Understanding HIPAA breach penalties can be a challenge for many providers, in part because of the myriad ways in which a breach can occur.
HIPAA created standards for protecting patient health information. It also established guidelines regarding with whom information can be shared.
As of today, the OCR has more than 500 open cases under investigation.
What is a HIPAA Breach?
The Enforcement Rules allowed litigation to be pursued against entities found to be in noncompliance with HIPAA standards. That litigation includes corrective-action plans and financial penalties for entities that fail to comply. To be clear, a HIPAA violation is one in which a covered entity or business associate fails to uphold provisions in one or more of the HIPAA Privacy, Security or Breach Notification Rules.
- Violations may be either deliberate or unintentional, but both are punishable offenses.
- Unintentional breaches occur when too much of a person’s protected health information (PHI) is disclosed beyond the minimum required.
- Deliberate violations occur when a company or practice fails to report breaches to patients in a timely manner or fails to correct them.
Breaches most often are the result of negligence. That means that understanding the HIPAA Compliance Requirements and related breaches and how to avoid them has to include an understanding of risk assessment. To that end, company audits must be performed to determine HIPAA compliance.
Accordingly, HIPAA breach penalties are strict and can have a significant impact on the financial wellness of an organization.
Violations, Enforcement and Breach Penalties
If your company or organization has violated any part of HIPAA, several things are going to happen. Enforcement of the privacy and security rules falls to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR achieves enforcement in three ways:
- Conducting compliance reviews (notified and surprise)
- Education and outreach to encourage compliance with rule requirements
- Investigating complaints
In cases in which the OCR determines that either a HIPAA breach or noncompliance has occurred, an offending entity may seek resolution through voluntary compliance, corrective action or an entity-specific resolution agreement. HIPAA breach penalties may be criminal or civil.
The OCR generally refers criminal cases to the Department of Justice (DOJ) for litigation and corrective action. Fines for noncompliance are based on the level of perceived negligence of the organization at the time of the violation, and citations are issued per violation, each requiring either civil or criminal litigation.
Civil violations typically involve cases in which the covered entity fails to resolve the breach violation. A civil money penalty (CMP) is then imposed to cover the cost of the violation. HHS determines the amount in relation to the nature of the violation and the harm that resulted.
OCR breaks down CMP violations into four tiers.
- First – The covered entity committed the violation without knowing about it, and could not reasonably have known. Costs: $100 to $50,000 per incident, up to $1.5 million.
- Second – The organization either knew, or would have known had it exercised due diligence, but the act did not rise to willful neglect. Costs: $1,000 to $50,000 per incident, up to $1.5 million.
- Third – The entity acted with willful neglect, but corrected the issue within 30 days. Costs: $10,000 to $50,000 per incident, up to $1.5 million.
- Fourth – The entity acted with willful neglect and failed to correct the issue. Costs: $50,000 per incident, up to $1.5 million.
The DOJ handles HIPAA criminal violations and, similar to civil ones, there are different levels, based on severity. They can be issued to several covered entities (CE), including:
- Health care clearinghouses
- Health plans
- Medicare prescription-drug sponsors
It’s important to note that covered entities’ employees may be responsible for penalties under the “corporate criminal liability” clause. If the employee is not directly liable, he or she can still be charged with aiding and abetting if there was foreknowledge of the breach. DOJ maintains that specific knowledge that an action was in violation of HIPAA is not required, so anyone in an office in which a violation occurs may be held accountable.
Just as with civil violations, there are three tiers of criminal HIPAA breach penalties:
- Reasonable cause or no knowledge of the violation: up to a year in jail
- Obtaining PHI under false pretenses: up to five years in jail
- Obtaining PHI for personal gain: up to 10 years in jail
Unfortunately, the number of cases in which employees obtain PHI for personal gain is on the rise, because its value on the black market is significant. Therefore, controls must be in place and consistently evaluated against attacks, so that opportunistic individuals cannot take advantage of PHI.
HIPAA Breach Costs
HIPAA breach violations are costly, and can easily consume months and, in some cases, years of profits. Fines increase incrementally with the number of patients involved and the degree of neglect. The legal term for the latter is mens rea (state of mind): fines increase from the level of no knowledge on up to willful neglect.
Fines and charges are divided into reasonable-cause and willful-neglect categories. They factor in a variety of information, including encryption of data, employee error, data theft breaches, and how the entity has measured the effectiveness of the compliance program.
Employee error is one of the leading causes of HIPAA violations. It occurs when an employee loses a portable device or mistakenly sends the wrong PHI to a vendor or clearinghouse. Because that kind of error is avoidable, employees must be trained constantly on security policies and procedures.
Examples of HIPAA Breach Penalties in 2019
In February 2019, Cottage Health, which operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital in California, settled with HHS for $3 million for a HIPAA breach regarding unsecured electronic PHI. The breach affected more than 60,000 people, and it happened twice, in 2013 and 2015.
In this case, safeguards should have been in place to prevent the breach from occurring in the first place. OCR’s investigation showed that Cottage didn’t conduct a thorough risk analysis regarding its own PHI practices, and it failed to obtain a written agreement with the clearinghouse that maintained its data.
After exposing the PHI of more than 300,000 patients, Touchstone, a Tennessee diagnostic medical-imaging practice, settled with HHS for $3 million in May 2019. As part of the settlement, HHS required that the company adopt a corrective-action plan to settle other potential violations. The case began when, after being notified by the FBI that a server provided uncontrolled access to patient PHI, Touchstone apparently did nothing to correct the issue, and the server remained online. For some time, Touchstone even maintained that no PHI was affected, but OCR investigations revealed that Touchstone didn’t even investigate the claim for months, and failed to conduct an accurate risk analysis.
An Indiana medical records clearinghouse, Medical Informatics Engineering, had to pay a $100,000 penalty after the discovery of a HIPAA breach. It involved hackers able to gain access to the health records of 3.5 million people.
How to Prevent a HIPAA Breach
Those examples illustrate that, to ensure HIPAA compliance, it’s essential that an entity periodically conducts a HIPAA Risk Analysis. That will help you address the vulnerabilities in your practice and help you create safeguards against future breach penalties. The outcome of a Risk Analysis should address common operational functions, such as ensuring up-to-date policies and procedures, and answer questions about encrypting data and how to handle email, to mention just a few.
After completing a risk analysis, carefully review the HIPAA Security Rule (SR). Compliance helps ensure that health data is protected, created, received, maintained, and transmitted appropriately.
There are three SR safeguards:
- Administrative: Assign a privacy officer in your organization to implement new-employee training and review policies and procedures. That officer also should initiate business associate agreements with all organizations with which your patients’ PHI is shared.
- Technical: These relate to access-control requirements, transmission security, and audits. Some components are required, others only addressable. In reality, the addressable items comprise the best practices and should be implemented if at all possible. Transmission security refers to the encryption of PHI that’s shared on your network. It’s not required, but as with the access-control requirements, it makes good sense.
- Physical: These relate to access to your facility and to device and media controls. Most of the physical safeguards are addressable under the SR, but their implementation should be considered highly important.
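The technical safeguards above (access control, audit, and the "minimum necessary" idea behind unintentional over-disclosure) are easier to reason about with a concrete model. The following is an added illustration, not code from the original article or from any HIPAA tooling: a hypothetical role-based filter that releases only the fields a role needs from a constructed sample record, denies anything beyond that, and writes an audit entry for every access attempt, allowed or denied. Role names, field names and the record are all assumptions made for the example.

```python
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample record for the example (hypothetical patient, not real PHI).
PATIENT_RECORD: Dict[str, str] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "ssn": "000-00-0000",
    "diagnosis": "hypertension",
    "billing_code": "I10",
}

# Hypothetical "minimum necessary" policy: each role may see only the fields
# it needs for its job. Anything not listed is denied by default.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"patient_id", "name", "dob", "diagnosis"},
    "billing": {"patient_id", "billing_code"},
    "front_desk": {"patient_id", "name"},
}

# In-memory audit trail; a real deployment would write to append-only storage.
AUDIT_LOG: List[dict] = []


class AccessDenied(Exception):
    """Raised when a request asks for PHI fields outside the role's allowance."""


def _audit(user: str, role: str, patient_id: str,
           requested: Set[str], allowed: bool, reason: str) -> dict:
    """Record every access attempt, including denied ones, with a UTC timestamp."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": patient_id,
        "requested": sorted(requested),
        "allowed": allowed,
        "reason": reason,
    }
    AUDIT_LOG.append(entry)
    return entry


def access_phi(user: str, role: str, requested_fields: List[str],
               record: Dict[str, str] = PATIENT_RECORD) -> Dict[str, str]:
    """Return only the requested fields the role is allowed to see.

    The whole request is denied if any field falls outside the role's policy,
    so a caller cannot quietly over-collect by bundling extra fields.
    """
    requested = set(requested_fields)
    patient_id = record.get("patient_id", "<unknown>")

    allowed_fields = ROLE_FIELDS.get(role)
    if allowed_fields is None:
        _audit(user, role, patient_id, requested, False, "unknown role")
        raise AccessDenied(f"unknown role {role!r}")

    over_scope = requested - allowed_fields
    if over_scope:
        _audit(user, role, patient_id, requested, False,
               "fields outside role policy: " + ", ".join(sorted(over_scope)))
        raise AccessDenied(f"{role!r} may not access {sorted(over_scope)}")

    _audit(user, role, patient_id, requested, True, "within role policy")
    return {f: record[f] for f in sorted(requested) if f in record}


def denied_attempts() -> int:
    """Count denied accesses in the audit trail (the number a reviewer would watch)."""
    return sum(1 for e in AUDIT_LOG if not e["allowed"])


if __name__ == "__main__":
    print(access_phi("dr_smith", "physician", ["name", "diagnosis"]))
    try:
        access_phi("clerk1", "billing", ["billing_code", "ssn"])
    except AccessDenied as exc:
        print("denied:", exc)
    print("denied attempts so far:", denied_attempts())
```

The design choice worth noting is that a request is rejected whole rather than silently trimmed: silent trimming hides over-broad requests from the audit trail, whereas a denial entry is exactly the signal a privacy officer reviewing the log wants to see.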
What To Do Next?
Since 2003, OCR has received more than 200,000 HIPAA complaints and initiated nearly 1,000 compliance reviews, resolving almost all of them. It has investigated and resolved cases that ultimately required changes to the privacy policies of a variety of covered entities. The changes have been systemic and affected all of those involved.
As was mentioned earlier, as of today, the OCR has more than 500 open cases under investigation.
In cases in which an employee was unaware of a violation but still was held accountable, penalties most often were assessed for improper PHI use. A lack of safeguards around PHI and around access to it also commonly leads to penalties. Administrative safeguards and proper employee training should be assessed frequently to ensure compliance.
In addition to financial penalties issued by the OCR or a state attorney general, HIPAA breach penalties include developing corrective action plans. They ensure that policies and procedures already in place are brought up to the standards demanded by HIPAA.
Financial penalties are in place to prevent and deter entities and people from knowingly ignoring HIPAA guidelines. Breach penalties can be detrimental to practices and organizations even when the violations were committed without mens rea. As such, ignorance is no excuse for failing to comply.