Penalties for HIPAA non-compliance can be severe, and both healthcare providers and business associates need to be aware of the risks that come with violating HIPAA Rules. This article provides the healthcare industry with an overview of the different tiers of penalties for HIPAA violations, as well as information on how to ensure your HIPAA compliance efforts are successful. Read on to learn more!
Violation Classifications for HIPAA Non-Compliance
Under HIPAA regulations, violations for non-compliance are classified into four categories that largely depend on whether the breach was due to willful neglect or was unintentional, how avoidable it may have been, and how the HIPAA covered entity (healthcare providers, insurance companies, and healthcare clearinghouses) responded to resolve the violation. Those tiers are as follows:
| Tier | Description |
|---|---|
| Tier 1 Violation | The covered entity was unaware of the HIPAA breach and could not have avoided this violation with reasonable care. |
| Tier 2 Violation | The covered entity did not act with any willful neglect that caused the HIPAA breach, but they did not use due diligence to comply either. |
| Tier 3 Violation | The covered entity demonstrated willful neglect that caused the HIPAA breach, but proceeded to correct the flagged issues. |
| Tier 4 Violation | The covered entity demonstrated willful neglect that caused the HIPAA breach, and they did not correct the flagged issues. |
What are the Penalties for HIPAA Non-Compliance?
The penalties for HIPAA non-compliance are based on the tier of violation committed, as well as whether the covered entity has been cited for repeat violations. The penalties originally ranged from $100 to $50,000 per violation, with a maximum fine of $1.5 million per year for violations of an identical provision, and willful neglect penalties had a minimum fine of $10,000 per violation. However, under the Federal Civil Monetary Penalties Inflation Adjustment Act Improvements Act, passed by Congress in 2015, HHS was required to raise civil money penalties to keep in line with inflation. Consequently, the dollar amounts for these civil penalties are now adjusted annually.
In 2019 the Department of Health and Human Services revisited the language in the HITECH Act and decided that maximum penalties had been interpreted improperly. Instead of the original schedule of penalties that was announced, it was determined that the maximum penalty should be revised downward for the first three violation tiers, and then adjusted annually for inflation.
An odd outcome of the above was that in Tier 1 the annual penalty limit for violating HIPAA regulations is higher than the maximum penalty per violation. This is certain to be addressed as further rule clarifications roll out.
To date, OCR settled or imposed a civil money penalty in 126 cases resulting in a total dollar amount of $133,519,272.00. With the above in mind, below are the four tiers of HIPAA violations, along with their current (as of 2022) civil monetary penalties.
| Tier | Minimum per violation | Maximum per violation | Annual maximum |
|---|---|---|---|
| Tier 1 | $127 | $63,973 | $30,487 |
| Tier 2 | $1,280 | $63,973 | $121,946 |
| Tier 3 | $12,794 | $63,973 | $304,865 |
| Tier 4 | $63,973 | $1,919,173 | $1,919,173 |
Are HIPAA Violations Criminal?
While not all HIPAA violations are criminal, certain ones may be subject to criminal penalties. For example, suppose a HIPAA violation is found to have been caused by the intentional misrepresentation of facts to the Secretary of Health and Human Services. In that case, that party could be subject to criminal penalties including imprisonment. Additionally, covered entities that knowingly and willfully disclose protected health information in violation of HIPAA can be subject to criminal penalties. The table below demonstrates the tiers of criminal HIPAA violations and their consequences.
| Classification | Description | Penalty |
|---|---|---|
| Class A Felony | Committed with the intent of selling or transferring protected health information (PHI) for commercial or personal gain, or to do so with malicious intent. | Up to 10 years in jail and a fine of $250,000. |
| Class B Felony | Committed under false pretenses. | Up to 5 years in jail and a fine of $125,000. |
| Class C Felony | Knowingly obtaining or disclosing individually identifiable health information. | Up to 2 years in jail and a fine of $50,000. |
Who enforces HIPAA?
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. OCR received over 34,000 complaints in 2021. Complaints to OCR may be filed by individuals or entities. Enforcement actions are made public on OCR’s website. In addition to complaint investigations, OCR also conducts compliance reviews and audits of HIPAA covered entities and their business associates. These are proactive reviews that OCR initiates to assess compliance with the Rules. Audit results are shared with the covered entities and their business associates, and may also be made public. Finally, OCR provides technical assistance to help covered entities and business associates understand and comply with the requirements of the HIPAA Rules. Technical assistance resources include publications, webinars, presentations, and other resources.
How can Covered Entities Ensure Compliance with HIPAA Rules?
There are a number of steps that covered entities can take to prevent HIPAA violations. These include:
Designating a HIPAA compliance officer:
Every covered entity must have a designated individual responsible for compliance with HIPAA Privacy and Security Rules. This person is typically the privacy officer or security officer.
Establish a Compliance Committee:
A compliance committee helps the covered entity meet its obligations under the HIPAA Privacy, Security, and Breach Notification Rules. The committee should be made up of members from different areas of the organization, including one or more members from management. The compliance committee’s activities should be designed to promote compliance with policies and procedures and to prevent and detect non-compliance. The committee should also review complaints about the covered entity’s compliance with HIPAA and investigate any incidents of non-compliance. By providing HIPAA enforcement and effectively carrying out these activities, the compliance committee can help the covered entity avoid HIPAA penalties for non-compliance.
Developing policies and procedures for complying with HIPAA rules:
Covered entities must develop written policies and procedures that address all required and addressable aspects of the HIPAA Privacy, Security, and Breach Notification Rules.
Providing training to employees on HIPAA compliance:
For all employees who have access to PHI, receiving training on the requirements of the HIPAA Privacy and Security Rules is the hallmark of an effective HIPAA compliance program. Training should be provided on an ongoing basis at least annually, as new employees are hired, and when changes to policies or procedures are made.
Implementing physical, technical, and administrative safeguards:
HIPAA regulations require that covered entities put in place physical, technical, and administrative safeguards to protect the confidentiality, integrity, and availability of PHI. Physical Safeguards are a set of rules and guidelines outlined in the HIPAA Security Rule that focus on the physical access to Protected Health Information (PHI). In contrast, Administrative Safeguards focus on policy and procedures, while Technical Safeguards focus on data protection such as:
- Access Control. HIPAA covered entities must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls
- Integrity Controls
- Transmission Security
Conducting HIPAA Risk Assessments:
As part of their security management process, covered entities must conduct regular HIPAA risk assessments to identify potential threats and vulnerabilities and to determine the level of risk posed to the confidentiality, integrity, and availability of protected health information. A Risk Assessment should be conducted on an ongoing basis, as needed.
Responding promptly to detected offenses and undertaking corrective action:
All covered entities should have a HIPAA Compliance Program that is quick to take corrective action on detected offenses. Corrective action might include implementing new policies and procedures, providing training to staff members, and/or reporting non-compliance to the Department of Health and Human Services Office for Civil Rights (OCR).
Execute business associate agreements with all appropriate third parties:
Covered entities must have a business associate agreement in place with any third party that creates, receives, maintains, or transmits PHI on their behalf. These agreements must contain certain provisions as required by HIPAA, including specifying the permissible uses and disclosures of PHI by the business associate, as well as identifying the covered entity’s obligations with respect to safeguarding PHI. If you don’t have one already, you can download our business associate agreement template. It’s a reusable PDF fillable form that complies with all of the most recent requirements, and it’s ready to be used with all of your business associates.
Now that You Better Understand HIPAA Compliance and the Penalties for HIPAA Violations …
HIPAA penalties can be imposed for a variety of violations, ranging from non-compliance with the HIPAA Privacy Rule to failure to adhere to the requirements of the HIPAA Security Rule. And, as you can see, the civil and criminal penalties for each type of violation are tiered, with increasing harshness for more serious violations.
Covered entities can take a number of steps, like those outlined above, to ensure compliance with HIPAA Rules. However, given the complex nature of HIPAA compliance, it is often best to seek help from qualified experts, like The Fox Group, who can assist with ensuring success.