Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5). The U.S. Department of Justice (DOJ) has clarified who can be held criminally liable under HIPAA: covered entities, business associates, and individuals who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification regulations face fines as well as imprisonment.
A tiered civil penalty structure for HIPAA violations is in place, and it is critical for employees to understand that they are personally subject to fines and criminal penalties.
Tiers of civil money penalties for HIPAA/HITECH violations
Civil penalties for non-compliance are tiered by the level of negligence involved, up to a maximum penalty of $1.5 million per violation.
The 2013 final Omnibus Rule strengthened the government’s ability to enforce the law.
The Office for Civil Rights (OCR) enforces the Privacy and Security Rules by:
- Investigating complaints filed with it; and
- Conducting compliance reviews to determine whether covered entities are in compliance.
More than one in three data breaches are caused by workforce members
HIPAA liability stemming from the actions of workforce members (including employees, volunteers, and trainees) is a bigger issue than you may realize. In 2013, Forrester Research surveyed IT executives and found that data lost, stolen, or inadvertently misused by employees caused 36% of data breaches. The report also found that only 57% of employees said they were familiar with their company’s security policies. [1]
Human error and malicious intent are working against you
An often overlooked cause of privacy breaches is human error. Workforce members with the best of intentions can still be careless and make mistakes: health information may be mishandled, and files may be disposed of improperly.
The experience of Kroll, an organization specializing in cyber security, sheds light on the prevalence of malicious intent. Examining data from cases Kroll handled for clients in 2013, the firm found that 78% of healthcare cyber crises were tied to human error, while 22% involved an act of malicious intent. [2]
1. Heidi Shay. Understand the State of Data Security and Privacy: 2013 to 2014. Forrester Research Inc., October 1, 2013. http://www.mobility-sp.com/images/gallery/FORRESTER-Understand-The-State-Of-Data-Security-And-Privacy-2013-To-2014.pdf
2. Kroll Special Report: Healthcare, Higher Education, Finance Industry Clients Top Three Cyber Targets in 2013. Kroll, 2014.
3. U.S. Department of Health and Human Services. Breaches Affecting 500 or More Individuals. Downloaded from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html