The Health Insurance Portability and Accountability Act of 1996 was enacted to make it easier to manage healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when moving between roles.
There have been a few major amendments to HIPAA to improve privacy protections for patients and health plan members over the years which hsough to ensure healthcare data is secured and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
A HIPAA violation is a failure to adhere with any part of HIPAA standards and provisions in 45 CFR Parts 160, 162, and 164.
The combined text of all HIPAA regulations created by the Department of Health and Human Services Office for Civil Rights includes 115 pages and includes many provisions. There are many ways that HIPAA Rules can be violated, although the most witnessed HIPAA violations are:
The financial penalties for HIPAA Rules can be massive. State attorneys general can issue fines up that go as high as $25,000 per violation category, per calendar year. OCR can issue financial penalties as high as $1.5 million per violation category, per year. Multi-million-dollar fines can be – and have been – applied.
While healthcare providers, health plans, and business associates of covered entities can be hit with financial penalties, there are also potential fines for individuals who breach HIPAA Rules and criminal penalties may also be sanctioned. A jail term for violating HIPAA can also be applied with some violations carrying a penalty of up to 10 years in prison.
How are HIPAA Violations Uncovered?
Many HIPAA violations are found by HIPAA-covered entities through internal reviews. Supervisors may discover employees who have violated HIPAA Rules. Alternatively, employees often self-report HIPAA violations and potential breaches by colleagues.
The HHS Office for Civil Rights is the chief policeman in relation to HIPAA Rules. The body investigates complaints of HIPAA violations reported by healthcare employees, patients, and health plan subscribers. OCR also investigates all covered entities who report breaches of more than 500 records and runs investigations into a number of smaller breaches. OCR also runs periodic audits of HIPAA covered entities and business associates.
State attorneys general also have the power to look in to HIPAA violations and investigations are often operated due to complaints about potential HIPAA violations and when reports of breaches of patient records are submitted.