HIPAA violations can incur monetary fines and other penalties that scale with the severity of an offense. In worst-case scenarios, HIPAA violations could even lead to jail time.
Want to learn how you can avoid HIPAA penalties? Request a consultation today.
Everything You Need to Know about HIPAA Violations
If your organization deals in protected health information (PHI), you’re likely subject to the Health Insurance Portability and Accountability Act (HIPAA). Failure to safeguard PHI could result in HIPAA violations and penalties, enforced by HIPAA’s governing body, the Department of Health and Human Services (HHS). The full scope of the stakes in these violations includes:
- What constitutes a violation—and the Tiers of severity
- What kinds of penalties can be assessed for violations
- How HIPAA penalties are enforced by the HHS
- How to avoid HIPAA violations and penalties
If you’re concerned about potential HIPAA violations, contact a compliance advisor immediately.
HIPAA Violation Tiers: Levels of Severity
An event is considered a HIPAA violation when an investigation by the HHS’s Office of Civil Rights (OCR) determines it to be. Any instance in which any of the HIPAA rules are not followed could constitute a HIPAA violation. However, the OCR decides the Tier of violation based on the specific manner in which a rule is broken. At present, the tiers break down as follows:
- Tier 1 Violation – This applies to situations where a Covered Entity was unaware of an incident causing a violation or if the specific circumstances could not have been avoided.
- Tier 2 Violation – This applies when a Covered Entity should have been aware of the circumstances leading to a violation but failed to apply an appropriate amount of care.
- Tier 3 Violation – This applies when a Covered Entity shows “willful neglect” of their HIPAA responsibilities, leading to a PHI breach, but has taken action to correct the issue.
- Tier 4 Violation – This applies in cases where a Covered Entity has both shown willful neglect regarding their HIPAA responsibilities and not taken steps to correct the issue.
The Tier is identified as part of the OCR’s Enforcement Process and determines what level of monetary and other penalties will be assessed—see below for more information on both.
Request a Consultation
Covered Entities and Business Associates Under HIPAA
A critical part of each tier’s definition is that it applies to Covered Entities. These parties, defined in the HIPAA Privacy Rule, include many organizations both within and adjacent to healthcare.
To begin with, organizations directly covered under HIPAA include healthcare providers (doctors, clinics, etc.), health plan administrators (HMOs, insurance companies, etc.), and healthcare clearinghouses (community health information systems, payment processors, etc.).
However, HIPAA rules also apply to select Business Associates of Covered Entities. Parties such as attorneys, accountants, or consultants who come into contact with PHI also need to safeguard it per the HIPAA rules. Their commitment to doing so needs to be laid out in Business Associate Contracts, arranging a shared responsibility model with partnered Covered Entities.
This means that HIPAA violations—and costs—can befall organizations “outside” of healthcare.
HIPAA Penalties: The Cost of a HIPAA Violation
In assessing HIPAA penalties, the OCR takes into consideration the minimum and maximum Civil Monetary Penalty (CMP) amounts allotted for each Tier. CMPs are fines paid to the OCR.
All Tiers feature a maximum annual fine cap of $1,919,173, meaning that the sum total of all related fines for a single resolution should not exceed that number. However, the minimum fine for Tiers 1 to 3 increases steadily, and Tier 4 features a higher maximum per-violation fine:
- Tier 1 CMP – Organizations are fined between $127 to $63,973 per violation.
- Tier 2 CMP – Organizations are fined between $1,280 to $63,973 per violation.
- Tier 3 CMP – Organizations are fined between $12,794 to $63,973 per violation.
- Tier 4 CMP – Organizations are fined between $63,973 to $1,919,173 per violation.
What this all means is that a single violation of the highest severity can incur the maximum annual fine. It should be noted that these amounts are adjusted for inflation and reflect an increase from earlier penalties ($50,000 maximum for Tiers 1 to 3 and minimum for Tier 4).
In addition, these are far from the only costs of a HIPAA violation. There are also indirect costs of reputational damage and potential lost business, along with criminal penalties for individuals.
Criminal Penalties for the Most Severe Violations
In the most severe cases, the OCR will work with the Department of Justice (DOJ) to determine whether criminal charges also apply to a HIPAA violation. These penalties operate on their own separate but closely related Tier system. At present, criminal penalties break down as follows:
- Tier 1 Criminal Penalties – Up to a year in jail for reasonable cause or no knowledge
- Tier 2 Criminal Penalties – Up to five years in jail for using PHI under false pretenses
- Tier 3 Criminal Penalties – Up to 10 years in jail for personal gain or malicious intent
These are among the most severe HIPAA violation penalties for employees, which can apply in addition to and irrespective of the CMPs detailed above—depending on the OCR’s findings.
Enforcement: How HIPAA Violations are Resolved
The HIPAA Enforcement Process determines whether or not a HIPAA violation has occurred, at what Tier, and what remedies the OCR seeks to resolve the issue, with or without penalties.
First, HIPAA violation reporting results in a complaint. An intake and review procedure begins, wherein the OCR may determine resolution if the incident does not violate HIPAA rules. If it happened more than six years ago, if the entity is not covered, or if the complaint was not filed within 180 days of the incident, it may be resolved, and enforcement may not be pursued.
However, if these criteria aren’t met, the OCR will investigate further, possibly involving the DOJ.
Ultimately, a resolution is reached if the OCR finds no violation, provides technical assistance, issues a formal finding, declines to investigate further, or reaches an agreement with the entity. The agreement typically includes a voluntary compliance plan and penalties, as detailed above.
Recent HIPAA Violation Examples and Settlements
While HIPAA penalties can impact individual employees and stakeholders, the primary purpose of enforcement is to prevent employers and other large institutions from exposing PHI at scale.
Some prominent, recent examples of HIPAA violations by employers include the following:
- A 2016 hack at Banner Health impacted three million people’s PHI; in February 2023, Banner Health agreed to pay $1.25M and implement a corrective action plan (CAP).
- Oklahoma State University (OSU) reached a 2022 agreement involving a CAP and payment of $875,000 to the OCR over improper PHI disclosure in 2016 and ‘17.
- In 2021, a New England based dermatological organization was found to have disposed of PHI inappropriately. Their 2022 agreement included a CAP and payment of $300,640.
As these examples show, the reasons for HIPAA violations vary widely. The best way to avoid CMPs and other costly consequences of a violation is to ensure seamless compliance.
HIPAA Compliance: How to Avoid HIPAA Violations
Any violation of HIPAA’s prescriptive rules can trigger the Enforcement Rule. Unlike certain other compliance frameworks, HIPAA does not require regular audits for certification. Instead, Covered Entities are assumed to be compliant unless an incident occurs and the OCR has cause to investigate. While this may seem like a relatively lax regulatory environment, the Enforcement process and fines above show that it is not. To avoid them, you need to comply.
HIPAA compliance requires abiding by the Privacy, Security, and Breach Notification Rules.
How to Uphold the HIPAA Privacy Rule
The Privacy Rule defines PHI, covered entities, and foundational elements of HIPAA. It’s the most expansive rule, and it informs all other parts of HIPAA compliance. It’s also relatively straightforward in terms of its aims, even if the methods required to fulfill them aren’t clear.
For practical purposes, the biggest burden of the Privacy Rule is restricting access to PHI. It needs to be limited to uses authorized by the data subject or a Permitted Use or Disclosure:
- Disclosures to the subject of the PHI or their representatives
- Uses in the service of healthcare treatment, payment, or operations
- Disclosures or uses that the subject has been given an opportunity to reject
- Insignificant uses or disclosures incidental to other authorized instances
- Uses in the service of the public interest or public benefit projects
- Uses of limited data sets for the purpose of approved scientific research
Beyond these baseline limitations, organizations also need to limit all uses by the principle of “minimum necessary.” That is, the least amount of PHI should be exposed to the fewest people and in the most restricted way possible within the parameters of a permitted or authorized use.
Failure to meet any of these requirements could constitute a breach or HIPAA violation.
How to Uphold the HIPAA Security Rule
The Security Rule spells out specific controls organizations should implement to meet Privacy Rule requirements. The initial purpose of the Security Rule was to extend these protections to electronic PHI (ePHI), but it has evolved to apply all of its requirements to all PHI environments.
The Security Rule ensures the confidentiality, integrity, and availability of PHI by requiring covered entities to identify and prevent threats and install three kinds of safeguards:
- Administrative Safeguards – Managerial-level controls, including:
- Security management processes for managing risk
- Clearly defined security personnel and responsibilities
- Identity and access management (IAM) protocols
- Staff cybersecurity training and awareness programs
- Periodic evaluation of security governance
- Physical Safeguards – Environmental restrictions to access, like:
- Entry restrictions and control over entire facilities
- Security measures instituted on individual devices
- Technical Safeguards – Software and application solutions, such as:
- Software and application-level IAM protections
- Regular auditing of the IT environment
- Monitoring for integrity across all PHI
- Secure transmissions across networks
As with the Privacy Rule, failure to implement the controls and risk monitoring requirements of the Security Rule could constitute a HIPAA violation—whether it impacts ePHI or other PHI.
Understanding HIPAA Breach Notification
If the Privacy or Security Rule is broken in any way, that might constitute a data breach. In these cases, Covered Entities need to provide notice to several parties (see below) to describe the specific circumstances that led to the breach, its nature, and actions taken to remedy it.
There are three kinds of notice organizations may need to provide if a breach occurs:
- Individual Notice – Individuals impacted by a HIPAA breach need to be notified by the Covered Entity in writing (by mail or email) within 60 days of the breach’s discovery.
- Secretary Notice – Covered Entities must also notify the HHS Secretary of all data breaches within 60 days if under 500 people are impacted and annually if more are.
- Media Notice – If a breach impacts more than 500 people within a given jurisdiction, the Covered Entity must contact a prominent media organization servicing that location.
Failure to provide any of these kinds of notices, for any reason, may trigger a HIPAA violation.
HITRUST Certification and HIPAA Compliance
For organizations straddling healthcare along with other regulated industries, or location-based compliance, there is an alternative approach to HIPAA compliance. The HITRUST CSF is an omnibus certification program that combines rules and assessment protocols from HIPAA and other regulations into one streamlined framework. Organizations work with a HITRUST advisor, scope out and implement controls, and conduct an assessment for HITRUST Certification.
In this way, you can “assess once, report many” to meet the compliance requirements of HIPAA, PCI, NIST, and many other frameworks all at once. HITRUST controls can’t guarantee that HIPAA violations won’t occur, but they are an excellent way to prevent and recover from them.
Optimize Your HIPAA Compliance Today!
If your organization operates in or adjacent to healthcare, you need to safeguard PHI according to the Privacy and Security Rules to avoid a breach. If a breach occurs, you’ll need to notify several parties according to the Breach Notification Rule. Failure to follow any of these rules could result in a HIPAA violation and penalties depending on the level of severity.
Working with a compliance advisor like RSI Security is the best way to avoid violations and their costly consequences. We believe in going above and beyond to ensure any PHI you come into contact with is secured. Discipline creates freedom, minimizing risk to your organization.
For further guidance on avoiding HIPAA violations, contact RSI Security today!