
The High Cost of HIPAA Breaches

The Health Insurance Portability and Accountability Act (HIPAA) is a framework to aid in the protection of our most sensitive information. It provides guidance for you as a healthcare professional who is responsible for protecting this information.

Failing to comply with HIPAA, even if it’s not your fault, results in audits, significant fines, potential legal action from your patients, damage to your reputation, and the possible loss of your business.


WHAT HAPPENS IF YOU EXPERIENCE A BREACH?

Being randomly selected is one way you can find yourself called for a HIPAA audit, but you also could fall victim to the growing threat of a malicious cyber attack. Although doing everything possible to prevent an attack may not stop one from happening, being prepared if one does happen is critical to survival. If you did get breached, and you did everything reasonably possible to prevent it, here’s what you are facing.

In general, fines are broken down into four categories, and each has an annual cap of $1,500,000. It is important to point out this is per violation. We have seen several fines exceeding the annual per violation cap of $1,500,000. And we will probably see more.

Category 1

While “I didn’t know” is not an excuse to avoid following HIPAA laws, there is a category for this in the penalty phase of an audit. If a breach occurred and you didn’t know it – and you reasonably may not have known of the violation – then you could fall into this category. You still need to demonstrate that you met all of the HIPAA requirements (such as a regular HIPAA risk assessment) and were otherwise in compliance. The per-record penalty can range from $100 to $50,000, assessed solely at the discretion of the U.S. Office for Civil Rights (OCR).

Category 2

This category addresses reasonable cause, where you knew, or would have known by exercising reasonable diligence, that the act or omission was a violation. In this case, you did not display “willful neglect” and otherwise conducted the necessary steps to remediate the breach. Fines in this category are from $1,000 to $50,000 per record or violation.

Category 3

This category introduces the act of “willful neglect” – and the potential for jail time. In this case, the violation was the result of conscious, intentional failure or reckless indifference to meeting the obligations of HIPAA compliance, but the violation was remedied within 30 days of discovery. An example would be sharing PHI over unsecured email with patients as a common practice. Once identified as being in violation, the practice was stopped and a secure, encrypted process was implemented. Penalties in this category range from $10,000 to $50,000 and possible imprisonment.

Category 4

Landing in this category has proven to be exceedingly costly. Prison sentences and fines in the millions of dollars have been levied on individuals and organizations for displaying willful neglect and failing to correct the issue. This category includes fines of at least $50,000 and prison time of up to 10 years.

HOW HIPAA PROTECTS YOUR PATIENTS

For your patient, a breach is not only the exposure of their most sensitive information, but also the loss of their identity, a process that can take years to remedy.

HIPAA protects patients by affording them specific rights to their information. Patients can designate who can see their records, including which family members. We suggest you have them do this in writing. It is important to get that right – impermissible disclosure fines are far too common. Additionally, HIPAA requires you to make their records available to them. You must provide the patient with his or her records within 15 days in California, shorter than the 30-day time frame called for in HIPAA.

It is your responsibility to keep your staff up to speed on these requirements. Regular, recurrent training is a big step in the right direction.

THE BOTTOM LINE

Be absolutely certain you’ve done all you can to comply with HIPAA, and if you do have a breach, act quickly and responsibly. You may not be able to avoid a breach, but you can mitigate the damage with proper preparation.

Jeff Mongelli is CEO of Acentec, Inc., a nationwide provider of HIPAA compliance and medical IT management services. If you have any questions about this article or would like recommendations, please contact him for a free consultation at 800-970-0402 or jeffm@acentec.com

The information in this publication should not be considered legal or medical advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.