The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that mandates the creation of national standards to safeguard patient health data. However, HIPAA regulations are extensive and sometimes confusing. They may leave you wondering, "what is a HIPAA violation?" You may also be curious about the monetary damages for HIPAA violation occurrences. We lay out the facts of HIPAA violations and monetary damages below.
What Is a HIPAA Violation?
A HIPAA violation arises when a person's Protected Health Information (PHI) falls into the wrong hands. A few additional details determine whether an incident is a HIPAA violation and what type of violation it is. For example, the following must be true: 1) the HIPAA violation occurs at a covered entity, and 2) the PHI fell into the wrong hands without the person's consent — this may occur accidentally or willfully.
Depending on the details of the HIPAA violation, it may be classified as a civil HIPAA violation or a criminal HIPAA violation. Here is what you need to know about each.
Civil HIPAA Violations
Civil HIPAA violations usually result from cases of noncompliance where the entity fails to resolve the issue successfully. In these cases, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) may choose to impose civil monetary penalties on the violator.
The civil monetary penalties are based on a tiered structure. The Secretary of Health and Human Services makes the final determination on the penalty based on the details surrounding each violation. However, no penalty will be issued if the entity corrects the HIPAA violation within 30 days.
How Monetary Penalties Are Determined for Violating HIPAA
Monetary penalties for HIPAA violations are calculated according to the number of breaches, calendar year caps, and minimum and maximum penalty amounts. These factors are organized into four tiers that determine the penalty.
Number of Breaches
The more breaches that result from a HIPAA transgression, the higher the likely monetary penalty. For example, an unknowing violation can accrue a minimum fine of $100 per violation. In contrast, the maximum fine can reach a staggering $50,000 per violation. The penalty per violation will fall within the penalty range of the violation's tier.
Calendar Year Caps
There is a calendar year cap that prevents these fines from accumulating without limit. For more minor violations accruing fines at $100 per violation, the calendar year cap is $25,000. For graver violations accruing at $50,000 per infringement, the cap is $1.5 million.
Minimum and Maximum Penalty Amounts
These minimum and maximum penalty amounts are set by tier level as follows:
- Tier 1 violations (unknowing penalty): $100 to $50,000 per violation, with a calendar year cap of $25,000
- Tier 2 violations (reasonable cause penalty): $1,000 to $50,000 per violation, with a calendar year cap of $100,000
- Tier 3 violations (willful neglect — corrected): $10,000 to $50,000 per violation, with a calendar year cap of $250,000
- Tier 4 violations (willful neglect — uncorrected): $50,000 per violation, with a calendar year cap of $1.5 million
What Else Comes Into Play in Regards to HIPAA Violations?
When it comes to HIPAA violations, there are some other things to consider besides the monetary penalties. Two of those considerations are the standard of care and malicious intent. These can factor into the severity of the violation.
Standard of Care
Courts may use HIPAA regulations to establish a standard of care in some negligence causes of action. In HIPAA cases, the standard of care refers to the duty of care your healthcare provider or healthcare organization owes you while you are under their care. It determines the level of prudence and caution required. The standard of care can vary depending on the specifics of a particular case.
Malicious Intent
Sometimes, someone may gain access to protected private health information under false pretenses or through unauthorized access. If they have purposefully violated HIPAA privacy rules for personal gain or malicious intent, they can face serious criminal penalties, including imprisonment for up to ten years and fines of up to $250,000.
HIPAA Enforcement
The OCR enforces HIPAA's privacy and security rules in various ways, including via:
- Running compliance reviews to determine the compliance of certain entities
- Investigating HIPAA complaints filed with the OCR
- Conducting education and outreach to promote compliance with HIPAA's requirements
However, the OCR cannot prevent 100% of HIPAA violations before they occur. In many cases, the OCR must instead attempt to minimize the damage caused by violations that have already taken place. When HIPAA violations occur, they can result in enforcement actions and compliance reviews.
Enforcement Actions
Enforcement actions arise when a HIPAA violation is discovered and officially reported to the OCR. If you have been the victim of a HIPAA violation, an experienced HIPAA violation attorney can help you file an official report with the OCR. This is often the first step taken in HIPAA cases.
HIPAA Compliance Review
Once an enforcement action has been lodged, the OCR may conduct a compliance review. The online HIPAA Journal releases an annual compliance checklist that informs organizations of what the OCR will check for during a compliance review. The current checklist contains eight points for organizations to adhere to. Organizations that are not in compliance may face severe penalties.
If the OCR finds that the organization was not in compliance, it will attempt to resolve the case by obtaining one of the following:
- Resolution agreement
- Corrective action
- Voluntary compliance
Most investigations are concluded to the OCR's satisfaction through these resolutions.
Don't Hesitate To Take Legal Action
If you believe your personal information has been used in a way that constitutes a HIPAA violation, you have legal rights and options. Taking action against large healthcare organizations can be intimidating. However, an experienced HIPAA violations lawyer can help answer your questions, explain your options, and guide you through the ensuing legal process.
Contact the law firm of Ratzan Weissman & Boldt to speak with a knowledgeable attorney who can help.