee is not directly liable, he or she can still be charged with aiding and abetting if there was foreknowledge of the breach. DOJ maintains that specific knowledge of an action that violated HIPAA is not required, so anyone in an office in which one exists may be held accountable.
Similar to civil violations, there are three tiers of criminal HIPAA breach penalties, including:
- Reasonable cause or no knowledge of the violation: up to a year in jail.
- Obtaining PHI under false pretenses: up to five years in jail.
- Obtaining PHI for personal gain: up to 10 years in jail.
Unfortunately, the number of cases in which employees obtain PHI for personal gain is on the rise because its value on the black market is significant. Therefore, there must be controls in place that are consistently evaluated against attacks so opportunistic individuals cannot take advantage of PHI.
HIPAA Breach Costs
HIPAA breach violations are costly and can easily consume months, and in some cases years, of profits. Fines increase incrementally with the number of patients involved and the amount of neglect. The legal term for it is mens rea (state of mind), which means fines increase from the level of no knowledge on up to willful neglect.
Fines and charges are divided into reasonable-cause and willful-neglect categories. They factor in a variety of information, including encryption of data, employee error, data theft breaches, and how the entity measures the effectiveness of the compliance program.
Employee error is one of the leading causes of HIPAA violations. It occurs when an employee loses a portable device or mistakenly sends the wrong PHI to a vendor or clearinghouse. Because that kind of error is avoidable, employees must be trained constantly on security policies and procedures. What they don’t know can be costly.
Examples of recent HIPAA Breach Penalties
When an organization has settled with the HHS and OCR and has been forced to pay penalties, the information is made available to the public via a government Breach Portal website. The website also lists cases that are under investigation.
Here are a few examples of recent HIPAA settlements:
- On October 28, 2020, Aetna settled with the HHS for $1 million for three separate HIPAA breaches that dated back to 2017. The violations affected over 18,000 people. In the largest of the breaches, nearly 12,000 individuals were sent mailings with the words “HIV medication” clearly visible through the envelope’s window. During investigations, it was also uncovered that Aetna had failed to properly secure electronic PHI. In addition to the monetary fine, Aetna has agreed to a corrective action plan and will be monitored for the following two years.
- In July of 2020, Lifespan paid over $1 million for a stolen laptop breach that occurred in 2017. The laptop was unencrypted, unsecured and contained electronic PHI of over 20,000 patients. Lifespan has agreed to a corrective action plan and two years of monitoring.
- Premera Blue Cross (PBC) has the unfortunate distinction of being fined the second-largest penalty to resolve an investigation in the history of the OCR. In September 2020, PBC settled for $6.85 million for a breach that affected over 10 million people. PBC was the victim of a data phishing attack that went on for nine months and exposed patient names, bank account information and Social Security numbers. PBC must also consent to two years of monitoring and a corrective plan.
How to Prevent a HIPAA Breach
As demonstrated in these examples, breaches are most often the result of negligence. That means that, in addition to understanding the HIPAA compliance requirements, an entity must also periodically conduct a HIPAA risk analysis. This examination will help you address the vulnerabilities in your practice and create safeguards against future breach penalities. Among various other objectives, a risk analysis should address common operational functions such as assuring up-to-date policies and procedures as well as answer questions about encrypting data and how to handle emails.
After completing a risk analysis, carefully review the HIPAA Security Rule (SR). Compliance helps ensure that health data is protected, created, received, maintained and transmitted appropriately.
There are three SR safeguards:
- Administrative: Assign a privacy officer in your organization to implement new-employee training and review policies and procedures. That officer also should initiate business associate agreements with all organizations with which your patients’ PHI is shared.
- Technical: This relates to access-control requirements, transmission security and audits. Some components are required, while others are just addressable. In reality, addressable items comprise the best practices and should be implemented if at all possible. Transmission security refers to the encryption of PHI that’s shared on your network. It’s not required, but as with access-control requirements, it makes good sense.
- Physical: This relates to access to your facility, device and media controls. Most of the physical safeguards are addressable under SR, but the implementation of them should be considered highly important.
What To Do Next?
As mentioned, a common thread among cases of HIPAA breach penalties is the negligence of the rules required to keep sensitive patient data secure. Breaches are not always malicious. However, ignorance is no excuse, and it still leads to stiff penalties, public shaming, distrust among patients and future monitoring from the OCR.
So what can you do to prevent your organization from becoming the next HIPAA breach case?
- Keep PHI secure: Lack of security regarding electronic PHI is a common issue among organizations that have experienced HIPAA noncompliance. Electronic PHI must be encrypted. When emailing PHI, use a secure email server and ensure all employee mobile devices are encrypted.
- Conduct employee training: Employees need to be aware of HIPAA violations and should be updated on changes regularly. Be sure to answer all questions and provide periodic training on security regulations.
- Run risk assessments: A thorough risk assessment will uncover any areas of weakness in an organization’s HIPAA compliance plans. When done properly, the risk analysis should tell you how to avoid breaches and analyze how well your current plan is working.
HIPAA breach penalties are in place to deter entities from knowingly (and unintentionally) ignoring HIPAA guidelines. These penalties can be detrimental to practices and organizations, leading to financial and reputational downfall. As such, organizations have ample incentive (both for self-preservation and the good of their patients) to comply with HIPAA regulations.