HIPAA: Understanding the Legal Boundaries

Is breaking HIPAA breaking the law?

Breaking HIPAA can result in civil and criminal penalties. The penalties depend on the nature and consequences of the violation, the motive for the violation, and whether the violator knew or should have known that their actions were in violation of HIPAA rules.

Civil penalties for HIPAA violations can be imposed on covered entities or business associates. The minimum is $137 per violation (the statutory $100 minimum after inflation adjustment), and the calendar-year cap for identical violations reaches $2,067,813 (the adjusted $1.5 million cap) when a violation is due to willful neglect and is not corrected within 30 days.

Criminal penalties for HIPAA violations can include fines and imprisonment. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) states that a person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year in prison. If the wrongful conduct involves false pretenses, the penalty increases to a $100,000 fine and up to five years in prison. If the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm, the penalty further increases to a $250,000 fine and up to ten years in prison.



Criminal vs civil penalties

Breaking the Health Insurance Portability and Accountability Act (HIPAA) rules can result in civil and criminal penalties. The penalties depend on the nature of the violation, the level of culpability, the harm caused, and the efforts made to mitigate the breach.

Civil Penalties

The civil penalties for HIPAA violations are managed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and are imposed on covered entities or business associates. Civil penalties start at a statutory minimum of $100 per violation ($137 after inflation adjustment), and the annual cap for identical violations rises to $1.5 million ($2,067,813 after adjustment) when the violation is due to willful neglect and is not corrected within 30 days. The OCR follows a tiered penalty structure with four tiers (the amounts below are the statutory figures; OCR adjusts them for inflation each year):

  • Unaware of the violation and could not have known about it even with due diligence: $100 - $50,000 per violation, with an annual maximum of $25,000 for repeat violations.
  • Should have known about the violation with reasonable diligence: $1,000 - $50,000 per violation, with an annual maximum of $100,000 for repeat violations.
  • Willful neglect but corrected within 30 days: $10,000 - $50,000 per violation, with an annual maximum of $250,000 for repeat violations.
  • Willful neglect and not corrected within 30 days: $50,000 per violation, with an annual maximum of $1.5 million.

Criminal Penalties

Criminal penalties for HIPAA violations are handled by the Department of Justice (DOJ) and can result in fines, imprisonment, or both. There are three tiers of criminal penalties:

  • Wrongful disclosure of PHI: Up to $50,000 in fines and up to one year in prison.
  • Wrongful disclosure of PHI under false pretenses: Up to $100,000 in fines and up to five years in prison.
  • Wrongful disclosure of PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm: Up to $250,000 in fines and up to 10 years in prison.


Who enforces HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is enforced by a variety of federal and state agencies, depending on the specific area of HIPAA being enforced. The primary enforcer of HIPAA compliance is the Department of Health and Human Services (HHS)' Office for Civil Rights (OCR). The OCR is responsible for enforcing the HIPAA Privacy and Security Rules, which form the foundation of healthcare privacy in the United States. Operating as an investigator, inspector, and educator, the OCR ensures that healthcare entities comply with HIPAA regulations.

Within organizations, the responsibility for enforcing HIPAA compliance may fall to designated Compliance Officers, Privacy Officers, or Security Officers. These individuals are tasked with developing and implementing policies and procedures to ensure HIPAA compliance within their organization.

In addition to the OCR, other federal agencies play a role in enforcing specific aspects of HIPAA. The Centers for Medicare and Medicaid Services (CMS), a division of the HHS, enforces the Transactions and Code Sets, National Identifiers, and insurance portability requirements under Title I of HIPAA. The Department of Justice (DOJ) is responsible for criminal prosecutions under the Privacy Rule and has the authority to pursue criminal convictions for wrongful disclosures of individually identifiable health information. The Federal Trade Commission (FTC) does not enforce HIPAA itself; it enforces the separate Health Breach Notification Rule for organizations outside HIPAA's scope, such as vendors of personal health records, requiring them to notify individuals in the event of a data breach, and it can act against unfair or deceptive handling of health data under its general consumer-protection authority.

State Attorneys General also play a crucial role in HIPAA enforcement. The HITECH Act authorizes State Attorneys General to take legal action and enforce compliance with the HIPAA Rules. They can pursue civil actions on behalf of citizens harmed by HIPAA violations and work closely with the OCR to coordinate enforcement efforts.

The enforcement of HIPAA involves a collaborative effort between federal and state agencies, each contributing to maintaining the integrity and security of healthcare information.


What constitutes a violation

A violation of HIPAA (Health Insurance Portability and Accountability Act) occurs when an organization fails to comply with the standards and rules defined by the legislation. This includes any instance of unauthorized access, use, or disclosure of Protected Health Information (PHI), failure to provide patients with access to their PHI, lack of safeguards to protect PHI, failure to conduct regular risk assessments, or insufficient workforce training on the HIPAA rules.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules and investigates potential violations. The OCR reviews the information it gathers and, in some cases, may determine that there has been no violation of the Privacy and Security Rules. If noncompliance is found, the OCR will attempt to resolve the case by obtaining voluntary compliance, corrective action, and/or a resolution agreement.

There are several categories of HIPAA breaches, which can occur inadvertently or intentionally. Here are some examples:

  • Lack of HIPAA compliance training: Compliance training and documentation of that training are required. Failure to provide either can lead to a violation.
  • Failing to perform an organization-wide risk analysis: This analysis is necessary to identify vulnerabilities and potential risks to PHI.
  • Medical record mishandling: Exposed computer screens, visible paper records, or physical charts left in hospital rooms can lead to unauthorized access to PHI.
  • Using unencrypted technology to share PHI: Sharing patient files in unsecured channels, such as unencrypted emails, can result in a breach.
  • Failing to plan for cyber attacks: With the increasing prevalence of cyber attacks, it is essential that systems holding ePHI are hardened and monitored, that incident response and contingency plans exist, and that cloud providers (as business associates) have measures in place to prevent, detect, and contain breaches.
  • Failing to get proper authorization to share records: Employees should be trained to obtain written consent for sharing records in circumstances unrelated to treatment and billing and to avoid sharing personal information without the patient's consent.
  • Failing to safeguard devices that might be stolen: Digital devices, such as computers, phones, and USB drives, contain protected patient information and should be protected with encryption and robust access permissions.
  • In-person discussions about patients: Casual discussions about patients that are not related to necessary treatment information and are within earshot of unauthorized employees violate HIPAA.
  • Improper disposal of PHI: Physical records should be shredded before disposal, and storage media holding ePHI should be sanitized (overwritten, purged, or physically destroyed) so the data cannot be recovered; simply deleting files is not sufficient.
  • Social sharing: Social media posts can compromise patient privacy and allow for unauthorized sharing of information.
  • Forgetting a business associate contract: Vendors who work with covered entities and access PHI must have a contract that requires HIPAA compliance.

The consequences of violating HIPAA depend on the nature and severity of the violation, the level of culpability, the harm caused, and the efforts made to mitigate the breach. In most cases, the penalties include a Corrective Action Plan, but the OCR can also impose substantial financial penalties. Criminal violations of HIPAA can result in fines and imprisonment.


Examples of violations

Examples of HIPAA Violations

The Health Insurance Portability and Accountability Act (HIPAA) was introduced to ensure employees could maintain healthcare coverage between jobs and not be discriminated against for pre-existing conditions. Since its passage, most regulatory activity has revolved around the Administrative Simplification provisions in 45 CFR Parts 160, 162, and 164, including the publication of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.

The failure to comply with any standards in these rules is considered a violation of HIPAA. Here are some examples of HIPAA violations:

  • Snooping on Healthcare Records: Accessing patient health records without authorization is a violation of patient privacy. This is one of the most common HIPAA violations committed by employees.
  • Failure to Perform an Organization-Wide Risk Analysis: Organizations must conduct regular risk analyses to identify vulnerabilities and risks to the confidentiality, integrity, and availability of Protected Health Information (PHI).
  • Failure to Manage Security Risks/Lack of a Risk Management Process: Risks that are identified through risk analyses must be addressed through a risk management process.
  • Denying Patients' Access to Health Records/Exceeding Timescale for Providing Access: The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request. Denying or delaying access is a violation.
  • Failure to Enter into a HIPAA-Compliant Business Associate Agreement: A HIPAA-compliant business associate agreement is required for all vendors that are provided with or given access to PHI.
  • Insufficient ePHI Access Controls: Covered entities and their business associates must limit access to electronic PHI to authorized individuals only.
  • Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices: Encryption is an "addressable" implementation specification under the Security Rule rather than a strictly mandatory one, but if an entity decides not to encrypt, it must document the reason and implement an equivalent alternative safeguard.
  • Exceeding the Deadline for Issuing Breach Notifications: Covered entities must issue notifications of breaches without unreasonable delay and no later than 60 calendar days following the discovery of a data breach.
  • Impermissible Disclosures of Protected Health Information: Any disclosure of PHI that is not permitted under the HIPAA Privacy Rule can attract a financial penalty.
  • Improper Disposal of PHI: When physical PHI and electronic PHI are no longer required, HIPAA rules require the information to be securely and permanently destroyed.
  • Emailing ePHI to Personal Email Accounts and Removing PHI from a Healthcare Facility: Removing PHI from a healthcare facility and emailing electronic PHI to personal email accounts is a violation of HIPAA rules, even if there is no malicious intent.
  • Leaving Portable Electronic Devices and Paperwork Unattended: The HIPAA Privacy and Security Rules require PHI and electronic PHI to be safeguarded at all times. Leaving them unattended could result in an impermissible disclosure of PHI.
  • Releasing Patient Information to an Unauthorized Individual: An authorization form must be obtained from a patient before any of their PHI can be disclosed to a third party, except for purposes expressly permitted by the HIPAA Privacy Rule.
  • Providing Unauthorized Access to Medical Records: It is the responsibility of the covered entity to ensure that access to patient health information and medical records is only given to authorized individuals.
  • Filming Patients Without Consent: Filming patients without their consent is a HIPAA violation if it results in the unauthorized disclosure of protected health information, compromising patient privacy.
  • Impermissible Data Sharing During Medical Research: Researchers must ensure that data sharing adheres to strict privacy safeguards and obtain proper patient authorization (or an approved waiver) to avoid HIPAA violations.
  • Non-Secure File Sharing: Sharing patient records through non-secure methods, such as personal email accounts or unencrypted file-sharing services, is a HIPAA violation.
  • Exposure of Patient Data in Home-Based Care: Lack of adequate data security measures in home-based healthcare settings can lead to unauthorized access to patient records.
  • Data Exposure When Working from Home: When working from home, PHI must be protected. Family members and other individuals in the household are not authorized to view patient data.
  • Medical Records Sent to Incorrect Patients: Sending medical records to the wrong patient is a HIPAA violation because it constitutes an unauthorized disclosure of protected health information.
  • Mailing Correspondence with PHI Visible: Mailing correspondence with PHI visible on the outside of an envelope or package can lead to an unauthorized disclosure of sensitive health information.
  • Unauthorized Photographs/Sharing of Photographs: Taking photographs of patients without authorization and sharing images without consent is a HIPAA violation.
  • Deliberate Sabotage of Healthcare Systems: Robust security measures must be implemented to prevent disgruntled employees from deliberately sabotaging healthcare systems, altering data, or introducing malware.
  • Providing Family Members, Friends, and Partners with Access to PHI: Individuals requesting access to patient data must be authorized to access that information. Employees must not provide access to family members, friends, or partners without proper authorization.


How to report a violation

How to Report a HIPAA Violation

The process for reporting a HIPAA violation depends on who is doing the reporting. If you are a member of the public, a patient, or a member of a covered entity's workforce, you can report a violation to the covered entity's Privacy Officer, your state Attorney General, or the Department of Health and Human Services' Office for Civil Rights (OCR).

If you are a member of a covered entity's workforce, you may also be able to report a violation to a supervisor or the individual responsible for HIPAA compliance within the organization. If you are unsure whom to report to, check your organization's HIPAA policies and procedures or your employment contract.

When reporting a violation, it is important to provide as much information as possible, including the reason for the complaint, information about the covered entity or business associate, the date and address of the violation, and when you learned of the violation. Complaints should generally be submitted within 180 days of the violation being discovered, but this time limit may be extended in certain cases.

If you are a member of the public or a patient, you can also choose to first report a violation to the covered entity itself, giving them the opportunity to voluntarily correct the issue.

If you are a member of a covered entity's workforce, and you report a violation to your supervisor or compliance officer, but no action is taken, you can escalate the report to OCR. Retaliation against individuals who report violations is prohibited.

  • If you are the victim of a data breach, be sure to report the correct organization. The breach may be attributable to an organization that your health information was permissibly disclosed to, rather than the covered entity itself.
  • If you suspect a colleague is stealing PHI to sell, report your suspicions to a supervisor or compliance manager, who will determine whether to report the incident to OCR and the Department of Justice.
  • If you wish to report a HIPAA violation by a pharmacy, you can contact the pharmacy itself, the pharmacy's head office, your state Attorney General, or OCR. If the pharmacy is part of an Organized Health Care Arrangement, you can contact their HIPAA Privacy Officer.
  • If you wish to report a HIPAA violation by home health workers, contact the healthcare organization they are employed by. The contact information for the person responsible for receiving reports should be on the HIPAA Notice of Privacy Practices that you received when you registered with the organization.

What Happens After a Report is Made

After a report is made, the recipient will review it to determine whether a violation has occurred. If a violation is suspected, an investigation will be launched. If not, the recipient may request additional information.

If a violation is found, the outcome is most often voluntary compliance or technical guidance, or the covered entity or business associate agreeing to take corrective action. In more serious cases, the organization may be fined, or if the violation is criminal in nature, the case may be referred to the Department of Justice for prosecution.

