HIPAA Violation Penalties

Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules.

Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013.

Financial penalties are intended to act as a deterrent to prevent the violation of HIPAA laws, while also ensuring covered entities are held accountable for their actions – or lack of them – when it comes to protecting the privacy of patients and the confidentiality of health data, and providing patients with access to their health records on request.

The penalty structure for a violation of HIPAA laws is tiered, based on the level of culpability: what the covered entity knew, or should have known, about the violation. OCR sets the penalty within a tier based on a number of “general factors” and the seriousness of the HIPAA violation.

Ignorance of HIPAA Rules is no excuse for failing to comply with them. It is the responsibility of each covered entity to ensure that HIPAA Rules are understood and followed. When a covered entity is found to have committed a willful violation of HIPAA laws, the highest penalty tiers apply.

HIPAA Violation Classifications

What happens if you violate HIPAA? That depends on the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.

Tier 1 violations carry the lowest penalties. These are violations the covered entity did not know about and, even when exercising reasonable diligence, could not have known about.

Tier 1 violations have a minimum fine of $119 and a maximum of $59,522 per violation. The total maximum that can be imposed per year for violations of the same provision is $1,785,651.

Tier 2 violations are not willful either. There was reasonable cause for the violation: the entity knew, or with reasonable diligence should have known, about it, but the failure did not amount to willful neglect.

Tier 2 violations have a minimum of $1,191 and a maximum of $59,522 per violation. The cap for the year is $1,785,651.

Tier 3 violations are clearly more serious. The violation must be the result of willful neglect, but it was corrected within 30 days of discovery, which limits the penalty.

Tier 3 violations have a minimum of $11,904 and a maximum of $59,522 per violation. The cap for the year is $1,785,651.

Tier 4 violations are the most serious. The violation was the result of willful neglect, and no attempt was made to correct it within 30 days of discovery.

Tier 4 violations have a minimum of $59,522 and a maximum of $1,785,651 per violation, which is also the cap for the year. Individual employees responsible for a violation can also face sanctions from their employer: for minor violations, retraining or closer supervision; for willful violations, termination.

Criminal Penalties

In some cases, there is more to a problem than a fine. Some HIPAA violations are criminal offenses, prosecuted by the Department of Justice rather than OCR, and can result in imprisonment. These offenses are committed knowingly and usually cause harm to someone.

For instance, a medical specialist who sells PHI for financial gain commits a criminal offense. Any use or disclosure of PHI must be permitted by the Privacy Rule. Criminal HIPAA violations have their own tier system.

Tier 1 covers knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. It carries a fine of up to $50,000 and up to one year in prison.

Tier 2 covers offenses committed under false pretenses. It carries a fine of up to $100,000 and up to five years in prison.

Tier 3 covers offenses committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. It carries a fine of up to $250,000 and up to ten years in prison. Now let’s take a look at the most common HIPAA violations, and how you can avoid them.

HIPAA Consulting For You

Now that you have discovered what HIPAA violations are, as well as how to avoid them, you are that much closer to ensuring your organization is HIPAA compliant. Nonetheless, it can be daunting to keep track of all the HIPAA rules and clauses.

If you’re looking to ensure your team is properly trained and HIPAA-aware, get in touch with us and we will happily set you up with one of our HIPAA experts.

hipaa-software.com