The penalties for HIPAA violations

The Health Insurance Portability and Accountability Act of 1996 revolutionised regulations surrounding the security and privacy of healthcare data. One of its many aims was to create stringent stipulations to be followed by healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities in order to safeguard the Protected Health Information (PHI) of patients.

HIPAA introduced strict requirements on how healthcare data can be stored, which parties are authorised to access it, with whom it may be shared, and the power of patients to access their own data. It has proven to be a critical piece of legislation in the modern healthcare system. As a piece of federal legislation, it created a nationwide standard for data protection in the United States.

As an incentive for organisations to comply with these new rules, strict penalties were introduced to be levied against organisations that violate HIPAA. In the Enforcement Final Rule of 2006, the Department of Health and Human Services’ Office for Civil Rights (OCR) was granted the ability to issue financial penalties (and/or action plans) to covered entities (CEs) that fail to ensure HIPAA compliance in their organisation.

More recently, the Omnibus Rule in March 2013 was introduced to update the charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). According to the Omnibus Rule, new penalties for HIPAA violations are applied to healthcare providers, health plans, healthcare clearinghouses and all other CEs. This includes Business Associates (BAs) of CEs who are also guilty of violating HIPAA Rules.

Ignorance of a particular rule is not an accepted excuse for a violation. Therefore, even if a CE commits a relatively minor violation, it will still be fined accordingly. It is critically important that a CE is familiar with all aspects of HIPAA legislation to avoid such a fine, and that it informs its employees of their responsibilities under HIPAA. If an organisation is found to have been wilfully negligent of HIPAA Rules, the guilty party will be levied with the highest penalty.

The penalty structure is divided into several different tiers. The tiers are divided based on many different factors, including the size of the organisation, if appropriate safeguards were in place before the violation, and if the organisation had any knowledge of the breach. The OCR will set the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.

In some circumstances, a CE may not have been able to prevent a breach, such as if they were the victim of a particularly sophisticated phishing attack despite having security safeguards in place. These are called “unknown violations”. If this happens, the OCR has the power to waive a fee such that the organisation is not punished unfairly.

Categories of HIPAA Violation

The tiered structure for penalties can be described as follows:

• Category 1: A violation that the CE was unaware of and could not realistically have avoided, had a reasonable amount of care been taken to abide by HIPAA Rules

• Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of wilful neglect of HIPAA Rules)

• Category 3: A violation suffered as a direct result of “wilful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation

• Category 4: A violation of HIPAA Rules constituting wilful neglect, where no attempt has been made to correct the violation

HIPAA Violation Penalty Structure

Each category of violation warrants its own penalties. Upon investigating a particular breach, the OCR will determine the financial penalty within the appropriate range following its investigation of the incident. The OCR considers a wide range of factors when determining the appropriate penalty to be levied. These include the length of time over which the violation occurred, the number of people affected, the nature of the data exposed, the financial means of the organisation, and how much damage had been done by the breach. An organisation’s willingness to assist with an OCR investigation, and any prior history of HIPAA violations, is also taken into account. The maximum fine per violation category, per year, is $1,500,000. The fines are issued per violation category, per year that the violation was allowed to persist.

The tiers are as follows:

• Category 1: Minimum fine of $100 per violation up to $50,000

• Category 2: Minimum fine of $1,000 per violation up to $50,000

• Category 3: Minimum fine of $10,000 per violation up to $50,000

• Category 4: Minimum fine of $50,000 per violation

A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA Rules, regardless of how minor the incident was or how insignificant the data involved is.

Fines may also be levied against an organisation based on the number of days over which the violation occurred, instead of by the number of patients affected (as above). For example, if a CE has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the CE has been in violation of the law. Therefore, in this case, the penalty would be multiplied by 365.

Penalties for HIPAA Noncompliance

It is not only security incidents that result in patient PHI being compromised that attract penalties for HIPAA noncompliance. If a CE or BA is found not to have complied with the HIPAA regulations during an audit, the OCR has the authority to issue penalties for HIPAA noncompliance. It is predicted that, as the OCR increases the volume of HIPAA audits, this scenario will become increasingly common.