Patients share critical health-related information with caregivers and health organizations. They do so in the belief that their data will be kept confidential. Any breach of data confidentiality can leak critical patient information to unwanted parties and cause a severe trust deficit between health agencies and patients.
To protect sensitive data about patients' health, the US Department of Health and Human Services (HHS) enacted the HIPAA Privacy Rule in 1996. This federal law defines the authority healthcare agencies have to control the flow of patients' personal information, and in turn assures patients that this information will not be disclosed to third-party agencies or individuals unless the agency or individual is involved in protecting the public's health and well-being.
Any breach of HIPAA regulations by health agencies carries strict legal penalties and monetary consequences. HHS, which enforces the HIPAA regulations, does the following:
- Investigate any complaints related to the violations
- Regularly evaluate the conduct of the covered organizations and ensure that they remain in compliance
- Provide education through outreach to promote compliance with the regulations
Organizations covered under HIPAA regulations
You might want to check whether your organization falls under the purview of HIPAA regulations. You would need to comply with the regulations if you are one of the following:
- Healthcare Provider: Any healthcare provider, large or small, that receives patient records and enters them electronically needs to comply with HIPAA data transmission guidelines.
- Insurance Providers: Any insurer that deals with health plans, including Medicare, Medicaid, Choice, Supplement and long-term health plans (including employer-sponsored plans), needs to comply with HIPAA guidelines.
- Intermediate Health Agencies: Any agency or organization that receives patient data from other entities for processing, for example a clearinghouse, needs to be compliant.
- Analytics firms: Any business analyst who uses patient data to perform analytics that inform business decisions needs to follow HIPAA guidelines.
Types of HIPAA breaches
HIPAA violations can be accidental, when PHI is disclosed beyond the minimum necessary, or intentional, when a company or practice fails to report breaches or fails to correct them on time. A HIPAA breach can happen, intentionally or unintentionally, for several reasons:
- Unencrypted Data: When a patient's health information is stored unencrypted, it is easily accessible to anyone who obtains it, and the data can be lost or used without authorization by hackers.
- Theft of Data: Any device holding PHI must always be encrypted and password-protected, so that the data is not exposed if the device is stolen or lost.
- Lack of Training or Awareness: An untrained workforce or low awareness can lead to careless handling and transfer of data from one device or channel to another, creating security risks.
- Insufficient Measures to avoid Hacks: Inadequate data protection measures and careless log maintenance can leave the data open to hacking attacks.
Implications and penalties for HIPAA violations
Depending on whether you violated the HIPAA norms intentionally or unintentionally, and on the level and extent of the breach, you can be charged under civil law, criminal law, or both. Civil law leads to monetary penalties for health agencies and individuals, while criminal law can carry a hard jail term.
Under civil law, HIPAA breaches are classified into 4 tiers, and penalties are imposed accordingly:
- Tier 1 Breach: A Tier 1 breach is typically unintentional, or one the offender was unaware of. In such cases, a penalty in the range of $100 to $50,000 can be imposed, depending on the extent of the breach and its impact.
- Tier 2 Breach: Also known as a second-degree breach, this happens when the company is aware of the breach but takes no timely action to rectify the issue. In such cases, penalties in the range of $1,000 to $50,000 can be imposed.
- Tier 3 Breach: The entity neglects the rule by choice. Penalties can range from $10,000 to $50,000 per violation.
- Tier 4 Breach: The company committed the violation by choice, and there is currently no way in which the violation can be corrected. The penalty for such cases is $50,000 and above, up to a maximum total penalty of $1.5 million.
If an organization or individual tries to obtain patient data through unlawful means, criminal charges can be brought against the parties. Criminal breaches fall into 3 tiers:
- Tier 1: A 1-year jail term where there was reasonable cause or no knowledge of the violation
- Tier 2: A 5-year jail term for acquiring protected health information (PHI) under false pretenses
- Tier 3: A 10-year jail term for obtaining PHI for personal gain or with malicious intent
Multiple examples of violations and corresponding penalties have been observed in the past. In February 2019, HHS fined Cottage Health, which also runs Goleta Valley Cottage Hospital, Cottage Rehabilitation Hospital, Santa Ynez Cottage Hospital, and Santa Barbara Cottage Hospital in California, $3 million. The penalty was levied for repeatedly leaving electronic PHI unsecured, which impacted over 60,000 patients over a span of 2 years. In May 2019, a Tennessee diagnostic medical-imaging practice named Touchstone was asked to pay $3 million for exposing the data of more than 300,000 patients.
How to prevent HIPAA violation and protect against penalties
Even if you never intend to violate HIPAA norms and guidelines, cyber attacks can lead to data theft and land you in trouble with the HIPAA enforcement agencies. To prevent and hedge against these cyber risks, you should do the following:
- Proper Business Agreements: Put proper business agreements in place with third parties who share patients' PHI. This places liability on the partner as well, giving them an incentive to avoid data breaches.
- Strengthen Transmission Security: Encrypt the PHI that is shared on your network. Follow industry best practices and the latest technologies for strengthening transmission security.
- Cyber Risk Assessment: Conduct cyber risk assessment tests to quantify, benchmark, and mitigate the financial impact of cyber attacks on your business. Take a risk assessment test by Now Insurance, which works with leading corporations on cyber insurance, supply-chain risk, and security assessments.
- Cyber Security Insurance: With the increasing threat of hacking and data breaches, it is imperative to insure your business with a strong cyber security insurance plan. Now Insurance offers some of the better insurance plans available in the market, covering both cyber and professional liability and including a $25K HIPAA sublimit.
A small lapse in handling patient data can bring hefty fines running into millions of dollars and can land you in jail. This can happen without your knowledge because of an unexpected cyber attack, so it is important to take all necessary measures to protect and encrypt patient data and to take steps to prevent cyber attacks. Also carry good cyber security insurance: even after following diligent steps, a cyber attack on patient data can leave you penniless and broken for life.