The Reality of HIPAA Violations and Enforcement

Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law.

The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code set and security standards.

The American Recovery and Reinvestment Act of 2009 created a tiered penalty structure for HIPAA violations. But it is the OCR that determines the amount of each penalty, and that amount depends on the nature and extent of the harm that results from the breach. For example:

  • The fine for a first time infringement by someone who did not know they violated HIPAA could be as low as $100 or as high as $50,000.
  • The fine for a violation due to willful neglect, but corrected within the required time period, is a minimum of $10,000 per violation with a maximum of $50,000.
  • The fine when the willful neglect violation is not corrected increases from $10,000 to $50,000.

However, whenever there is a violation that is not considered willful neglect and it is corrected within 30 days of notice, the OCR cannot impose the civil penalty.

A Privacy Rule infraction can be considered criminal and may lead to prosecution by the Department of Justice if someone deliberately acquires or discloses a person’s health information; the fine is $50,000 and up to one year in jail. Whenever an offense is committed through deception, the fine is $100,000 and the jail time is 5 years. And, if a person’s health information was sold, transferred or used for profit-making, or for any type of personal gain or intent to harm, the fines can go as high as $250,000 with imprisonment for up to 10 years.

Knowing that enforcement of HIPAA is real and that the penalties can be financially and professionally devastating, healthcare offices need to prioritize their training efforts for all of their staff. There truly is no excuse for any healthcare office not to be thoroughly trained in HIPAA law, because if they are found to be out of compliance HHS will not accept ignorance of the law as a defense.

23 comments on “The Reality of HIPAA Violations and Enforcement”

  1. These fines are per individual and/or practice, correct? The reason I ask is that my current manager and staff feel that the penalties only apply to the practice, not to each of them if they are the violators. And I completely disagree with them based on all of my understanding of HIPAA.

    1. Fines are typically levied against the practice and are generally per occurrence, e.g. per record compromised.

      1. I have a very case-specific scenario. I am in a current custody battle where both parties retained best-interest experts. We both were ordered to take hair follicle tests. I unfortunately failed (the first one; the second one I passed). My adversary’s “unethical” attorney sent a subpoena to the medical facility commanding all records pertaining to me. Without any signed authorizations, the facility sent all results to them (via phone call, to boot). By law, within the subpoena, a certain number of days are given before the lawyer could obtain such records. If by chance such records were produced prematurely, it is the attorney’s duty to close up the envelope and send the records back without looking, giving the opposing side the opportunity to put in a motion to quash. The following day an order to show cause was filed. My parenting time has since been altered to my detriment. I have gone full force. Any comments?

    2. Individual workers have been prosecuted for violating HIPAA:

      • 2004 – Richard Gibson, phlebotomist, stole demographic info from a cancer patient and opened 4 credit cards. Sentenced to 16 months in jail and $9k restitution (per plea agreement)
      • 2010 – Huping Zhou, a UCLA researcher, was sentenced to 4 months in federal prison for snooping. UCLA agreed to pay an $865,000 fine
      • 2014 – Joshua Hippler, East Texas hospital employee, indicted on charges of Wrongful Disclosure of PHI. If convicted, he faces up to 10 years in prison

      ALSO, Civil Suits are possible in addition to OCR penalties. For example:

      Hinchy v. Walgreen Co. et al.
      • A Walgreen pharmacist was informed by her husband of past sexual conduct with Hinchy and the possibility of a sexually transmitted disease
      • The pharmacist intentionally accessed Hinchy’s prescription information while at work
      • The pharmacist’s husband sent a text message to Hinchy, causing her to suspect that her information was impermissibly accessed
      • In July 2013, a jury awarded $1.44M to Hinchy

  2. What happens to my co-worker if she accessed her husband’s ex-wife’s record but did not disclose or use any of her information, and it was a clinical setting and on a separate server than her actual doctor’s record? There wasn’t any information in the record other than phone-scheduled appointments and basic demographics. My co-worker has since left healthcare.

  3. Is there any possible penalty for an employee who has not completed their HIPAA Privacy training course? For instance, a V.P. where I work was hired in August 2014, but has yet to complete the training, even after numerous reminders.

  4. An enemy went as far as to find out my personal hospital record from when I was in the ER and posted it all over Facebook. I talked to the head of security at Johns Hopkins; they are dealing with it, but this does not satisfy me one bit. I need something done because she keeps posting in all groups.

  5. Before taking the time and HAS of filing a complaint about a pharmacy tech that not only disclosed some as a pt then also degraded this person and told people that he/she was nothing but a pill head and other very negative information. Then lies about this person again after being warned but the pt. Biggest deal is the information got to children and was discussed again

  6. A nurse noticed my fiancée and me in the OB/GYN and told half the town she was pregnant. We started receiving calls about it before we told our family. We could’ve been there for any reason, but everyone knew why. I’m assuming she checked our records after she saw us.

  7. My wife was terminated from her job at a local hospital for accessing her mother’s medical records while at work. She IS POA; how can she be terminated for violating HIPAA?

    1. You cannot even access your own records unless it is required to perform your job. A few people I know let their co-workers handle their relatives’ cases, even though they have the right to access the medical records, just to be safe. With medical records, if you have no job-related reason to see someone’s medical record, it is a violation.

  8. I was recently in a drug and alcohol treatment facility; while there, I was in contact with a residential aide who also works part time at a convenience store. On my discharge from the facility I managed to gain employment at the same convenience store. The residential aide is discussing my health issues with other employees and saying I’m willfully spreading Hepatitis C to others. I would like to know how to take action and what my chances are of anything being done about this. I’m extremely embarrassed and mortified, as I am not spreading anything around. Prior to learning this was going on I enjoyed my job and worked full time. I’m trying to build a life worth living but finding myself ashamed to continue my employment.

  9. I believe my PHI and another patient’s PHI have been violated. On a visit to a hospital, I was placed on a gurney in the ER hallway with only a half-size curtain pulled to “provide me with some level of privacy.” For approximately 3 1/3 hours I had to discuss my symptoms, what could be the cause of my symptoms, and the results of my CT scan. In that time, nurses, people pushing carts with linens, and visitors were simply walking past me and making eye contact while I was in incredible pain. When the doctor was finally found by my nurse and asked if I was ever going to be provided with something for my pain, the doctor told me and everyone around me about an infection from April that isn’t going away. He proceeded to tell me that he would prescribe me a pain medication that I am allergic to and another medication that I was already taking. When I told him that I am allergic to the pain medication he was prescribing me, he added that he was going to prescribe an antibiotic and that would help with the pain. And again, I had been taking 4 different antibiotics since April. I replied that the antibiotics are not working. He clearly got ticked off with me protesting, stating, well, the pain meds don’t seem to be working. I reminded him of how many people I had had to look at and how uncomfortable I had been while being placed against a wall with a sign that read “transition 1” in a hallway, that I had to change in and out of a gown in a public restroom, and that I remained miserable the entire time I was there. He remarked that this is all he would do. As if that was not a horrible enough experience, I had a follow-up visit with my family doctor and he informed me that this doctor, Dr. Edward Lee, added remarks in my medical records stating something to the effect that I was seeking narcotics!! I also overheard this woman’s issue with her pain, her struggles with methadone, and her crying to a nurse and doctor about her lack of care with no pain medication.
How in heaven’s name is this sort of medical treatment moral and/or legal? Might someone advise me?

  10. First, if I post on here, will I actually get a reply from someone that works with HIPAA law?
    Okay, I was going through a work comp deal. The office closed my case without finishing with medical help. So, I requested all my paperwork so I can get a lawyer. In the middle of the paperwork, they sent me paperwork for another individual in another state. It has all his personal info on it except his full SS#, just the last 4. I called the office and told them about it, but they have not contacted me back about it. I’m NOT the type of person to misuse this info. But I’m not sure how this works. I’m getting a lawyer because this company is shady in the first place.. Now this! And is this the first time they have done this? IDK? What do I DO???

    1. If you think that HIPAA laws were violated, you can file your concerns with HHSC in your state. They will determine if the practice falls under HIPAA regulation.

  11. Is HIPAA only applicable to those in the healthcare field?
    I keep reading about the covered entities: healthcare providers, health plans, and healthcare clearinghouses. But if two non-medical people are talking about a third that was injured, is this a violation of HIPAA? The two people gossiping have never seen any personal medical records; they are only talking about what the third openly talked about at work.

    1. The HIPAA laws are only applicable to those entities that meet the requirement of payment set forth by health insurance and those working in health insurance that might have access to personally identifiable information in regard to patient files and sensitive medical records.
      Now, to be clear, not all individuals that work in health care related professions fall under the auspices of HIPAA regulation, and thus HHSC cannot enforce or levy any sort of fine set forth in these laws. Also, the laws typically target the practice where that individual works and not the individual who commits the offense. So if Betty Jo works at Dr. Bob’s office and, through the practice, learns Peggy Sue is pregnant and doesn’t know who the dad is, then decides she wants to talk about it at the next community social, she commits a HIPAA violation. If word gets around to Peggy Sue that Betty Jo has been gossiping about her medical issues, then Peggy Sue can contact the HHSC in her state and file a complaint. Once the HHSC personnel review her complaint, they may ask other questions to see if the provider falls under the auspices of HIPAA enforcement. If that’s determined, they will investigate Peggy Sue’s complaints. If those complaints are valid, then they will determine what actions, if any, need to be taken against the owner of the practice, and the fines will be levied against the practice and not necessarily Betty Jo.
      Now if Betty Jo is just some lady that is in no way affiliated with Peggy Sue’s health care, who heard “through the grapevine” about the pregnancy and starts the rumor mill, then it’s just too bad, so sad. In spite of how upsetting the Betty Jos in our lives are, we really don’t want our government levying fines on the town’s gossiper. The reason is that those same laws can be used on YOU, when you have never agreed to keep something in confidence. It doesn’t make you a Betty Jo, necessarily. It can be that you just get accused of saying something that you didn’t realize was a secret, and now HHSC is at your door, with little to no actual due process, for you to write a check because you “spilled the beans” about Peggy Sue, in spite of having no ill meaning in doing so.
      Referring back to “not all health care providers fall under the auspices of HIPAA regulation,” this is also important to note. Certain services that might be thought of as health care related, but aren’t typically paid for with medical insurance, like sometimes midwives, massage therapists, holistic healers, etc. These people likely may not fall under the auspices of HIPAA regulation and, if they go blabbing about the “disgusting wart on your back that has 3 eyes and speaks Japanese,” they won’t be fined or jailed, and there is nothing, aside from writing a bad review online about them, that will happen to them.

  12. Recently, an unknown individual at the practice where I work has intentionally posted confidential patient information to various web pages in an attempt to sabotage the company. Currently, the authorities have discovered over a dozen HIPAA violations and we are looking at a major lawsuit. I work at a small, private practice consisting of only 16 employees, plus the CEO. If the person or people responsible are not caught, who will be penalized, and what type of penalties are likely to be enforced?

  13. According to the different penalties applied to HIPAA violations, I notice this, “Willful neglect but violation is corrected within the required time period”. If the violation is release of PHI without consent, how can that be “corrected”? The information is already out there.

  14. The hospital requires wearing a mask throughout the entire hospital, not just when working around patients, except in the cafeteria, if an employee did not get a flu shot. The employee has a pre-existing condition and is allergic to the influenza vaccine. Is this not a HIPAA violation, in that now all the staff know that this employee has a medical condition? Also, can this be considered discrimination, in that any person, be it a patient, visitor, vendor…, whom they don’t know whether they have received the flu shot or not, can enter the hospital at any time and not be required to wear a mask?

  15. I work in a medical office. A patient came to my window and I asked her for her new insurance card, as instructed by my office manager. The patient was in the middle of telling me that her husband had left her and had taken her off his insurance, and that she was applying for Medicaid, which would backdate to the date of services. Before I was through with the patient, the practice manager comes to the window and tells the patient she has a $200.00 balance; the patient was upset… This patient also had dropped off a form to be signed by the Dr. for employment, and on the form it asked if the patient had any mental illness. It happens that the patient has bipolar disorder. She waves the paper in front of me and says to the patient: “I don’t think you want this form for employment since it states ‘YOU ARE BIPOLAR’.” The patient was upset, and I was so upset as well, and even though there were no other patients in the waiting room, it certainly wasn’t my business or my two coworkers’ business that that patient has bipolar disease. What would be the best thing to make sure this does not happen again? And believe me, it happens all the time. What are my rights as an employee if the patient does not make a formal complaint?
