A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before: another business closed with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 to settle potential violations of the HIPAA Privacy Rule.
Once a medical records storage company for covered entities, Filefax shut its doors during the OCR investigation yet could not escape additional fines and penalties that followed. The bottom line? HIPAA violations do not stop just because a business closes.
The consequences of HIPAA violations are significant and far-reaching. Beyond the financial ramifications, organizations stand to lose their good reputation, client/patient trust, and ability to operate a business. It can take organizations months, even years to recover from penalties if they ever do, so why have so many of us read the headlines but not heeded the warnings?
Read on to understand the long-lasting implications of HIPAA violations and how to avoid penalties, fines, and other significant consequences.
What Qualifies as a HIPAA Violation?
Before discussing the harsh penalties and fines organizations pay when they violate HIPAA, it is vital to first recap what constitutes a HIPAA violation.
A HIPAA violation occurs when a covered entity (CE) or business associate (BA) fails to comply with one or more provisions of the HIPAA Security, Privacy or Breach Notification Rules. Violations may result for several reasons and may be deliberate or unintentional.
- Example of a Deliberate Violation – A clinical staff member announces a patient’s full identity aloud in a waiting area or hospital emergency room. That is a disclosure of PHI, it can trigger a patient complaint, and it usually traces back to inadequate privacy training for staff.
- Example of an Unintentional Violation — Unintentional HIPAA violations are commonly the result of negligence, such as:
- Failure to complete a Security Risk Analysis (SRA)
- Failure to encrypt laptops and other electronic media, so that loss or theft of the device exposes PHI (PHI encrypted in line with HHS guidance is treated as secured, so losing an encrypted device is not a reportable breach)
- Failure to maintain policies and procedures instructing staff members how to handle protected health information (PHI) appropriately
Are Violation Penalties the Same for All Healthcare Organizations?
Providers, hospitals and hospital systems – all CEs – and their business associates are required to protect PHI (Protected Health Information) under the HIPAA Security Rule, 45 CFR Part 164, Subpart C. The Rule describes the Administrative, Physical and Technical Safeguards that must be in place; 45 CFR 164.308(a)(1), the Security Management Process standard, is the provision that requires a risk analysis and a risk management plan.
In the event of a loss of PHI significant enough to require a Breach Notification to the Office for Civil Rights (OCR), the CE should expect OCR to request its most recent SRA. Whether OCR decides to, among other things, fine the CE will depend on the quality of that SRA (i.e., did it follow OCR’s Guidance Document for SRAs), the risk management plan that followed it, and the CE’s ability to demonstrate a “Culture of Compliance”.
Civil penalties are assessed per violation, not per lost record, with an annual cap for violations of an identical provision; the amounts set by the HITECH Act run from $100 to $50,000 per violation with a $1.5M annual cap, and OCR adjusts them for inflation. The key is to be able to demonstrate that the CE takes protecting patient data seriously. The CE’s “Book of Evidence” should include its latest SRA and proof that it is actively remediating the risks to PHI the SRA identified.
Penalties and Fines
The penalties and fines OCR administers are scaled to the severity of each HIPAA violation and, above all, to the level of negligence involved.
If a penalty is issued, it can range from $100 to $50,000 per violation, with a maximum of $1.5 million per calendar year for violations of an identical provision (the original HITECH figures; OCR publishes inflation-adjusted amounts).
OCR takes many different factors into account when determining the appropriate financial penalty and uses a four-tiered approach based on culpability: the entity did not know, and could not reasonably have known, of the violation; the violation was due to reasonable cause rather than willful neglect; the violation was due to willful neglect but was corrected within 30 days; or the violation was due to willful neglect and was not corrected. Within a tier, deciding factors include:
- Number of patients affected
- What specific data was exposed
- How long the data exposure lasted
- The entity’s history of prior compliance
Along with the financial ramifications, HIPAA violations can also carry criminal charges: knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA is a federal offense, referred to the Department of Justice, and can result in fines and jail time if warranted.
Examples of Recent Penalties and Fines
The latest data security incident from CommonSpirit Health should make all healthcare providers take heed. As one of the largest healthcare systems in the US, CommonSpirit Health has a sophisticated IT organization. If it can happen to CommonSpirit Health, it can happen to your organization.
As quoted from Health IT Security, “The Cybersecurity Incident has had an estimated adverse financial impact of approximately $150 million to date, which includes lost revenues from the associated business interruption, the costs incurred to remediate the issues and other business expenses, and is exclusive of any potential insurance related recoveries,” the quarterly report stated.
So, what can CEs do? The first step is to complete a thorough security risk assessment. The Office for Civil Rights (OCR) provides an SRA Guidance Document detailing how to review the Administrative, Physical and Technical Safeguards that protect PHI. Second, using the findings from the CE’s SRA, create a risk register that ranks risks to PHI as high, medium or low. Finally, begin remediating the identified high risks to PHI, and keep the register current as risks are closed. Get moving – time is NOT on your side.
Avoidance is Key
Given that the stakes are high and much is on the line, how does a practice or organization protect itself against HIPAA violations? The key is to show due diligence through year-round compliance vigilance.
Start by completing a comprehensive, organization-wide HIPAA risk analysis to determine any gaps in compliance. Without a baseline understanding of their security, privacy and breach-notification posture, both covered entities and business associates operate daily unaware of their security vulnerabilities, which can lead directly to HIPAA violations and data breaches.
By understanding compliance gaps, organizations can take steps toward remediating and mitigating significant compliance risks and avoid costly penalties.
Unsure where your organization stands? Take our 5-minute HIPAA compliance quiz designed to quickly outline your organization’s basic level of compliance.