HIPAA laws exist to maintain the integrity of all healthcare services by protecting patient privacy. As such, the consequences of HIPAA violations can cripple a healthcare business for years. Some organizations never recover from their damaged reputation and the financial burdens associated with remediation and penalties.
Intentional violations can cost a company millions of dollars, along with criminal charges for guilty individuals. Neglect, even if unintentional, can still cost thousands of dollars worth of fines on top of employee termination and sanctions.
Just because a violation goes undiscovered does not guarantee that it will not one day come to light. And because the consequences of HIPAA violations can be retroactive, an organization will likely pay the price of years’ worth of HIPAA privacy infractions if they fail to take compliance seriously.
What Healthcare Organizations are Required to Follow HIPAA Regulations?
Technically, there is no healthcare organization that does not manage protected health information, or PHI, to some degree. That’s why every healthcare facility and their business associates are liable under HIPAA Privacy Law, otherwise known as the HIPAA Privacy Rule.
HIPAA refers to healthcare organizations as covered entities. Covered entities include a host of different companies, including auxiliary service providers to healthcare organizations.
What is a Covered Entity?
A covered entity is a medical facility or business, including hospitals and private practices. These covered entities are also medical billing and insurance agencies, to include outsourced billing. For the sake of the greater healthcare system, there are typically many different organizations gathering, organizing, and managing PHI to efficiently serve patients and their healthcare providers.
The Privacy Rule names covered entities as health plan providers, healthcare providers, and healthcare clearinghouse. Third-party vendors serving a business within one of those three categories are also required to be HIPAA compliant.
Are Other People or Organizations Also Accountable to the HIPAA Privacy Law?
Any organization that manages PHI must be HIPAA compliant. The consequences for breaking HIPAA laws are very serious. In cases where individuals or organizations have not considered a covered entity break compliance, the healthcare agency that partnered with the guilty party may also be held liable.
People or organizations that lawfully come into contact with or manage PHI on behalf of a covered entity are commonly referred to as business associates in HIPAA Privacy Law. These associates include independent contractors and subcontractors. Employees of covered entities are also required to be HIPAA compliant.
Assess your HIPAA / HITECH compliance
PHI and the Consequences of HIPAA Privacy Violations
“A major goal of the Privacy Rule is to assure that individuals’ health information is
properly protected while allowing the flow of health information needed to provide
and promote high quality health care and to protect the public’s health and well being.” – United States Department of Health and Human Services
Protected health information includes all personal data, such as the patient’s social security number, contact information, and medical history. Neglectful actions pertaining to PHI can lead to a patient having their identity stolen, as well as face a host of other billing and treatment issues.
Whether intentionally or unintentionally, misuse of PHI can ruin a patient’s life and cause that patient and their loved ones to lose faith in medical professionals. That’s why the HIPAA Privacy Law exists. Any business managing PHI that has not taken active steps to become HIPAA compliant should do so immediately.
What are the Most Common Kinds of HIPAA Violations?
Last year, The HIPAA Journal published a report detailing the most common HIPAA violations. Of the violations listed, most pertained to employee bad behavior or neglect. Organizations that fail to properly vet and train their staff stand to suffer the most if faced with an OCR investigation.
The second most common category of HIPAA violation exists as a result of failing to maintain basic cybersecurity policies and procedures. These infractions were preventable had organizations initiated information risk management, encryption, or incident detection and response protocols.
Other common types of HIPAA violations included inappropriate disclosures of PHI to employees or business associates; failure to grant patient access requests; and incorrect, untimely, or insufficient disposal of PHI. To avoid these common HIPAA violations, covered entities and their business associates should consult a HIPAA Security Rule Checklist.
Download Our HIPAA Compliance Checklist
Top Five Consequences of HIPAA Violations
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the enforcement agency that may take action against a person or organization that fails to meet HIPAA Privacy Law compliance. OCR investigations can result from random audits, anonymous reports, or security breaches gone public. Here are the five most common consequences of HIPAA violations.
-
Financial Penalties
The OCR may fine a healthcare organization several thousand dollars per HIPAA violation. Financial penalties vary depending on how grievous the covered entity’s negligence. If an investigation determines that serious violations occurred on purpose, fines could reach the maximum $1.5 million annually.
There are four tiers of OCR financial penalties. Each tier corresponds to “the level of harm.”
- $100-5,000/violation
- $1,000-50,000/violation
- $10,000-50,000/violation
- $50,000 or more per violation
A financial penalty is the most common consequence of breaking HIPAA. FileFax Inc. and Anchorage Community Mental Health Services, for example, both paid over $100,000 in fines after “improperly disposing of medical records” and neglecting basic cyber risk management, respectively. In 2017, Memorial Healthcare System paid an epic $5.5 million settlement after company employees collected PHI illegally. A year later, Anthem submitted to OCR fines in excess of $15 million for ePHI security breaches that occurred in 2015.
-
Loss of income (Medicare payments)
Medicare remains one of the largest medical plan providers in the United States. Failing to comply with HIPAA Privacy Law can result in Medicare withholding sizable portions of Medicare payments.
-
Termination of an Employment Contract
In nearly every case of HIPAA violations, multiple employees lost their jobs. Even in cases of unintentional negligence, workers not adhering to HIPAA and their employer’s privacy policies and procedures may not retain their jobs. After firing responsible parties, covered entities still face OCR fines or plaintiff settlements once investigators take stock of the damage.
-
Criminal Charges
The most sobering reality of any HIPAA violation – whether willful or otherwise – is that if damage is severe enough, people can face criminal charges, along with time in jail. HIPAA Privacy Law sets clear boundaries for covered entities, employees, and business associates.
Similar to financial penalties, criminal charges for violating HIPAA privacy law are broken into three tiers. Each tier is based on the intentions of the person that illegally accessed or exposed PHI.
- Up to 12 months incarceration for “no knowledge of violation”
- Up to five years for intentional deception to access PHI
- Up to ten year for “malicious intent”
-
Sanctions
All employees have a responsibility to report HIPAA violations in the workplace. On top of firing employees that intentionally or unintentionally break HIPAA protocols, employees that knew about the violations but failed to act can also face HIPAA sanctions.
Between terminations and sanctions, healthcare organizations stand to raise their costs significantly as a result of employee turnover on top of fines paid to the OCR or plaintiffs.
Key Takeaway – The Impact of Violating a Client’s HIPAA Rights
Recovering from the consequences of HIPAA violations is extremely challenging, and for some businesses, is impossible. That’s why it is critical your organization takes HIPAA Privacy Law seriously.
RSI Security helps covered entities and their business associates protect themselves and their clients from HIPAA noncompliance. Our team of HIPAA security experts can perform in-depth risk analyses, oversee HIPAA compliance training, and secure your network from unauthorized access or cyber intrusions.
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.