HIPAA violations are a major concern in today’s ever-evolving healthcare industry, and compliance is one of the most important factors to a health organization’s success.
The HIPAA Privacy and HIPAA Security Rules were created to ensure that patients’ personal health information would be kept private and secure while establishing safeguards for protecting personal data over electronic storage and exchanges. Ongoing efforts help to maintain the integrity of these laws as well as the intent of the healthcare professionals the Rules apply to, but to ensure that patients get the security they deserve, steps have been put in place to address concerns and help eliminate violations.
Investigation Stages of HIPAA Violations and Compliance
Enforcement of the Privacy and Security rules is a serious process, and the Office of Civil Rights (OCR) uses three different methods to ensure that healthcare professionals are compliant.
First, it will thoroughly assess all complaints filed through a rigorous investigation process. Once a compliant has been accepted for investigation, both the submitting party and the healthcare provider will be contacted, where further details will be collected and assessed. By law, any healthcare professional involved in a violations claim is required to cooperate with the investigations.
Most complaints for HIPAA violations are closed and resolved after finding evidence that the “covered entity” was indeed operating in compliance of the Rules. However, if noncompliance is detected, resolution can be made through voluntary compliance, immediate corrective action, or an agreement upon a resolution. In some cases the OCR will partner with the Department of Justice to work together on establishing possible criminal charges. If, after a resolution method has been established, the health care professional does not meet its requirements and comply, a steep fine can be issued.
The OCR also moderates compliance with complete reviews of covered entities to ensure that they are operating in compliance with the law.
A third method used to ensure compliance is to reach out to the covered entities and offer education and training to help foster full understanding and compliance within the requirements of the Rules.
Possible Charges and Penalties for HIPAA Violations
As described briefly above, there are several resolution methods and outcomes that can come of an investigation. For those that have been found to be true violations, the civil and criminal charges imposed cover a wide range of penalties.
True HIPAA violations can come in many forms, and the OCR and Department of Justice investigates to determine if a violation occurred when an individual did not know they were violating the Rule(s), if violation occurred due to reasonable cause, or if it was due to willful neglect in practice. Of these different combinations, the severity of the penalties can range from a fine of $100 per violation to $50,000 per violation.
For more severe HIPAA violations and extensive investigations, criminal charges can be administered with penalties ranging from a $50,000 fine and one year in prison to up to $250,000 and up to ten years in prison.
Results of HIPAA Violations and Investigations
Since the official compliance enforcement date in April 2003, there have been over 65,000 HIPAA Privacy complaints. Despite this high number, about 90% of the complaints and issues have been resolved by the HHS, with over half of those complaints deemed ineligible for enforcement because no violation occurred.
According to the HHS, the majority of the investigations into HIPAA violations have been conducted for private practices, general hospitals, and outpatient facilities, respectively. Most complaints in these practices have been filed for the following reasons:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
With steep penalties in place for noncompliance, it is vital for all organizations covered under the HIPAA Privacy and Security Rules to know the guidelines and procedures while continually striving to protect patients’ individual health information.