HIPAA has been the law of the land since 1996, but HIPAA infractions are still reported and prosecuted all the time—two reported infractions every day, in fact. You’d think we would have learned the rules by now!
This is especially true considering the penalties associated with a data breach. Here are some facts about what happens when an individual or a covered entity ignores regulations or willfully breaks HIPAA laws. (This article focuses on electronic breaches, but throwing away the wrong information could be a breach as well. Also note that some telehealth platforms are not HIPAA compliant. Doxy.me always is because we don’t store patient data.)
Are you a covered entity?
HIPAA infractions can’t happen to just anyone—if a provider tells a neighbor about her bunions, it’s not a violation. However, if a provider emails a neighbor about a patient’s bunions, it might be a violation. Remember, HIPAA regulations apply to “covered entities,” a category that includes any provider who transmits information about a healthcare relationship in electronic form. It also includes insurance companies and the companies that manage their data.
So let’s say you woke up this morning and decided to ignore HIPAA regulations, and you got caught. Several things can now happen:
- Your workplace does its own investigation and makes internal decisions about how to proceed
- After an investigation, you get fired from your clinic job
- Professional governing bodies discipline you and you lose your license(s)
- You receive fines commensurate with your civil infractions
- Actual criminal charges are filed, and then it’s fines and jail time
How much do HIPAA violations cost?
Penalties for HIPAA infractions depend on the level of negligence. According to this article, “…they can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.”
The lowest fines apply to a data breach you didn’t know about because you didn’t know you were vulnerable. From there, the penalty rises with the level of neglect and the size of the breach. Negligence in this context means you knew, or should have known, that you were vulnerable.
Maybe you knew that a specific employee was inappropriately interested in the medical records of strangers and you did nothing to mitigate the problem. Maybe you knew that your IT partners were not patching their computers, creating a security risk. The more you knew, or in other words the more negligent your behavior, the steeper the fine.
Doing hard time
It’s important here to note we have been talking about civil penalties: negligence and mistakes in the course of daily work that don’t involve actual bad actors. Things get worse when sketchy people with bad intentions get involved.
- Individuals who knowingly release private patient data can face up to $50,000 in fines and a year in prison.
- If the criminals lie to people to get the information, in other words if they use social engineering or other deceit to obtain it, penalties can increase to a $100,000 fine and up to five years in prison.
- If the breach occurs because the criminals want to sell identifiable health information for malice or personal advantage, fines can increase to $250,000 and ten years in prison.
Losing patient trust
This is all scary stuff, and it can happen through simple carelessness, so it should be on our minds. However, setting fines and prison aside, we should talk about the immediate impact of breaching patient confidence.
The old saying goes that a reputation takes a lifetime to create and “one bad day to destroy.” You have built your practice on the trust of your patients and the knowledge that they can rely on your expertise and good judgment. Even small violations of patient trust might destroy the relationship you have built with your patients. Worse, because of Freedom of Information Act provisions, instances of HIPAA violations are publicly accessible. Your data breach is available for everyone to review, including potential patients.
What can you do?
This discussion about HIPAA violations should reinforce the importance of vigilance regarding our patients’ private information. Simple awareness of the potential for harm is only the baseline for success. Designating a Privacy Officer who oversees HIPAA compliance is a good place to start even for many small organizations. Procedures and double checking go a long way towards protection. Here are some more suggestions for increasing your vigilance and protecting your patients.