A HIPAA violation is a failure to comply with any aspect of HIPAA laws and regulations detailed in 45 CFR Parts 160, 162, and 164. It occurs when a covered entity or business associate violates one or more aspects of the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule.
The Department of Health and Human Services Office for Civil Rights (OCR) is responsible for the text of all published HIPAA regulations. There are 115 pages of regulations related to HIPAA standards.
There are many recurring and common violations, such as…
via HIPAA Journal
Organizations could face a HIPAA violation if they don’t notify OCR of a security incident related to protected health information (PHI) within 60 days of discovering the breach. Instances where an organization needs to notify OCR could include an employee texting PHI, sending health records to the wrong address, or stealing patient records.
No matter how someone mishandles or discloses PHI, OCR is responsible for enforcing consequences so that the situation won’t happen again. Although depending on the severity, there are different levels of penalties.
There are four different categories concerning civil HIPAA violations, and three tiers of criminal violations. For both civil and criminal penalties, each category or tier is more severe than the last.
Table of Contents
HIPAA Civil Penalties
It’s important to understand that none of the civil categories includes a punishment of prison time. All of these breaches involve varying amounts of monetary fines that increase as the situations become worse.
I should also mention that a HIPAA fine could multiply due to the number of days the breach occurred. This means that if a violation occurred for 10 days, then the fine will multiply ten times over. A fine isn’t based on the number of people affected by the violation.
OCR can implement fines of up to $50,000 per violation for civil penalties, no matter which category it is. They can penalize an organization up to $1,500,000 per calendar year for the same type of violation committed more than once. HITECH and the Omnibus Rule cap these monetary fines at $1,500,000 for each type of violation.
via Hinshaw
The attorney general can also get involved with civil HIPAA violations if the HHS hasn’t yet taken action. They can ensure that healthcare organizations don’t cause further breaches by penalizing them $100 per violation. The fines can’t exceed $25,000 for the same kind of recurring violation in the same calendar year.
Category 1
The lowest level of civil breaches has the minimum potential punishments. These are situations where a covered entity didn’t know the breach occurred. The organization couldn’t have realistically known that the violation occurred simply by exercising reasonable diligence.
The monetary fines for this type of violation range from a mere $100 to a whopping $50,000. The amount varies depending on how many PHI files got leaked during the breach.
Category 1 Example - Blabbermouth (Possible Scenario)
Imagine that you’re a security guard who works for a rehabilitation center. The facility helps drug addicts quit substance abuse and turn their life around.
You and your friend just got off of a 10-hour shift at 3:00 in the afternoon and are going out for coffee. You recognize one of the baristas, Crystal, at your favorite local coffee shop. Crystal used to be a patient at the rehab facility, and you can see now that she has turned her life around.
You approach her and ask how she’s been. One of the other baristas asks how you know each other. All of your HIPAA training goes out the door because you’re so excited to see her happy, healthy, and succeeding. You tell her coworker that she used to be a patient at the rehab center that you work at.
Crystal’s coworker has a shocked look on their face. She never mentioned that she used to be a drug addict, so no one at the coffee shop knew. Crystal later files a complaint because her coworkers treat her differently now that they know about her past. And it's all your fault because you couldn’t keep your mouth shut.
Category 2
The second category results from a breach that the organization should’ve been aware of, but couldn’t have prevented even with proper due diligence. Since the covered entity couldn’t prevent it, this category doesn’t encompass willful neglect. The Legal Information Institute defines willful neglect as the following…
OCR can implement fines ranging from $1,000 to $50,000 per incident.
Category 2 Example - Phishing to the Next Level (Possible Scenario)
It’s early in the morning, and you just arrived at work. You’re a senior manager for a small emergency room. You can’t open any of your files, so you contact your IT department. Before you get done writing the email, you receive a phone call.
You find out that one of your colleagues fell for a phishing attempt. Later, the OCR informs the public that it was one of the best phishing scams that they’ve ever seen. Your organization should’ve been aware that one of the employees fell for the scam, but there was nothing you could’ve done to prevent the situation since it was such a unique hack.
Category 3
This category involves willfully neglecting HIPAA rules and regulations which results in a violation. Another distinct factor of Category 3 violations is that the covered entity takes action within 30 days to address or resolve the situation.
Fines for these categories start at a minimum of $10,000 per violation but can reach up to $50,000.
Category 3 Example - Email Management (Possible Scenario)
Imagine that you’re a hospital manager, and you recently fired a nurse for misconduct in the workplace. The nurse returned their badge and technological devices that they used on the job.
Normally, employee emails get deleted after a week of official termination. However, because of extra stressors with the pandemic and an influx of patients, your team forgot to delete the email account.
The terminated employee accessed PHI and downloaded files that they shouldn’t have been able to access anymore. You have an alert set in place for when PHI gets downloaded onto an external computer. As soon as you see the alert, your eyes widen at the realization that their account was never deleted. You call the IT department, and the account gets deleted within the day.
Your organization is at fault for a breach since it willfully neglected the duties to terminate employee access. However, because you took action within 30 days of discovering the breach, the situation is only Category 3.
Category 4
The final and most severe type of civil HIPAA violation is a Category 4 breach. This category involves willful neglect while also making no effort to correct the violation in a reasonable timeframe.
The set fine for a category 4 incident is $50,000.
Category 4 Example - St. Joseph's Hospital and Medical Center
A real-world example involved a mother who asked for her son’s medical records in January 2018 from the hospital that treated him. She claimed that St. Joseph’s Hospital and Medical Center (SJHMC) failed to provide access to the records. The mother issued several follow-up requests between January to May 2018, yet the organization didn’t provide full access to the records.
An investigation conducted by OCR found that SJHMC had violated the HIPAA right of access clause. The right of access requires that the healthcare organization provides the requested records to the patient (or legal guardian of a patient who is a minor) within 30 days of the initial request. The only exception to this mandatory 30-day maximum is if the healthcare organization is in a situation where it can’t reasonably provide the information. In this case, an alternative is acceptable.
The mother didn’t receive the medical records until December 2019, 22 months after her initial request. You don’t need to be a math genius to know that this is way past the 30-day requirement). As a result, ORC announced in October 2020 that they fined SJHMC $160,000.
HIPAA Criminal Penalties
Unlike civil penalties, the Department of Justice handles criminal violations instead of OCR. They may also result in jail time. A judge decides the HIPAA criminal penalties based on the situation of every case.
Each of the three tiers builds off of one another. This means that everything involved in tier one is also involved in tiers two and three. And everything involved in tier two is also involved in tier three.
Tier 1
The first tier for HIPAA criminal penalties involves violations with wrongful disclosure of individually identifiable health information. The maximum penalties involve a $50,000 fine and/or up to one year of prison time.
Tier 1 Example - Jeffrey Luke (February 2017)
Jeffrey Luke, a former behavioral analyst at the Transformations Autism Treatment Center (TACT), stole PHI after the organization fired him. Luke downloaded the PHI of 300 current and former patients onto his personal computer.
About one month after Luke’s termination, TACT realized that patient information was being accessed and downloaded remotely. The company launched an investigation involving law enforcement and alerted the FBI. They identified Luke as the perpetrator with his IP address. A search of his residence uncovered a computer containing stolen ePHI records and TACT forms.
Luke pleaded guilty to the charges and received a 30-day jail sentence. He was also ordered three years of supervised release and had to pay $14,941.36 in restitution. Why such a weird number? I don’t know. You’ll have to ask the judge.
Tier 2
The second tier results from wrongful disclosure of individually identifiable health information committed under false pretenses. This last part is what differentiates it from Tier 1. The maximum penalty is up to $100,000 and/or five years of prison time.
Tier 2 Example - Jennifer Lynne Bacor (June 2021)
Jennifer Lynne Bacor, a former Cedar Rapids hospital employee, pleaded guilty to wrongfully obtaining individually identifiable health information under false pretenses. Bacor worked at the hospital as a patient care technician.
She accessed her ex-boyfriend's PHI who was being treated at the hospital. She wasn’t permitted to access files unrelated to her patients. Since her ex wasn’t her patient, she shouldn’t have accessed his information. She also took a picture of a medical photograph and shared it with another person. This other individual then shared the photograph on Facebook Messenger along with “taunting language and emojis.”
As her penalty, Bacor has to serve five years' probation and will pay a $1,000 fine. In addition to the probation, she’s no longer allowed to work for any organization that deals with private medical information.
Tier 3
Tier 3 also involves wrongful disclosure of individually identifiable health information under false pretenses. But what makes Tier 3 different from Tier 2 is that the individual committing the crime does so with the intent to sell, transfer, or use data for commercial advantage, personal gain, or malicious harm. The maximum fine is $250,000 and the maximum amount of prison time is ten years.
Tier 3 Example - Stacy Lavette Hendricks (January 2021)
Stacy Lavette Hendricks worked for several medical clinics in Florida in an administrative role. She sought out patients’ birth dates and social security numbers in order to steal their identities. Hendricks then sold the identities for profit or defrauded businesses herself. Agents found 113 distinct identities in her vehicle that she stole from the clinic’s patients.
Hendricks pleaded guilty to wire fraud and identity theft. For the wire fraud offense, Hendricks received a maximum penalty of 20 years in prison. Following this, she will also serve a mandatory two-year term in prison for the identity theft charge.
Conclusion
By now, you know the severity that comes with HIPAA violations. Just like an onion, the penalties for a violation have different layers.
Depending on the situation, they can cause up to millions of dollars in fines if the breaches continue to occur. Even worse, perpetrators can face decades behind bars.
There are so many instances that a healthcare organization may fail to comply with HIPAA Rules. Because they can vary, there are different penalties determined by OCR and the Department of Justice.
