Since April of 2003, OCR has received over 213,561 HIPAA complaints.
We all know HIPAA – it is our pesky neighbor that rears its head to remind us of all of the “stuff” we could be doing better at our homes, or in this case, at our practice. HIPAA’s large set of rules that providers must be cognizant of means processes must be followed to ensure violations don’t occur. With that being said, there are not many plans in this world that are foolproof.
If your practice breaks HIPAA rules, you or your practice could face the following outcomes:
- Internal trouble from your employer
- Termination of your current employment
- Sanctions from professional boards
- Criminal charges (including fines and possible imprisonment)
Now, the weight of the punishment depends on the nature of the crime and how many individuals are affected. It also depends on the following criteria:
- How did the violation occur?
- Did the practice or employee know that a violation was committed, or, had they exercised due diligence, would it have been clear that a HIPAA violation was occurring?
- What action was taken to correct the violation?
- Was there malicious intent, or intent for personal gain, on the part of the practice or employee?
- How much harm (if any) was caused?
- How many individuals were impacted?
- Was it a violation of the criminal provision of HIPAA?
HIPAA Journal breaks civil penalties for HIPAA violations down into a four-tier system. This helps to better explain what a healthcare system faces if a violation occurs. Each tier is based on how likely it is that the covered entity was aware that the violation occurred.
Tier 1: If a covered entity was clearly unaware of the HIPAA violation and could not have avoided it even by exercising due diligence, it falls into this tier. Individuals who fall under this tier with a civil penalty are likely to receive anywhere from a $100 fine to a $50,000 fine per violation; however, the maximum per year is $25,000.
Tier 2: If it is found that the covered entity should reasonably have known, had it performed due diligence, that a violation was occurring, it falls into this tier. The stakes are higher for these practices. The fines range from $1,000 to $50,000 per violation. The maximum per year is $100,000.
Tier 3: Practices found to have willfully neglected HIPAA rules, but which corrected the violation within 30 days of its discovery, fall into this tier. Again, the amount of money that could be owed increases. Covered entities could owe $10,000 to $50,000 per violation with a maximum of $250,000 per year.
Tier 4: If no effort is made to correct a HIPAA violation within 30 days of discovery, and it is found that the violation occurred due to willful neglect, covered entities land in tier 4. The weight for tier 4 is the heaviest – practices could owe $50,000 per violation with a maximum of $1.5 million per year.
If a HIPAA violation is thought to be criminal in nature, the case is turned over to the Department of Justice. From there, individuals at the practice involved could be deemed criminally liable; however, even if they are not “directly” liable, they could face other charges, such as aiding and abetting or conspiracy. Individuals who knowingly act in violation of HIPAA and disclose unique health identifiers will be processed in this manner. HIPAA violations can land a covered entity in jail on top of extreme fines – the longest sentence a covered entity can face is 10 years of imprisonment.
Understanding HIPAA is essential for your practice, your patients, and you as a healthcare provider. At the end of the day, in order to heal your patients physically, you also need to take care of their health records. Be mindful, stay alert, and remain cognizant of how you and other individuals at your practice use and handle PHI.