HIPAA infractions have serious and far-reaching repercussions. In addition to the financial consequences, businesses risk losing their favorable reputation, patients’ and clients’ confidence, and their capacity to run a business. Why have so many of us read the headlines but ignored the warnings when it might take businesses months or even years to recover from penalties?
Read on to learn how to prevent penalties, fines, and other serious repercussions as well as the long-term effects of HIPAA violations.
How Important Is HIPAA to Patients?
HIPAA matters because it plays a pivotal role in safeguarding sensitive personal and health information. It requires healthcare providers, health plans, and healthcare clearinghouses to establish stringent security measures. Without HIPAA, there would be no repercussions for data breaches in healthcare businesses. HIPAA restricts who can access and exchange patient information while giving patients the right to control and authorize access to their data. Patients are empowered to request and verify the accuracy of their medical records, enabling them to make informed decisions about their care. Before the HIPAA Privacy Rule, healthcare organizations were not required to provide patients with copies of their own health information.
What Occurs During a HIPAA Violation?
It is important to first review what constitutes a HIPAA breach before talking about the severe fines and penalties corporations must pay when they break the law.
When a covered entity (CE) or business associate (BA) disregards one or more requirements of the HIPAA Security, Privacy, or Breach Notification Rules, that constitutes a HIPAA violation. Violations can happen for several different reasons and can be intentional or unintentional.
Example of a Deliberate Violation: A clinical staff member verbally announces a patient’s full identity in a waiting area or hospital emergency room. This could lead to a patient complaint and is often the result of inadequate privacy training for staff.
Example of an Unintentional Violation: Instances of negligence that result in unintentional HIPAA violations include:
- Not finishing a Security Risk Analysis (SRA)
- Loss or theft of computers or electronic media whose contents were not encrypted
- Not maintaining policies and procedures to ensure that staff members are properly trained to handle protected health information (PHI)
Are All Healthcare Organizations Subject to the Same Violation Penalties?
According to 45 CFR 164.308(a)(1), often referred to as the HIPAA Security Rule, providers, hospitals, and hospital systems (collectively known as CEs) are all obligated to protect PHI. This section of the Code of Federal Regulations (CFR) describes the Administrative, Physical, and Technical Safeguards required to protect PHI.
If a loss of PHI is significant enough to require sending a Breach Notification Letter to the Office for Civil Rights (OCR), the CE will be required to submit its most recent SRA to the OCR. The OCR will then decide whether, among other things, to fine the CE for the violation, based on the quality of the SRA (i.e., whether it complied with the OCR’s Guidance Document for SRAs), the HIPAA risk management plan, and the CE’s ability to demonstrate a “Culture of Compliance.”
The potential penalty is $50,000 for each lost patient record and up to $1.5M for each breach. The key is being able to show that the CE takes securing patient data seriously. The CE’s “Book of Evidence” will contain its most recent SRA as well as documentation showing that the CE is actively evaluating risks to PHI.
Penalties and Fines
The severity of each HIPAA violation determines the penalties and fines imposed by the OCR. The cost of a HIPAA violation can be high and varies considerably depending on the degree of negligence shown.
If a fine is assessed, it may cost between $100 and $50,000 per infraction (or record), with a maximum fine of $1.5 million for infractions of the same provision per year.
The OCR uses a four-tiered methodology and considers a variety of factors when deciding on the appropriate financial penalty, as indicated in the graphic below. Some of these determining factors are:
- Number of impacted patients
- Exactly what information was revealed
- Length of the data exposure
HIPAA violations can have legal repercussions as well as financial ones, up to and including jail time in the most serious cases.
Recent Penalties and Fine Examples
All healthcare providers should pay attention in light of CommonSpirit Health’s recent data security incident. CommonSpirit Health, one of the biggest healthcare systems in the US, has a highly developed IT department. If it can happen to CommonSpirit Health, your company is susceptible too.
As Health IT Security reported, quoting the company’s quarterly report: “The Cybersecurity Incident has had an estimated adverse financial impact of approximately $150 million to date, which includes lost revenues from the associated business interruption, costs incurred to remediate the issues, and other business expenses, and is exclusive of any potential insurance-related recoveries.”
What can CEOs do, then? First, a thorough security risk assessment must be carried out. The SRA Guidance Document from the Office for Civil Rights (OCR) explains how to examine the administrative, physical, and technical safeguards that protect PHI. Second, construct a risk register of high, medium, and low risks to PHI using the findings from the CE’s SRA. Lastly, start addressing the significant threats to PHI that have been identified. Time is NOT on your side, so get moving.
Avoidance is Key
How can a practice or organization safeguard itself against HIPAA violations given the high stakes and significant risks involved? The secret is to demonstrate due diligence by maintaining year-round compliance vigilance.
To identify any compliance gaps, start by undertaking a thorough, organization-wide HIPAA risk analysis. Both covered entities and business associates regularly operate without a baseline understanding of their security, privacy, and breach-notification posture, which can lead directly to HIPAA violations and data breaches.
Organizations can take action to remediate and mitigate serious compliance risks and avert expensive fines by analyzing compliance gaps.
Uncertain about where your company stands? Take our 5-minute HIPAA compliance test to learn your organization’s overall level of compliance in no time.