Hushmail Blog

What are the consequences of violating HIPAA?

Written by Hushmail | Feb 27, 2025 7:23:12 PM

Estimated reading time: 6 minutes

Picture this: you receive a notification from the Office of Civil Rights (OCR) saying a HIPAA complaint has been filed against you. Your heart starts to pound as you wonder if you broke a rule along the way.

What will happen next? Could you be fined? Sent to jail?

Although these are potential outcomes, there are other possibilities.

In this article, we’ll look in-depth at what a HIPAA violation is, how the OCR becomes aware of one, and what could happen if it turns out you have broken the rules. By the time you’re finished reading, you’ll understand how the system works and the range of consequences for violating HIPAA.

Table of Contents

  1. What is a HIPAA violation?
    1. What are the most frequent HIPAA violations?
  2. How does the OCR discover HIPAA violations?
  3. What to do if a complaint has been filed against your practice
  4. Consequence #1: Technical assistance
  5. Consequence #2: Investigations or compliance reviews
  6. Consequence #3: Corrective action plans
  7. Consequence #4: HIPAA Wall of Shame and negative media exposure
  8. Consequence #5: Fines
  9. Consequence #6: Criminal investigations
  10. Avoid the consequences by staying HIPAA-compliant

What is a HIPAA violation?

A HIPAA violation means that either a covered entity or a business associate has failed to follow one or more HIPAA Rules.

Covered Entity (CE)
  A healthcare provider, healthcare clearinghouse, or a health plan that…
    • Takes insurance
    • Or sends PHI electronically
  E.g., physician, therapist, optometrist, dentist, chiropractor, physical therapist

Business Associate (BA)
  A business that…
    • Provides services to a covered entity
    • Handles PHI while providing the service(s)
  E.g., encrypted email provider, accountant, billing service, attorney, telehealth service

HIPAA Rules include the HIPAA Privacy, Security, and Breach Notification rules. They define how covered entities and business associates must protect PHI and ensure clients can access their health records.

Examples of violations of the HIPAA Rules include mishandling protected health information (PHI) or failing to give clients their records within 30 days of a request.

Consequences for violating HIPAA are described in the regulations on compliance and investigations, and in those on security breaches.

What are the most frequent HIPAA violations?

According to the U.S. Department of Health and Human Services (HHS), the most frequent violations are:

“Impermissible uses and disclosures of protected health information”

That is, using or sharing PHI in a way the HIPAA Privacy Rule doesn’t permit.

For example, when a radiology practice submitted a worker’s compensation claim to a patient’s employer without authorization, it violated HIPAA.

“Lack of safeguards of protected health information”

That is, failing to keep PHI safe from people not authorized to see it (as outlined in the Privacy Rule).

One pharmacy chain, for example, was sanctioned because it stored PHI in a publicly accessible logbook.

“Lack of patient access to their protected health information”

That is, failing to provide clients with their records (as the Privacy Rule requires).

In one case, a complaint was made against a mental health center because it improperly withheld treatment records from a client.

“Lack of administrative safeguards of electronic protected health information”

That is, failing to protect electronic protected health information or e-PHI (as outlined in the HIPAA Security Rule).

In one example, a Medicaid plan broke the rules when it shared e-PHI with a service provider without putting a Business Associate Agreement (BAA) in place.

“Use or disclosure of more than the minimum necessary protected health information”

That is, sharing more information than is strictly necessary (according to the Privacy Rule).

A hospital employee broke this rule when she left a phone message with a patient’s daughter that included the patient’s medical condition and treatment plan.

How does the OCR discover HIPAA violations?

The Office for Civil Rights (OCR), a division of the HHS, is responsible for enforcing the HIPAA Rules.

There are three main ways the OCR could discover a HIPAA violation:

  1. Someone files a complaint against you or your practice.
  2. You have a security breach (all breaches of PHI must be reported to the HHS).
  3. The OCR audits your office as part of its Audit Program, which assesses HIPAA compliance.

Now that you understand what HIPAA violations are and how they may be investigated, let’s look at the steps to take if you experience a complaint.

What to do if a complaint has been filed against your practice

If someone files a HIPAA complaint against you, it’s important to proceed carefully. HIPAA complaints are serious and can significantly impact your practice.

Take time to consider how you will respond. You may want to consult a healthcare compliance or HIPAA violation lawyer to guide you through the process.

"In the event of a complaint, healthcare practices should be very careful and factual in submitting a response; they don't want to mislead the OCR and make things worse. The response should only deal with the specific matter — don't make comments that are not directly relevant. And consider having the proposed response vetted by an attorney."

Steve Youngman
VP Finance and Legal, Hushmail

And try not to panic. Not all complaints lead to sanctions. If the OCR finds you haven’t broken any rules, the case will be closed.

If you have knowingly or unknowingly broken a HIPAA rule, you may face a range of consequences, depending on the situation.

Consequence #1: Technical assistance

Part of the OCR’s job is outreach and education. In some cases, when rules are broken, the OCR may simply provide technical assistance.

This is not the same as technical support. It means the OCR educates a covered entity or business associate so that they understand and apply the rules.

For example, in one case (Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance), a medical clinic failed to provide records to a patient with an overdue balance. The OCR advised the clinic that they were required to give patients their records within 30 days of a request (whether or not money is owed), and the clinic complied.

The OCR may provide technical assistance without any investigation or after one.

Consequence #2: Investigations or compliance reviews

The OCR may launch an investigation into a complaint or conduct a compliance review. These can be nerve-wracking and take valuable time away from other aspects of your practice.

What’s the difference between an investigation and a compliance review?

Investigations are launched in response to a complaint. According to the HHS, compliance reviews are triggered by: “media reports, referrals from other state and federal agencies, trends in complaints and/or breach reports received, or other ongoing indications of noncompliance identified by Headquarters or Regional staff.”

Investigations and compliance reviews lead to close scrutiny of a practice or business and can have unintended consequences.

Take this case in which the OCR received a complaint that a law firm (working with a pharmacy chain) had shared PHI incorrectly. The OCR investigated and found the law firm had done nothing wrong. However, during the investigation, the OCR noticed there wasn’t a BAA in place between the pharmacy chain and the law firm. The organizations were ordered to correct this oversight.

If the OCR conducts an investigation or compliance review of your practice, you may be required to provide the OCR with additional information, including:

  • Policies and procedures
  • Records of compliance with those policies and procedures
  • Other records

If no HIPAA violation is found, the results will be sent in writing to you and any complainant, then the file will be closed. However, if a violation is found during an investigation or compliance review, the OCR may require your practice to follow a corrective action plan.

Consequence #3: Corrective action plans

The OCR may also require your practice to follow a Corrective Action Plan (CAP).

Some examples of corrective action are providing patients with their records, revising policies and procedures, and training or retraining staff.

In one case, Private Practice Implements Safeguards for Waiting Rooms, a patient’s HIV status was disclosed in the waiting room of a clinic. The OCR recommended several corrective actions, such as implementing policies and procedures to better protect PHI, training staff, repositioning computer monitors, and installing privacy screens.

Once a CAP is in place, the OCR stays involved. “The agreement may be for a period of one to three years, during which period the practice is required to submit regular reports to the OCR as to their compliance and to generally be subject to their oversight,” said Youngman.

This extended monitoring can strain a healthcare practice’s resources.

"The corrective action plan is going to be very time-consuming and therefore costly to the practice. It is much better to take the steps to be HIPAA compliant in the first place."

Steve Youngman
VP Finance and Legal, Hushmail

Consequence #4: HIPAA Wall of Shame and negative media exposure

If your failure to follow a HIPAA rule leads to a significant security breach, your practice could be listed on the HIPAA Wall of Shame and face negative attention in the media.

According to the Breach Notification Rule, if you have a HIPAA breach that affects 500 people or more, you must report it to the HHS and notify prominent media outlets in your area (without unreasonable delay and no later than 60 days).

If fewer than 500 people are affected, you must report the incident to the HHS annually but no later than 60 days from the end of the year. In this case, no media announcements are necessary.

Large breaches don’t only happen to bigger organizations — they can affect small practices and even individuals. For example, when Dr. Han V. Duong’s laptop was stolen, 1,571 people were impacted. This type of breach could happen to anyone.

Once an investigation into a large breach is opened, the organization involved is listed on the HIPAA Wall of Shame. This is a public website maintained by the OCR. Its formal name is the HHS Office for Civil Rights Breach Portal. It lists all breaches reported in the last 24 months that are under investigation.

No healthcare practice wants to cause harm to so many people. Having the error publicized either on the HIPAA Wall of Shame or in the media only makes things worse and could lead to a loss of reputation, client trust, and income.

To avoid this, make sure you follow all of the HIPAA rules and do a risk assessment at least once per year. Prepare for data leaks by putting breach notification policies in place. If you have staff, be sure they are trained in HIPAA and the procedures you use to protect client data.

Consequence #5: Fines

In some cases, when a HIPAA violation occurs, the OCR may order a practice to pay a fine, also known as a civil money penalty (CMP).

One example involved the Rio Hondo Community Mental Health Center in California, which is operated by the County of Los Angeles. The OCR fined the County, as operator of Rio Hondo, $100,000 after discovering the center took almost seven months to provide a client’s mental health records despite repeated requests.

The rules on CMPs state the OCR must take a few factors into account when deciding whether to fine an organization:

  • The number of people affected
  • The time period involved
  • The amount of harm caused
  • The organization’s history of compliance
  • The organization’s size and financial status

When determining the CMP amount, the OCR considers whether an organization willfully neglected the rules and how quickly it attempted to solve the problem.

Penalty tiers (minimum and maximum fine per violation):

  1. Unknowing. You weren’t aware of the rule and couldn’t have realistically avoided the violation.
     Minimum fine per violation: $141. Maximum fine per violation: $71,162.
  2. Reasonable cause but not willful neglect. You should have been aware of the rule and able to avoid committing the violation, but committed it due to reasonable cause rather than “willful neglect”.
     Minimum fine per violation: $1,424. Maximum fine per violation: $71,162.
  3. Willful neglect. You ignored your responsibilities (“willful neglect”) but attempted to correct the violation within 30 days.
     Minimum fine per violation: $14,232. Maximum fine per violation: $71,162.
  4. Willful neglect and not timely corrected. You ignored your responsibilities and didn’t attempt to correct the violation within 30 days.
     Minimum fine per violation: $71,162. Maximum fine per violation: $2,134,831.

The HHS updated these figures to adjust for inflation on August 8, 2024. These new figures are effective for assessments by the OCR on or after August 8, 2024, and apply for violations that occurred on or after November 2, 2015.

In some cases, the OCR may agree to collect a percentage of the CMP if an organization agrees to put the rest of the CMP towards boosting HIPAA compliance. For example, the OCR might accept 50% of a CMP if the practice agrees to reinvest the other 50% in secure computer software and staff training as part of a corrective action plan.

Fines are relatively rare. According to the HHS, as of October 2024, the OCR had resolved 31,191 cases by providing technical assistance and requiring corrective actions. Only 152 cases resulted in fines. However, the fines were significant, totaling $144,878,972.

Consequence #6: Criminal investigations

The OCR may also refer a case to the Department of Justice (DOJ) if the violation is criminal, according to the rule on wrongful disclosure of individually identifiable health information (42 U.S. Code § 1320d–6).

According to this law, people who knowingly obtain and/or disclose someone else’s health information without authorization may face fines or imprisonment.

For example, Roderick Harvey and five former employees of Methodist Hospital in Memphis, Tennessee, were charged and pleaded guilty to unlawfully disclosing patient information. Harvey paid the former employees to give him the personal information of patients injured in motor vehicle accidents. Harvey then sold the information to personal injury attorneys and chiropractors.

Harvey was sentenced to five years of probation (one of them served in home detention) and was fined $50,000. The former employees faced various consequences, including one to two years of probation and fines of $1,000 to $3,000.

Referrals to the DOJ are more common than fines. As of October 2024, 2,419 cases had been referred to the DOJ.

Not all of these cases are prosecuted. The DOJ may hand a case back to the OCR if it doesn’t find sufficient evidence of criminal intent.

Fortunately, most of these consequences can be avoided with the right preventive measures. Let’s explore how you can stay HIPAA compliant.

Avoid the consequences by staying HIPAA compliant

Running a HIPAA-compliant practice should help ensure you never receive a message from the OCR that spikes your heart rate, and never face any of the other consequences covered in this article.

Ensure you keep your HIPAA knowledge current by completing HHS training and signing up for the HHS listserv.

Put policies and procedures in place that describe how you follow the rules and train any staff you may have on them. And remember to conduct a risk assessment at least once a year!

Having the right tools is another important aspect of running a HIPAA-compliant practice. Using a secure email provider that offers a BAA, like Hushmail, is a great place to start.

Interested in HIPAA-compliant email?