What is Considered a Violation of HIPAA?

Scarcely a day passes without a media report of a hospital, health plan, or healthcare professional breaching HIPAA, but what is a HIPAA breach and what happens when a violation takes place?

What does a HIPAA Violation entail?

The Health Insurance Portability and Accountability Act of 1996 is a pivotal piece of legislation that was enacted to simplify the administration of healthcare, reduce waste, combat healthcare fraud, and ensure that workers could keep their healthcare coverage when moving between jobs.

Over the years there have been major amendments to HIPAA that enhance privacy protections for patients and health plan members, helping to ensure that healthcare data is kept secure and that patient privacy is protected. Those updates were the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.

A HIPAA violation is defined as any failure to comply with the HIPAA standards and provisions set out in 45 CFR Parts 160, 162, and 164.

The combined text of all HIPAA regulations released by the Department of Health and Human Services Office for Civil Rights runs to 115 pages and contains a great number of provisions. There are countless ways that HIPAA Rules can be broken, although the most commonly observed HIPAA violations are:

How are HIPAA Violations Discovered?

Many HIPAA violations are discovered by HIPAA-covered entities through internal reviews. Supervisors may notice that employees have violated HIPAA Rules, and in many cases employees self-report HIPAA violations or report potential HIPAA breaches by co-workers.

The HHS’ Office for Civil Rights (OCR) is the main enforcer of HIPAA Rules and investigates complaints of HIPAA violations reported by healthcare employees, patients, and health plan members. OCR also investigates every breach reported by a covered entity that involves more than 500 records, and conducts investigations into certain smaller breaches. OCR also subjects HIPAA-covered entities and business associates to periodic audits.

State attorneys general also have the power to investigate breaches. Their investigations are often prompted by complaints about potential HIPAA violations and by reports of breaches of patient records.

What is the Punishment for Violations of HIPAA Regulations?

The penalties for violations of HIPAA Rules can be severe. State attorneys general can issue fines of up to $25,000 per violation category, per 12-month period. OCR can impose financial penalties of up to $1.5 million per violation category, per 12-month period. Multi-million-dollar fines can be, and have been, imposed.

In addition, there are penalties for individuals who violate HIPAA Rules, and criminal penalties may be applied as well. A prison sentence for violating HIPAA is a possibility, with some violations carrying a punishment of up to 10 years in jail.