What are the penalties for violating HIPAA? The risks of ignoring the obligations required by the Healthcare Insurance Portability and Accountability Act (HIPAA) for companies and web sites

IIS - How to setup the web.config file to send HTTP Security Headers with your web site (and score an A on securityheaders.io)

Healthcare entities collect a lot of sensitive data from their patients. The Healthcare Insurance Portability and Accountability Act (HIPAA) set the guidelines of how patient information should be protected. HIPAA seeks to control the use of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) by unauthorized people. All organizations that deal with healthcare in one way or another are expected to comply with the HIPAA requirements. The HIPAA was enacted under the Office of Civil Right (OCR) which oversees the implementation of the act. The OCR is under the Department of Health and Human Services (HHS).

What are the HIPAA Requirements?

The HIPAA was put into action in 1996 to protect private healthcare information. The act requires the healthcare industry players to be vigilant in protecting patient information. This can be done by implementing procedures and installing software that prevents the possibility of breaching PHI. The US Department of Health and Human Services saw it fit to add a privacy rule in 2003. This privacy rule in HIPAA was defined as the Protected Health information (PHI). The aim of PHI rule is to protect information submitted to any healthcare facility by patients from unauthorized users. This information includes medical records, payment records of the patient, the condition of the patient and medical services that a patient receives.

The HIPAA privacy rule was updated in 2005 to include electronically stored protected health information. The addition created three layers of security to PHI namely: administrative safeguards, physical safeguards, and technical safeguards. The administrative safeguards included implementation of policies and procedures that are compliant to HIPAA in the healthcare entity. Physical safeguards are meant to limit accessibility to PHI. For example, organizations should have several levels of authorization to limit the number of people accessing PHI. Technical safeguards cover the spectrum of secure networks for transmitting data like payment information.

Covered Entities and Business Associates

HIPAA defines covered entities in three categories namely health plans, healthcare clearing houses, and healthcare providers. All these entities transmit PHI electronically. Healthcare providers are defined in the act as personnel or institutions dealing with PHI. They include doctors, clinics, nursing homes, pharmacies and many more as long as they transmit electronic data for an HHS transaction. Health plans include insurance companies that offer health covers, company health plans, Government health programs including Medicare, Medicate and military health programs. Veteran government health programs are classified under health plans. A healthcare clearing house is an overall phrase that refers to entities that handle health information they receive from other entities.

Business associates are entities that conduct some processes for covered entities and have authorization to ePHI and PHI. Access to PHI and ePHI is a vital item in the processes that the business associates performs for the covered entity. Since covered entities are obligated to protect PHI under HIPAA, they should have a contract with their business associates. The contract should stipulate the duties of the business associates and include a non-disclosure agreement. Lack of a contract is deemed as noncompliance with HIPAA requirements.

Civil Penalties for Violating HIPAA

The penalties for violating HIPAA depend on the magnitude of the violation. There are minimum limits and maximum limits set for the violations. These act as a guideline for ruling. The actual penalties will be determined based on the facts of the case. There are three tiers of the civil penalties. The first tier is whereby the violation occurred unwittingly. The penalties per violation range from $100 to $25,000 for repeat violation. The maximum penalty per violation is $50,000. The maximum penalty payable per annum is $1.5 Million.

The second-tier penalties are for violations carried out due to a “reasonable cause.” This means that the violations did not occur unknowingly to some extent. The penalties per violation for second-tier range from $1,000-$50,000 with a maximum of $100,000 per year for the repeat violations. The maximum penalties for HIPAA violations in the second tier are 1.5 million annually

Third tier penalties are for willful neglect but correct the mistake in reasonable time. The penalties are a range of $10,000-$50,000 per violation, a maximum of $250,000 for repeat violations and a maximum of 1.5 million annually. Organizations that do not correct the neglect can pay a minimum penalty of $50,000 per violation and a maximum of 1.5 million annually. The maximum annual penalty is the same for all violations.

Importance of Automating HIPAA Compliance

HIPAA compliance involves training and monitoring a variety of parties including stakeholders, directors and employees. Automating the HIPAA compliance boosts communication within the organization when providing information. The software can monitor and evaluate risks arising from noncompliance. It is an easier and faster way to monitor whether an organization is HIPAA compliant.


About Ken Lynch

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.

View all posts by Ken Lynch

Leave a Reply

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.