The Healthcare Insurance Portability and Accountability Act (HIPAA) is a federally regulated compliance program that controls Protected Health Information (PHI) and electronic Protected Health Information (ePHI). Organizations that are not HIPAA compliant face various penalties.

Overview of HIPAA

HIPAA was enacted into law in 1996 and revised to include the HIPAA Privacy Rule in 2003 by the US Department of Health and Human Services (HHS). The Act is meant to protect health information that is in the hands of organizations or institutions that provide or are involved in healthcare in one way or the other.

In 2005, the HIPAA Security Rule was updated to provide guidelines on handling, storage, and transmission of electronically stored Protected Health Information (ePHI). A number of procedures were developed for compliance purposes.

For example, the policy introduced physical safeguards such as restrictions on accessing data storage areas and technical safeguards such as requiring transmission of electronic PHI over open networks to be secured.

Understanding HIPAA Covered Entities and Business Associates

According to HIPAA, Covered Entities are institutions that handle and transfer PHI or ePHI electronically. These entities include healthcare providers, health care clearinghouse, and health plan providers.

On the other hand, Business Associates are organizations that have access to PHI or ePHI due to the activities that they perform as a service for a covered entity.

Pharmacies, nursing homes, dentist, doctors, psychologists, and chiropractors that submit electronic information as part of an HHS transaction are classified as healthcare providers.

Entities that fall under health plans include HMOs, Medicare and similar federal government programs, military healthcare programs, and health insurance companies.

Finally, any entity that processes nonstandard health information received from another party into a standard data format is considered a health care clearinghouse.

According to HIPAA regulations, entities that engage with Business Associates in one way or another should have a written agreement or contract that defines the responsibilities of the Business Associate with regards protecting data.

Who is in Charge of HIPAA?

The HIPAA Privacy and Security Rules are implemented by the Office for Civil Rights (OCR). On the agency’s website, aggrieved consumers can bring complaints against Covered Agencies and their Business Associates. Citizens can also submit claims through the website’s portal, email, fax, or postal mail.

Penalties of HIPAA Non-Compliance

The HIPAA Enforcement Rule imposes civil monetary penalties to entities that are not compliant with HIPAA. The regulations were strengthened under the Omnibus Act through the introduction of various penalties.

HIPAA Violation Civil Penalties

The OCR can slap entities with a number of tier-based penalties for being HIPAA non-compliant.  The penalties are informed by civil law and vary depending on whether an entity knowingly, willingly, or neglectfully violated HIPAA.

An entity can be slapped with a $100 fine for every unknowing HIPAA violation and a maximum of $25,000 for repeat violations. However, the penalty can go up to $50,000 per violation up to a maximum of $1.5 million per year

The second-tier penalty is a maximum of $1,000 per violation and can be imposed on entities that violate HIPAA on a reasonable cause. The maximum penalty for the violation is $100,000 per year.  Like is the case with the first tier, the maximum fine per reasonable cause violation is $50,000 and a maximum of $1.5 million annually.

Finally, the third-tier penalty is imposed on entities that willfully neglect HIPAA but comply within a required time period. At this tier, each penalty attracts a minimum fine or $10,000, while repeat violations can lead to up to $250,000 in fines per year. The maximum fine per violation under this tier is $50,000 and the annual maximum if $1.5 million.

Entities that are found to have willfully neglected to be HIPAA compliant or fail to be compliant on time face a minimum of $50,000 per violation and an annual maximum of $1.5 million.

As you can see, any violation attracts a maximum penalty of $1.5 million per year. Therefore, an unknowing violation is not treated any different from an uncorrected or willful violation.

Is HIPAA Non-Compliance a Felony?

Criminal indictments for HIPAA noncompliance are rare. However, those that have happened have mostly been classified as misdemeanors. Generally, OCR prefers organizations to address the underlying causes of noncompliance and help them be compliant.

The Department of Justice oversees prosecuting HIPAA offenders. Similar to the case with monetary penalties, the criminal violations are considered in terms of tiers.

Use Automation Software to Achieve HIPAA Compliance

You can use various automation software to audit your organization’s compliance status. The software will provide a single source of truth, which will help you to save time and focus on securing the patient data environment.

Compliance automation software will make it easy for your firm to attain compliance while storing all the important documentation in one place.

Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.