In this article, we will focus on the Health Insurance Portability and Accountability Act (HIPAA) of 1996. We will look at what HIPAA is, what constitutes a HIPAA violation, and how much a HIPAA violation can cost your business.
Defining HIPAA Compliance
The HIPAA law was passed by Congress in 1996. The federal law protects patient’s privacy rights in the United States. In accordance with the law, organizations are required to abide by a set of standards to protect against unauthorized use and disclosure of Protected Health Information (PHI).
In addition to protecting privacy rights, the federal law also facilitated and strengthened the flow of PHI with the aim of reducing healthcare fraud and abuse.
Any individual or organization that comes into contact with PHI must implement appropriate policies and procedures to safeguard patients’ data to ensure compliance with HIPAA law. That means if you:
- Speak to patients directly
- Check blood pressures
- Write or give out prescriptions
- Oversee the firewall in a healthcare setting
- Encrypt medical data on behalf of a covered entity
- Manage a database that stores, maintains, or creates patient data
You are responsible for HIPAA compliance and HIPAA violations. Individual employees may face charges if PHI gets jeopardized, but that doesn’t mean the entity is exempt from following the HIPAA rules.
Any healthcare practice that compromises Protected Health Information (PHI) is considered to be at fault. However, individual employees may also be considered at fault depending on their actions and face serious consequences.
According to the HHS, “Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.”
The Department of Health and Human Services (HHS) does not accept ignorance on the part of an employer or employee as an excuse. That is why HIPAA training is so crucial to protect patient data and avoid HIPAA violations.
HIPAA Violation Penalties
HIPAA violations can be of two types – civil and criminal. The penalties enforced will depend on the severity of the violations, and whether it was deliberate or unintentional will be taken into consideration.
The civil penalties can be divided into four tiers. Here’s what they look like:
Tier 1: A category of violation that was unintentional, and the entity was unaware that a violation could occur given that they had taken all the necessary steps. Penalties for this tier range from $100 per violation to up to $50,000, and a maximum of $25,000 per year.
Tier 2: A category of violation where the organization could not have prevented the violation but was or should have been aware of the potential risks, not willfully neglecting all the necessary steps. Fines for this tier range from a minimum of $1000 up to $50,000 per infringement, and a maximum of $100,000 per year.
Tier 3: A category of violations where the entity willfully neglected all the HIPAA requirements, and as a result, a violation occurred. Although, the entity made efforts to rectify the violation in some cases. Fines for this tier range from $10,000 up to $50,000 per violation, and a maximum of $250,000 per year.
Tier 4: A category of violations where the organization was fully aware of the potential risks, willfully neglecting all the HIPAA requirements, and did not attempt to rectify the violation. Fines for this tier range from a minimum of $50,000 per violation to a maximum of $1.5 million per year for repeated violations.
Violations that are considered to be criminal in nature are handed over to the Department of Justice. From there, individuals at the practice involved in the violation could be held criminally liable. These types of violations could stem from the theft of PHI for financial gain or wrongful disclosures with malicious intent.
Criminal violations can be divided into three tiers, with the term and an accompanying fine decided by a judge based on the facts of each separate case. Here’s what they look like:
Tier 1: Up to 1 year in jail for reasonable cause or no knowledge of the violation
Tier 2: Up to 5 years in jail for obtaining PHI under false pretenses
Tier 3: Up to 10 years in jail for obtaining PHI with malicious intent or for personal gain
In addition to civil or criminal penalties, there are also Corrective Action Plans (CAP) to worry about. Not to mention, you might also risk losing the license to practice. These CAPs are enforced by the Office for Civil Rights (OCR) when a data breach occurs. These plans are often cumbersome and costly.
Nevertheless, it just goes to show that HIPAA violations could cost you more than you think. Hence the best way to go about this is to ensure that you are as compliant with the HIPAA law as possible by implementing all the necessary policies, procedures, and controls in place.
Understanding HIPAA is essential for you, your employees, and your practice as a whole. Make sure to deliver proper and timely HIPAA training to your workforce members and make a lifestyle out of HIPAA compliance.
Author Bio: Riyan N. Alam is a digital marketing analyst at CloudApper, a supplier of mobile ERP solutions, including HIPAA compliance software, facility management software, and many more. Combining his passion for reading books, he writes about subjects valuable to people and their daily lives. Riyan loves traveling and trading in his free time.