41.2 million. That’s the number of healthcare records reported to have been stolen, exposed, or impermissibly disclosed in 2019 alone. HIPAA penalties aside, the cost of these data breaches is expected to reach $4 billion in 2020. A survey revealed that 35% of healthcare organizations had not scanned for vulnerabilities before an attack, and that 87% of healthcare organizations did not perform cybersecurity drills and had no proper incident response procedures in place. The survey revealed further shortcomings as well, all of which indicate that healthcare organizations have failed to close security gaps in their practices.
Even though everyone in the healthcare industry knows all too well about HIPAA compliance, violations are still quite common. HIPAA violations can stem from a variety of circumstances, including untrained employees or a lack of awareness of the potential consequences of a violation. More importantly, non-medical businesses can also be held responsible for violating HIPAA regulations. These businesses often require access to protected health information (PHI) to carry out their functions on behalf of covered healthcare providers, and such entities are known as business associates. Given that many organizations are failing to meet compliance requirements, this article walks through the potential consequences of HIPAA violations as a brief reminder.
The consequences of a HIPAA violation can be quite severe for both individuals and organizations, and they depend heavily on the nature and severity of the offense. For the organization where the breach occurred, there can be significant civil penalties issued by the Department of Health and Human Services’ Office for Civil Rights (OCR). When a HIPAA violation has been committed, OCR issues a penalty based on a four-tiered penalty structure, taking the circumstances of the offense into account.
- Tier 1: A fine ranging from $100 to $50,000 per violation, where it was determined that the individual was unaware that HIPAA was being violated and could not have prevented it despite taking the necessary steps.
- Tier 2: A fine ranging from $1,000 to $50,000 per violation, where the organization could have prevented the violation by exercising a reasonable level of due diligence.
- Tier 3: A fine ranging from $10,000 to $50,000 per violation, where it was evident that the organization willfully neglected HIPAA rules but the violation was corrected within a specific time frame.
- Tier 4: A minimum fine of $50,000 per violation, up to a maximum of $1.5 million per year, where it was evident that the organization willfully neglected HIPAA rules and no corrections were made.
It is important to note that, while lower-tier fines may seem low, a violation usually affects multiple individuals, so the final toll increases significantly.
The consequences of a HIPAA violation extend beyond civil penalties and can cause reputational harm to an individual or organization. The victims of such violations can lose their jobs, be turned down for a job, be socially shunned, or face even worse consequences.
Civil penalties aside, there are also criminal charges for individuals or organizations who use patients’ health information with ill intent. Sharing, stealing, or selling patients’ data to harm others, or attempting to cover up a violation, is punishable by law. Criminal penalties are extremely severe and can destroy someone’s career. They start at a $50,000 fine and one year in prison and can go up to a $250,000 fine and ten years in prison.
For hospitals and healthcare providers involved in a serious violation, or where a large breach took place, there will most likely be negative press and a listing on the HIPAA “wall of shame.” Even if the breach occurred because of a third-party vendor, the healthcare provider will be the one in the spotlight.
Organizations found to have violated HIPAA are required to overhaul their security programs and repair any damage to their systems. Under the HIPAA Enforcement Rule, organizations typically agree to adopt further security standards as part of their settlement with HHS. In short, this means organizations will need to improve their security systems and processes and manage the fallout from any data loss. All of these measures can be quite costly.
This article is just a brief reminder for organizations that are failing to adequately meet HIPAA compliance requirements. As seen above, the consequences of violating HIPAA can be extremely serious, and it is high time for organizations to take HIPAA compliance more seriously. On a positive note, thanks to advances in software, many healthcare organizations and business associates are streamlining their compliance efforts through HIPAA compliance management applications.
The benefits of using such applications are many. From risk assessments to training management, such software lets users manage their compliance processes from a single centralized platform, all of which helps save time and money. Since there is no official HIPAA certification, organizations must put their best effort into addressing security issues before a HIPAA violation takes place.