HIPAA violation cases occur all the time, and it’s up to your organization to maintain compliance. A violation can cost a business thousands of dollars, and in cases of extreme negligence, fines can reach into the millions. Criminal charges can also result. It is critical that your business understands and adheres to HIPAA compliance.
Continue reading to learn more about the importance of HIPAA, HIPAA penalties, and recent HIPAA violation case examples that highlight just how much your business could lose.
What is HIPAA and why is it important?
HIPPA stands for the Health Insurance Portability and Accountability Act. It is a US Federal Law that sets national standards for protecting patient information from being disclosed without their knowledge or consent. In order to meet HIPAA compliance, all organizations dealing with protected health information (PHI) and electronically protected health information (ePHI) need to have physical, network, and process security measures in place that are always adhered to.
HIPAA is actually beneficial to the healthcare industry, because it streamlines administration functions, enhances employee efficiency, and makes it easy to securely store and transmit sensitive information so that patient privacy is always maintained.
To learn more about HIPAA and its importance, read our article What Does HIPAA Stand For and Why Is It Important?
Download HIPAA Compliance Checklist
HIPAA violation classifications and costs
The Department of Health and Human Services’ Office for Civil Rights (OCR) generally resolves most HIPAA violations through non-punitive measures and voluntary compliance. They offer technical guidance so that a covered entity or business associate can establish policies and procedures to prevent future violations. In the case of egregious or repeated violations of HIPAA Rules, the OCR can issue a range of financial and/or criminal penalties.
There are four tiers of financial penalties for HIPAA violations:
Tier 1: The covered entity was unaware of the violation and could not have realistically avoided it. A reasonable amount of care was taken to abide by HIPAA Rules. Minimum fine of $100 per violation up to $50,000, with an annual maximum of $25,000 for repeat violations.
Tier 2: The covered entity, if following due diligence, should have been aware of the violation, but the violation still falls short of willful neglect. Minimum fine of $1,000 per violation up to $50,000, with an annual maximum of $100,000 for repeat violations.
Tier 3: The covered entity willfully neglected HIPAA Rules, but corrected the violation within the required time period. Minimum fine of $10,000 per violation up to $50,000, with an annual maximum of $250,000 for repeat violations.
Tier 4: The covered entity willfully neglected HIPAA Rules and made no attempt to correct the violation. Minimum fine of $50,000 per violation, maximum $1,500,000.
In addition to these institutional liabilities, employees of healthcare organizations can be held personally responsible for willfully neglecting HIPAA Rules and subject to fines and/or criminal charges.
Criminal penalties for HIPAA violations:
Both institutions and individuals can be criminally liable for violations of HIPAA Rules. At the lowest tier, violators can receive up to a year in prison and/or a $50,000 fine. Gross negligence, such as intentionally breaking HIPAA Rules and attempting to conceal it, can result in up to five years in prison and a $100,000 fine. The most egregious violations, such as stealing PHI with the intent to sell it, can result in ten years in prison and $250,000 in fines.
HIPAA violation examples and how to avoid them
Unsecured records
Keeping unsecured records is in direct violation of HIPAA Rules, as safeguarding PHI is what the Rules are all about. All administrative officials and staff members responsible for handling PHI are required to keep the documents in a secured location at all times. Physical files should be under lock and key, whether that be in a filing cabinet, desk, or office, and digital files containing ePHI should be password-protected and encrypted.
Unencrypted data
Encrypting patient data isn’t strictly required under HIPAA, but it is required by some states. Even if it is not required by your state, encrypting ePHI is strongly recommended. If the worst should happen and your system is hacked, encryption is an additional layer of security preventing the loss of your patients’ private information and safeguarding your business from significant fines.
Poor device security and record disposal
Devices like smartphones and laptops can be easily lost or stolen if they aren’t kept in a secure location. If an employee’s device contains unencrypted ePHI and isn’t password-protected, it becomes a far more severe issue than just a lost phone, as the private information of both patients and staff could easily fall into the wrong hands. The same can be said of records containing PHI and ePHI that aren’t disposed of properly. If any records contain PHI, such as social security numbers or medical diagnoses and procedures, they should be shredded or completely scrubbed from the hard drive.
Insufficient employee training
Every employee who handles PHI needs to be properly and thoroughly trained. Being ignorant of a HIPAA violation won’t save the individual responsible or your organization from significant penalties. According to HIPAA Privacy and Security Rules, training is mandatory for both PHI and ePHI. Ensure each member of your staff is completely up to date and understands the proper practices for handling private patient information.
Hacking
Cybercriminals present a real danger to the safety of medical ePHI. It may seem implausible that your healthcare office could be the victim of cybercrime, but hacks happen every day, and if your ePHI isn’t secure, the future of your business could be in jeopardy. To safeguard your organization from hacking, keep all antivirus software up to date, use strong passwords, and encrypt your data wherever possible.
HIPAA violation cases
HIPAA violations can cost your business significantly depending on the severity of the offense and level of perceived negligence discovered within your organization. The following are just a few recent HIPAA violation case examples that highlight just how much your business could lose if you fail to comply with HIPAA Rules.
- On July 27, 2020, Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island, had to pay a $1,040,000 fine and agree to implement a corrective plan to address their HIPAA violations in response to the theft of an affiliated hospital employee’s laptop in 2017 that contained ePHI. The breach affected 20,431 people due to Lifespan ACE’s failure to encrypt their data.
- On July 23, 2020, Metropolitan Community Health Services (Metro), doing business as Agape Health Services, had to pay a $25,000 fine and agree to implement a corrective plan to address their HIPAA violations after disclosing PHI to an unknown email account in 2011. The breach affected 1263 patients due to Metro’s systematic noncompliance with HIPAA.
- On September 21, 2020, Athens Orthopedic Clinic PA (Athens Orthopedic) had to pay a $1,500,000 fine and agree to implement a corrective plan to address their HIPAA violations after someone hacked into their database in 2016 and sold their ePHI online. The breach affected 208,557 people—patients had their names, social security numbers, health insurance information, medical procedures, and test results posted online for sale due to Athens Orthopedic’s widespread noncompliance with HIPAA.
The three types of HIPAA safeguards
Administrative safeguards
Administrative safeguards outline the policies and procedures your organization needs to implement to safely handle PHI. They detail the steps your employees should follow if they encounter a data breach. If the worst happens and your system is hacked, there’s no time to lose. A clearly defined set of actions will help everyone in your organization mitigate a crisis.
Physical safeguards
Physical safeguards outline the security measures that need to be implemented in offices and organizations that store physical copies of PHI, including properly securing and limiting access to workstations that store PHI.
Technical safeguards
Technical safeguards refer to ePHI exclusively. They are policies and protections that focus on ensuring only authorized people can access ePHI via devices and networks. They involve implementing technical security measures through hardware, software, and procedural mechanisms.
Jasco can help you maintain HIPAA compliance
Understanding the importance of HIPAA and risk of HIPAA penalties can be a challenge. If you need to implement or update your HIPAA compliance but don’t know where to begin, Jasco can help. We offer IT services dedicated to both healthcare organizations and dental offices. Contact us today to get started.