Cost of a HIPAA Violation
Patients share critical health-related information with caregivers and health organizations in the belief that their data will be kept confidential. Any breach of data confidentiality can lead to critical patient information being leaked to unwanted parties and can cause people to lose trust in their health provider.
The HIPAA privacy rule was enacted in 1996 by the US Department of Health and Human Services (HHS). This federal law informs healthcare agencies of their responsibility for keeping patient data confidential and, in turn, assures patients that their information is safe.
Any breach of HIPAA regulations by healthcare organizations carries strict legal penalties and monetary consequences. HIPAA enforcement involves the following:
- Investigating any complaints related to violations
- Regularly evaluating the conduct of covered organizations and ensuring that they remain in compliance
- Providing education through outreach to promote compliance with the regulations
Organizations covered by HIPAA
You might want to check whether your organization falls under the purview of HIPAA regulations. You need to comply with the regulations if you are one of the following:
Healthcare providers: Any healthcare provider, large or small, that receives patient records and enters them electronically needs to comply with HIPAA data transmission guidelines. This includes medi-spas and other small beauty and wellness clinics that store and transmit patient data.
Insurance providers: Any insurance provider dealing with health insurance plans, including Medicare, Medicaid, Choice, Supplement and long-term health plans as well as employer-sponsored plans, must comply.
Intermediate health agencies: Any agency or organization that receives patient data for processing from other entities, for example clearinghouses, must be compliant.
Analytics firms: Analytics firms that use patient data to perform analyses that inform business decisions must follow HIPAA guidelines.
Types of HIPAA breaches
HIPAA violations can be accidental, when protected health information (PHI) is disclosed beyond the minimum necessary, or intentional, when a company or practice fails to report breaches or fails to correct them on time. How does a HIPAA breach happen?
When a patient’s health information is left unsecured, it can be accessed by anyone, and the data can be lost or stolen by hackers.
Theft of Data
Every device with PHI must always be encrypted and secured with a password to avoid loss or theft of data in case the device is stolen or lost.
Lack of Training or Awareness
An untrained workforce or a lack of awareness can lead to careless handling and transfer of data from one device or channel to another, creating security risks. This could include carelessly leaving medical notes or records on a table where anyone walking by could view or pick them up. And, as in any industry, employees are vulnerable to social engineering and phishing attempts.
Insufficient Measures to Avoid Hacks
Inadequate measures to protect data and poor log maintenance can leave the data open to hacking attacks.
Implications and Penalties for HIPAA Violations
Depending on whether you have violated the HIPAA rules intentionally or unintentionally, and on the level and extent of the breach, you can be charged under civil law, criminal law, or both. Civil law carries monetary penalties for health agencies and individuals, while criminal law can land the offender in jail.
Under civil law, a HIPAA breach is classified into four tiers, and penalties are imposed accordingly:
- Tier 1 Breach: Tier 1 breach typically deals with an unintentional breach or when the offender is unaware of the breach. In such cases, a penalty in the range of $100 to $50,000 can be imposed, depending on the extent of the breach and its impact.
- Tier 2 Breach: Also known as a second-degree breach, this occurs when the company is aware of the breach but takes no timely action to rectify the issue. Penalties range from $1,000 to $50,000.
- Tier 3 Breach: The entity neglects the rule by choice. Penalties range from $10,000 to $50,000 per violation.
- Tier 4 Breach: The company committed the violation by choice, and at present the violation cannot be corrected. The penalty for such cases is $50,000 and above, up to a maximum penalty of $1.5 million.
If an organization or individual tries to obtain patient data through unlawful means, a criminal case may take place. There are three types of criminal breaches:
- Tier 1: 1-year jail term in the case of reasonable cause or no knowledge of the violation
- Tier 2: 5-year jail term in the case of acquiring PHI under false pretenses
- Tier 3: 10 years of jail time in the case of obtaining PHI for personal gain or with malicious intent
Multiple examples of violations and corresponding penalties have been observed in the past. In February 2019, HHS fined Cottage Health $3 million; Cottage Health also runs Goleta Valley Cottage Hospital, Cottage Rehabilitation Hospital, Santa Ynez Cottage Hospital, and Santa Barbara Cottage Hospital in California. The penalty was levied for repeated exposure of unsecured electronic PHI, which impacted over 60,000 patients over a span of 2 years. In May 2019, a Tennessee diagnostic medical-imaging practice named Touchstone was ordered to pay $3 million after exposing the data of more than 300,000 patients.
How to Prevent HIPAA violations and Protect Against Penalties
Even if your company is careful and takes the necessary precautions, you may experience a cyber-attack, which can lead to data theft and result in HIPAA penalties. To prevent and hedge against cyber risks, strengthen your security with these measures:
Proper Business Agreements
Put strong business agreements in place with third-party vendors who handle patient PHI, ensuring they share liability for their parts of the transmission process and keep patient data secure. Do your due diligence in selecting vendors with a strong security track record, and review their cyber security protocols to ensure they meet your standard.
Strengthen Transmission Security
Encrypt the PHI that is shared on your network. Follow the industry best practices and latest technologies for strengthening transmission security.
Conduct a Cyber Risk Assessment
Quantify, benchmark, and mitigate the financial impact of cyber-attacks on your business. NOW Insurance offers a free cyber risk assessment to help gauge your risk and recommend solutions for improving cyber security. Once you understand your risk level, every business should implement a cyber security plan.
Get an Extra Layer of Protection with Cyber Liability Insurance
With the increasing threat of hacking and data breaches, it is imperative to have cyber security insurance. NOW Insurance offers cyber liability policies with three levels of coverage to choose from, depending on your needs. Since a cyber policy will only cover violations related to a cyber breach or cyber transmission, you will want to pair it with a solid Professional Liability policy that includes a HIPAA sub-limit. The standard NOW Insurance Professional Liability policy includes a $25K HIPAA sub-limit.
Minor negligence in handling patient data can result in hefty fines or jail time, and it can happen without your knowledge if you experience a cyber-attack. The “bare minimum” in cyber security has risen significantly over the last few years. Help your company stay ahead of risk by taking the necessary measures to protect and encrypt patient data and to mitigate cyber-attacks.
Don’t forget to take our cyber risk assessment to see where your company stands on cyber risk.