The Expensive Costs Of HIPAA Noncompliance & How To Avoid Them

Uploaded on 2023-10-16 in FREE TO VIEW, BUSINESS-Services-Health & Welfare

promotion

Companies operating in the U.S. healthcare sector need to comply with HIPAA guidelines to protect the privacy of patient data. Failure to maintain compliance with HIPAA regulations can result in expensive financial penalties and even more extensive and long-term damage to an organization’s reputation. Noncompliance can also result in data breaches that expose sensitive patient data.

Organizations must implement safeguards designed to keep sensitive protected health information (PHI) and electronic protected health information (ePHI) secure. Patient data stored and processed digitally is considered ePHI while traditional paper records are categorized as PHI. The majority of violations we will look at concern ePHI and vulnerabilities in the IT environments and systems used to process it. For clarity, we will use the term PHI exclusively throughout this post. 

What Factors Determine the Penalties for HIPAA Violations?

The penalties for HIPAA violations are determined by taking multiple factors into account including:

  • The specific nature and severity of the violation;
  • The amount of harm caused and the number of individuals impacted by the violation;
  • If the violators knew that HIPAA rules were being violated;
  • If corrective actions have been taken to address the violation;
  • If HIPAA rules were violated with malicious intent or for personal gain;
  • If there were violations of HIPAA’s criminal provisions.

Who Determines and Enforces HIPAA Fines and Penalties?

Penalties for HIPAA violations can be determined by employers, federal regulators,  professional boards, and the Department of Justice (DOJ). Employers can take action against employees who cause violations. Federal regulators and professional boards address complaints regarding HIPAA violations. In cases of criminal liability, the DOJ also gets involved in determining the appropriate penalty.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency responsible for investigating HIPAA violations and assessing penalties. The OCR can enforce HIPAA rules in multiple ways.

  • The OCR investigates complaints filed with it regarding HIPAA violations.
  • The OCR may conduct compliance reviews to ascertain whether covered entities or business associates have violated HIPAA regulations. Reviews and audits are almost always carried out in the wake of a data breach involving HIPAA-regulated data.
  • The OCR provides education to promote HIPAA compliance.

If the OCR determines that a violation has occurred, they try to resolve the issue with the offending covered entity in one of the following ways.

  • The first choice is to obtain voluntary compliance from the covered entity that makes the necessary changes to address the violation.
  • The OCR can prescribe specific corrective actions that the covered entity must take to comply. 
  • A resolution agreement can be proposed that may include a fine and must be accepted by the violating covered entity.

Covered entities that do not accept the above conditions are subject to civil, and in some cases, criminal penalties.  

What are the Different Tiers of HIPAA Violation Penalties?

HIPAA violations can result in civil or criminal penalties based on the severity of the infraction. Civil penalties are levied according to the following tiered structure.

  • Tier 1 violations are for covered entities that were unaware of the HIPAA violations.  Fines range from $100 to $50,000 per violation.
  • Tier 2 violations are for instances where the covered entity knew or should have known about the violation. Fines range from $1,000 to $50,000 for each violation.
  • Tier 3 is for willful neglect of HIPAA rules, with violations corrected within 30 days of discovery. Fines are between $20,000 and $50,000 per violation, with a maximum of $250,000 annually.
  • Tier 4 is for instances of willful neglect of HIPAA rules with no effort to correct the issue within 30 days. Fines are $50,000 per violation with a maximum of $1.5 million per year.

Criminal penalties are appropriate when individuals or organizations disclose PHI without authorization. The minimum criminal fine for individuals is $50,000 with a maximum of $250,000. There are penalty tiers for jail time based on the type of violation.

  • Criminal violation due to negligence can result in a prison term of one year.
  • Obtaining PHI under false pretenses has a maximum penalty of five years in prison.
  • Disclosing PHI for personal gain or malicious intent can land the violator in prison for ten years.
  • Aggravated identity theft carries a mandatory two-year jail term.

What are the Most Common HIPAA Violations?

Failure to comply with any of the physical, technical, or administrative safeguards defined in the HIPAA Security Rule is considered a violation. While there are many ways an organization can violate HIPAA guidelines, some violations are more common than others. The most common HIPAA violations include:

  • Unauthorized viewing of PHI;
  • Lack of a viable risk management program;
  • Not performing risk analysis for the complete organization;
  • Improper disposal of PHI;
  • Inadequate access controls regarding PHI resources;
  • Not using encryption to protect PHI on mobile devices;
  • Failure to issue a breach notification within 60 days.

Physical security requirements to maintain HIPAA compliance

To maintain compliance with HIPAA regulations, organizations must develop both cybersecurity and physical security solutions. All locations used to store PHI, and devices/systems containing PHI, must be secured using managed security systems.

Access control systems:   Access control systems must be installed to prevent unauthorized persons entering locations/systems used to store PHI. Personalized credentials must be issued to all individuals authorized to access and handle PHI, with security teams able to assess, review and revoke such credentials in response to suspicious actions or behaviors.

Video security systems:   While a business surveillance system is an integral part of any physical security system, cameras must be implemented in line with HIPAA guidelines. Surveillance footage must be encrypted to prevent hackers from accessing private data, while access to video surveillance software must be secured using advanced password protections.

Recent Examples of HIPAA Fines and Their Remedies

Let’s look at some recent examples of fines for HIPAA violations and the remedies the offending covered entity or business associate could have taken to avoid them. These fines were imposed by the OCR to address previous violations. 

Banner Health:   The OCR imposed a fine of $1.25 million for violations that led to hackers gaining unauthorized access to the PHI of over 2.8 million customers. The specific violations included:

  • Not conducting a risk analysis;
  • Not monitoring and reviewing IT system activity;
  • Insufficient procedures to verify an individual’s identity;
  • Failing to protect PHI transmitted over a network.

The fine could have been avoided by following HIPAA guidelines for risk analysis and system monitoring. Encryption should have been implemented for transmitted PHI along with more stringent user authorization procedures.

iHealth Solutions:   iHealth Solutions is a business associate that performs coding, billing, and IT services to healthcare providers. They were found to be storing PHI on an unsecured server, exposing the health information of 267 patients. The company agreed to pay a $75,000 fine and implement the necessary procedures to avoid repeat violations. 

Huntington Hospital:   This is a case of potential criminal penalties being imposed on an individual for illegally accessing patients’ PHI. An employee has been charged with accessing the personal information of over 13,000 patients. The employee was terminated and faces up to a ten-year prison term if convicted of the offense. The hospital implemented additional security procedures to minimize the risk of similar violations.

Avoiding HIPAA Violations with a Trusted Hosting Solution

One of the primary measures a company must take to handle HIPAA-regulated data effectively is to process it in a compliant IT infrastructure. An organization’s IT environment has to be capable of implementing the necessary safeguards to comply with HIPAA. Its personnel must also be trained to handle HIPAA data securely. 

Organizations have two basic options when deciding on the proper IT environment to address HIPAA requirements and securely process PHI.

One choice is to construct and manage the environment themselves using on-premises resources. The alternative is to engage a third party to provide the necessary infrastructure to protect a company’s PHI resources.

In the case of small and medium-sized companies, outsourcing to a third party is often the most effective and efficient solution.

Image: Ridofranz

You Might Also Read: 

Responding To An Unintentional HIPAA Violation:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Understanding The Threat Of QR Codes & Quishing
Electric Vehicles: The Hacking Risks  »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Maureen Data Systems (MDS)

Maureen Data Systems (MDS)

Our mission at Maureen Data Systems is to digitally transform business environments with the use of cloud infrastructure, security and privacy controls, data analytics, and managed services.

Gigamon

Gigamon

Gigamon provides intelligent Traffic Visability solutions that provide unmatched visbility into physical & birtual networks without affecting the performance or stability of production environments.

CLUSIL

CLUSIL

CLUSIL is an association for the information security industry in Luxembourg.

BCS Financial

BCS Financial

BCS Financial delivers financial and insurance solutions. Specialty risk products include Cyber and Privacy Liability insurance.

StormWall

StormWall

StormWall is an Anti-DDoS protection service for websites and networks. We offer 100% protection from all types of DDoS attacks and 24/7 technical support.

Findings

Findings

Findings (formerly IDRRA) is a scalable AI powered assessment platform that streamlines security compliance across sectors, jurisdictions and regulatory frameworks.

Exponential-e

Exponential-e

Exponential-e provide Cloud and Unified Communications services and world-class Managed IT Services including Cybersecurity.

Slice

Slice

Slice offer subscription based Cyber Insurance for small businesses.

Redwall Technologies

Redwall Technologies

Redwall provides cybersecurity expertise and technology to prevent and respond to emerging threats against mobile applications and connected infrastructures.

Sertainty

Sertainty

Sertainty enables developers to mix intelligence into data files for active risk mitigation and data control. Discover the impact of Data: Empowered.

Institute for Security and Technology (IST)

Institute for Security and Technology (IST)

The Institute for Security and Technology's goal is to provide the tools and insights needed for companies and governments to outpace emerging global security threats.

Arcturus Security

Arcturus Security

Arcturus is a CREST-approved cyber security consultancy created by experts in the field.

V3 Cybersecurity

V3 Cybersecurity

V3 Cybersecurity is a unique company focused on contextualization of security programs from a business perspective. Our mission is to provide enterprise IT Risk Management capabilities.

ANSSI Burkina Faso

ANSSI Burkina Faso

ANSSI is responsible for managing the security of information systems and cyberspace in Burkina Faso.

AC3

AC3

AC3 is a leading secure cloud services provider, focused on turning your technology challenges into real results.

KIT365

KIT365

KIT365 aim to protect organisations against cyber security attacks, by mitigating the risk to their systems and information, and protecting their data and reputation.