What You May Not Know About HIPAA Penalties Could Cost You
By now, most healthcare professionals are familiar with HIPAA, or the Health Insurance Portability and Accountability Act. Designed to set and enforce privacy standards to protect patients’ medical records and other health information, HIPAA regulations come with strict and enforceable legal and financial penalties. While it’s imperative for health care providers and their business associates to abide by the administrative and privacy regulations of HIPAA in practice, it’s also important to actively prevent security breaches, and if a breach does occur, to report it in a timely manner. If not, your negligence could lead to hefty fines or harsh penalties.
HIPAA guidelines have established categories of violations that you may be subject to as a medical practice, dental practice, or other healthcare provider (referred to as a “covered entity”). HIPAA violations fall into one of four categories:
- Category 1: The covered entity was unaware of the violation, could not have realistically avoided it, and showed a reasonable amount of care towards abiding by HIPAA rules.
- Category 2: The covered entity should have been aware of the violation, but could not have avoided it even with a reasonable amount of care.
- Category 3: The covered entity caused a violation by showing willful neglect of HIPAA rules, but an attempt has been made to correct the violation.
- Category 4: The covered entity showed willful neglect in violating HIPAA rules, and no attempt has been made to correct the violation.
Each of these categories carries its own minimum fine per violation, scaled to the severity of the offense. Fines range from hundreds to thousands to upwards of millions of dollars, and each fine may be multiplied to reflect the duration of the violation. For example, a $50,000 fine could be multiplied by 365 days if the violation persisted over the course of a year.
If you work in the healthcare industry or in any way come into contact with protected health information (PHI, or ePHI if it is in electronic format), you need to be aware of the HIPAA rules currently being enforced. These cover not only privacy, security and administrative requirements, but also the procedure by which a data breach is reported to the Office for Civil Rights (OCR). The HIPAA Breach Notification Rule requires covered entities to notify the individuals affected when their ePHI is compromised, leaked or stolen. Depending on the severity of the breach, the covered entity may also be required to report it to media outlets and have its practice’s name listed on the OCR’s breach report website. The Breach Notification Rule further requires business associates (BAs) of covered entities to notify the covered entity of breaches affecting the business associate. Typical BA companies include clinical research organizations (CROs), IT service providers, paper shredding companies, and even building maintenance services. In short, every “link in the chain” is held accountable for any violation that results, whether from negligence or from a deliberate criminal act.
The part of HIPAA that governs compliance enforcement for business associates is the Omnibus Rule. Enacted in 2013, it amends and expands existing HIPAA law. Its aims are to further improve patient privacy, give individuals expanded rights over their health information, and strengthen the US government’s ability to enforce penalties for violations. Note that business associates are now responsible for responding to any non-compliant subcontractor with whom they have entered into a Business Associate Agreement (BAA).
Failing to achieve and maintain HIPAA compliance not only jeopardizes the patients whose information is exposed; it can also result in a severe financial burden or even the loss of your credibility. And the prevalence of reported violations is increasing. Settlements in 2016 totaled more than in any prior year, at over 20 million dollars. Physicians have had their medical licenses revoked, and violators have even been sent to prison for exposing ePHI.
Make no mistake: it is absolutely critical to stay informed about the specific details of HIPAA privacy law, especially with respect to the information technology resources through which highly sensitive information is constantly exchanged and accessed. Ignorance of the law does not excuse you from the legal consequences of HIPAA violations, and the law is strictly and firmly enforced. Don’t put your practice or your career in jeopardy over what may seem a minor infraction; take the steps to minimize risk for both yourself and those with whom you work.