Organizations that work in healthcare have an obligation to train employees on HIPAA rules. Employee training ensures that employees working with protected health information (PHI) understand the requirements of HIPAA and the penalties they may face for failing to follow HIPAA rules. The penalties for violating HIPAA rules are discussed below.
Repercussions of Violating HIPAA Rules
Depending on the nature of the HIPAA violation, penalties for the violation vary for employees. Disciplinary actions may be determined by an employer, federal regulators, professional boards, and the Department of Justice.
Imposed penalties for breaking HIPAA rules are determined by the following:
◈ The nature of the violation
◈ Whether or not the employee was aware that HIPAA rules were being violated
◈ Whether or not the employee took action to correct the violation
◈ Whether there was malicious intent, or the violation was committed for personal gain
◈ The nature of harm caused by the violation
◈ How many people were impacted by the violation
◈ Whether the incident falls under the criminal provisions of HIPAA
Employees who break HIPAA rules can face the following HIPAA violation penalties:
◈ The employer can deal with the violation internally through disciplinary action
◈ The employee could face termination
◈ Professional licensing boards could issue sanctions against the employee
◈ Criminal charges could be brought by the Department of Justice, with fines and imprisonment
Criminal Repercussions for Breaking HIPAA Rules
Employees who knowingly obtain or disclose protected health information in violation of HIPAA can be fined $50,000 to $250,000, depending on the tier of the offense, and that does not include potential restitution to victims. Employees may also be subject to jail time; an employee who commits aggravated identity theft faces a mandatory two-year prison term that runs in addition to any other sentence.
The criminal penalties are categorized into three tiers, each with its own maximum fine and prison term:
◈ Knowingly obtaining or disclosing PHI: up to $50,000 and up to 1 year in prison
◈ Obtaining PHI under false pretenses: up to $100,000 and up to 5 years in prison
◈ Obtaining or disclosing PHI with intent to sell it, for commercial advantage or personal gain, or with malicious intent: up to $250,000 and up to 10 years in prison
Civil Repercussions for Breaking HIPAA Rules
Civil penalties apply when the person knew, or would have known had they exercised reasonable diligence, that HIPAA was being violated. Civil fines start at $100 per violation and, under the original HIPAA statute, were capped at $25,000 per calendar year for repeated violations of the same requirement; the HITECH Act later raised both the per-violation amounts and the annual cap substantially. If the violation was not due to willful neglect and was corrected within 30 days of the date the person knew, or should have known, about it, no civil penalty is imposed. A civil penalty also cannot be imposed for conduct that is punished under the criminal provisions described above.