Once upon a time, patients had no control over how their medical data got used and distributed. Employers could ask health care providers about the health conditions of an employee.
That information got used to check on employees and it often violated the privacy rights of employees. Everyday people had to rely on state laws to protect them since there wasn’t a federal law on the books.
In 1996, Congress passed the Health Information Portability and Accountability Act. This national legislation created HIPAA violation penalties to hold entities accountable for privacy violations. It also protected the healthcare privacy of individuals.
Read on to learn what the penalties for violating HIPAA are and how you can avoid them at your organization.
HIPAA Violation Penalties
The penalties for violating the law can be severe. The amount depends on whether the organization was aware of the violations and whether they were fixed in a timely manner.
At the low end of the scale, a person or entity that unknowingly violates HIPAA gets a penalty between $100 and $50,000 per incident. The maximum penalty is $25,000 for repeat violations.
If there is reasonable cause to believe that the violations were knowingly committed, the fines increase to between $1,000 and $50,000 per incident. The maximum for repeat violations is $100,000.
In cases where there is willful neglect, but they’re fixed, the fines range from $10,000 to $50,000 per incident. The maximum is $250,000 for repeat violations.
What if your case has willful neglect and it’s not addressed? Well, look for penalties to start at $50,000 per violation and go all the way up to $1.5 million per violation.
What’s the largest penalty assessed on a business? That distinction goes to Anthem, which was fined about $16 million in 2018.
Criminal HIPAA Violation Penalties
In the worst-case scenario, if you or anyone at the organization knows about a violation and does nothing about it, the violations become criminal.
Criminal violations involve knowingly giving or getting identifiable health information, which reveals a patient's personal health details along with their records.
A person or entity could face a $50,000 fine and 1 year in prison. If fraud was involved, the penalties increase to 5 years in prison and a $100,000 fine.
Finally, if an entity or person obtains the information illegally with the intent to sell or distribute that information, they face 10 years in prison and a $250,000 fine.
How Is HIPAA Enforced?
HIPAA is enforced by the Office of Civil Rights (OCR), a department within the U.S. Department of Health and Human Services. A person has to file a complaint with OCR if they believe their privacy rights were violated.
OCR will only investigate complaints filed within 180 days of the violation, and only where a covered entity committed the violation.
Once the investigation is over, OCR issues a letter to the company in question and the person who filed the complaint. The letter will detail if the entity didn’t comply and the remedies that need to take place.
They may need to take corrective action within a certain timeframe and agree to a settlement.
If the entity doesn’t resolve the matter, then OCR will assess one of the penalties described above. If you believe that your entity was unfairly treated or shouldn’t have penalties, you can request a hearing with an administrative law judge from the Department of Health and Human Services.
Since 2003, the Department of Health and Human Services has received more than 200,000 HIPAA violation complaints.
Each complaint was investigated and only 85 organizations were found to have intentionally violated the law. As a result, these companies were given fines of more than $128 million.
Who Is Covered and Not Covered by HIPAA
One of the things that you need to know about HIPAA enforcement is what is considered a covered entity. HIPAA doesn’t apply to all businesses.
Covered entities under HIPAA are healthcare clearinghouses, health care insurance plan providers, and healthcare providers.
You may be surprised to learn which entities aren't required to abide by HIPAA. Personal trainers and gyms, for example, often need access to your healthcare records to create workout plans that are safe, yet they are not covered entities.
Naturopaths and alternative health professionals are healthcare providers, but they don't fall under the definition of a covered entity either.
These businesses should have HIPAA compliance in place anyway. It is a gray area for enforcement officials and having HIPAA compliance in place puts patients at ease.
Government entities such as law enforcement and municipal agencies also don't fall under HIPAA compliance regulations.
Developing HIPAA Compliance
How can you make sure that your entity is HIPAA compliant? Start by auditing your existing systems. You’ll need to know the law very well and find areas in your systems where you’re vulnerable.
Having some kind of HIPAA reporting in place is essential. This is where you create a set of standards and policies within your organization to ensure compliance.
Review the policies that you have in place and ensure that your employees understand how to remain in compliance. Remind them that they are still held liable for knowingly or unknowingly violating HIPAA. It’s in every employee’s best interest to understand the law and comply with it.
What Is a HIPAA Violation?
HIPAA is one of the most sweeping privacy laws to impact the healthcare industry. Providers have to remain in compliance with the law, or they face very stiff fines and penalties.
A HIPAA violation is the misuse of patient data, whether you intentionally do it or not. HIPAA violation penalties can be severe. The most severe penalties include jail time.
Fortunately, the way these cases get investigated, you do have a chance to settle the issue before penalties and fines get assessed.