The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that helps “… protect sensitive health information from being disclosed without the patient’s consent or knowledge” (CDC). This is accomplished by the “HIPAA Privacy Rule,” which was implemented by the U.S. Department of Health and Human Services (HHS). The CDC outlines that the HIPAA Privacy Rule both protects the information of individual patients and allows the efficient flow of health information needed to maintain quality care. The Privacy Rule applies to certain individuals and organizations, which are classified as “covered entities.” These include healthcare providers, health plans, healthcare clearinghouses, and business associates.
The HHS’s Office for Civil Rights (OCR) is the body that enforces these privacy and security guidelines. The American Medical Association outlines that the OCR enforces these Privacy and Security Rules by investigating any complaints filed, conducting compliance reviews of covered entities, and performing education and outreach to foster compliance with requirements. Failure to comply with HIPAA can result in severe consequences depending on the violation. If a HIPAA violation has occurred, penalties are decided based on the severity of the violation, whether the covered entity was aware of the issue, and if they took measures to correct the violation within the time window given by the HHS.
Civil penalties for a HIPAA violation that is deemed “Unknowing” can range from $100 to $50,000 per violation, with an annual maximum of $25,000 for repeat violations. A HIPAA violation where the HHS believes the covered entity had “Reasonable Cause” to know about the issue can carry penalties of $1,000 to $50,000 per violation, with $100,000 being the annual maximum for repeat violations (AMA).
If the HHS finds there was intentional neglect but the issue is corrected within the required time period, penalties will range from $10,000 to $50,000 per violation, with the annual maximum being $250,000 for repeat violations. If there was intentional neglect and the issue isn’t corrected in the required time period, penalties are the most severe: fines will be $50,000 per violation, with an annual maximum of $1.5 million (AMA). Keep in mind that many HIPAA violations can also carry criminal penalties, including prison time. Maintaining the security of this information is incredibly important, both for avoiding these penalties and for protecting patients’ personal health information.
Other rules exist within the HIPAA Privacy Rule, like the Security Rule. This rule protects any health information that is created, sent, stored, or otherwise kept in electronic form. This means that compliance with the Security Rule requires covered entities to do the following (CDC):
- Ensure security, integrity, and availability of all electronic health records
- Monitor and safeguard against any anticipated security threats to health information
- Protect against any unanticipated uses or disclosures of information without permission
- Certify compliance of all workers in the covered entity
As you can see, HIPAA violations are a very serious matter, and any workplace that handles this kind of information should make sure it is aware of the guidelines and practices it should use to maintain compliance and the confidentiality of records. As part of our Hard Hat Training Series, we offer training on HIPAA to help you know the standards and best practices. Good luck, and stay safe!