A Guide to HIPAA Penalties and Fines

HIPAA (The Health Insurance Portability and Accountability Act 1996) is the major data privacy regulation in the US. The HIPAA rules outline the expectations for the protection of personal data. Any entity that deals with private healthcare data, or protected health information (PHI), is bound by HIPAA.

US citizens have the right to data privacy. Originally, the HIPAA rules were meant to improve portability across health insurance companies, as people changed employers. Now, HIPAA’s scope extends beyond that, and ensures maximum protection for health information that is stored or transferred by a health organization. 

Despite the importance of data privacy, organizations do make mistakes. HIPAA violations do happen, and penalties must be given in these cases. Without consequences, there’s no drive to follow the HIPAA rules. HIPAA outlines expected penalties and fines, and how these penalties are decided. 

Criminal HIPAA Violations

Generally, HIPAA violations are split into two categories: willful or accidental. This is used to guide the level of severity of the violation. Both can have differing levels of impact for the victims, and should be avoided, but intentional violations are a serious concern. 

Despite the consequences, violations still happen. Here are some of the common HIPAA violations and their criminal implications.

Wrongful Disclosure

Typically, wrongful disclosure of PHI falls under the “accidental” category. Ultimately, HIPAA outlines that information supplied should only be the minimum necessary to meet objectives. This goes some way to protecting personal information when it is disclosed to another party. 

However, mistakes can happen. This might occur when patient data gets mixed up. For instance, if a patient has the same surname, and lives in the same location. Covered entities need to do everything in their power to implement security measures preventing this, but human error is a considerable factor in this case. 

Wrongful disclosure that is intentional is a considerable offence, and is treated as such during violation cases. Intentional violations are done with the intent to cause harm, and can have detrimental effects to the business, and the individual victim.

Whether accidental or intentional, both are offences under HIPAA. However, the intent of the violation goes a long way to deciding the ultimate penalty. 

Exposure of PHI or Devices

Employees don’t intend to have their devices stolen, so theft of devices or PHI is typically an accidental exposure for businesses. For instance, a remote staff member might have their device stolen while outside of work. A member of staff could be subject to a phishing attack, providing unauthorized access to the data. In these cases, the breach didn’t occur due to an intentional violation by the business. Therefore, exposure of PHI due to theft is often classified as an accidental breach.

However, bear in mind that there is a chance that someone within the organization might have accessed data without authorization, from another staff member. In a case like this, a full investigation is necessary to establish the cause of the violation. This will determine the severity of consequences for the staff member, and for the business.

It’s also worth noting that a violation due to theft of data can also be put down to negligence. While this may not be classed as an intentional violation, it implies that a covered entity has not done everything in its power to protect the PHI. 

Whether human error, or an intentional breach, if a violation has occurred then it may be prosecuted as a criminal act. 

Human Error

People are often the weakest component in any organization’s security. Employees can do their best but mistakes are made. 

For instance, an employee might leave their workspace open, allowing others with fewer access rights into the computer. An employee could open a link in an email, or visit a third party web site, that gives way to a phishing attack. Neither of these situations are intentional violations of HIPAA, but could have detrimental effects on health information. However, the human element is the cause of the potential breach. 

While not intentional, a court might find the violation was due to negligence. Whilst this isn’t as dangerous as intentional violations, it signifies that real changes need to be made in the organization, and the mistake was preventable. 

Penalty Tiers

HIPAA criminal and civil penalties are categorized into four tiers, depending on the severity, supposed awareness, and preventability of the violation. Your penalty tier will dictate the fine for the violation, alongside your organization's financial status and violation history.

Tier 1

This is the lowest penalty tier. A tier one violation is one that the covered entity was not aware of, and could not have avoided having followed the HIPAA regulatory requirements. This may be applied in small-scale HIPAA breaches.

In this case, the covered entity would need to have done everything possible to protect PHI. Despite this, the violation occurred. 

Fines in this category start at a minimum of $100 and can be as high as $50,000, per violation. They are the lowest fines.

Tier 2

A tier 2 violation is one that a covered entity should have been aware of, but could not have reasonably prevented following HIPAA regulations. 

This tier falls just outside of wilful neglect according to HIPAA. Ultimately, an organization needs to do everything possible to prevent a HIPAA violation, but this tier recognizes that this can be challenging. 

Financial penalties in this category start at $1,000 and could go up to $50,000, per violation.

Tier 3

This penalty tier is assigned when a violation demonstrates a ‘willful neglect’ of HIPAA regulations. However, the organization has made attempts to correct or address the violation within 30 days.

The attempt to address the vulnerability or violation is what separates this tier from tier 4. This demonstrates a willingness to fix the problem in the case of noncompliance.

Tier 3 fines start at $10,000 and can go up to $50,000, per violation.

Tier 4

This is the highest tier for HIPAA violations. A tier 4 violation is a violation that demonstrates willful neglect of the HIPAA Rules. No attempt has been made to rectify or address the violation.

The lack of attempt to fix the issue is what makes this penalty category so severe. This shows neglect in following HIPAA rules, and a disregard for them.

Tier 4 fines are a minimum of $50,000 but, depending on the violation itself, could result in jail time. These also do not qualify for a waiver, and $50,000 is the maximum penalty for HIPAA violations.

Who Prosecutes HIPAA Violations

HIPAA breaches and violations must be reported to the Office for Civil Rights (OCR). Therefore, the majority of cases are handled by the OCR, and they hand out the relevant penalties. 

Ideally, the OCR will avoid fines where possible. They will try to resolve the violation by administering guidance, or deadlines for new security measures. They might even waive the fine in lower tier violations.

If these guidelines and approaches don’t work, then they will issue a fine. They will issue a fine in the higher tier cases. In the worst cases, they will assess your violation history, and potential for jail time. 

In publicized cases, or those with a wider impact, an attorney general can issue fines and penalties. If the violation has impacted people in multiple states, fines must be paid for each state. As a result, cases assessed by an AG can be even more costly. Not to mention potential reputational damage as a result of a more high profile violation assessment.

At Vertrical, we know how critical HIPAA compliance is in the digital health industry. HIPAA settlements can be costly, and HIPAA violation cases can have a serious impact on your reputation. That’s why we have compliance experts based around the globe ready to work on your development projects. Get in touch with us today to ensure complete HIPAA compliance for your next innovation.