HIPAA requires covered entities to conduct training to staff to make sure HIPAA Rules and regulations are fully comprehended. During HIPAA training, healthcare staff should be knowledgeable in relation to the possible punishment for HIPAA violations, but what are those penalties and what happens if you breach HIPAA Rules?
What Happens if You Breach HIPAA Regulations?
If you breach HIPAA Rules there are four possible outcomes:
- The matter will be dealt with internally by an employer
- You could be removed from your position
- Sanctions from professional boards may be applied
- Criminal charges which include fines and imprisonment could be sanctioned.
The extent of the punishment will depend on the severity of the violation. The decision of employers, professional boards, federal regulators, and the Department of Justice will depend on a number of different factors:
- The extent of the violation
- If HIPAA Rules were knowingly being violated, or by using due diligence, it should have been obvious that HIPAA Rules were being violated
- Whether action was taken to address the violation
- Whether there was malicious reasons or HIPAA Rules were broken for personal gain
- The damage created by the violation(s)
- The number of people affected by the violation
- If there was a violation of the criminal provision under HIPAA
Civil Punishments for HIPAA Violations
Civil penalties for HIPAA violations begin as low as $100 per violation by any individual who breaks HIPAA Rules. The fine can go as high as $25,000 if there have been a number of different violations of the same sort. These penalties are applied when the individual was knowledgeable that HIPAA Rules were being broken or should have been aware had due diligence been exercised. If there was no willful neglect of HIPAA Rules and the violation was remedied within 30 days from when the employee knew that HIPAA Rules had been broken, civil penalties will not apply.
Criminal Punishment for HIPAA Violations
The criminal punishment for breaking HIPAA can be severe. The minimum fine for willfully breaking HIPAA Rules is $50,000. The highest criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be forwarded to the victims. Along with the financial penalty, a prison sentence is likely for a criminal violation of HIPAA Rules.
As with the punishment for breaking HIPAA rules for HIPAA covered entities and business associates, there are different penalty tiers.
Criminal violations that happen due to of negligence can result in a prison term of up to 12 months. Obtaining protected health information under false pretenses brings a maximum prison term of five years. Knowingly breaking HIPAA Rules with malicious intent or for personal gain can lead to a prison term of up to 10 years in prison. There is also a mandatory two-year jail term applied in relation to aggravated identity theft.