What are HIPAA non-compliance penalties?

Despite their best efforts, companies sometimes discover, because of a technical oversight or a mistake by a member of staff, that they have violated the Health Insurance Portability and Accountability Act (HIPAA), and they then ask themselves what the penalties for non-compliance are.

HIPAA is enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR), and also by state attorneys general. Since 2006, HIPAA violations have carried the risk of financial penalties. That risk increased in 2013, when sanctions in line with the Health Information Technology for Economic and Clinical Health Act (HITECH Act) were introduced.

Who can be fined?

Many different types of organization can be subject to these penalties, including healthcare providers, health plans, healthcare clearinghouses and all other Covered Entities. Their Business Associates are also subject to the same sanctions should they be found in violation of HIPAA.

While these penalties are punitive and dissuasive, many violations are resolved through what is known as voluntary compliance – where companies implement the necessary systems or procedures to avoid future violations – or through the OCR publishing further guidance on a problematic or confusing issue. In such cases, monetary fines may be avoided entirely while compliance with the law is still upheld.

Violation categories

HIPAA violations are separated into four categories, tiered according to the perceived level of control or negligence the company had in relation to the violation. The law states that the fine must fall within a particular range determined by the category the violation is judged to be in. To quote the legislation:

[The authorities] may not impose a civil money penalty –

(i) For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision,

(A) In the amount of less than $100 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(ii) For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect,

(A) In the amount of less than $1,000 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(iii) For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,

(A) In the amount of less than $10,000 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(iv) For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,

(A) In the amount of less than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31).

In a nutshell…

In summary, tier one violations are those the organization could not reasonably have known about or avoided, even with sufficient precautions in place. The fine for such a violation would be between $100 and $50,000, with a maximum of $1,500,000 per calendar year. Even if 20,000 identical breaches were detected in the same year, which at a minimum fine of $100 would come to $2,000,000, the total fine could only be $1,500,000.

For a violation to be considered category two, the problem must be found to be the result of reasonable cause rather than carelessness or willful neglect. This means that the violation could have been prevented if the company had had sufficient measures in place, but that the absence of those measures was not due to a conscious, intentional failure or reckless indifference.

The fine for category two violations would be between $1,000 and $50,000, with a maximum of $1,500,000 per calendar year. Even if 2,000 identical breaches were detected in the same year, which at a minimum fine of $1,000 would come to $2,000,000, the total fine could only be $1,500,000.

More serious are category three violations, which result from willful neglect – meaning reckless indifference or an intentional failure – but are put right within 30 days of being discovered. Fines must be between $10,000 and $50,000 for each violation, with a maximum per year of $1,500,000.

Category four violations are those due to gross recklessness or carelessness that are not corrected within 30 days. Fines amount to $50,000 for each violation, up to a maximum of $1,500,000.

It is important to note that the fine maximums apply to identical violations. Violations in different categories do not count toward the same maximum, so a company could theoretically be asked to pay out $6,000,000 if it committed a large number of identical violations across all four categories.