What Penalties Apply to Violations of Privacy Rule Requirements?

In this lesson, we're going to cover all things related to HIPAA violation penalties and what the true costs are to your business or practice if this should happen to you. At the end of the lesson, we'll provide you with a Word about what constitutes a HIPAA violation.

The United States Department of Health and Human Service's Office for Civil Rights is responsible for administrating and enforcing the HIPAA standards and may conduct investigations and compliance reviews whenever they see fit.

Should you be found to be in violation of any privacy rule requirements, your business or practice could be responsible for paying civil penalties. These penalties are for each violation and can be stacked if there are multiple violations with respect to a single individual.

Penalties also depend on the type of violation. Civil penalties, for instance:

• Can range from $100 to $50,000 per violation
• Can go up to a maximum of $1.5 million per year

Criminal penalties on the other hand:

• Can range up to $250,000 in fines
• Can result in 10 years imprisonment for those knowingly or improperly disclosing information or obtaining information under false pretenses
• Can result in even higher penalties for violations designed for financial gain or deemed as malicious harm

The True Cost of a Data Breach

Let's go over the details of the cost of a data breach to your business or practice. Here are a few costs you may be subjected to:

1. Health and Human Services fines up to $1.5 million per violation or per year.
2. Federal Trade Commission fees up to $16,000 per violation.
3. Class action lawsuits from between $1000 and $500,000 since no one usually sues for less than $500,000.
4. State Attorney General can inflict fines of between $150,000 and $6.8 million.
5. Business or patient loss up to 50 percent.
6. The costs associated with offering ID monitoring and free credit reports to all people impacted, or somewhere around $10 to $30 per person.
7. Lawyer fees of at least $2000+.
8. Breach notifications costs of at least $1000.
9. Business associate changes and technology repairs of around $5000+.

A Word About What Constitutes a HIPAA Violation

There is much talk of HIPAA violations in this course, but what actually constitutes a HIPAA violation?

A HIPAA violation has occurred when a HIPAA covered entity – or a business associate – fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.

A violation may be deliberate or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed, and the minimum necessary information standard is violated.

When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although, as mentioned above, the penalties will often be at a lower rate than willful violations of HIPAA Rules.

An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications, which is a clear violation of the HIPAA Breach Notification Rule.

Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.

Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although the Office for Civil Rights typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity or business associate's plan to address the violations and change policies and procedures to prevent future violations from occurring.

It should be noted that financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules.