These are trying times for the healthcare industry. Resources across many facilities are being exhausted by the COVID-19 pandemic and previously unforeseen levels of patient traffic. But that’s not all: cyberattacks on the healthcare sector rose 150 percent in just the early stages of the pandemic, according to one report. The need for cyberdefense is clear. Now more than ever, the penalties for HIPAA violations pale in comparison to the other threats that compliance can help assuage.
That’s not to say the penalties should be taken lightly. The Health Insurance Portability and Accountability Act (HIPAA) exists to help businesses protect themselves and their patients. Its various penalties serve to encourage safety precautions companies should be taking anyway.
This quick guide will show you how.
What are the Penalties for HIPAA Non-Compliance?
It’s vitally important for all healthcare providers and adjacent businesses to ensure HIPAA compliance. Failure to do so is symptomatic of a broader disregard for cybersecurity, which means that an attack is imminent. Beyond legal penalties, cybercriminals can do short-term financial damage through direct theft and fraud, as well as long-term reputational harm.
Plus, the baseline financial and criminal penalties are not insignificant.
In the sections just below, we’ll break down all you need to know about penalties and fines for HIPAA non-compliance into three major areas:
- HIPAA violation penalties 101
- HIPAA enforcement 101
- HIPAA compliance 101
By the end of this guide, you’ll be well equipped to avoid the penalties detailed within. Let’s begin with a detailed look at the penalties that HIPAA non-compliance can entail.
HIPAA Violation Penalties 101
A great number of HIPAA violation complaints have been fielded since the act’s adoption.
Since 2003, HHS has received 242,743 complaints in total, of which 98 percent have been resolved. However, only 40,847 have necessitated an investigation. Of all cases investigated, 69 percent resulted in a finding of violation and corrective action. Correction doesn’t always involve a penalty; still, 28,279 cases warranted either the threat of a penalty or its enforcement.
In all such cases, the penalty would comprise some combination of:
- Civil money penalties (fines)
- Criminal penalties (jail time)
It’s worth noting that, of all enforcement results, compliance breach investigations make up a relatively small proportion. Compliance-related resolutions accounted for just over 300 resolutions compared to just under 300 thousand overall resolutions in 2019.
Nevertheless, noncompliance incurs fines, just like any other form of violation.
We’ll take a deeper dive into the investigation and enforcement process below. But first, let’s cover the exact values these penalties could entail for all these companies.
Civil Money Penalties: HIPAA Compliance Fines
Civil money penalties is the formal title given to HIPAA violation fines. These fines break down into three distinct categories (or levels) based upon the violating party’s knowledge of, and intent with respect to, the violation, as well as any measures taken to correct it.
- Ignorance – Violations in which the responsible party had no knowledge of the violation and could not have known of it using reasonable diligence. Fines include:
  - Not more than $100 for the first violation
  - Up to $50,000 for repeat violations
  - A maximum of $1.5 million per year
- Reasonable cause – Violations in which the responsible party knew of the violation, or could have known, but did not willfully neglect it. Fines include:
  - Not more than $1,000 for the first violation
  - Up to $50,000 for repeat violations
  - A maximum of $1.5 million per year
- Willful neglect – Violations in which the responsible party had full knowledge of the rules and deliberately broke them without reasonable (justifiable) cause. Fines break down further depending on whether the violation is corrected within a 30-day period:
  - Between $10,000 and $50,000 per violation that is corrected (totalling up to $1.5 million cumulatively over the course of a year)
  - A higher, flat rate of $50,000 per violation that is not corrected (totalling up to $1.5 million cumulatively over the course of a year)
Importantly, the $1.5 million dollar annual total applies to violations within the same level over the course of a year. Technically, this means that the total amount a party is charged in a given year, across all levels, could exceed this sum. But in practice, the levels are structured such that violations eventually all scale upward—one can only maintain ignorance for so long.
Criminal Penalties: Jail Time for Serious Violations
In addition to fines of over $1 million, the most serious HIPAA violations can also incur criminal sentencing and jail time for the responsible parties. Importantly, these penalties are not typically applied to passive matters of noncompliance. Instead, they are reserved for active criminal conduct, such as willful breach of privacy or security for financial gain.
According to an American Medical Association (AMA) briefing on HIPAA penalties, criminal penalties also break down into multiple tiers:
- Imprisonment of up to 1 year for knowingly sharing protected information improperly
  - In addition to a fine of up to $50,000
- Imprisonment of up to 5 years for offenses committed under false pretenses
  - In addition to a fine of up to $100,000
- Imprisonment of up to 10 years for offenses committed for financial gain
  - In addition to a fine of up to $250,000
Across the financial and criminal consequences you can face for violating HIPAA, it’s vitally important to avoid enforcement. But it’s also important to know what that process looks like.
HIPAA Enforcement 101
Administration of HIPAA is the responsibility of the US Department of Health and Human Services (HHS), which exists to ensure the well-being of all Americans. HHS oversees a wide variety of governmental functions, not limited to healthcare. For example, Freedom of Information Act (FOIA) requests about all government documents are processed by HHS.
Within HHS, enforcement for HIPAA penalties falls under the jurisdiction of the Office for Civil Rights (OCR), which also enforces various laws related to civil liberties and religious freedoms.
HIPAA violations have similar status to social justice initiatives; they’re taken seriously.
In addition to the OCR, HHS also works in conjunction with the US Department of Justice (DOJ) for criminal elements of HIPAA enforcement. Both OCR and DOJ are law enforcement agencies, and thus withhold information about ongoing investigations. But highlights of past enforcement procedures are available as a resource to help companies learn from others’ mistakes.
Process: How Are HIPAA Penalties Enforced?
HHS’s enforcement of HIPAA follows a defined yet flexible process adaptable to the specifics of any given complaint. When HHS receives a complaint of a potential HIPAA violation, the OCR begins a formal enforcement process with the goal of reaching a resolution.
That process takes the following steps:
- Intake and review – OCR determines whether the case will be investigated:
  - Resolution is reached if there is no apparent violation, or if the complaint was not filed within 180 days of the alleged violation.
  - An OCR investigation commences if a civil rule breach may have occurred; a possible criminal infraction triggers a DOJ investigation.
- Investigation – The OCR and/or DOJ determines whether there was an infraction, as well as the level of the violation (detailed above).
- Resolution – The OCR reaches resolution through:
  - Not finding any violation (whether at initial intake or after investigation)
  - Reaching agreement through voluntary compliance or corrective action
Importantly, formal investigation is not the only way in which OCR enforces HIPAA. It also performs compliance reviews to determine lower-level violations, as well as education and proactive outreach designed to help healthcare providers avoid investigation.
Covered Entities: Who Needs to Comply?
HIPAA regulations apply to nearly all players across the medical field—any business that stores, transmits, or otherwise processes personal health information (PHI). Specifically, there are three main kinds of covered entities to whom HIPAA regulations apply:
- Healthcare providers – Entities that administer healthcare services and process PHI, including but not limited to:
  - Hospitals, clinics, and private practices
  - Doctors, dentists, and other specialists
  - Nursing homes and pharmacies
- Health plans – Businesses or administrators responsible for administering health insurance, including but not limited to:
  - HMOs and company-provided plans
  - Health insurance companies themselves
- Healthcare clearinghouses – Organizations that process information, specifically translating it from nonstandard forms into standardized ones, including but not limited to:
  - Certain billing services
  - Information management systems
In addition, HIPAA limits the sharing of information to certain business associates with whom covered entities are partnered. Covered entities are responsible for confirming that these associates meet certain regulations with respect to their own cybersecurity and their use of the shared information. Failure to confirm this is itself grounds for a violation.
While these classifications can be confusing, HIPAA provides a simple self-assessment tool for companies to determine whether or not they must comply with HIPAA. For any such organization, compliance is the first step toward safeguarding PHI.
HIPAA Compliance 101
Compliance with HIPAA isn’t just a way to avoid the various fines and penalties outlined above. It’s also a necessary first step toward safeguarding your business against a vast array of cybercrime and other related costs. Leveraging your clients’ PHI, cybercriminals can potentially cause more financial harm to your company than any particular HIPAA fine.
Compliance with HIPAA is a process of understanding and abiding by the controls laid out across its four main rules:
- HIPAA privacy rule – The first rule establishes PHI as a protected class of information (PHI initially meant “protected health information”). It also defines regulations regarding:
  - Permitted use and disclosure of PHI without clients’ authorization
  - Clients’ own rights to obtain copies of their records for examination
- HIPAA security rule – The second rule establishes standards for protecting electronic information (ePHI) across administrative, physical, and technical controls that:
  - Ensure confidentiality, integrity, and availability of ePHI
  - Monitor, identify, and mitigate threats to ePHI’s safety
  - Ensure compliance across all personnel through training
- HIPAA enforcement rule – The third rule dictates all of the enforcement specifications, such as criteria and procedures, detailed in the prior sections.
- HIPAA breach notification rule – The final rule, also known as HITECH, specifies requirements for reporting the details of a data breach:
  - As soon as possible, but within no more than 60 days, for breaches impacting 500 or more individuals.
  - Within 60 days of the end of the calendar year, or sooner, for breaches impacting fewer than 500 individuals.
Maintaining all required controls for HIPAA compliance can be challenging, even for the most diligent healthcare providers with robust resources dedicated to this very purpose. That’s why, for many businesses, bringing in professional help is the best way to stay compliant.
Compliance Assistance: How to Ensure Ongoing Security
RSI Security is a full-service HIPAA assessor and advisor. What that means for your company is that we can help you along every step of your journey toward HIPAA compliance. Our dedicated HIPAA services include comprehensive preparation, assessment, and remediation to make sure that you not only achieve initial compliance, but are set up to maintain it over the long haul.
Not only will we make compliance easily accessible for you; we will custom-tailor a plan to integrate compliance into your everyday, business-as-usual procedures. We believe HIPAA compliance is most effective when implemented throughout your broader cybersecurity infrastructure—that way, every piece of your network is aimed at the same goal.
For everything that entails, we’re here to help.
Compliance and Cybersecurity, Professionalized
The team of experts at RSI Security boasts over a decade of experience providing comprehensive compliance and cybersecurity services to healthcare providers. We know how vitally important HIPAA compliance is for all covered entities, and we also know that many such companies have other compliance obligations, including but not limited to:
RSI Security is equipped, ready, and happy to help you with all your compliance needs.
Additionally, we know that compliance isn’t the end of cybersecurity; it’s just the start. Whether you’re looking to shore up your firewall and web filtering, or conduct detailed penetration testing to get at the root of your vulnerabilities, we can help. We’re your first and best option for any and all cyberdefense solutions you may need to keep your company and stakeholders safe.
To stop worrying about fines for HIPAA violations, contact RSI Security today!