With HIPAA Phase 2 audits looming on the horizon, many organizations are gearing up for the audits with internal assessments. We’ve already talked about how your organization might be unwittingly violating HIPAA, but what penalties are you really facing? Whether you didn’t know you were committing a HIPAA violation or you willfully neglected to comply, the penalties you will face vary in fine amount and charges. Understanding the penalties your organization might face in light of a HIPAA violation will help you understand and prepare for future audits. Internal assessments will be your savor when it comes to preparing for said audits. It’s crucial to have a good understanding of HIPAA regulations. You don’t want to be put in a position where you slapped with a large fine or even worse, the violation results in a data breach.
The Cost of HIPAA Violations
Follow the chart below to understand the what penalties your organization could face if you fail to comply with HIPAA regulations.
* “The Secretary of the Department of Health and Human Services is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).”
The Department of Justice states that “Covered entities and specified individuals, who ‘knowingly’ obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations faces a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
Common HIPAA Violations
According to the HHS the five most common HIPAA violations (in order of occurrence) are:
1. Impermissible uses and disclosures of protected health information.
2. Lack of safeguards of protected health information.
3. Lack of patient access to their protected health information.
4. Lack of administrative safeguards of electronic protected health information.
5. Use or disclosure of more than the minimum necessary protected health information.
Essentially these violations can be broken down into 2 main groups.
Unencrypted Data/Data stored on Devices: In this day and age unencrypted data poses a huge threat to many healthcare orgnazaitons. If a device with encrypted data is lost or stolen the threat of a data breach is even more prevalent.
Employee Error/Business Partners: From sharing logins to abusing social media, human error is a major factor in HIPAA violations.
5 Biggest Violation Fines Since 2009
Here’s a glimpse at the biggest HIPAA violation fines that the OCR has seen since 2009. Understanding the basics of the HIPAA violations and what fines your peers have faced due to their HIPAA breaches may help you get ahead of violations in the future. It’s important to note that many of these data breaches could have been easily prevented if correct HIPAA procedures had been followed.