HIPAA violations can be very expensive. A violation can cost an organization up to $50,000, and the amount depends on how negligent you were. A violation can be as small as losing or compromising a single healthcare record; multiply that by a few thousand records or more and it becomes a major hit to your bottom line.
There is a sliding scale of penalties based on the level of negligence with a maximum penalty of $1.5 million per year for violation of an identical provision. And to add insult to injury, you could face criminal charges and jail time.
Fines and charges are divided into two major categories. Reasonable Cause ranges from $100 to $50,000 per incident and does not carry a criminal component. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in time behind bars.
The table below shows the HIPAA categories of violations and their respective penalties per violation (the annual maximum for violations of an identical provision is $1.5 million in every category).

| Violation Category | Amount per Violation |
|---|---|
| Did Not Know | $100 – $50,000 |
| Reasonable Cause | $1,000 – $50,000 |
| Willful Neglect – Corrected | $10,000 – $50,000 |
| Willful Neglect – Not Corrected | $50,000 |

Source: HHS, FederalRegister.gov
According to the HIPAA Security Rule, Covered Entities and their Business Associates must protect the privacy and security of protected health information (PHI). This requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and availability of PHI. Since the vast majority of data breaches involve data that was stolen or lost while unencrypted, you should encrypt your data and enforce persistent security policies so that you meet the security standards.
Almost two-thirds of data breaches involved a business associate. The HIPAA rules extend to business associates which can mean you are responsible if an insurance company, payer provider, lab or other partner compromises PHI that originates in your organization. If you encrypt your data and control its access, this reduces the risk of violating this provision.
Breaches can occur when employees or third parties lose laptops, tablets, smartphones or other portable devices, or mistakenly send PHI to the wrong person. Someone may inadvertently post that information online or disclose it on social networks. Encrypting the data and adhering to security policies are important to prevent this.
Here are a few examples of how costly it can be when a Covered Entity violates HIPAA rules:
New York Presbyterian Hospital and Columbia University were fined $4.8 million for allowing unencrypted PHI to be easily accessible on the Internet because of lack of technical safeguards.
The Alaska Department of Health and Human Services was fined $1.7 million because an unencrypted USB hard drive containing patient information was stolen from an employee’s car.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates were fined $1.5 million for losing an unencrypted laptop, not doing a proper risk analysis, and failing to implement security policies.
In all these cases and many others, data encryption would have prevented the violations and saved each organization a lot of money, time and aggravation. The US Department of Health and Human Services (HHS) is getting stricter about enforcement and is levying fines on organizations that violate HIPAA rules.
For recent incidents, like those at Anthem and Premera Blue Cross, the fallout is only beginning. With millions of customers affected, you can be sure that HHS and law enforcement will look closely at everything that occurred and how to prevent these breaches in the future. Violations will be costly.
Review your adherence to HIPAA rules and see if you comply. If you encrypt PHI, you have met one of the most important safeguards that shows you are making a reasonable effort to comply. It’s the best way to make sure you keep your cash, customers and reputation.