This is a user generated content for MyStory, a YourStory initiative to enable its community to contribute and have their voices heard. The views and writings here reflect that of the author and not of YourStory.

Penalties For Violating HIPAA

Working with ePHI can be risky if you're not aware of the penalties that can be levied against you or your company when working with sensitive health informaiton.

Penalties For Violating HIPAA

Monday December 10, 2018,

5 min Read

The sensitivity of health information triggered federal governments to institute compliance regulations to ensure that the privacy of patients is upheld at all times. The establishment of the Healthcare Insurance Portability and Accountability Act (HIPAA) heightened the security of Protected Health Information (PHI) as well as the electronic Protected Health Information (ePHI). If your firm fails to comply with HIPAA, you risk facing severe penalties!

Overview (What is HIPAA?)

HIPAA is a law that was enacted in 1996 to protect sensitive health information. The law has been revised severally including:

  • In 2003, the US Department of Health and Human Services (HHS) revised HIPAA to incorporate the Privacy Rule
  • In 2005, the HIPAA Security Rule was updated to include the protection of electronic Private Health Information. The update developed several procedures to provide safety guidelines when handling, storing or transmitting sensitive health data electronically. For example, physical safeguards were introduced to prevent unauthorized access to the data. Also, organizations must develop technical safeguards where they’ll be required to safeguard the transmission of data over open networks.

All these safeguards should comply with the HIPAA requirements.

What are HIPAA Covered Entities and Business Associates?

HIPAA defines covered entities as all institutions or individuals that interact directly with PHI and ePHI. The entities may include all healthcare providers (doctors, clinical officers, nurses, midwives, caregivers, pharmacies dentists, psychologists, and chiropractors), health care clearinghouses (processes non-standard data to standard data format), as well as those who provide health plans. The health plan providers may include the HMOs, health insurance companies, Medicare, and military health programs.

Business associates are individuals or entities that gain access to PHI and ePHI due to the services that they provide to the covered entities. For example, auditing firms or a CPA specialist who would require to access the private health data for accounting reasons. While this is risky, the hospital cannot forego the auditing system. As such, it is the obligation of the management to ensure that the business associates comply with HIPAA regulations to guarantee the security of the PHI and ePHI.

HIPAA regulations require that all the entities that involve business associates in their operations should use a written contract that explicitly explains the responsibilities of the business associate in protecting PHI and ePHI.

Who is in Charge of HIPAA?

The Office of Civil Rights (OCR) is obliged to ensure the implementation of the HIPAA Privacy and Security Rules. The agency provides a platform where aggrieved consumers can complain against specific actions by the covered entities and business entities. Some of these platforms include their website, email, postal mail address, and fax.

What are the Penalties for HIPAA Non-Compliance?

When you fail to follow HIPAA regulations, you will be tracked by the regulatory body and, if indeed guilty, you will pay monetary penalties. These regulations were strengthened by the adoption of the Consolidated Omnibus Budget Reconciliation Act (COBRA) which introduced more penalties to trigger widespread compliance.

The Office of Civil Rights can impose several tier-based fines for HIPAA non-compliance. The magnitude of the fine depends on whether the covered entity/business associate deliberately or unknowingly violated the HIPAA regulations.

For first-tier, the penalty can be $100 for every unknowing violation with a maximum of $25,000 for repeat violations. However, this amount is not static and can go up to $50,000 per violation with a maximum of $1.5 million every year depending on the assessment of the regulatory body.

If you face the second-tier penalty, you will pay a maximum of $1000 per violation with a maximum penalty of $100,000 annually. Just like in the first-tier, the maximum fine for every reasonable reason for violation is $50,000 with a maximum of $1.5 million per year.

The third-tier penalties are meant for those covered entities/ business associates that deliberately neglected the HIPAA regulations. Each penalty at this level is fined a minimum of $10,000 and repeat violations are charged up to $250,000 annually. The maximum penalty that you can pay per violation is $50,000 with the maximum of $1.5 per year.

Based on these fines, you can deduce that the fines of non-compliance may be costly whether you knowingly or unknowingly neglect the HIPAA regulations. As such, it’s necessary that you always research and comply with the requirements to avoid the penalties.

Is Failing the HIPAA-Compliance Test a Felony?

Only on extremely rare occasion will you hear of a criminal indictment based on HIPAA compliance. OCR and the Department of Justice intend to help all organizations to comply with the regulations. The penalties imposed are meant to enhance compliance.

Use of Automated Software to Enhance HIPAA Compliance

The processes and procedures of HIPAA compliance can be complex and time-consuming.  However, you can use automated software to audit your organization. It will give a real-time report and recommendations of the loopholes that you need to seal to comply with the regulations. The software also stores accurate data for a quick, accurate, and efficient auditing process.