Health was on everyone’s mind in 2020 – which meant a lot of medical records changing hands! The need for portability isn’t waning – so we put together what you should know about HIPAA violations.
Passed in 1996, the Health Insurance Portability and Accountability Act (commonly known by its acronym, HIPAA) was enacted to protect sensitive patient health information from disclosure. Subsequently, the US Department of Health and Human Services (HHS) created the HIPAA Privacy Rule so that the regulation could be implemented and enforced. HIPAA is designed to protect health information from being disclosed without patient knowledge or consent.
HHS also understands that for efficient healthcare services and public health, information needs to flow within the healthcare system. The Privacy Rule considers this and balances the important use of health information with mechanisms to properly protect the data.
Who is Subject to the Privacy Rule?
Covered entities are responsible for following requirements outlined in the Privacy Rule. Covered entities include:
- Healthcare Providers: Regardless of size, any provider that electronically transmits health information during certain transactions must follow the Privacy Rule.
- Health Plans: Any entity that covers costs associated with medical care, such as health or dental insurance.
- Healthcare Clearinghouses: Organizations that process nonstandard individually identifiable health information.
- Business Associates: Any organization that provides services for a covered entity and receives health information to do so.
In certain instances, covered entities are allowed to disclose personally identifiable health information without patient consent or knowledge. This may be for treatment, payment, or operations, when required by law, organ donation, victims of abuse or domestic violence, or other conditions that do not require the covered entity to obtain consent or inform the patient.
In addition to the Privacy Rule, covered entities must also adhere to the HIPAA Security Rule when dealing with electronic protected health information (e-PHI). Covered entities must ensure the confidentiality and security of e-PHI; anticipate, detect, and protect e-PHI from security threats; certify compliance; and protect the information from unauthorized use or disclosure.
The HHS’s Office of Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, as well as handling HIPAA-related complaints. Plus, OCR conducts compliance reviews and educational outreach efforts to ensure that covered entities are adhering to the regulation.

Image #1: The HHS’s Office of Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, as well as handling HIPAA-related complaints.
HIPAA Violations
For covered entities that violate HIPAA policies, the violations may result in either civil monetary or criminal charges. Civil violations are penalized as follows:
- Unknowing: Fines range from $100 to $50,000 per violation, with an annual max. of $25,000 per repeat violation.
- Reasonable Cause: Fines range from $1,000 to $50,000 per violation, with an annual max. of $100,000 per repeat violation.
- Willful Neglect, Corrected: If the violation is corrected within HHS’s specified timeline, fines range from $10,000 to $50,000 per violation, with an annual max. of $250,000 per repeat violation.
- Willful Neglect, Not Corrected: If the violation is not corrected within HHS’s specified timeline, fines are $50,000 per violation, with an annual max. of $1,500,000 per repeat violation.
In the event of criminal charges being brought against a covered entity, OCR works closely with the Department of Justice for investigation and resolution. Criminal offenses are penalized as follows:
- Intentionally Obtaining or Disclosing Individually Identifiable Health Information: Fines of up to $50,000 plus imprisonment of up to 1 year.
- Offenses Committed Under False Pretenses: Fines of up to $100,000 plus up to 5 years of imprisonment.
- Offenses Committed with Intent to Sell, Transfer or Use Personally Identifiable Health Information for Personal Gain: Fines of up to $250,000 and imprisonment of up to 10 years.
There have been numerous instances in which organizations have failed to meet HIPAA requirements, resulting in steep fines. In the largest HIPAA settlement, Anthem was required to pay OCR $16 million, and take corrective actions, to resolve a major violation. Following a series of cyberattacks, the e-PHI of nearly 79 million patients was breached. Not only is this the largest HIPAA settlement, but it was also the largest data breach in US history.
Through phishing campaigns, the hackers were able to infiltrate Anthem systems. The threat went undetected from December 2014 to January 2015, extracting protected health information. During their review of the violation, OCR determined that Anthem did not conduct enterprise-wide risk assessments, insufficiently reviewed system activity, and failed to maintain minimum access controls.
YouAttest – Part of Your HIPAA Risk Assessment Program
YouAttest is a pro-active enterprise user access review product for your identity audits. It’s designed to work directly with your Okta tenant or other systems. In addition to “static” reviews of users, applications and groups – as recommended by HIPAA best practices (NIST 800-53, AC-4) – YouAttest provides pro-active monitoring of the enterprise Okta and AD groups. This means admins can automatically be alerted and FORCED to do an attestation of the event.

Image #2: YouAttest provides User Access Reviews and automatically triggered attestation on configurable events.
—
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. Register for the Jan 13th YouAttest webinar: Health Care and Identity Governance from the Cloud. HIPAA, HHS OCR, regulations, enforcement and fines will all be covered – a Q&A session will follow with Health Care Compliance expert Craig Guinasso.