To properly answer the question of what a HIPAA violation is, it is important to first understand what HIPAA is, who it applies to, and what constitutes a violation. Although most people believe they know what a HIPAA violation is, the complaints and enforcement actions described below suggest otherwise.
What is HIPAA and who is it for?
The 1996 Health Insurance Portability and Accountability Act (HIPAA) was enacted to simplify healthcare administration, reduce waste, prevent healthcare fraud, and ensure employees could keep their health coverage when changing jobs. Rules issued under it since then (the Privacy, Security, and Breach Notification Rules) establish patients' rights and protect Protected Health Information (PHI).
Failure to comply with these rules is a HIPAA violation, even if no harm has resulted. One of the most common complaints, for example, is failure to provide patients with copies of their PHI on request. Other types of HIPAA violation are listed below, along with the penalties that may be imposed for them.
The rules apply to covered entities and business associates. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that electronically transmit PHI in connection with transactions for which HHS has adopted standards. With a few exceptions, most healthcare providers are covered entities.
Business associates are organizations with which covered entities share PHI so that they can perform functions or services on the covered entity's behalf. Since the publication of the Final Omnibus Rule in 2013, business associates have been directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy and Breach Notification Rules in 45 CFR Parts 160, 162, and 164, in the same way as covered entities.
What actually constitutes a PHI violation?
The most common form of HIPAA violation involves the unauthorized disclosure of PHI beyond the permitted uses and disclosures. PHI violations can range from giving more information than is required to achieve the objective of an allowed disclosure to hacking into an unencrypted database that exposes the PHI of thousands of patients.
To avoid a PHI violation, covered entities and business associates must not only implement the measures outlined in the Privacy and Security Rules, but also ensure that proper policies and processes are in place to reduce the risks of a PHI violation. Each entity’s employees must also be trained on the policies and procedures, as well as the consequences of noncompliance.
Other Types of HIPAA Violation
One common misconception about HIPAA is that a violation occurs only when unauthorized uses or disclosures of PHI are involved. However, there are many other ways for a covered entity or business associate to violate HIPAA, for example, failing to train employees on policies and procedures, or failing to document that training.
Withholding details of a breach from the individuals affected by it, from the HHS Office for Civil Rights (OCR), and, in certain situations, from the media is also a HIPAA violation. Several fines have been issued in recent years for failing to comply with the Breach Notification Rule, or for failing to issue notifications within the time frame it specifies.
Additional HIPAA Violations
In addition to the examples above, there are many other ways for covered entities and business associates to violate HIPAA. Further examples include:
- Impermissible disclosures of PHI,
- Improper disposal of PHI,
- Failure to conduct a risk analysis,
- Failure to manage risks to the confidentiality, integrity, and availability of PHI,
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI,
- Failure to maintain and monitor PHI access logs,
- Failure to enter into a HIPAA-compliant Business Associate Agreement prior to sharing PHI,
- Failure to provide patients with an accounting of disclosures on request,
- Failure to implement access controls to limit who can view PHI,
- Failure to terminate access rights to PHI when no longer required,
- Failure to provide security awareness training,
- The unauthorized release of PHI to individuals unauthorized to receive the information,
- The sharing of PHI online or on social media without permission,
- The mishandling and mismailing of PHI,
- Texting unencrypted PHI,
- Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure.
Anybody in an organization with access to PHI must receive HIPAA training that explains what a HIPAA violation is, and all members of a covered entity's or business associate's workforce, regardless of role, must receive security awareness training.
How is a HIPAA violation identified?
Internal audits of HIPAA-covered organizations uncover many HIPAA violations. Employees who have breached HIPAA rules may be identified by their supervisors. Employees also frequently self-report HIPAA violations and possible violations committed by coworkers.
The HHS Office for Civil Rights is the primary enforcer of the HIPAA rules and investigates complaints of HIPAA violations made by healthcare staff, patients, and health plan members. OCR also investigates every reported breach affecting 500 or more individuals, and some smaller breaches. In addition, OCR periodically audits covered entities and business associates.
State attorneys general have the authority to investigate breaches, and investigations are frequently conducted in response to complaints about possible HIPAA violations and reports of patient record breaches.
What are the penalties for HIPAA rule violations?
Penalties for HIPAA violations vary with the nature of the violation, the level of culpability, the harm caused, and the measures taken by the covered entity or business associate to mitigate the breach and its consequences. Most cases are resolved with a corrective action plan, but OCR has the authority to impose substantial financial penalties.
State attorneys general, who have had the authority since the HITECH Act to bring civil actions for HIPAA violations on behalf of their residents, can also impose penalties. These are in addition to any OCR penalty, and to any penalties under state privacy and security laws where a data breach also violates those laws.
HIPAA Violation Categories
There are four categories of HIPAA violation. Each has a minimum and maximum penalty per violation within which OCR can set a financial penalty, depending on the level of culpability. Two categories cover violations that did not involve willful neglect (lack of knowledge, and reasonable cause), while the other two cover willful neglect, distinguished by whether the violation was corrected within thirty days.
Category 1 – Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA rules had been violated.
Category 2 – Reasonable cause that the covered entity/business associate knew – or should have known – about the violation by exercising reasonable due diligence.
Category 3 – Willful neglect of the HIPAA rules with the violation corrected and the consequences mitigated within thirty days of discovery.
Category 4 – Willful neglect of the HIPAA rules and no effort made to correct the violation or mitigate the consequences within thirty days of discovery.
Penalties for HIPAA violation
Initially, the financial penalties for HIPAA violations were low and did not serve as an effective deterrent. They were significantly increased by the 2009 HITECH Act and have been adjusted for inflation annually since 2015. The table below lists the HIPAA violation penalties for 2022, including the maximum that can be imposed in a calendar year for multiple violations of the same provision.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| --- | --- | --- | --- | --- |
| Tier 1 | Lack of knowledge | $127 | $63,973 | $1,919,173 |
| Tier 2 | Reasonable cause | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Willful neglect, corrected within 30 days | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Willful neglect, not corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
The OCR Reinterprets the HITECH Act Penalty Increases
As the table above shows, the annual penalty limit is the same in all four tiers, which may appear strange. In 2019, HHS reexamined the text of the HITECH Act and concluded that its penalty language had been misinterpreted. OCR determined that the annual cap should be lower in three of the four tiers, and set it at $25,000 for Tier 1, $100,000 for Tier 2, $250,000 for Tier 3, and $1,500,000 for Tier 4.
These lower caps have not been made official, since that requires further rulemaking. In the meantime, HHS applies them through a notice of enforcement discretion that remains in effect until the penalty structure is formally changed. One inconsistency remains: in Tier 1, the maximum penalty per violation ($63,973) is roughly double the annual cap ($30,487), which will presumably be resolved in future rulemaking. The table below shows the penalty structure under the notice of enforcement discretion, with the annual caps adjusted for inflation to 2022 values.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| --- | --- | --- | --- | --- |
| Tier 1 | Lack of knowledge | $127 | $63,973 | $30,487 |
| Tier 2 | Reasonable cause | $1,280 | $63,973 | $121,946 |
| Tier 3 | Willful neglect, corrected within 30 days | $12,794 | $63,973 | $304,865 |
| Tier 4 | Willful neglect, not corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
In conclusion, HIPAA requires covered entities and business associates to conduct risk analyses on a regular basis. Any areas of noncompliance should be identified during those risk analyses. Failure to conduct and document a risk analysis, and failure to address the risks it identifies, are themselves HIPAA violations.