The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to protect sensitive health information from being disclosed without the patients’ consent. The Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general issue penalties for HIPAA violations, and these penalties can be devastating for healthcare companies.
Penalties for HIPAA violations can range from $100 to $50,000 per violation, but they can become much bigger, especially once compounded. In 2017, Memorial Healthcare System, which operates several healthcare facilities throughout South Florida, was ordered to pay $5.5 million to settle potential HIPAA violations. This is why it’s important to take steps to ensure your business is HIPAA compliant.
In this blog post, we will discuss the different kinds of HIPAA penalties and what you need to know to avoid them.
What are the penalties under HIPAA?
Under HIPAA, covered entities — which include healthcare providers, insurers, and other organizations that handle protected health information (PHI) — must take steps to safeguard PHI.
Violations of HIPAA can result in a number of penalties, including:
- Civil monetary penalties (CMPs)
- Criminal charges
- Exclusion from Medicare and Medicaid programs
Every healthcare company needs to be aware of the potential penalties for violating HIPAA, as fines, charges, and other consequences can be costly. Here’s what you need to know about HIPAA penalties.
Civil monetary penalties
CMPs are the most common type of penalty for HIPAA violations. They can be imposed for a variety of reasons, including failure to comply with HIPAA’s rules on PHI privacy, security, and breach notification. The amount of fines will be determined according to the nature and scope of the violation and the extent of harm caused by the violation. Civil penalties may be waived by the OCR if the violation is corrected within 30 days, but this does not apply in cases where there's willful neglect.
The penalties for civil violations under HIPAA can be divided into four categories:
- No-knowledge penalty – $100–$50,000 per violation, with a maximum annual limit of $1.5 million for all violations
- Reasonable cause – $1,000–$50,000 per violation, with a maximum annual limit of $100,000 for repeat offenses
- Willful neglect but violation is corrected within the required time period – $1,000–$50,000 per violation, with a maximum annual limit of $1.5 million for all violations
- Willful neglect and violation is not corrected within the required time period – $50,000 per violation, with a maximum annual limit of $1.5 million for all violations
These violations refer to those committed by individuals with malicious intent. The penalties for criminal violations under HIPAA are much more severe, and can result in up to 10 years in prison and a fine of $250,000.
The most common criminal charge is wrongful disclosure of PHI, which is a felony. Other potential charges include obtaining PHI under false pretenses, selling or trafficking PHI for personal gain, and falsifying records to conceal a HIPAA violation.
Exclusion from Medicare and Medicaid programs
Being excluded from the Medicare and Medicaid programs can have a devastating effect on healthcare businesses, as it effectively bars them from receiving payments from these government-sponsored health insurance programs.
How your healthcare business can avoid penalties
To avoid these penalties, it is critical to take steps to ensure your business is HIPAA-compliant. This includes implementing policies and procedures to safeguard PHI, providing training to employees on HIPAA rules, and staying up to date on changes to the law. By taking these precautions, your business can avoid the costly consequences of violating HIPAA.
Talk to the experts at Online Computers to tighten the IT security measures of your healthcare business.