In October of 2015, the Excellus Health Plan suffered what was the largest HIPAA data breach of the year, with some 9.5 million patient records compromised. An investigation concluded in January 2021, stating that Excellus had five critical violations of HIPAA, including a failure to conduct risk analysis, implement sufficient network security measures and enact data security policies around data and access controls.
The Office of Civil Rights (OCR) settled with Excellus for $5.1 million from the five violations found and after years of audits and investigations.
Don’t let this become your story if you are working in the healthcare sector. Understand compliance and penalty structures.
What Is a HIPAA Violation?
Generally speaking, HIPAA violations are when Protected Health Information (PHI) is disclosed to unauthorized persons and the healthcare organization is found at fault.
It’s important to understand just who HIPAA applies to (and who can be found in violation of HIPAA rules:
- Covered Entities: Any hospital, doctor’s practice, insurance company or healthcare provider that offers direct healthcare or healthcare insurance services.
- Business Associates: Any third-party vendor, service provider or supplier that partners with Covered Entities and, as any part of that partnership, touch PHI.
So, any enterprise or organization that handles PHI for healthcare or related services falls under HIPAA jurisdiction. Patients, however, do not fall under such jurisdiction, understanding that the patient is the final arbiter of authorized disclosure and cannot violate their privacy.
With that in mind, CEs and BAs can violate compliance if they’ve been found responsible for unauthorized disclosures. However, there are several other areas where they can be found in non-compliance, each of which will contribute to different penalties:
- Failure to Conduct Risk Analysis: HIPAA requires risk assessment and management to go along with compliance efforts. If the organization is found to avoid risk assessments, which leads to substandard security, there could be dire consequences.
- Failure to Maintain Audit Logs: Logging is a necessary part of HIPAA compliance. Any organization skipping out on autism or log maintenance will quickly find out that this part of their security process was never optional.
- Failure to Retain Relevant Records: Medical records have no retention requirements under HIPAA–state authorities legislate these requirements. However, records related to HIPAA (privacy notices, disclosure authorizations, risk assessment reports, business associate agreements, etc.) do have a required retention period of six years.
- Lack of Training and Policy: Like nearly any compliance framework, HIPAA regulations require that personnel obtain continuing trading and education on HIPAA rules and compliance. This is especially crucial considering that, in most cases, a violation of regulations by an employee is almost always considered a violation for the organization
- Withholding of Breach Notifications: If your IT systems experience a breach, you must report that breach to the appropriate authorities, patients, and news outlets. Failure to do so is considered non-compliance.
- Lack of Business Associate Agreement: When CEs work with Business Associates, they must have a standing Business Associate Agreement (BAA) that defines their relationship and obligations under HIPAA.
These incidents of non-compliance, whether discovered during an audit or unearthed in the aftermath of a breach of PHI disclosure, can cost healthcare organizations significantly.
HIPAA Civil Penalties
For the most part, non-compliance will be classified as “civil” or monetary. Penalties are assessed and levied by the Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS). The OCR, for the most part, would prefer to remedy non-compliance through mandatory remediation and admonishment. However, if the violations are significant, penalties will be levied.
Civil penalties are classified into four different categories, based on different levels of severity:
- Tier 1: Violations that a healthcare organization was unaware of couldn’t have realistically avoided. At this tier, the organization is usually compliant, but that compliance is incomplete for reasons outside the organization’s control.
- Tier 2: Violations that the healthcare provider should have been aware of but could not have been avoided had they been aware of it. At this tier, the organization is falling shy of willful neglect.
- Tier 3: Violations result from willful neglect of HIPAA rules, but where attempts have been made to correct the violation.
- Tier 4: Violations where an organization willfully neglects HIPAA rules and makes no effort to correct the problem.
These tiers represent increasing severity based on culpability, from ignorance to neglect. Accordingly, penalty costs also rise as the severity does so. Per the HITECH Act, violations are adjusted by the OCR for inflation every year.
HIPAA Civil Penalties*
|Minimum Penalty Per Violation||Maximum Penalty Per Violation||Maximum Penalty Per Year|
|Tier 1||$100 ($127)||$50,000 ($63,973)||$1,500,00 ($1,919,173)|
|Tier 2||$1,000 ($1,280)||$50,000 ($63,973)||$1,500,00 ($1,919,173)|
|Tier 3||$10,000 ($12,794)||$50,000 ($63,973)||$1,500,00 ($1,919,173)|
|Tier 4||$50,000 ($63,973)||None||$1,500,00 ($1,919,173)|
*Penalties are represented as a base penalty(inflation-adjusted penalty), representing adjustments as of 4/22.
Note that maximum penalties per year are limited by category. If an organization has extreme violations across multiple tiers, those counts as separate and individual penalty caps and will compound.
HIPAA Criminal Penalties
As stated earlier, violations by employees will almost always be considered company violations. However, there are some exceptions where individual professionals or organizations may be suspected in knowingly seeking to break HIPAA rules to obtain PHI for nefarious purposes. In these cases, the Justice Department may pursue criminal charges with HIPAA laws.
Criminal HIPAA violations are broken into three tiers:
- Tier 1: If an individual violates HIPAA significantly but does so unknowingly or for reasonable cause (but still to an extent where it would be considered criminal), the individual could spend up to a year in jail.
- Tier 2: If a professional or professionals obtain PHI using pretenses (fraud), they could spend up to 5 years in jail.
- Tier 3: If a professional or professionals obtain PHI with the express purpose of profit or harming individuals, they could spend up to 10 years in jail.
Avoid HIPAA Penalties with the HIPAA Experts at Lazarus Alliance
While these penalties, civil or criminal, seem steep, the reality is that most violations that we run across are either totally by accident or through emergencies where a patient’s health or life is on the line.
That being said, your organization must show good faith in pursuing and maintaining HIPAA compliance. Should issues arise, it goes a long way with the OCR to show that you’ve done your due diligence to support your adherence to regulations.
Are You in the Healthcare Industry Preparing Your HIPAA Strategies?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.