HIPAA Compliance: The Financial Consequences of Violating the Rules

HIPAA compliance is one of the most important concerns for healthcare organizations since it ensures that patient and employee information is protected so that it never falls into the wrong hands. While many health systems follow the compliance of HIPAA and have the proper security measures in place, there still have been numerous data breaches within healthcare systems in which patients' health information, social security numbers, addresses, and so on have been exposed due to lack of security measures. Despite the strict laws that come into place, protected health information (PHI) is still unlawfully disclosed in some cases causing serious violations, as well as large fines due to the breach. Consequently, most data breaches occur as a result of either information being accidentally exposed or because of a HIPAA violation.

Data breaches are broken up in tiers.

There are several levels of penalizing violators for disclosing sensitive PHI due to the varying different causes of exposed information. The four tiers are broken up in its level of severity and consequences. Additionally, there are ranges for each fine as well as there may be more than one fine, depending on the tier. As a result, the total amount of fines that can be issued each year is limited.

Tier 1

The covered entity was not aware of the broken rule and HIPAA violation. In addition, the covered entity was unaware of this violation until the issue escalated. Violations of this tier could have been caused by theft of devices as well as documents of disclosed information. Because of the lack of ill intent, fines range up to $100-$50,000 with a maximum of $25,000 per year.

Tier 2

In tier 2, the covered entity was knowingly violating HIPAA guidelines. To elaborate, “the covered entity knew or should have known through due diligence that its action (or omission) violated HIPAA, but the violation was not caused by willful neglect” (HHS.gov). Violations of this tier could have been caused by an entity who improperly disposed of discrete information which was then stolen. Fines increase in severity due to the complexity of contributing to a data breach. Fines range from $1,000- $50,000 with a maximum of $100,000 per year.

Tier 3

While both tier 3 and 4 involves the violation of willful neglect to secure PHI. The determination for a violation being a part of tier 3 is how the company responds to the violation. Violations of this tier could have been caused because an entity did not do risk assessment checks and lacked the security measures HIPAA advises businesses to do. Tier 3 violations are those where the violating party responded and resolved the issue within 30 days, incurring a lighter punishment than tier 4 violations. Responding within 30 days shows that the service has the intent to fix the violation that they caused. Fines range from $10,000- $50,000 with a maximum of $250,000 per year.

Tier 4

Tier 4 is the greatest level of the penalty. Despite sharing similarities with Tier 3 violations, the response in Tier 4 cases is very different. Failing to respond and resolve the issue within 60 days, a citation for the level 4 infraction will be issued. The Department of Human and Health Services has reason to believe that the company is not making any serious attempt to fix the problem they've created. The fines can start at $50,000 and go up to $1.5 million. However, keep in mind that these sanctions are limited for small scale scenarios where not many individuals were affected. Larger scale data breaches can cause a company to pay millions of dollars in damages.

In general, it is the responsibility of those working with health information to ensure the confidentiality of sensitive data belonging to patients, clients, and staff. It is crucial that organizations are familiar with HIPAA rules, and the recommendations provided by the law regarding the protection of sensitive data.

The Infiniwiz technical team takes a proactive approach to securing client sensitive data. We set up the right IT protocols and help you put in place the employee procedures that will keep your data and network safe from online predators.