While everybody knows that failing to comply with HIPAA brings consequences, many people don’t realize how severe they are. The good news is that no matter how bad your noncompliance is, there is a maximum annual civil penalty. The bad news, especially for small business owners, is that the maximum annual civil penalty is $1.5 million. People who are found criminally liable may be imprisoned for up to 10 years.
A Tiered System
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services is responsible for administering and enforcing HIPAA privacy standards. A tiered system helps the OCR determine the consequences for violations. But they still have a lot of leeway, depending on the case. For example, a first-time HIPAA violation by somebody who didn’t know they were violating the rule ranges from $100 to $50,000 per violation, depending on what the OCR decides.
The other categories are:
- HIPAA violation due to reasonable cause and not due to willful neglect
- HIPAA violation due to willful neglect but violation is corrected within the required time period
- HIPAA violation due to willful neglect and not corrected
By the time you reach the most serious category, the minimum fine is $50,000 per violation.
Deliberately defying privacy rules can bring criminal charges. Criminal consequences also follow a tiered system. Deliberately disclosing somebody’s health information carries a $50,000 fine and up to a year in jail. For an offense committed through deception, the consequence is $100,000 plus up to five years in jail. If you exploit somebody’s health information for profit, or use it to maliciously harm them, you can face a $250,000 fine and up to 10 years in prison.
Who is Liable?
Anyone, whether a company or an individual, can be liable for HIPAA violations. Covered entities, such as health care providers, Medicare prescription drug card sponsors, health plans and health clearinghouses, as well as employees of these covered entities, could face charges.
Even more alarming, covered entities are also responsible for the compliance of their business associates. This means any vendor who has access to protected patient information and experiences a data breach or otherwise fails to uphold privacy measures can leave the covered entity exposed. Examples of typical vendors include data centers and online backup providers.
The Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy and Data Security paints a dire picture. According to the report, “Employee training is the most common activity but does not seem to be effective in reducing insider negligence.” Less than half of the organizations surveyed conducted annual security risk assessments. In the survey, 94 percent of healthcare organizations suffered one or more security breaches in the past two years, and 45 percent reported more than five incidents in that time period.
Outside vendors are necessary for most large health organizations. Seldom can everything be done in-house. But with such frightening statistics as those cited above, how do you protect yourself from HIPAA vulnerability? You need to carefully vet and monitor your vendors. Ideally, each vendor will undergo a full HIPAA assessment from an independent auditor to verify they are using best practices to secure ePHI.
At CoreSpace, we pride ourselves on being fully compliant and operating at the top level of HIPAA’s guidelines. We accomplish this by employing a multi-tier security platform and an enterprise service level environment, state-of-the-art physical security, with round-the-clock support and multiple monitoring systems. If you ever have concerns, our highly trained team is available to you 24/7.
We take PHI and HIPAA audits seriously and believe everybody else should, too. If you have any questions about our many measures to maintain persistent HIPAA compliance, please call us today.