Health Insurance Portability and Accountability Act (HIPAA)

HIPAA (Health Insurance Portability and Accountability Act), also known as the Kennedy–Kassebaum Act, is a federal law that was enacted in 1996. HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has risen to greater prominence in recent years because of the many health data breaches caused by cyber attacks and ransomware attacks on health insurers and providers.

The federal law was signed by President Bill Clinton on Aug. 21, 1996. HIPAA overrides state laws regarding the safety of medical information, unless the state law is considered more stringent than HIPAA. Of the Act’s five titles, Title II concerns health care information security.

What is the purpose of HIPAA?

HIPAA, also known as Public Law 104-191, has two main purposes: to provide continuous health insurance coverage for workers who lose or change their job and to ultimately reduce the cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. Other goals include combating abuse, fraud and waste in health insurance and healthcare delivery, and improving access to long-term care services and health insurance.

What are the 5 main components of HIPAA?

HIPAA contains five sections, or titles:

  • Title I: HIPAA Health Insurance Reform. Title I protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases and preexisting conditions and from setting lifetime coverage limits.
  • Title II: HIPAA Administrative Simplification. Title II directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
  • Title III: HIPAA Tax-Related Health Provisions. Title III includes tax-related provisions and guidelines for medical care.
  • Title IV: Application and Enforcement of Group Health Plan Requirements. Title IV further defines health insurance reform, including provisions for individuals with preexisting conditions and those seeking continued coverage.
  • Title V: Revenue Offsets. Title V includes provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax purposes.
 

In healthcare circles, adhering to HIPAA Title II is what most people mean when they refer to HIPAA compliance. Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:

  • National Provider Identifier Standard. Each healthcare entity, including individuals, employers, health plans and healthcare providers, must have a unique 10-digit National Provider Identifier number, or NPI. This number carries no extra information about the healthcare provider, such as the state in which they live or their medical specialty.
  • Transactions and Code Sets Standard. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims. The HIPAA Transactions and Code Sets Rule relates to the standardization of electronic transactions.
  • HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information. The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by covered entities, and protects individuals’ rights to understand and control how their health information is used.
  • HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information (ePHI) set standards for patient data security. The HIPAA Security Rule complements the Privacy Rule and deals specifically with ePHI.
  • HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations. It also establishes procedures for compliance and investigations and sets civil money penalties for violations of the HIPAA Administrative Simplification (AS) Rules. HHS’s Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. All healthcare organizations impacted by HIPAA are required to comply with the standards within two years of adoption. The Enforcement Rule is supplemented by the HITECH Act of 2009.
 

The HHS Office for Civil Rights (OCR), which enforces HIPAA, performs audits and can issue penalties for HIPAA noncompliance. HIPAA violations can prove quite costly for healthcare organizations.

HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes the first national standards in the United States to protect patients’ personal or protected health information (PHI).

HHS issued the rule to limit the use and disclosure of sensitive PHI. It seeks to protect the privacy of patients by requiring doctors to provide patients with an account of each entity to which the doctor discloses PHI for billing and administrative purposes, while still allowing relevant health information to flow through the proper channels.

The Privacy Rule also guarantees patients the right to receive their own PHI, upon request, from healthcare providers covered by HIPAA.

The HIPAA Privacy Rule applies to organizations that are considered HIPAA-covered entities. It also requires covered entities that work with a HIPAA business associate to produce a contract that imposes specific safeguards on the PHI that the BA uses or discloses.

What are HIPAA-covered entities?

HIPAA only applies to covered entities and their BAs.

A HIPAA-covered entity is any organization or corporation that directly handles PHI or personal health records (PHRs). Covered entities are required to comply with HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) Act mandates for the protection of PHI and PHRs.

Covered entities fall into three categories:

  1. Healthcare provider. Healthcare providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.
  2. Health plan. Health plans include health insurance companies, health maintenance organizations (HMOs), company health plans and government healthcare programs, such as Medicare, Medicaid and military healthcare programs.
  3. Healthcare clearinghouse. Healthcare clearinghouses are entities that process nonstandard health information they receive from another entity into a standard format or vice versa. Examples include billing services and community healthcare systems for managing health data.

Entities can use the HHS online tool to determine if they qualify as a HIPAA-covered entity or BA and, consequently, if they must comply with HIPAA or not.

Covered entities must not use or disclose PHI except:

  • If the Privacy Rule permits or requires it.
  • If an individual (or their representative) authorizes the disclosure of their information in writing.

Covered entities must disclose PHI in only two situations:

  • To individuals (or their representatives) when they request access to their PHI.
  • To HHS when it is undertaking a compliance investigation or review or enforcement action.

Covered entities are permitted but not required to use and disclose PHI without an individual’s authorization:

  • To the individual who is the subject of the information.
  • For their own treatment, payment and health care operations activities.
  • When informal permission has been obtained by asking the individual outright.
  • As a result of, or “as incident to” an otherwise permitted use or disclosure (as long as the covered entity has adopted reasonable safeguards and the information shared is limited to the “minimum necessary”).
  • For 12 national priority purposes. Specific conditions or limitations apply to each public interest purpose.
  • As part of a limited data set (i.e. when certain specified direct identifiers have been removed) for research, health care operations and public health purposes.
 

There are no restrictions on the use or disclosure of information that cannot be used to identify an individual.

Among many other obligations, covered entities must keep track of PHI disclosures, must document privacy policies and procedures, must appoint a Privacy Official, and must train all members of staff in relevant procedures.

See the HHS website for full information on the Privacy Rule

What information is protected under HIPAA?

The HIPAA Privacy Rule protects all individually identifiable health information that is held or transmitted by a covered entity or a BA. This information can be held in any form, including digital, paper or oral.

PHI includes but is not limited to the following:

  • a patient’s name, address, birth date, Social Security number, biometric identifiers or other personally identifiable information (PII);
  • an individual’s past, present or future physical or mental health condition;
  • any care provided to an individual; and
  • information concerning the past, present or future payment for the care provided to the individual that identifies the patient or information for which there is a reasonable basis to believe could be used to identify the patient.

PHI does not include the following:

  • employment records, including information about education, as well as other records subject to or defined in the Family Educational Rights and Privacy Act (FERPA); and
  • deidentified data, meaning data that does not identify or provide information that could identify an individual — there are no restrictions to its use or disclosure.
 

Specific examples of PHI include a medical record, laboratory report or hospital bill because these documents contain identifying information — the patient’s name, for example — associated with health data.

One example of information that is not PHI would be blood pressure or heart rate data collected by a consumer health device, like a smartwatch, because it is not shared with a covered entity.

Administrative requirements

The Privacy Rule lays out certain administrative requirements that covered entities must have in place.

These requirements include the following:

  • A privacy official, such as a chief privacy officer (CPO), must be appointed who is responsible for developing and implementing policies and procedures at a covered entity.
  • Employees, including volunteers and trainees, must be trained on policies and procedures.
  • Appropriate administrative, technical and physical safeguards must be maintained to protect the privacy of PHI in a covered entity.
  • A process for individuals to make complaints concerning policies and procedures must be in place at a covered entity.
  • If PHI is disclosed in violation of its policies and procedures, a covered entity must mitigate — to the furthest extent actionable — any harmful effects.
 

HIPAA-permitted uses and disclosures

The HIPAA Privacy Rule defines when a covered entity may use or disclose an individual’s PHI. There are two conditions in which use or disclosure is allowed:

  1. if the Privacy Rule specifically permits or requires it — if the covered entity is using the data themselves, or transmitting it to another covered entity, the Privacy Rule permits it; and
  2. if the subject of the information gives written authorization.
 

These stipulations aim to facilitate the interoperability of the health information technology (IT) environment by making sure that electronic health information is made available to the right people at the right time. In certain cases — like a national emergency (a pandemic, for example) — parts of the Privacy Rule may be changed to permit PHI disclosure that would, in normal circumstances, be a violation.

HIPAA Privacy Rule penalties

Under the HIPAA Privacy Rule, falling victim to a healthcare data breach, as well as failing to give patients access to their PHI, could result in a fine from OCR.

Privacy rule penalties vary depending on the severity of the infraction. They are split into four categories:

  1. Unknowingly violating HIPAA is $100 per violation, with an annual maximum of $25,000 for repeat violations.
  2. Reasonable cause for violating HIPAA is $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
  3. Willful neglect of HIPAA, but the violation is corrected within a given time period, is $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
  4. Willful neglect of HIPAA, and the violation remains uncorrected, is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
 

Covered entities and individuals who intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000 fine and up to 10 years in prison.

Organizations can lower their risk of regulatory action through HIPAA compliance training programs. OCR offers guidance through educational programs on complying with privacy and security rules. A number of consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, which often encompass each organization’s current HIPAA privacy and security policies, the HITECH Act, mobile device management (MDM) processes and other applicable guidelines.

While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.

The Transactions and Code Sets Rule

The HIPAA Transactions and Code Sets Rule relates to the standardization of electronic transactions.

HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information, commonly known as the HIPAA Security Rule, establishes national standards for securing patient data that is stored or transferred electronically. It draws from the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

The HIPAA Security Rule complements the Privacy Rule and deals specifically with Electronic Protected Health Information (ePHI). It states that covered entities must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce.
 

The Security Rule identifies certain administrative, physical and technical security safeguards that need to be implemented by covered entities to protect ePHI and establishes the standards that should be used to address these safeguards.

For each Standard, the Rule names required specifications (which must be implemented) and addressable specifications (which are more flexible). The covered entity’s choice of addressable specifications must be documented, and should be regularly reviewed and modified according to changes in security effectiveness as determined by risk analysis.

OCR enforces the HIPAA Security Rule, which aims to balance patient security with the advancement of health technology.

The rule requires the placement of safeguards, both physical and electronic, to ensure the secure passage, maintenance and reception of PHI. When addressing the risks and vulnerabilities associated with PHI and ePHI, healthcare organizations should ask three key risk analysis questions:

  1. Can the sources of ePHI and PHI within the organization — including all PHI created, received, maintained or transmitted — be identified?
  2. What are the external sources of PHI?
  3. What are the human, natural and environmental threats to information systems that contain ePHI and PHI?
 

Using the answers to these questions, organizations can decide what measures they need to take to maintain or develop a HIPAA-compliant security management process, for example:

  • design a personnel screening process;
  • identify which data to back up;
  • determine how and where to back up data;
  • determine how and where encryption should be used;
  • determine what data should be authenticated for data integrity; and
  • implement access control for physical workstations and electronic media, as well as data.
 

Under HHS’ meaningful use program for certified health IT, healthcare organizations receiving federal incentive payments must attest to following privacy and security procedures based on HIPAA.

See the HHS website for full information on the Security Rule

The Unique Identifiers Rule

The HIPAA Unique Identifiers Rule states that all HIPAA-covered health care providers using electronic communications must use a single National Provider Identifier (NPI). The NPI is a unique ten-digit identification number that carries no extra information about the health care provider such as the state in which they live or their medical specialty.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule modifies the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under the HITECH Act.

The HIPAA Omnibus Rule marked the most extensive changes to the HIPAA Privacy and Security Rules since they were first implemented. Changes include the following:

  • strengthening the privacy and security protection for individuals’ PHI;
  • modifying the Breach Notification Rule for unsecured PHI and putting in place more objective standards for assessing a healthcare provider’s liability following a data breach;
  • modifying the HIPAA Privacy Rule to strengthen the privacy protections for genetic information;
  • outlining OCR’s data privacy and security enforcement strategies, as updated for the electronic health record (EHR) era and as mandated by the HITECH Act;
  • extending the Breach Notification Rule to vendors of EHRs and EHR-related systems;
  • holding HIPAA BAs to the same standards for protecting PHI as covered entities, including subcontractors of BAs, in the compliance sense;
  • stipulating that, when patients pay by cash, they can instruct their provider not to share information about their treatment with their health plan;
  • setting new limits on how information is used and disclosed for marketing and fundraising purposes;
  • prohibiting the sale of an individual’s health information without their permission;
  • making it easier for parents and others to give permission to share proof of a child’s immunization with a school;
  • streamlining an individual’s ability to authorize the use of their health information for research purposes;
  • increasing penalties for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation; and
  • guaranteeing that organizations can operate with certainty that their privacy and security policies comply with all the applicable regulations.
 

What are HIPAA business associates and their contract requirements?

HIPAA defines a BA as any organization or person working in association with or providing services to a covered entity who handles or discloses PHI or PHRs.

Under the HITECH Act, any HIPAA BA that serves a healthcare provider or institution is subject to audits by OCR within HHS and can be held accountable for a data breach and penalized for noncompliance.

According to the HHS, some examples of BAs include the following:

  • when a health plan uses a third-party administrator to help with claims processing;
  • if a certified public accountant (CPA) firm provides accounting services to a healthcare provider and has access to protected health information;
  • when a hospital has a consultant perform utilization reviews;
  • when a healthcare clearinghouse translates a claim from a nonstandard format to a standard format for a healthcare provider and then sends the processed transaction to a payer;
  • when a physician uses an independent medical transcriptionist’s services;
  • when a pharmacy benefits manager manages a health plan’s pharmacist network; and
  • when a covered entity uses a cloud storage service to store PHI.
 

Mobile application developers could also be considered HIPAA BAs because many healthcare mobile applications handle PHI.

HHS gave a scenario where an app developer would be considered a HIPAA BA: A patient is told by their provider to download a health app to their smartphone. The app developer and the provider have a contract for patient management services that includes remote patient health counseling, patient messaging, food and exercise monitoring, and EHR integration and application program interfaces (APIs). Furthermore, the information the patient inputs into the application is automatically incorporated in the EHR.

A HIPAA BA agreement (BAA) is a contract between a HIPAA-covered entity and a HIPAA BA. The contract protects PHI in accordance with HIPAA guidelines.

According to HHS, HIPAA BA contracts or other written arrangements should do the following:

  • describe how the BA is permitted and required to use PHI;
  • require that the BA not use or disclose PHI, other than as specified in the contract or as required by law;
  • require the BA to use appropriate safeguards to ensure the PHI is used as detailed in the contract;
  • demonstrate how a BA would report and respond to a data breach, including data breaches that are caused by a BA’s subcontractors;
  • demonstrate how the BA would respond to an OCR investigation; and
  • require the covered entity to take reasonable steps to cure any breach by the HIPAA BA if and when it becomes aware of one. If this is unsuccessful, the covered entity is required to terminate the contract with the BA; if termination is also not possible, the covered entity should report the incident to OCR.

How the HITECH Act changes HIPAA compliance

Thanks to the HITECH Act, HIPAA compliance has become stricter, with bigger fines for data breaches and restrictions on the use of personal data. The HITECH Act imposes stricter penalties for HIPAA violations and requires data breaches affecting 500 or more individuals to be reported to HHS and the media, as well as to the affected individuals. The HITECH Act also extends the Privacy and Security Rules of HIPAA to apply to the business associates of HIPAA covered entities. The purpose of this act is to promote the adoption and meaningful use of health information technology.

The biggest change to HIPAA compliance is the significant toughening of data breach notification laws, which now not only impose larger fines and require more extensive public notifications when data is lost, but also apply to a health care provider’s business associates. Additional updates to HIPAA compliance affect the way providers are authorized to use personal health information for marketing and communication purposes.

The chart below summarizes the major changes made to the HIPAA Privacy and HIPAA Security rules by the HITECH Act. The Department of Health & Human Services outlined these changes in its proposed rule on HIPAA compliance modifications under the HITECH Act, although it should be noted that some of the modifications within that rule are independent of the HITECH Act.

Much of this information comes courtesy of the American Association of Oral and Maxillofacial Surgeons, whose research on HIPAA compliance was passed along by Christopher Paidhrin, security compliance officer for the Southwest Washington Medical Center in Vancouver.

Issue: Definition of CE
  HIPAA: Health plan, clearinghouse or provider involved in the disclosure of PHI
  HITECH Act: Expanded to include HIE, RHIO, e-prescribing gateway and subcontractor

Issue: Is a BA a CE?
  HIPAA: No
  HITECH Act: Yes — subject to HIPAA Privacy and HIPAA Security rules

Issue: Data breach notification
  HIPAA: No direct obligation, though state laws vary
  HITECH Act: Notification required if more than 500 patients affected

Issue: Data breach enforcement
  HIPAA: Collaborative investigation involving HHS and CE
  HITECH Act: HHS investigation to determine willful neglect [1]; expanded to include individual employees at CE and BA

Issue: Data breach penalties
  HIPAA: Minimum of $100, maximum of $25,000
  HITECH Act: $100 to $50,000 per violation, with yearly maximum of $25,000 to $1.5 million and mandatory penalties for willful neglect

Issue: Sale of PHI
  HIPAA: Allowed
  HITECH Act: Prohibited by CEs and BAs without valid authorization, save for certain conditions [2]

Issue: Use of PHI in marketing communications
  HIPAA: Authorization required, with three exceptions — CE services, treatment, case management/alternative treatment
  HITECH Act: Expanded to ban direct or indirect payment for communications; now applies to BAs

Issue: Dissemination of PHI to patients
  HIPAA: Only if readily available
  HITECH Act: Must be provided, preferably in electronic format; fee cannot exceed labor cost

Issue: Fundraising opt-out
  HIPAA: If patients opt out, CE must make “reasonable efforts” to stop
  HITECH Act: If patients opt out, CE must stop

Issue: Definition of electronic media
  HIPAA: Limited to storage media, such as tape and disk
  HITECH Act: Expanded to reference Internet and VoIP technology

Key to acronyms

BA = business associate
CE = covered entity
HHS = Department of Health & Human Services
HIE = health information exchange
PHI = personal health information
RHIO = regional health information organization

[1] The “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated”

[2] Public health activities; research; treatment; services rendered by a BA; or “the sale, transfer, merger, or consolidation of all or part of a CE”

HIPAA violation

If you believe a covered entity or business associate has violated your or anyone else’s health information privacy rights or has committed another violation of the Privacy, Security, or Breach Notification Rules, you should file a complaint with OCR within 180 days of discovering the alleged violation.

OCR reviews all complaints it receives. According to the HHS website, OCR received 27,182 complaints in 2020, compared with 12,915 in 2013. If a covered entity or business associate is found to have breached the Privacy or Security Rules, OCR will attempt to resolve the case by obtaining voluntary compliance, corrective action, and/or a resolution agreement from the covered entity. If OCR is not satisfied with the resolution, it may decide to impose civil money penalties (CMPs) on the covered entity.

The HIPAA violation penalty structure is tiered according to the cause of the incident and the actions taken to remedy it. In cases of willful neglect, fines are much higher than those incidents that covered entities and business associates would not have known about by exercising reasonable diligence.

A single incident might result in multiple violations. If, for example, the records of 500 individuals were lost in one incident, that would count as 500 violations.

  • CMPs for HIPAA violations range from fines of $100 per violation (with an annual maximum of $25,000 for repeat violations) to fines of $50,000 per violation (with an annual maximum of $1.5 million).
  • Criminal penalties range from fines of $50,000 and one year’s imprisonment to fines of $250,000 and ten years’ imprisonment.
 

All enforcement data is available on the HHS website

HIPAA violation and penalties

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

Failure to comply with HIPAA requirements can result in civil and criminal penalties. These civil and criminal penalties can apply to both covered entities and individuals.

Section 13410(D) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act by establishing:

  • Four categories of violations that reflect increasing levels of culpability
  • Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation
  • A maximum penalty amount of $1.5 million for all violations of an identical provision
 

What Happens When HIPAA Is Violated? – Classification of HIPAA Violations

What happens when you violate HIPAA? The answer depends on the severity of the breach that occurred. OCR prefers to settle HIPAA violations using non-punitive actions; however, if the violations are serious, have been permitted to go on for a long time, or if there are multiple areas of noncompliance, financial sanctions may be deemed necessary. There are four categories of HIPAA violations, each of which has a different penalty structure. With unknown violations, where the covered entity could not have been expected to prevent a data breach, it may seem unreasonable for financial penalties to be issued. OCR accepts this, and has the discretion to decide not to issue a penalty. The penalty cannot be waived if the violation involved deliberate neglect of the HIPAA Privacy, Security and Breach Notification Rules.

Structure of HIPAA Violation Penalties

Each category of HIPAA violation carries a different HIPAA penalty range. It is up to OCR to determine a financial penalty within that range. OCR considers a number of factors when calculating penalties, such as the duration of time a violation was allowed to continue, the number of people affected and the nature of the data exposed, the harm caused as a result of the violation, and previous compliance history. An organization’s willingness to help with an OCR investigation is also taken into account as is the ability to pay a fine.

A data breach or security incident that occurs due to any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could possibly be issued for any violation of HIPAA rules, however small.

A HIPAA fine may also be issued on a daily basis. For example, if a covered entity has been denying patients the right to access copies of their medical records, and had been doing so for a period of one year, OCR may decide to apply a penalty per day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been denied access to their medical records.

HIPAA penalty fines are issued per violation, although there are caps on the total fines for violations of the same provision. The financial penalties for HIPAA violations were increased by the HITECH Act to act as a more powerful deterrent and to encourage covered entities to comply, and the maximum annual penalty for violations of the same provision was capped at $1.5 million across all four penalty tiers. On April 28, 2019, HHS announced that it had reviewed the HITECH Act, reinterpreted the maximum annual penalties and reduced the maximum annual penalty in three of the four penalty tiers. This will be addressed in further rulemaking, but HHS will be using the penalty structure below until further notice.

HIPAA Violation Fines Can Also Be Issued by State Attorneys General

Since the HITECH Act (Section 13410(e)(1)) became effective in February 2009, state attorneys general have had the power to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and to initiate civil actions over those violations. HIPAA violation fines can be applied up to a maximum of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.

A covered entity suffering a data breach affecting residents of multiple states may be ordered to pay HIPAA violation penalties to attorneys general in multiple states. At present only a small number of U.S. states have taken legal action against HIPAA offenders, but since attorneys general are able to keep a percentage of the fines issued, more attorneys general may decide to fine covered entities in the future. The number of states issuing fines for HIPAA violations is increasing.

Criminal Penalties for HIPAA Violations

Along with civil financial penalties for HIPAA violations, criminal charges can be filed against the persons responsible for violations of HIPAA Rules. Criminal penalties for HIPAA violations are split into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each case. Criminal penalties are handled by the Department of Justice.

As with OCR, a number of general factors are taken into account that influence the fine and jail term. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be given back, in addition to the payment of a HIPAA violation penalty fine, up to a maximum of $250,000.

The different tiers for HIPAA criminal penalties are:

Tier 1:   Reasonable cause or no knowledge of violation – a maximum of 1 year in jail
Tier 2:   Obtaining PHI under false pretenses – a maximum of 5 years in jail
Tier 3:   Obtaining PHI for personal gain or with malicious intent – a maximum of 10 years in jail

In the last few years, the number of employees found to be accessing or stealing PHI – for various reasons – has risen. The value of PHI on the black market is high, and this can be a big temptation for some people. It is therefore vital that security controls are put in place to limit the potential for individuals to steal patient data, and for systems and policies to be implemented to ensure improper access and theft of PHI is identified quickly.

All staff members who may come into contact with PHI as part of their work duties should be made aware of the HIPAA criminal penalties and that violations of HIPAA may result in more than just termination of employment.

Civil Penalties for Unknowingly Violating HIPAA

Although, as noted above, OCR has the discretion to waive a civil penalty for unknowingly breaching HIPAA, ignorance of HIPAA regulations is not considered a justifiable excuse for not implementing the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for not fully understanding HIPAA requirements and subsequently failing to complete a thorough risk assessment.

Due to the incomplete risk assessment, the PHI of 1,391 individuals was potentially impermissibly disclosed when a laptop containing PHI was stolen from a car parked outside an employee’s home. Speaking after details of the fine had been revealed, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for not considering security protections.

There is also potential for a CE or BA to receive a civil penalty for unknowingly breaching HIPAA if the state in which the violation happens allows citizens to bring legal action against the person(s) or entity responsible for the violation. Although HIPAA lacks a private cause of action, people can still use the regulations to establish duty of care under common law.

Penalties for HIPAA Violations May Be Issued for HIPAA Compliance Audit Failures

If a CE or BA is found not to have adhered to HIPAA regulations, OCR has the authority to issue penalties for HIPAA noncompliance even if there has been no breach of PHI or no complaint filed.

After some delay, OCR has carried out the second phase of its HIPAA compliance audit program. The audits were not carried out specifically to find HIPAA violations and to issue financial penalties, although if serious breaches of HIPAA Rules are found, financial penalties may be deemed necessary.

The first phase of HIPAA compliance audits was finished in 2012 and showed many covered entities were having difficulties with compliance. OCR gave technical assistance to help those entities address areas of noncompliance and no penalties for HIPAA violations were applied.

Five years on, HIPAA covered entities have had plenty of time to develop their compliance programs. OCR is not expected to be as lenient on this occasion.

One of the largest areas of noncompliance with HIPAA Rules found during the first phase of compliance audits was the failure to complete a comprehensive, organization-wide risk assessment.

The risk assessment is important for developing a good security posture. If a risk assessment is not completed, a covered entity will be unaware whether any security weaknesses exist that pose a risk to the confidentiality, integrity, and availability of ePHI. Those risks will therefore not be controlled and reduced to an acceptable level.

The failure to enter into Business Associate Agreements (BAAs) with third-party service providers can attract financial penalties for HIPAA noncompliance. Several covered entities have been fined for not revising BAAs written before September 2014, when all existing BAAs were made invalid by the Final Omnibus Rule. In September 2016, the Care New England Health System was issued a fine of $400,000 for HIPAA noncompliance that included the failure to update a BAA originally completed in March 2005.

BAAs are a key area that OCR will be reviewing throughout its audit program. BAAs – contracts that lay out the allowable uses and allowable disclosures of PHI – should be signed with every third party to whom PHI is disclosed (including lawyers) to ensure they are made aware of their responsibilities with respect to HIPAA.

Civil monetary penalties

Tier 1:   Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation – $100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
Tier 2:   The HIPAA violation had a reasonable cause and was not due to willful neglect; the covered entity should have been aware of it but could not have prevented it even with a reasonable amount of care – $1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
Tier 3:   The HIPAA violation was due to willful neglect, but the violation was corrected within the required time period (within 30 days) – $10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
Tier 4:   The HIPAA violation was due to willful neglect and no efforts have been made to correct the violation in a reasonable time frame – $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

Criminal penalties

Tier 1:   Unknowingly or with reasonable cause – up to one year in jail
Tier 2:   Under false pretenses – up to five years in jail
Tier 3:   For personal gain or malicious reasons – up to ten years in jail

Should you file a complaint? 

If you believe a covered entity or business associate has violated your or anyone else’s health information privacy rights or has committed another violation of the Privacy, Security, or Breach Notification Rules, you should file a complaint with OCR within 180 days of discovering the alleged violation. To report a HIPAA violation, you can use the Complaint Portal Assistant on the US Department of Health and Human Services Office for Civil Rights (OCR) website. If you have questions, you may contact the OCR toll free at 800-368-1019 (TDD: 800-537-7697). For additional contact information, see the OCR’s Contact Us page.

OCR reviews all complaints it receives. According to the HHS website, 27,182 complaints were received in 2020, compared with 12,915 in 2013. If a covered entity or business associate is found to have breached the Privacy or Security Rules, OCR will attempt to resolve the case by obtaining voluntary compliance, corrective action, and/or a resolution agreement from the covered entity. If OCR is not satisfied with the resolution, it may decide to impose civil money penalties (CMPs) on the covered entity.

All enforcement data is available on the HHS website

Enforcement Highlights

For information on the history of and details about each of the HIPAA Rules, please visit https://www.hhs.gov/hipaa/for-professionals/index.html and click on “Privacy,” “Security,” or “Breach Notification” in the left-hand toolbar.

Enforcement Results as of January 31, 2022

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 289,211 HIPAA complaints and has initiated over 1,106 compliance reviews. We have resolved ninety-six percent of these cases (278,146).

OCR has investigated and resolved over 29,398 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR has settled or imposed a civil money penalty in 106 cases, resulting in a total dollar amount of $131,392,632.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

In another 13,618 cases, our investigations found no violation had occurred. 

Additionally, in 50,202 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.

In the rest of our completed cases (184,928), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:

  • OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;
  • The complaint is untimely, or withdrawn by the filer; and
  • The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.

From the compliance date to the present, the compliance issues most often alleged in complaints are, compiled cumulatively, in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and 
  • Use or disclosure of more than the minimum necessary protected health information.

The most common types of covered entities that have been alleged to have committed violations are, in order of frequency:

  • General Hospitals;
  • Private Practices and Physicians;
  • Outpatient Facilities;
  • Pharmacies; and
  • Community Health Centers.

Referrals

OCR refers appropriate cases, those involving the knowing disclosure or obtaining of protected health information in violation of the Rules, to the Department of Justice (DOJ) for criminal investigation. As of the date of this summary, OCR has made 1,294 such referrals to DOJ.