Not Complying with HIPAA?

August 01, 2019

Violating the Health Insurance Portability and Accountability Act (HIPAA) is not a joking matter!

In the first few weeks of 2018 alone, over $3 million was collected to resolve just two cases of HIPAA noncompliance. You read that right: just two cases!

    The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) upped its HIPAA enforcement efforts, and part of those efforts included increasing the fines for HIPAA violations by approximately 10%.

    Do you still think it’s not that important? If so, read on. Following are five consequences you and your facility or healthcare employees could face if found guilty of any HIPAA violations:


    HIPAA violations are often subject to hefty fines. The purpose of these penalties is to motivate facilities to operate in full compliance with HIPAA and to hold those who don’t accountable. HIPAA fines are tiered based on the severity of the violation and the facility’s knowledge of the noncompliance. There are four tiers:

    • If a facility was unaware (and could not have reasonably been aware) of a violation, the penalty ranges from $110 to $55,010 per violation.
    • If a violation occurs due to reasonable cause (and not willful neglect), the penalty ranges from $1,100 to $55,010 per violation.
    • If a violation is due to willful neglect but is corrected in a timely manner, the penalty ranges from $11,002 to $55,010 per violation.
    • If a violation is due to willful neglect but is not corrected in a timely manner, the maximum penalty of $55,010 per violation applies.

In all cases, if repeat violations occur in the same calendar year, the penalty is $1,650,300 per violation. The largest fine ever paid in a HIPAA settlement was $5.55 million, after Advocate Health System suffered three data breaches that compromised the privacy of four million patients.

A very important note is that the OCR can issue HIPAA fines for noncompliance even if there is no breach of ePHI. The types of noncompliance subject to these fines include failure to maintain proper security documentation, failure to train employees on privacy and security practices, and failure to obtain a Business Associate Agreement (BAA) with any third-party service provider.

On top of all this, state Attorneys General have the authority to issue HIPAA fines in addition to those issued by the OCR. Organizations may also have to spend more on legal defense against HIPAA violation charges.

    Corrective Action

If the OCR discovers a case of noncompliance, whether through a random compliance audit or a complaint investigation, it will seek to resolve the issue by requiring your facility to work through a corrective action plan, whose purpose is to bring your facility up to HIPAA compliance standards. In other words, you will be required to do the work that should have been done in the first place to follow HIPAA rules, but now under the strict supervision of the OCR.

Corrective action plans typically require that the following actions take place within a specified period of time:

    • ePHI risk analysis.
    • ePHI encryption (on all devices).
    • Documentation of policies and procedures related to privacy, security, and breach notification.
    • Workforce training.

    Jail Time

Some HIPAA violations may lead to criminal penalties. For instance, if someone deliberately discloses or sells a patient’s personal health information, that person could face criminal charges. In these cases, the OCR gets the Department of Justice (DOJ) involved. While rare, jail time may be ordered based on a three-tiered approach:

    • If someone willingly obtains or discloses ePHI, the penalty is up to one year in jail.
    • If someone obtains ePHI through deception, the penalty is up to five years in jail.
    • If someone obtains ePHI for personal gain or with intent to harm, the penalty is up to 10 years in jail.

To make matters worse, these jail sentences are typically accompanied by fines of $50,000 to $250,000. The fines and jail time for each offense depend on the charges as well as the state in which the offense occurred.

    Patient Mistrust

Failing to protect your patients' private health information and to be HIPAA compliant could be truly damaging to your business. If you compromise your patients' privacy, they will more than likely lose trust in you and seek healthcare elsewhere. They are also unlikely to recommend your practice to others. There goes your credibility.

    Also, if your practice experiences a security breach, you could be subject to unwanted media attention that will certainly deter new patients from coming to your practice. Similarly, the Freedom of Information Act makes reported HIPAA violations publicly accessible, meaning even one small violation could be a permanent blemish on your reputation.

If you have any questions about HIPAA compliance, please feel free to contact RevPro Healthcare Solutions or call us at 561-578-8400.