What Happens if You Fail to Comply with HIPAA?

Written by Abby Nieten on April 26, 2017

Posted in Healthcare

Violating the Health Insurance Portability and Accountability Act (HIPAA) is no joke. In 2016, HIPAA settlements reached a record $23 million. And in the first few weeks of 2017 alone, over $2.5 million was collected to resolve just two cases of HIPAA noncompliance.

The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) upped its HIPAA enforcement efforts big time in 2016. Not only did it launch a series of random compliance audits as part of the HIPAA compliance audit program, but it also increased the fines for HIPAA violations by roughly 10%.

This means any business that collects and transmits electronic protected health information (ePHI) should be on high alert. If your facility hasn’t taken the necessary steps to become and remain HIPAA compliant, the time is now. Ignoring these important precautions and practicing outside the law puts your entire organization at risk.

Not convinced? Here are five consequences your facility or healthcare workers could face if found guilty of any HIPAA violations:

Corrective Action

If the OCR discovers a case of noncompliance—whether through a complaint investigation or random compliance audit—it will seek to resolve the issue by requiring your facility to work through a deadline-driven corrective action plan. The purpose of this plan is to bring your facility up to HIPAA compliance standards. Thus, you will be required to do the work you should have done in the first place to follow HIPAA rules—but under the strict supervision of the OCR.

Corrective action plans typically require one or all of these actions to take place within a specified period of time (even as little as 30 days):

  • ePHI risk analysis
  • ePHI encryption (on all devices)
  • Documentation of policies and procedures related to privacy, security, and breach notification
  • Workforce training

Fines

As noted earlier, HIPAA violations are often subject to hefty fines. The purpose of these monetary penalties is to motivate facilities to operate in full compliance with HIPAA and to hold those who don’t accountable. HIPAA fines are tiered based on the severity of the violation and the facility’s knowledge of the noncompliance. There are four tiers:

  1. If a facility was unaware (and could not have reasonably been aware) of a violation, the penalty ranges from $110 to $55,010 per violation.
  2. If a violation occurs due to reasonable cause (and not willful neglect), the penalty ranges from $1,100 to $55,010 per violation.
  3. If a violation is due to willful neglect but is corrected in a timely manner, the penalty ranges from $11,002 to $55,010 per violation.
  4. If a violation is due to willful neglect but is not corrected in a timely manner, the maximum penalty of $55,010 per violation applies.

In all instances, if repeat violations (of identical nature) occur in the same calendar year, the penalty is $1,650,300 per violation. The largest fine ever paid in a HIPAA settlement was $5.55 million, after Advocate Health System suffered three data breaches that compromised the privacy of four million patients.

One important note is that the OCR can issue HIPAA fines for noncompliance even if there is no breach of ePHI. The types of noncompliance subject to these fines include failure to maintain proper security documentation, failure to train employees on privacy and security practices, and failure to obtain a Business Associate Agreement (BAA) with any third-party service providers.

Additionally, state Attorneys General have the authority to issue HIPAA fines on top of the fines issued by the OCR. And organizations may have to shell out more funds for the legal defense of HIPAA violations.

(Figure: HIPAA Fines)

Career Decline

Fixing the noncompliance and paying a fine are, of course, not the only repercussions of violating HIPAA. There are other consequences that can have longer-lasting effects on your career.

If a HIPAA breach can be attributed to an individual, that individual is at risk for termination of employment. For example, if an employee accesses the medical records of a patient for no reason (i.e., the employee does not need to know the patient’s history or status to do his or her job), the employee has compromised that patient’s privacy and could be fired. In fact, this happened in 2012 when a cardiology nurse unlawfully accessed the medical records of two family members. These types of HIPAA violations can also lead to the revocation or suspension of the guilty party’s medical license.

Jail Time

Some HIPAA violations may lead to criminal penalties. For instance, if someone deliberately discloses or sells a patient’s personal health information, that person could face criminal charges. In these cases, the OCR gets the Department of Justice (DOJ) involved. While rare, jail time may be ordered based on a three-tiered approach:

  1. If someone willingly obtains or discloses ePHI, the penalty is up to one year in jail.
  2. If someone obtains ePHI through deception, the penalty is up to five years in jail.
  3. If someone obtains ePHI for personal gain or with intent to harm, the penalty is up to 10 years in jail.

Additionally, these jail sentences are typically accompanied by fines of $50,000 to $250,000. The fines and jail time for each offense are dependent on the charges as well as the state in which the offense occurred (since the laws are not identical in every state).

(Figure: Jail Time for HIPAA Violations)

Patient Mistrust

Failing to be HIPAA compliant and protect your patients’ private health information could be truly damaging to your business. For starters, if you compromise your patients’ privacy, they will lose trust in you and potentially seek healthcare elsewhere. They also are not likely to recommend your practice to others, thereby stripping you of your credibility.

Additionally, if your organization experiences a security breach, you could be subject to unwanted media attention that deters new patients from coming to your practice. Similarly, the Freedom of Information Act makes reported HIPAA violations publicly accessible, meaning even one small violation could be a permanent blemish on your reputation.

If your organization is collecting patient information in a noncompliant way, you are putting yourself at risk for serious consequences. Formstack’s HIPAA compliant forms can help you remedy the situation before you get audited.