Civil Penalty for Unknowingly Violating HIPAA

When a covered entity or business associate makes the HIPAA Wall of Shame for a significant breach or violation, it often results in huge fines. In some cases, the breaches and resulting fines stemmed from organizations knowingly violating HIPAA regulations and simply hoping they wouldn’t get caught. However, many violations and fines occur because people thought they were doing enough to be compliant. Do the regulators consider intent when handing out penalties? What is the civil penalty for unknowingly violating HIPAA regulations?

What Would Cause a Civil Penalty for Unknowingly Violating HIPAA?

In 1939, Winston Churchill famously described Russia as “a riddle, wrapped in a mystery, inside an enigma.” You may feel the same way about HIPAA after scrolling through the thousand-plus related pages on the Health and Human Services website.

Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) governs how healthcare organizations (covered entities – CE) and their employees should properly collect, use and manage the protected health information (PHI) of their patients. 

It also defines how PHI must be managed by companies that provide services to covered entities (business associates – BA). Penalties for failing to comply with HIPAA regulations can vary widely, but one of the most significant factors that investigators consider is whether a violation was intentional or unintentional. 


How Do Regulators Determine a Civil Penalty for Unknowingly Violating HIPAA?

HIPAA regulators classify violations by covered entities and business associates into one of four tiers, based upon what was known and what was done. 

Tier A – The violation unknowingly occurred, and the offenders would have acted differently if they had known. The penalty can be as low as $100 for each HIPAA violation, not to exceed $25,000 per category for the calendar year.

Tier B – The violation occurred as a result of a reasonable cause but not “willful neglect.” The penalty can be as low as $1,000 for each HIPAA violation, not to exceed $100,000 per category for a calendar year.

Tier C – The violation occurred as a result of willful neglect that the organization ultimately corrected. The penalty can be as low as $10,000 for each violation, not to exceed $250,000 per category for the calendar year.

Tier D – The violation occurred as a result of willful neglect that the organization did not correct. The penalty is $50,000 for each violation, not to exceed $1.5 million per category for the calendar year.

Can an Employee Receive a Civil Penalty for Unknowingly Violating HIPAA?

Employees are not immune from receiving civil penalties if they violate HIPAA regulations. Civil penalties apply when an employee was aware that they violated HIPAA, or they would have been aware had they exercised due diligence. Fines for civil penalties can be anywhere from $100 – $25,000, depending on whether or not there were multiple violations. If the employee corrects a HIPAA violation committed unknowingly within 30 days of discovery, and does not commit willful neglect, the employee is not subject to civil penalties.