What Happens if You Break HIPAA Rules?

January 1, 2023

HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood. During HIPAA training, healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties, and what happens if you break HIPAA Rules?

What Happens if You Break HIPAA Rules?

If you break HIPAA Rules as a member of a covered entity's or business associate's workforce, there are four potential outcomes:

  1. The violation could be dealt with internally by your employer under its sanctions policy
  2. You could be terminated
  3. You could face sanctions from professional licensing boards
  4. You could face criminal charges, which can include fines and imprisonment

Civil monetary penalties imposed by HHS' Office for Civil Rights fall on the covered entity or business associate itself rather than on the individual workforce member, so an organization may also be penalized for your violation.

What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:

  1. The nature of the violation
  2. Whether there was knowledge that HIPAA Rules were being violated, or whether, by exercising reasonable diligence, it should have been clear that HIPAA Rules were being violated
  3. Whether action was taken to correct the violation
  4. Whether there was malicious intent or HIPAA Rules were violated for personal gain
  5. The harm caused by the violation(s)
  6. The number of people impacted by the violation
  7. Whether there was a violation of the criminal provision of HIPAA

Civil Penalties for HIPAA Violations

Civil penalties are imposed by HHS' Office for Civil Rights on covered entities and business associates, not directly on individual workforce members, and they are tiered by the level of culpability. The lowest tier, for violations the organization did not know about and could not reasonably have known about, starts at $100 per violation, with an annual cap for multiple violations of the same provision (set at $25,000 for this tier under HHS' 2019 notice of enforcement discretion). Higher tiers apply where the violation was due to reasonable cause (the organization knew, or by exercising reasonable diligence would have known, that HIPAA Rules were being violated), to willful neglect that was corrected, and to willful neglect that was not corrected; in those tiers the per-violation amount rises to $50,000 and the annual cap to $1.5 million, and all figures are adjusted annually for inflation. A civil penalty cannot be imposed if the violation was not due to willful neglect and was corrected within 30 days of the date the organization knew, or by exercising reasonable diligence would have known, that HIPAA Rules had been violated.

Criminal Penalties for HIPAA Violations

The criminal penalties for HIPAA violations can be severe. Criminal liability arises under 42 U.S.C. § 1320d-6 when an individual knowingly obtains or discloses individually identifiable health information in violation of HIPAA, and prosecutions are brought by the Department of Justice rather than by OCR. Fines range from a maximum of $50,000 for the lowest tier to a maximum of $250,000 for the most serious offenses, restitution to victims may also be ordered, and every tier carries a possible prison term.

As with the civil penalties for HIPAA covered entities and business associates, the criminal penalties are tiered.

Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA carries a fine of up to $50,000 and a prison term of up to 1 year. Doing so under false pretenses carries a fine of up to $100,000 and a prison term of up to 5 years. Doing so with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm carries a fine of up to $250,000 and a prison term of up to 10 years. Where the offense also involves the misuse of another person's identity, the federal aggravated identity theft statute adds a mandatory two-year prison term that is served consecutively to any other sentence.

What Happens if You Break HIPAA Rules FAQs

What happens if you violate HIPAA?

If you are a member of a Covered Entity's or Business Associate's workforce, the consequences of the violation will depend on the organization's sanctions policy, which HIPAA requires every Covered Entity and Business Associate to maintain and apply. If you are a Covered Entity and the violation is a breach of unsecured PHI, you are required to notify the affected individuals and HHS' Office for Civil Rights (and the media, for breaches affecting more than 500 residents of a state or jurisdiction); a Business Associate must notify the Covered Entity it serves, which then makes those notifications.

What are the consequences of violating HIPAA?

This again depends on your HIPAA "status" (Covered Entity, Business Associate, workforce member, etc.) and the nature of the violation. However, in most cases, the consequence of violating HIPAA is additional training. Covered Entities and Business Associates are required to conduct periodic HIPAA risk assessments, which should treat HIPAA training as a preventive control, and more than a third of Corrective Action Plans issued by HHS' Office for Civil Rights involve additional training.

What happens if a medical facility violates the HIPAA Privacy Rule?

The consequences of a medical facility violating the HIPAA Privacy Rule depend on who identifies the violation and what they do with that information. For example, if a member of the workforce identifies the violation, it is likely to be reported to a compliance officer and resolved internally. Similarly, a patient could report the violation to the contact named in the Notice of Privacy Practices, which would again result in an internal resolution.

However, both the member of the workforce and the patient could report the HIPAA violation to HHS' Office for Civil Rights via the OCR Complaints Portal. In this case, OCR would review the complaint, seek evidence of the violation from the complainant, and, if there is sufficient evidence to suggest a violation has occurred, may open an investigation. If OCR determines that a violation occurred, it may resolve the matter through voluntary compliance, a Corrective Action Plan, or a civil monetary penalty, and the outcome will reflect the nature and seriousness of the violation.

What happens if a doctor violates HIPAA?

This depends on the doctor's HIPAA status. If he or she is employed by a Covered Entity or Business Associate, the doctor will be subject to the penalties stipulated by the employer's sanctions policy. If the doctor is a sole practitioner (and therefore a Covered Entity in his or her own right), and the violation is reported to HHS' Office for Civil Rights, the doctor may be investigated and required to comply with a Corrective Action Plan and/or issued a civil monetary penalty.

What happens if you break HIPAA rules due to a lack of training?

If you break HIPAA rules due to a lack of training, responsibility falls largely on your employer, because the Privacy Rule requires Covered Entities to train all members of their workforce on their PHI policies and procedures, as necessary and appropriate for those workforce members to carry out their functions, and the Security Rule requires a security awareness and training program. To prevent any dispute about whether appropriate training has been provided, employers are required to document what training was provided, when it was provided, and who attended. Note, however, that a lack of training is not a defense to the criminal provision of HIPAA: the offense has been interpreted to require only that the individual knowingly obtained or disclosed the information, not that he or she knew the conduct was prohibited by HIPAA.

Can I get in trouble for disclosing more than the minimum necessary information?

This depends on the circumstances, how much information was disclosed, and whether the disclosure had a negative impact on the patient. The Privacy Rule does allow for incidental disclosures, which are "by-products of another permissible use or disclosure," provided reasonable safeguards were in place and the minimum necessary standard was applied to the primary use or disclosure. A disclosure that goes well beyond the minimum necessary is not incidental and is reportable under the organization's sanctions policy.

Who is to blame for inadvertent disclosures caused by a computer error?

Covered Entities and Business Associates are required to implement administrative, technical, and physical safeguards to prevent events such as computer errors. If the inadvertent disclosure is attributable to a Covered Entity or Business Associate failing to implement safeguards, or failing to provide instruction on how to use the system securely, the employer is at fault. If, however, the inadvertent disclosure is attributable to operator error, the employee is at fault and will be dealt with under the sanctions policy. In either case, the Covered Entity or Business Associate remains the party accountable to OCR, must assess whether the disclosure is a reportable breach of unsecured PHI, and cannot shift civil liability onto the individual workforce member.

How are breaches of HIPAA identified?

Breaches of HIPAA can be identified in various ways. The Covered Entity or Business Associate can find them during a risk analysis or through its own monitoring and audit logs, HHS' Office for Civil Rights can find them during a HIPAA audit or a complaint investigation, or the patient(s) whose data has been disclosed without authorization can report them. Third parties scanning the Internet for exposed applications and storage volumes can also identify breaches of HIPAA and report them to the organization or to OCR.

What if I am aware of a colleague breaking HIPAA rules?

Your employer should have a process for reporting breaches of HIPAA that includes cases in which a colleague breaks the rules. Usually you would report the breach to a supervisor, manager, or departmental head; but if you are uncomfortable speaking with somebody in your department, or that person is the colleague breaking HIPAA rules, you should be able to speak with the HIPAA Privacy Officer. The Privacy Rule prohibits a Covered Entity or Business Associate from retaliating against a workforce member who reports a suspected violation in good faith.

The post What Happens if You Break HIPAA Rules? appeared first on HIPAA Journal.