HIPAA penalties: What are they & how can you avoid them?
HIPAA: many people know the acronym, but few know what it stands for, where it comes from or even the multitude of HIPAA penalties that can impact their organization.
HIPAA refers to the Health Insurance Portability and Accountability Act of 1996, which requires healthcare providers to safeguard patients’ Protected Health Information (PHI). Protecting PHI means strictly controlling when and with whom healthcare providers share sensitive information. Any time an organization shares PHI with an unauthorized person or in an unauthorized place (intentionally or otherwise), the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general can issue a HIPAA violation.
Though these violations do come with financial penalties, fines are just one way OCR enforces HIPAA among healthcare providers, health insurance providers and all other covered entities.
Here’s what organizations need to know about HIPAA violations and what they can do to avoid penalties.
What Are the Penalties for HIPAA Violations?
HIPAA penalties aren’t always punitive. In fact, OCR will often issue technical guidance or request compliance to help covered entities address their gaps in meeting HIPAA guidelines. But when violations are serious, OCR does employ more punitive measures, which involve both financial penalties as well as additional operational requirements.
According to OCR, a “serious” violation includes those that last for a long length of time, impact a large number of people or involve especially sensitive patient data. Should an organization violate HIPAA in any of these three ways, OCR can issue a fine according to four different violation tiers; the higher the violation tier, the steeper the HIPAA penalties.
The HITECH Act of 2009 set the maximum penalty at $1.5 million per year, though OCR re-interpreted the HITECH Act in 2019 to set different maximum penalties depending on the tier/level of culpability.
Tier 1 HIPAA Penalties
Tier 1 is reserved for organizations that unknowingly violate HIPAA. Though these organizations are ultimately responsible for lapses in PHI standards, they were still taking steps to meet HIPAA standards and could not have realistically avoided the violation.
Tier 1 Definition & Penalties:
The covered entity was unaware of the violation and could not have avoided it. They took a reasonable amount of care to meet HIPAA standards.
| Min. Penalty Per Violation (inflation-adjusted) | Max. Penalty Per Violation (inflation-adjusted) | Min. Penalty Per Year (inflation-adjusted) |
|---|---|---|
| $120 | $30,113 | $30,113 |
Tier 2 HIPAA Penalties
Organizations guilty of a Tier 2 violation should have known about their HIPAA violation, but this tier recognizes that the violation was nonetheless unavoidable. In other words, the violation does not rise to the level of willful neglect.
Tier 2 Definition & Penalties:
The covered entity should have been aware of the violation, but did not willfully neglect HIPAA standards.
| Min. Penalty Per Violation (inflation-adjusted) | Max. Penalty Per Violation (inflation-adjusted) | Min. Penalty Per Year (inflation-adjusted) |
|---|---|---|
| $1,205 | $60,226 | $120,452 |
Tier 3 HIPAA Penalties
If an organization committed a Tier 3 violation, it willfully neglected HIPAA standards. The organization can lessen the severity of the violation and, therefore, the HIPAA penalty if they can prove they tried to correct the violation.
Tier 3 Definition & Penalties:
The covered entity willfully neglected HIPAA standards, but tried to correct the violation.
| Min. Penalty Per Violation (inflation-adjusted) | Max. Penalty Per Violation (inflation-adjusted) | Min. Penalty Per Year (inflation-adjusted) |
|---|---|---|
| $12,045 | $60,226 | $301,130 |
Tier 4 HIPAA Penalties
OCR reserves Tier 4 for the most serious violations. Organizations that fall under Tier 4 both willfully neglected HIPAA standards and made no attempt to correct the violation once they became aware of it.
Tier 4 Definition & Penalties:
The covered entity willfully neglected HIPAA standards and did not try to correct the violation.
| Min. Penalty Per Violation (inflation-adjusted) | Max. Penalty Per Violation (inflation-adjusted) | Min. Penalty Per Year (inflation-adjusted) |
|---|---|---|
| $60,226 | $1,806,775 | $1,806,775 |
HIPAA Violation Reporting
All employees of covered entities are responsible for reporting HIPAA violations. It’s important that those working in healthcare and healthcare insurance understand when a HIPAA violation occurs and how they can report it internally and to the appropriate governing bodies.
Covered entities should provide HIPAA training to all employees and let them know to whom they should report. This individual will investigate internally and determine whether or not a HIPAA violation has occurred. If it has, they’ll also be the one to escalate the report to OCR.
The HIPAA complaint process goes as follows: anyone can file a complaint via mail, fax, email or the OCR complaint portal. The complaint should name the covered entity or employee and explain the incidents believed to have violated HIPAA. Complaints should be filed within 180 days, although this can be extended if the filer can show “good cause.”
What Are the Most Common HIPAA Violations?
Organizations don’t always knowingly commit HIPAA violations, making it even harder to prevent HIPAA penalties. In fact, many HIPAA violations are unintentional and often due to gaps in data security practices or improper employee training. Regular compliance audits can help organizations identify these gaps in their practices. We've identified these five issues as the most common HIPAA violations:
- Data Wasn’t Secured or Encrypted: Inadequate data security can leave organizations vulnerable to breaches. But this isn’t just due to hackers. If a physician leaves a chart in an exam room and another patient sees it, this subjects the organization to potential HIPAA penalties. Organizations are also vulnerable if physicians text unsecured patient information to other physicians, log in from an unsecured device at home to finish charting or even leave patient charts open on a desktop after they walk away.
- Devices Were Stolen: Device theft may not seem like a threat, but this is a major source of HIPAA violations. When unencrypted devices like laptops, mobile phones and more get stolen, valuable PHI can be compromised.
- Employees Mishandled PHI: HIPAA violations can happen if employees disclose information to unauthorized family members, discuss PHI in public settings or leave files with PHI where unauthorized individuals can see them.
- Partnership Agreements Didn’t Meet Standards: Healthcare organizations have countless partnerships to help share data with patients and other providers. This can leave organizations vulnerable to HIPAA violations, especially if the partner company is purchased by another company, if contracts are handled off-site or partners are brought on without proper training on PHI.
- Employees Didn’t Receive Proper Training: HIPAA violations often happen because employees don’t know they’re mishandling PHI. Organizations must provide adequate training, such as what HIPAA is, what the rules are, how to avoid breaches and how to make HIPAA compliance part of their daily activities.
How to Prevent Violations and Avoid HIPAA Penalties
Preventing a HIPAA violation and avoiding HIPAA penalties doesn’t always require overhauling an organization’s information systems. Though data security should be at the top of the list for any healthcare organization, there are several other things covered entities can incorporate into their governance to reduce the likelihood of a HIPAA violation.
- End-to-End Data Encryption: This ensures PHI is only accessible to authorized users.
- Firewalls and Antivirus Software: Using tools like these can put valuable gatekeepers between sensitive PHI and bad actors.
- Cybersecurity Training: Ensure employees have the information they need to sidestep malware, phishing, ransomware and more, all of which can lead to HIPAA penalties.
- Safe Disposal of PHI: Whether organizations hire a paper-shredding agency or have their own shredding protocol, it’s important that PHI is securely disposed of and not just tossed in the recycle bin.
- Proper Device Management: Mismanaged devices are at huge risk for breaches. Implement security features zero trust architecture, multi-factor authentication (MFA) and automatic timeouts.
- Continuous HIPAA Training: Employees must know exactly what constitutes a HIPAA violation. Comprehensive and ongoing training can ensure they don’t make any slip-ups.
Get Ahead of HIPAA Violations With the Right GRC Framework
HIPAA violations aren’t a given. Though they’re a risk all healthcare organizations face, there are steps covered entities can take to reduce the chances that they’ll face a HIPAA penalties. The key? A robust governance, risk and compliance (GRC) framework.
Organizations of all sizes can benefit from good governance and an effective board portal, but it’s especially critical for healthcare organizations handling sensitive PHI. It’s important to remember that avoiding HIPAA penalties isn’t just about avoiding fines; it’s about protecting patient rights and privacy. Governance is the best tool healthcare organizations have to do just that.
Learn more about how healthcare organizations can improve their data management, protect patient rights and avoid HIPAA penalties by downloading Curing the Data Deficit: How to Heal Governance Problems in Healthcare from Diligent.
