
What Are the Penalties for HIPAA Violations?


In October 2015, Excellus Health Plan suffered the largest HIPAA data breach of that year, with some 9.5 million patient records compromised. The investigation concluded in January 2021 and found that Excellus had committed five critical HIPAA violations, including failing to conduct a risk analysis, failing to implement sufficient network security measures, and failing to enact data security policies covering data handling and access controls.

After years of audits and investigation, the Office for Civil Rights (OCR) settled with Excellus for $5.1 million over the five violations found.

Don’t let this become your story if you work in the healthcare sector. Understand how compliance and the penalty structure work.


What Is a HIPAA Violation?

Generally speaking, a HIPAA violation occurs when Protected Health Information (PHI) is disclosed to unauthorized persons and the healthcare organization is found to be at fault.

It’s important to understand just who HIPAA applies to (and who can be found in violation of HIPAA rules):

So, any enterprise or organization that handles PHI for healthcare or related services falls under HIPAA jurisdiction. Patients, however, do not fall under that jurisdiction, on the understanding that the patient is the final arbiter of authorized disclosure and cannot violate their own privacy.

With that in mind, covered entities (CEs) and business associates (BAs) violate compliance if they are found responsible for unauthorized disclosures. However, there are several other areas where they can be found non-compliant, each of which contributes to different penalties:

These incidents of non-compliance, whether discovered during an audit or unearthed in the aftermath of a breach or unauthorized PHI disclosure, can cost healthcare organizations significantly.


HIPAA Civil Penalties

For the most part, non-compliance is classified as “civil,” meaning monetary. Penalties are assessed and levied by the Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS). The OCR generally prefers to remedy non-compliance through mandatory remediation and admonishment. However, if the violations are significant, penalties will be levied.

Civil penalties are classified into four categories, based on different levels of severity:

These tiers represent increasing severity based on culpability, from ignorance to neglect. Accordingly, penalty amounts rise with the severity. Per the HITECH Act, the OCR adjusts penalty amounts for inflation every year.


HIPAA Civil Penalties*

| Tier | Minimum Penalty Per Violation | Maximum Penalty Per Violation | Maximum Penalty Per Year |
|---|---|---|---|
| Tier 1 | $100 ($127) | $50,000 ($63,973) | $1,500,000 ($1,919,173) |
| Tier 2 | $1,000 ($1,280) | $50,000 ($63,973) | $1,500,000 ($1,919,173) |
| Tier 3 | $10,000 ($12,794) | $50,000 ($63,973) | $1,500,000 ($1,919,173) |
| Tier 4 | $50,000 ($63,973) | None | $1,500,000 ($1,919,173) |

*Penalties are shown as base penalty (inflation-adjusted penalty), reflecting adjustments as of 4/22.

Note that the maximum penalty per year is capped per category. If an organization has serious violations across multiple tiers, each tier counts as a separate, individual penalty cap, and the totals compound.


HIPAA Criminal Penalties

As stated earlier, violations by employees will almost always be treated as violations by the organization. However, there are exceptions where individual professionals or organizations are suspected of knowingly seeking to break HIPAA rules in order to obtain PHI for nefarious purposes. In these cases, the Justice Department may pursue criminal charges under HIPAA.

Criminal HIPAA violations are broken into three tiers:


Avoid HIPAA Penalties with the HIPAA Experts at Lazarus Alliance

While these penalties, civil or criminal, seem steep, the reality is that most violations we run across are either entirely accidental or occur during emergencies where a patient’s health or life is on the line.

That being said, your organization must show good faith in pursuing and maintaining HIPAA compliance. Should issues arise, it goes a long way with the OCR to show that you have done your due diligence in adhering to the regulations.


Are You in the Healthcare Industry Preparing Your HIPAA Strategies?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 
