Non-compliance with the HIPAA can be costly, which is why HIPAA violations often make the news. But what happens when the HIPAA is violated, and what are the consequences? Let’s find out!
- What is the HIPAA?
- How is the HIPAA violated?
- Who should worry about HIPAA violations?
- How is the HIPAA enforced?
- What are the consequences of HIPAA violations?
- What are the civil penalties under the HIPAA?
- What are the criminal penalties under the HIPAA?
What is the HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a complex law dealing with many aspects of the use of protected health information (PHI) in the healthcare setting.
The most known and discussed part of the HIPAA is the Privacy Rule, which deals with authorized disclosures. In other words, the Privacy Rule tells health care providers and their associates when they can disclose protected health information, and to whom.
However, the HIPAA covers a broad range of other topics: data management, technical standards for electronic health records, and contractual arrangements with business associates.
How is the HIPAA violated?
Because the law is so far-reaching, HIPAA violations can take many forms. The ones that make the news are usually privacy violations due to unauthorized disclosures or data breaches. But it is also common for companies to breach the HIPAA by denying patients access to their information, by failing to have a business associate agreement in place with third parties when required by the law, by failing to notify a data breach, by failing to provide security awareness training to the staff, and so on.
Bottom line: the Privacy Rule gets the most attention, but don’t forget about all the other aspects of the HIPAA!
Who should worry about HIPAA violations?
The HIPAA only applies to healthcare providers (“covered entities”) and so-called business associates.
Business associates are organizations or individuals that work for a covered entity and need to access protected health information. For instance, a web hosting company providing hosting for the website of a hospital will likely need to process protected health information and qualify as a business associate. As such, it needs to comply with the HIPAA and must have a business associate agreement (BA) in place.
On the other hand, if you process health information that is not collected in the context of healthcare, then you don’t need to worry about HIPAA. You can visit our blog on the scope of the HIPAA for more information.
How is the HIPAA enforced?
The HIPAA is enforced by the Office for Civil Rights of the US Department of Health and Human Services (HHS) as well as the Attorney General of each State. Criminally relevant cases are referred to the Department of Justice.
Enforcement proceedings can start after an own-volition investigation or after a patient or employee of a covered entity files a report.
Additionally, organizations have an obligation to self-report breaches of the HIPAA in certain scenarios, such as known data breaches. Failing to notify a HIPAA violation can put organizations in a bad position. So, it is important for organizations to have robust procedures in place to assess internal reports of possible HIPAA breaches, and to get their privacy officer and legal staff involved in the matter.
What are the consequences of HIPAA violations?
HIPAA violations can result in both a civil and a criminal penalty, depending on the nature of the breach. Additionally, the HHS may impose a corrective action plan on an organization in order to ensure compliance in the future.
It is worth noting that corporations can be criminally liable under US law. Therefore, an entity covered by the HIPAA may itself be subject to the fines arising from criminal liability. In some cases, individuals within an organization may be held criminally liable along with the organization itself.
Organizations can also be held liable to patients for any harm caused by a HIPAA breach, on top of having to pay a fine. These damages can be especially high when patients put forward a class action. For instance, in 2018 insurance provider Anthem paid a $18M fine (the highest HIPAA penalty to date) in a settlement for a massive data breach. On top of the fine, the company had to pay more than $100M to settle a class action from its patients.
What are the civil penalties under the HIPAA?
The HIPAA provides both a minimum and a maximum for civil penalties due to HIPAA violations. In enforcing the HIPAA, the HHS can impose a fine between these minimum and maximum thresholds, depending on factors such as the harm inflicted, the preventability of the incident, and the degree of neglect displayed by an organization. Please note that penalties are adjusted for inflation, which results in higher numbers in practice.
The penalty system of the HIPAA is somewhat complex. Any HIPAA violation belongs to one of four tiers, depending on its nature and circumstances. All civil penalties are capped at $50,000, but the minimum is different for each tier.
Tier 1 is for unknowing violations: a covered entity was unaware of the breach and could not avoid it. For instance, a hospital accidentally forwards the result of an exam to the email address of the wrong patient. Penalties for tier 1 violations range from $100 to $50,000 per violation.
Tier 2 is for reasonable cause violations, that is, violations the entity should have known about, but which were not due to willful neglect. For instance: a hospital's IT department suffers a data breach because it failed to update its software. Penalties for tier 2 violations range from $1,000 to $50,000.
Tiers 3 and 4 are for willful violations, and the difference between the tiers is whether the violation was corrected by the covered entity. For instance: if a hospital employee unnecessarily accesses the health records of a celebrity patient out of curiosity, and the hospital later discharges the employee, this will result in a tier 3 violation. On the other hand, if the hospital takes no action against the employee, this will result in a tier 4 violation.
Penalties for tier 3 violations range from $10,000 to the same maximum of $50,000, while penalties for tier 4 are fixed at $50,000.
In practice, proceedings over HIPAA violations often end with a settlement, resulting in lower penalties.
What are the criminal penalties under the HIPAA?
Criminal penalties for HIPAA violations are also organized by tiers.
A tier 1 criminal violation takes place when the HIPAA is knowingly violated. Tier 1 violations are punished with a fine up to $50,000 and imprisonment up to 1 year.
It is worth noting that, according to the case law, a tier 1 violation can take place even if the individual acts without specific knowledge of the HIPAA, provided that they are aware that their actions are unlawful in a more general sense.
A tier 2 criminal violation takes place when an individual violates the HIPAA through **false pretenses**, for instance by using deceit to access protected health information. Tier 2 violations are punished with a fine up to $100,000 and imprisonment up to 5 years.
Tier 3 violations are the most severe and take place when health information is misused or unlawfully disclosed for personal gain, for commercial advantage, or to cause malicious harm. These violations can lead to a fine up to $250,000 and imprisonment up to 10 years.
We care about privacy. This is why we like to explain privacy law in a clear way and without all the legalese.
Our passion for privacy led us to develop Simple Analytics: an innovative web analytics solution to provide you with all the insights you need, without collecting personal data. Simple Analytics allows businesses all over the world to gain visibility and reinforce their online presence in a responsible, privacy-friendly way.
If this sounds good to you, feel free to give us a try!