What Happens If You Violate HIPAA?

• Rochelle van Rensburg
• Dec, 4 2020
• Compliance Training
• HIPAA Compliance Training
• HIPAA compliance
• HIPAA Violation

The Health Insurance Portability and Accountability Act of 1996 was enacted to establish guidelines and standards for maintaining health information security and confidentiality. Covered entities are mandated by HIPAA legislation to provide their employees with adequate training to ensure HIPAA rules and regulations are understood and diligently followed. Violations can lead to severe consequences such as suspension, loss of your license, and hefty fines. To help you and your staff understand the consequences of a violation better, here is what happens when one takes place.

Deciding on how a HIPAA violation will be handled depends on the offense’s overall seriousness and the crime’s essence. The actions of professional boards, employers, and in some cases, the Department of Justice will depend on certain factors, some of which are:

• Whether there was the knowledge that HIPAA rules were being violated and the extent of the violation.

• Was action taken to correct the violation?

• Was the violation causing harm, or was there malicious intent.

The investigation, disciplinary action, and termination

When a breach occurs, the three phases that follow are investigation, correction, and notification. Organizations look at what caused the breach during the investigation process. The employee involved must be questioned, and it must be handled professionally to make it clear that what happened was serious. After identifying what happened and who was involved, it’s time for corrective action.

Employee discipline for HIPAA violation depends entirely on the type of breach that occurred. Breach definitions, and the recommended disciplinary corrective actions should be in your policy manual. There are three levels of a breach, each with its penalty. Let’s have a look at what they are in more detail:

• Level 1: Unintentional

  • This is when protected health information (PHI) is carelessly accessed or released by an employee. Here are some examples which are seen as minor breaches:
    • An unlocked computer left on an unattended desk may leave the PHI open for others to access.
    • Talking about PHI in public places of your organization like elevators or cafeterias.
    • Mailing bills and statements to the incorrect address.

Disciplinary action isn’t severe at this level, and you shouldn’t terminate or suspend an employee unless they are repeat offenders. Disciplinary action for a level 1 breach should be an oral or written warning, retraining, and coaching.

• Level 2: Curiosity and concern with no personal gain

  • These violations occur when an employee:
    • Gossips about PHI outside of the organization.
    • Accesses a family member’s PHI.
    • Accesses the PHI of a high-profile patient, like an actor, pop star, or professional athlete.

Accessing the PHI of a high profile client usually leads to termination on the spot to save your reputation due to the story reaching headlines. However, if an employee accesses their family member’s PHI, a written warning will suffice if this is their first violation.

• Level 3: Malicious intent or personal gain

  • It sometimes happens that employees go out of their way to harm individuals by accessing their PHI for ulterior reasons. Some examples are:
    • PHI used for theft or any other form of criminal activity.
    • Knowingly accessing PHI in violation of company policies.
    • Using PHI to harass or harm patients.
    • Accessing PHI with the intent to sell it for profit or personal gain.

Delivering the notification

According to the HIPAA Breach Notification Rule, covered entities must notify all affected individuals in writing by first-class mail or email. If necessary, the Secretary of Health and Human Services (HHS) and the media must also be notified.

The requirements of the Breach Notification Rule vary based on the number of individuals affected – usually 500 or more individuals or fewer than 500 individuals. Suppose 500 or more individuals are affected by a breach of PHI. In that case, the covered entity must send a notification to the Secretary no later than 60 days from the discovery of the violation without reasonable delay. If fewer than 500 individuals are affected, the covered entity must submit the notice to the Secretary annually.

Now that we know more about the delivery of notifications let’s look at Civil and Criminal Penalties.

Civil Penalties

The Department of Health and Human Services Office for Civil Rights can issue civil penalties for HIPAA violations.

Penalties are based on the following four-tiered system:

• Tier 1: This is when an individual is unaware that a HIPAA rule is being violated. The fine ranges from $100 – $50 000, with an annual maximum of $1.5 million.

• Tier 2: This applies to violations where HIPAA rules were not willfully neglected. The fine applicable in this case is a minimum of $1000 – $50,000 with an annual maximum of $1.5 million.

• Tier 3: This violation is due to willful neglect but was corrected within the required time period. The fine ranges from $10 000 – $50 000 up to an annual maximum of $1.5 million.

• Tier 4: This is the most serious violation where willful neglect is evident, and no attempt was made to correct the situation. The minimum penalty is $50,000 per violation up to a maximum of $1.5 million for repeat violations.

Criminal Penalties

Criminal penalties for HIPAA violations can be severe. These cases can be referred to the Department of Justice by The Office for Civil Rights, and penalties are also determined based on a tiered structure, which is set out as follows:

• Tier 1: Reasonable cause /negligence. The fine is $50 000 as well as imprisonment of up to one year.

• Tier 2: False pretenses, which carries a penalty of $100 000 and a prison sentence of up to five years.

• Tier 3: Personal gain or malicious intent permit fines of $250 000 and imprisonment of up to ten years.

What are the most common HIPAA violations, and what do you do when you notice a HIPAA violation?

Some of the most common HIPAA violations are:

• Keeping records that are not secure and lack of employee training.
• Hacking and keeping unsecured records.
• Unencrypted data and loss or theft of devices.
• Improper disposal of records.
• Employee dishonesty and unauthorized release of information

Should you think you have accidentally violated HIPAA rules or become aware that your employer or a colleague is not complying with the regulations, you should report the matter immediately. If a violation is discovered and corrected internally, it minimizes the chances of penalties imposed by the HHS’ Office of Civil Rights and will prevent a recurrence.

Your employer should have a process for reporting HIPAA breaches, so you should know which steps to follow. Usually, you would report the violation to a manager or supervisor. If you are uncomfortable speaking to that specific person for whatever reason, you should be able to talk to the HIPAA Privacy Officer. Suppose you report a violation internally, and no action is taken. In that case, the matter can be escalated, and a complaint can be filed with HHS’ Office for Civil Rights – the primary enforcer of HIPAA rules.

Now that we know what happens if the HIPAA law is breached and what the consequences and reporting procedures are let’s take a look at what you can do to ensure your company is HIPAA compliant.

Here are some tips to make sure your practice is HIPAA compliant:

• Hire dedicated security staff and establish and implement effective training protocols.

• Understand breach notification requirements and adopt and implement a comprehensive security policy.

• Have an internal auditing process and stipulate specific email policies.

Conclusion

Ensuring your company or practice is compliant with the HIPAA law will reduce the risks of breaches and fines. Make sure each new staff member is trained and repeat the training annually. Keeping your staff trained and informed will minimize your risk of being found non-compliant.

Coggno has a wide range of online corporate training courses relating to the HIPAA act. Get started today!

You can have a look at our free courses here and our course catalog here.