Don’t Mess with HIPAA

March 18, 2015 · blog

Failure to comply with HIPAA is expensive and can even result in jail time.

In a nutshell, fines increase with the number of patients and the amount of neglect. One end of the spectrum is “Reasonable Cause,” i.e., even after exercising reasonable diligence, you still wouldn’t have known that you violated a HIPAA provision. On the other end of the spectrum is “Willful Neglect,” in which a security breach is due to negligence and not corrected within 30 days. Reasonable Cause ranges from $100 to $50,000 per incident and doesn’t involve jail time, whereas Willful Neglect ranges from $10,000 to $50,000 per incident and can result in criminal charges.

Civil Penalties

The “American Recovery and Reinvestment Act of 2009” (ARRA), signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see the table below). The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from it.

| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |


Criminal Penalties

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.

Real Examples of HIPAA Violations

| Entity Fined | Fine | Violation |
|---|---|---|
| CIGNET | $4,300,000 | Online database application error. |
| Alaska Department of Health and Human Services | $1,700,000 | Unencrypted USB hard drive stolen, poor policies and risk analysis. |
| WellPoint | $1,700,000 | Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a technical evaluation in response to a software upgrade. |
| Blue Cross Blue Shield of Tennessee | $1,500,000 | 57 unencrypted hard drives stolen. |
| Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates | $1,500,000 | Unencrypted laptop stolen, poor risk analysis, policies. |
| Affinity Health Plan | $1,215,780 | Returned photocopiers without erasing the hard drives. |
| South Shore Hospital | $750,000 | Backup tapes went missing on the way to contractor. |
| Idaho State University | $400,000 | Breach of unsecured ePHI. |
| Shasta Regional Medical Center | $275,000 | Inadequate safeguarding of PHI from impermissible uses and disclosures. |
| Phoenix Cardiac Surgery | $100,000 | Internet calendar, poor policies, training. |
| The Hospice of Northern Idaho | $50,000 | Breach of unsecured ePHI. Unencrypted laptop stolen, no risk analysis. |


What Constitutes a HIPAA Violation?

  1. Unencrypted Data

The vast majority of data breaches are due to stolen or lost data that was unencrypted.

  2. Employee Error

Breaches can occur when employees lose unencrypted portable devices, mistakenly send PHI to vendors who post that information online, or disclose personally identifiable, sensitive information on social networks.

  3. Data Stored on Devices

Almost half of all data breaches are the result of theft, and the risk of a security breach increases considerably when information stored on laptops, smartphones and tablets is not encrypted.

  4. Business Associates

Almost two-thirds of data breaches involved a business associate. While your organization might comply with HIPAA, that does not mean your partners do.

Lesson Learned: Don’t Violate HIPAA

While becoming HIPAA compliant can be costly and time consuming, failure to comply with HIPAA is doubly so. Aside from the actual cost of penalties and fines, a HIPAA violation can also destroy an organization’s reputation beyond repair.

How do I become HIPAA compliant? Read next week’s blog post or download our whitepaper.
