A HIPAA violation occurs when a HIPAA-covered entity or a business associate fails to comply with one or more provisions of the rules mandated by HIPAA: the Privacy Rule, the Security Rule, and the Breach Notification Rule. For the full set of standards and provisions whose breach constitutes a HIPAA violation, see 45 CFR Parts 160, 162, and 164.
HIPAA rules can be violated in many ways. Some of the most common are:
- Disclosing Protected Health Information (PHI) without permission
- Disposing of PHI improperly
- Unencrypted laptops being stolen or lost
- Unencrypted smartphones being stolen or lost
- Unencrypted USB devices being stolen or lost
- Posting information related to PHI on social media
- Breach of an Electronic Health Record (EHR) system
- Not providing HIPAA security awareness training
- Failure to conduct a HIPAA risk analysis
- Not implementing appropriate safeguards to ensure the confidentiality, integrity, and availability of PHI
- Not providing copies of PHI to patients on request
- Discussing or sharing PHI outside the facility or with an unauthorized individual
- Sending PHI to the wrong patient or person
- Not implementing access controls to restrict who can view PHI
- Theft of patient records
- Not executing Business Associate Agreements (BAAs) with vendors before providing access to PHI
- Not properly documenting compliance efforts
A HIPAA violation may be deliberate or unintentional; either way, the penalties for violations are severe.
Civil penalties are structured in four tiers:
Tier 1: The organization was unaware that a violation could occur and had no way of knowing, given that it had taken the necessary precautions. A minimum fine of $100 per violation, up to $50,000, with a maximum of $25,000 per year.
Tier 2: The organization was, or should have been, aware of the violation but could not have prevented it even with a sufficient amount of care, and did not willfully neglect the HIPAA Rules. A minimum fine of $1,000 per violation, up to $50,000, with a maximum of $100,000 per year.
Tier 3: The organization was aware of the violation yet did not take the necessary steps to avoid it. This type of violation is classified as the direct result of willful neglect of the HIPAA Rules, even where attempts were made to rectify the violation. A minimum fine of $10,000 per violation, up to $50,000, with a maximum of $250,000 per year.
Tier 4: The organization was fully aware of the violation, willfully neglected it, and made no attempt to rectify the problem. A minimum fine of $50,000 per violation, with an annual maximum of $1.5 million.
Criminal penalties range from a $50,000 fine and up to one year in jail, to a $250,000 fine and up to ten years in jail. Quite intimidating, and it shows why HIPAA should be taken more seriously.
It is only natural that HHS increases the penalties for HIPAA violations so that organizations take them more seriously. However, it is important to realize that these common violations can be mitigated by implementing an effective HIPAA compliance program, which can also simplify your workflow.
To avoid HIPAA violations, you can make use of our HIPAA compliance software, HIPAA Ready.