What is a HIPAA Violation? | Penalties and Fines

To file a complaint for violation of your rights under HITECH or HIPAA, visit the Dept. of Health & Human Services website.

We’ve just launched our latest white paper on HIPAA Compliance! This white paper is ideal for executives and IT decision-makers seeking a primer as well as up-to-date information regarding hipaa compliance best practices and specific technology recommendations, including cloud-based hipaa compliant hosting options.

Download the HIPAA Compliance white paper.

Read below for an excerpt about what is a hipaa violation:

Penalties and Fines

There are all kinds of HIPAA violation cases out there – whether they violate the security, administrative or technical safeguards, data breaches often occur within certain parameters, as can be seen from research of the HHS reported breaches affecting 500 individuals or more.

If you’re looking for what the penalties and fines are for certain types of HIPAA violations, see the chart below (recently updated to reflect the final HIPAA rules):

VIOLATION TYPE	EACH VIOLATION	VIOLATIONS OF AN IDENTICAL PROVISION IN A CALENDAR YEAR
Individual didn’t know they violated HIPAA	$100 – $50,000	$1,500,000
Reasonable cause and not willful neglect	$1,000 – $50,000	$1,500,000
Willful neglect but corrected within time	$10,000 – $50,000	$1,500,000
Willful neglect and is not corrected	$50,000	$1,500,000

Source: Department of Health and Human Resources, Federal Register.gov (PDF)

According to the final HIPAA modifications, in applying these amounts, the Department will not impose the maximum penalty amount in all cases but rather will determine the penalty amounts based on the nature and extent of the violation, the nature and extent of the resulting harm, and the other factors.

The most common cases in the news involved the following:

Unencrypted Data

Although this may be due to the fact that encrypted data breaches do not have to be reported, the vast majority of data breaches are due to stolen or lost data that was unencrypted. A common theme includes the data archiving method of using backup tapes to store patient health records.

While increasing and monitoring security of the storage facilities is important, another alternative is IT disaster recovery for the cloud. By eliminating tape backup, cloud disaster recovery can increase recovery time objectives (RTO) and restore your server data and applications in hours.

Employee Error

Two separate cases involved an employee leaving unencrypted backup tapes with PHI in their vehicles while parked off-premises. Another case was due to employees mistakenly sending PHI to contractors that posted the information publicly online. Still others include disclosing sensitive information on social media networks that could be personally identifiable.

Training, documenting and monitoring employee adherence to company security policies and procedures is extremely important and one of the easiest preventative actions an organization could take to avoid a data breach. While you should train your own employees, remember that part of due diligence in checking your business associates’ compliance is also verifying their employees have been trained. Ask your HIPAA hosting provider for the latest dates of their employee training.

Data Stored on Devices

Almost half of all data breach types can be attributed to the theft of physical records – 49 percent. When portable devices are unencrypted or not properly secured by passwords, pins and other security methods, the risk of a PHI breach increases considerably. Additionally, if you’re not backing up your data frequently, you can lose a lot of valuable patient records if you lose your laptop, smartphone, etc.

One solution is using a HIPAA compliant data center to host your data and applications securely in an offsite location with the appropriate technical, physical, logical and network security in place. With limited remote access, your data is safely stored off of your personal and portable devices while your servers are being managed and monitored by trained professionals.

Business Associates

Sixty-two percent of data breaches involved a business associate, according to HHS.gov, making the vendor selection process an essential step toward achieving full compliance.

What should you look for when you’re comparing HIPAA hosting providers?

An independent HIPAA audit report for verification of that a HIPAA hosting provider can actually provide compliant solutions and a compliant hosting environment that can withstand scrutiny by an auditor measuring against the OCR HIPAA Audit Protocol.
Knowledge of what services are essential to helping you meet compliance – a dedicated or virtual firewall/VPN, antivirus, OS patch management, offsite backup/DR – as well as what services are strongly recommended or considered best practice in the industry.
Documented, formal policies and procedures, as well as dates and documentation that all of their employees have undergone training. Dates are important to verify their ongoing compliance.
A business associate agreement (BAA) that outlines their responsibilities, ownership, timeline of breach notification, how they handle PHI, etc.

Lapse in Notification

Another mistake made in many HIPAA violation cases is the date of notification to HHS and affected individuals. HHS requires extensive documentation within 10 days of a data breach, with at least 15 specific components that relate to the covered entity’s internal investigation, policies and procedures, physical safeguards, risk assessment, and breach notification.

Looking for HIPAA compliant hosting? Otava can help. Our cloud, disaster recovery and colocation solutions have helped covered entities and business associates alike adhere to HIPAA regulations and keep PHI secure. Check out our HIPAA compliant solutions for yourself or contact us to learn more.

Related resources

Why disaster recovery is important to HIPAA compliance: There are many aspects of complying with HIPAA regulations, and all are equally important to avoid facing the stiff penalties that come as a result of any violations. In addition to technical and physical safeguards for your PHI, the administrative safeguards…(Keep Reading)

Achieving Compliance in a Hybrid Cloud: According to the 2019 Rightscale® State of the Cloud report, the number of enterprises with a hybrid cloud strategy (one that combines both public and private clouds) grew to 58 percent for 2019, up from 51 percent in 2018… (Keep Reading)

What Is The HIPAA Security Rule? How can you be certain that your patients’ electronic health information is adequately protected? The HIPAA Security Rule was created to help you answer that question more confidently… (Keep Reading)

What Is The HIPAA Privacy Rule? Physicians are entrusted with some of the most intimate and personal information in a patient’s lifetime—account and identity information as well as health information… (Keep Reading)

About Otava

Otava provides secure, compliant hybrid cloud solutions for service providers, channel partners and enterprise clients. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers with a clear path to transformation through its highly effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by its exceptional support team. Learn more at www.otava.com.