What Happens In The Case Of A HIPAA Violation?
The Health Insurance Portability and Accountability Act of 1996 placed a number of strict requirements on healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities in order to safeguard the Protected Health Information (PHI) of patients. It covers how data must be stored, who can access it, with whom it may be shared, and the power of patients to access their own data. It has proven to be a critical piece of legislation in the modern healthcare system.
In addition to creating rules, HIPAA created penalties for the violation of those rules. These penalties were aimed to be a deterrent for any covered entity (CE) who may consider ignoring the rules, and to hold those who do violate HIPAA accountable for their actions. In the Enforcement Final Rule of 2006, the Department of Health and Human Services’ Office for Civil Rights (OCR) was granted the ability to issue financial penalties (and/or action plans) to CEs that fail to ensure HIPAA compliance in their organisation.
Those who violate HIPAA face hefty financial penalties. Recently, HIPAA legislation was updated following the introduction of the Omnibus Rule in March 2013. This introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). According to the Omnibus Rule, new penalties for HIPAA violations are applied to healthcare providers, health plans, healthcare clearinghouses and all other CEs. This includes Business Associates (BAs) of CEs who are also guilty of violating HIPAA Rules.
Organisations are expected to be familiar with every aspect of HIPAA legislation; ignorance of a particular rule is not an accepted excuse for a violation. If an organisation is found to have been wilfully negligent of HIPAA Rules, the guilty party will be levied with the highest penalty.
The penalty structure is divided into several different tiers. The tiers are divided based on many different factors, including the size of the organisation, if appropriate safeguards were in place before the violation, and if the organisation had any knowledge of the breach. The OCR will set the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.
Categories of HIPAA Violation
The tiered structure for penalties can be described as follows:
• Category 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
• Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
• Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
• Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
If the CE in question could not have been expected to avoid a data breach, a so-called “unknown violation”, it may seem unreasonable for a CE to be issued with a fine. In these circumstances, the OCR has the power to waive a fee such that the organisation is not punished unfairly.
HIPAA Violation Penalty Structure
There is a distinct HIPAA penalty for each category of violation. It is the OCR’s responsibility to determine a financial penalty within the appropriate range following its investigation of the incident. The OCR considers a wide range of factors when determining the appropriate penalty to be levied. These include the length of time over which the violation occurred, the number of people affected, the nature of the data exposed, the financial means of the organisation, and how much damage has been done by the breach. An organisation’s willingness to assist with an OCR investigation is also taken into account, as is any prior history of HIPAA violations. The maximum fine per violation category, per year, is $1,500,000. The fines are issued per violation category, per year that the violation was allowed to persist.
The tiers are as follows:
• Category 1: Minimum fine of $100 per violation up to $50,000
• Category 2: Minimum fine of $1,000 per violation up to $50,000
• Category 3: Minimum fine of $10,000 per violation up to $50,000
• Category 4: Minimum fine of $50,000 per violation
A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA rules, regardless of how minor the incident was or how insignificant the data involved is.
Fines may also be levied against an organisation based on the number of days over which the violation occurred, instead of by the number of patients affected (as above). For example, if a CE has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the CE has been in violation of the law. Therefore, in this case, the penalty would be multiplied by 365.
Attorneys General and HIPAA Fines
In February 2009, the HITECH Act (Section 13410(e)(1)) awarded state Attorneys General the power to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents. The Act also gave Attorneys General the power to file civil actions in the federal district courts. Statutory damages can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.
If a particular CE suffers a data breach affecting residents in multiple states, the Attorneys General of those states may each be able to fine that CE. Although the Act was created in 2009, at present only a few U.S. states – Connecticut, Massachusetts, Indiana, Vermont and Minnesota – have so far taken action against HIPAA offenders. This is likely to change soon, as AG offices have been granted the power to retain a certain amount of the fines issued against CEs; an attractive incentive for other AGs to take action against HIPAA offenders.
Criminal Penalties for HIPAA Violations
A HIPAA violation can result in criminal charges being filed against the individual(s) responsible for a breach of PHI if the case is particularly severe. These are brought against the CE in conjunction with financial penalties. Criminal penalties for HIPAA violations are divided into their own tier system. A judge considers the facts of each individual case, and determines the term and an appropriate fine according to the tier to which the penalty belongs. As with the OCR, a number of general factors are considered which will affect the penalty. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be refunded, in addition to payment of a fine.
The tiers for criminal penalties for HIPAA violations are:
• Tier 1: Reasonable cause or no knowledge of violation. Term: up to 1 year in jail
• Tier 2: Obtaining PHI under false pretenses. Term: up to 5 years in jail
• Tier 3: Obtaining PHI for personal gain or with malicious intent. Term: up to 10 years in jail
The healthcare industry has faced a recent epidemic of employees stealing PHI with malicious intent. PHI has enormous black market value; an age-old incentive for individuals with easy access to it. HIPAA stipulates that covered entities must both limit the opportunity for individuals to steal patient data, and put systems and policies in place that enable improper access to and theft of PHI to be rapidly identified.
All staff likely to come into contact with PHI should be informed by their employer of the penalties for HIPAA violations. It should be made clear that violations will not only result in a termination of their employment contract, but potentially also a lengthy jail term and fine.
Penalties for HIPAA Noncompliance
Covered entities and their business associates are liable to be fined for the violation of HIPAA protocol even if their organisation has not faced a breach of PHI. If a CE or BA is found not to have complied with the HIPAA regulations during an audit, the OCR has the authority to issue penalties for HIPAA noncompliance. It is predicted that, as the OCR increases the volume of HIPAA audits, this scenario will become increasingly common.
For example, if a covered entity fails to complete Business Associate Agreements (BAAs) with third-party service providers, it is likely to be fined for HIPAA non-compliance. Already, several CEs have been fined for failing to revise BAAs written before September 2014, when all existing contracts were invalidated by the Final Omnibus Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005. In addition to the financial penalty, the organisation was requested to implement a Corrective Action Plan (CAP) to address the non-compliance within the organisation.