The Legal Side of Breaking HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) imposed various requirements that govern the confidentiality and security of an individual’s health and medical information. The law imposes serious consequences for violations of HIPAA that can result in steep fines or even prison sentences. By being familiar with the potential penalties and how they are assessed, healthcare professionals and organizations can more effectively tailor their compliance efforts.

HIPAA led to the establishment of uniform regulations that govern the security of health records. These records cannot be shared or discussed with certain third parties without the express written consent of the patient. This means that an individual’s health information must be guarded and protected from any kind of disclosure. In addition, healthcare professionals and organizations must take steps to protect against any kind of intrusion that could result in unauthorized access to, or acquisition of, health information.

Healthcare professionals will face consequences if they fail to follow the law or any of the associated regulations. If an individual feels that their rights have been violated under HIPAA, they can file a complaint with the Office of Civil Rights. This office is a part of the Department of Health and Human Services and has part of the enforcement responsibility for HIPAA.

There are two types of consequences for violations of HIPAA. The first type is a civil penalty and the second type is a criminal penalty. The main difference between the two types of penalties is the violator’s state of mind when committing the illegal act. If the violator unknowingly violated HIPAA, then the penalties will be civil in nature. If the violation was knowingly committed, then the penalty is likely to be criminal if the violator is found guilty.

There are two different types of civil penalties. The first penalty is for an unknowing violation. These penalties start at $100 per violation, up to a maximum of $25,000. Beyond monetary penalties, many of these violations must be reported to the news media so the healthcare professional is likely to suffer more of a reputational blow that can impact the bottom line. The civil penalties are more severe when a healthcare professional is found civilly liable for willful neglect. In other words, the healthcare professional exhibited reckless indifference to their obligations under HIPAA, leading to a violation. Although this is still not criminally actionable, the penalties in this case are more severe because of the indifference exhibited by the healthcare professional. Fines for willful neglect begin at $50,000 per violation and the healthcare professional can be fined up to $1.5 million in total.

When someone knowingly violates HIPAA, they open themselves up to criminal liability. A knowing violation is when someone is fully aware of the prohibitions of HIPAA and allows the information to be released anyway. There are several categories of criminal HIPAA offenses. The least severe category of offense carries a minimum penalty of one year in prison.

When there is a HIPAA violation, much of the inquiry may center on whether the responsible party knowingly violated HIPAA. This is a difficult standard for a prosecutor to prove. Nonetheless, if a prosecutor can make this showing then the consequences will be dire.

Healthcare organizations can be in trouble even if they have not actually released any covered healthcare information. The Office of Civil Rights also conducts compliance reviews of healthcare providers. When a compliance review is initiated, OCR will look at the organization’s safeguards and controls. If they are found to be lacking, OCR can initiate enforcement action. OCR can also make criminal referrals to the Department of Justice. To date, OCR has recovered nearly $80 million, either through assessment of fines or entering into settlements with healthcare entities. OCR has also referred nearly 700 cases to DOJ for further investigation or prosecution.

Most investigations end up with no finding of a HIPAA violation. In some instances, even when there is a violation, an organization can remedy the violation by changing its practices and can escape civil and criminal liability. Most violations result in the healthcare entity having to take corrective action, in which it fixes the condition that led to an actual or possible HIPAA violation.
