HIPAA violations are costing healthcare providers millions of dollars in fines, not to mention negative publicity and reputational damage. Yet lack of compliance among many healthcare providers persists, largely because HIPAA compliance can be a very complex process. HIPAA Privacy, Breach and Security Rules encompass hundreds of requirements and implementation specifications, all enforced by the Office for Civil Rights (OCR). Enforcement is strict and tenacious, and OCR is known to vigorously pursue any and all infractions. Moreover, the government does not consider ignorance of HIPAA law a defense. With literally millions of dollars at risk, can your organization really afford to ignore the legal and ethical responsibility of HIPAA compliance?
OCR enforces HIPAA compliance through complaint investigations, breach investigations and random compliance reviews. When determining the dollar amount of a financial penalty, OCR will evaluate a variety of factors such as the type of data exposed, the length of time a violation was actually present, the level of potential harm the violation could have caused, and the Covered Entity’s prior history. The tiered fine schedule is as follows:
- An “unknowing” violation, about which the Covered Entity or Business Associate did not know, or could not have reasonably known- $100 to $50k per infraction.
- A “reasonable cause” violation, about which the Covered Entity or Business Associate knew, or should have known, but did not demonstrate willful neglect- $1k to $50k per infraction;
- A “willful neglect” violation, about which the Covered Entity or Business Associate acted with intentional failure or reckless indifference- $10k to $50k per infraction.
Keep in mind that these numbers are compounded by the fact that rarely is only one infraction found. Infractions identified during an OCR investigation typically include both those surrounding the incident, as well as a host of non-related infractions that are uncovered as a result of the investigation. Just this month, two large medical centers, one in the south and one in the pacific northwest were each fined over $2.70 million after breaches triggered OCR investigations that uncovered multiple violations. And in June a Healthcare Business Associate providing IT services to skilled nursing facilities in the northeast was fined $650,000 and a put on a corrective action plan for, among other things, failure to adequately safeguard protected health information after an employee’s cell phone was stolen.
Financial penalties for HIPAA violations hold Covered Entities accountable for their actions, and act as a deterrent to those who ignore or procrastinate on some of the HIPAA requirement and implementation specifications. Common violations that can incur huge fines include:
- failure to implement policies and procedures to prevent, detect, contain, and correct security violations;
- failure to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
- failure to perform routine risk analyses;
- failure execute an active risk management plan.
HIPAA enforcement is real, and the financial penalties for non-compliance can be devastating. Healthcare organizations should proactively identify and remediate Privacy, Breach and Security compliance shortcomings before they find themselves the subject of a breach, a complaint investigation or a random audit. Yet complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to achieve and maintain HIPAA compliance. Consider hiring a compliance partner to design a customized approach based on your organization’s unique needs and requirements. Your organization’s reputation, as well as financial health could depend on it.
For more information on OCR HIPAA enforcement, download our OCR Audit eBook by clicking on the below link:
BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.