The Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general are authorized to issue penalties for HIPAA violations. Besides paying financial penalties, covered entities must follow a corrective action plan to have policies and procedures that are according to the criteria specified by HIPAA.
The Health Insurance Portability and Accountability Act of 1996 put certain specifications on HIPAA-covered entities to secure patients’ Protected Health Information (PHI), and to stringently manage when and to whom PHI can be disclosed.
From the Enforcement Final Rule of 2006, OCR has been authorized to issue financial fines (and/or corrective action plans) to any covered entity that violates the HIPAA Rules.
There was an update of the financial penalties for HIPAA violations as per the HIPAA Omnibus Rule. Changes were introduced in accordance with the Health Information Technology for Economic and Clinical Health Act (HITECH). Enforcement of the Omnibus Rule began on March 26, 2013.
When the Omnibus Rule was introduced, the new HIPAA violations penalties covered healthcare providers, healthcare clearinghouses, health plans, business associates (BAs) of covered entities, and all other covered entities that are determined to have breached HIPAA Rules.
Financial penalties are supposed to deter or prevent the infringement of HIPAA regulations, and ensure that covered entities are made accountable for their actions or inaction with regards to safeguarding the privacy and confidentiality of patients’ health data, and giving patients access to their health information when requested.
There are tiers of penalties for a violation of HIPAA regulations, according to a covered entity’s knowledge of the violation. The OCR assigned the penalty according to several “general factors” and the severity of the violation.
Ignorance of HIPAA Rules is not considered as an excuse for not complying with HIPAA Rules. Each covered entity is responsible for ensuring that HIPAA Regulations are known and observed. When a covered entity is found to have willfully violated HIPAA laws, it will face the maximum penalties.
What Makes up a HIPAA Violation?
The media talks about a lot of HIPAA violations, however, what makes up a HIPAA violation? A HIPAA-covered entity or a business associate commits a HIPAA violation when it fails to observe at least one of the terms of the HIPAA Privacy, Security, or Breach Notification Regulations.
A violation could be willful or not intentional. An unintentional HIPAA violation occurs when more PHI is shared compared to the least required information. When PHI is shared, it should be restricted to the minimum required information to realize the intention for which it is shared. Financial penalties for HIPAA violations could be given for unintentional HIPAA violations, though the penalties is less compared to deliberate HIPAA violations.
A willful violation is unnecessarily putting off the sending of breach notification letters to individuals and going beyond the required 60 days after the breach is discovered. This violates the HIPAA Breach Notification Rule.
A lot of HIPAA violations are due to negligence, for example, the inability to conduct a company-wide risk evaluation. Financial fines for HIPAA violations have often been given for failure to do risk evaluation.
Penalties for HIPAA violations could possibly be released for all HIPAA violations, though OCR generally resolves the majority of cases by means of voluntary compliance, providing technical support, or agreeing to a covered entity or business associate’s plan to deal with the violations and modify policies and guidelines to avert more violations from happening. Penalties for HIPAA violations are earmarked for the major HIPAA Rules violations.