An increasing number of health care organizations are being hit with fines from the U.S. Department of Health and Human Services (HHS) for not complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA covers a series of rules and regulations, including the Privacy Rule, the Security Rule, the Enforcement Rule, the Omnibus Rule and the Breach Notification Rule.
Due to the recent and sudden rise in HIPAA audits, the HHS has decided to establish strict audit protocols, requiring health care organizations to be cautious and attentive to prevent HIPAA violations.
To learn more, check out the infographic below created by University of Cincinnati’s Online Master of Health Administration program.
The Most Common HIPAA Violations
According to the Advance Healthcare Network, several HIPAA violations are common among health organizations, such as failing to store private health care information properly, failing to obtain written consent from patients and sharing photos of patients on social media.
In 2016, the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) received a $650,000 fine for a data breach affecting 412 individuals.
In fiscal year 2017, more funding was made available to the Office for Civil Rights (OCR) by the Obama administration, giving the OCR greater means to audit business associates (BAs) and covered entities (CEs) throughout the health care industry. Before May 2017, the OCR closed 98 percent of privacy cases due to complaints.
The Cost of a HIPAA Violation
Requirements for privacy rules, security rules and breach notification rules are covered by a HIPAA audit as determined by the updated audit protocol from April 2016. Penalties can be severe for any HIPAA-covered entity or business associate that fails to comply with HIPAA rules.
What a HIPAA Audit Conducted by the OCR Will Cover
Security Rule requirements cover over a dozen policies and procedures, including audit controls, information system activity review, risk management, security incident procedures and workforce security.
Privacy Rule requirements are also extensive. Authorizations, confidential communication requirements, minimum necessary uses of protected health information (PHI), personnel designations and safeguards are all covered under the HIPAA Privacy Rule, as well as many other requirements.
In the event of a breach, the affected individuals, the HHS Secretary, business associates and the media must be notified. Training employees, putting policies and procedures in place and refraining from retaliatory acts are several other measures that should be taken to ensure HIPAA compliance.
The Four Categories of HIPAA Violations and Penalties
Category 1 covers a violation where a covered entity had attempted to follow HIPAA rules but could not have realistically avoided the violation. The penalty for a Category 1 HIPAA violation includes a fine of up to $50,000, with a minimum fine of $100 for each violation.
Category 2 covers a violation that a covered entity could not have realistically avoided but should have noticed. The penalty for a Category 2 HIPAA violation includes a fine of up to $50,000, with a minimum fine of $1,000 for each violation.
Category 3 covers a violation that a covered entity attempted to correct but still resulted from “willful neglect.” The penalty for a Category 3 HIPAA violation includes a fine of up to $50,000, with a minimum fine of $10,000 for each violation.
Category 4 covers a violation that a covered entity made no attempt to correct despite resulting from “willful neglect.” The penalty for a Category 4 HIPAA violation includes a fine of up to $1,500,000, with a minimum fine of $50,000 for each violation.
Criminal Penalties for HIPAA Violations
The OCR can issue fines to CEs or BAs for failing to comply with HIPAA rules. Jail time may also be imposed, depending on the severity of the violation.
Tier 1 violations can result in up to one year of jail time, Tier 2 violations can result in up to five years of jail time and Tier 3 violations can result in up to ten years of jail time.
How to Ensure HIPAA Compliance
Health care organizations can access several online resources, including the HIPAA Security Checklist. These resources help health organizations ensure they are compliant with HIPAA regulations and prepare for an audit.
The Guide to Privacy and Security of Electronic Health Information, issued by the Office of the National Coordinator for Health Information Technology, provides a list of steps that health care organizations can take to establish a HIPAA-compliant security management process, including:
1. Selecting a qualified team to learn HIPAA rules and requirements.
2. Documenting the security process as well as any actions or findings.
3. Reviewing the existing security of electronic protected health information (ePHI) and performing a security risk analysis.
According to the IHS HIPAA Security Checklist, there are three categories of safeguards for health care organizations to follow.
Administrative safeguards include designating one or more security officers, implementing employee training and completing security risk analysis at regular intervals.
Physical safeguards include locking offices, covering screens and installing alarms.
Technical safeguards include encrypting data, planning routine audits and developing contingency plans.
Technology is continuing to automate processes throughout the health care industry, making patient health records an integral part of discussions concerning privacy and security. In order to avoid hefty fines for HIPAA violations and keep the trust of their patients, health care organizations must make data security a high priority.