Legal, Financial, and Criminal Consequences for HIPAA Violations

Protecting patients’ private health information has become a major concern for most of the world. That’s because this information and data, otherwise known as “protected health information” (PHI) and “electronic protected health information” (e-PHI), has increasingly become a primary target of a variety of hackers and scammers. And while this data and information is protected by rules like the HIPAA Privacy Rule and the HIPAA Security Rule, as well as the HITECH Act and the Omnibus Rule, PHI and e-PHI data theft still occurs at frequent and alarming rates.

If your healthcare organization doesn’t take the necessary steps to protect PHI and e-PHI in EMRs and EHRs, and confidential information and/or records end up in the wrong hands, your healthcare organization or practice could be facing a long road filled with serious penalties that may include legal, financial, or criminal consequences.

Possible Penalties for HIPAA Violations

  1. Issuing voluntary compliance or technical guidance. The Department of Health and Human Services’ Office for Civil Rights (OCR) prefers to resolve HIPAA violations without punishment whenever possible. This is especially true if the violation isn’t serious, if it hasn’t persisted for long periods of time, and if there aren’t multiple areas of noncompliance.
  2. Financial penalties. Financial penalties exist as a deterrent to prevent the violation of HIPAA laws and are mostly reserved for the most serious of HIPAA violations. However, penalties for violating HIPAA laws are tiered (in four categories) based on whether the entity knew about the violation(s) and on the seriousness of the HIPAA violation(s). Each category has its own fine structure, but the OCR may waive it in certain cases. Depending on the category, financial penalties for HIPAA violations range from $100 per violation (up to $50,000) all the way up to $50,000 per violation, per year that the violation was allowed to persist (maxing out at $1.5 million per violation category, per year). Some violations’ fines may be issued based on days committed rather than years. Covered entities that commit willful violations of HIPAA will receive maximum fines.
  3. Fines by states affected. State attorneys general can also hold HIPAA-covered entities accountable for the exposure of state residents’ PHI by filing civil actions with the federal district courts. These HIPAA violation fines can be issued from $100 per violation up to a maximum level of $25,000 per violation category, per calendar year. A breach that involves multiple states, however, can result in fines from attorneys general in multiple states.
  4. Criminal penalties and charges. Alongside civil financial penalties, those who are responsible for HIPAA violations and PHI breaches may also face criminal charges. Three tiers of criminal penalties for HIPAA violations exist, ranging from one year in jail up to 10 years in jail.
  5. Individual litigation. Patients affected by PHI data breaches could suffer identity theft and the destruction of their finances and credit. Affected patients can seek litigation against the healthcare practice or organization in which the breach occurred, and if multiple patients were affected, that could result in a hefty (and expensive) legal battle.

Learn more: “What are the Penalties for HIPAA Violations” from the HIPAA Journal.

Make PHI and e-PHI Data Security a Priority

Most healthcare organizations and providers don’t intend to commit a HIPAA violation, but fines and penalties can still ensue: just look at these HIPAA violation settlement amounts from 2016 and 2017. So, as you continue to build the reputation of your healthcare organization and practice, always keep patient information security at the forefront of your mind. Always ask yourself: “Am I ensuring that my patients’ data is safe, secure, and confidential?” From there, make sure you’re following all HIPAA and HITECH rules, that you have a secure and reputable EHR/EMR in place, that your entire staff is properly trained on IT best practices, and that your IT team is constantly monitoring and updating your systems and data with the latest technology and knowledge.