HIPAA Breaches: What Can Healthcare Organizations Do?

The HIPAA Omnibus Rule introduced a range of changes to the HIPAA Privacy, Security, and Breach Notification Rules, and health care organizations need to reflect those changes in their policies and procedures. The most significant changes concern individual rights, which must be reflected in an entity's HIPAA policies and Notice of Privacy Practices (NPPs).

The new HIPAA policy covers—

  • New requirements for fundraising communications, including the individual's right to opt out
  • New requirements for individual authorization before any sale of PHI
  • Patient rights of access to electronic records and rights to restrict certain disclosures
  • Rights to notification in the event of a breach.

The updated rules are stringent, and violations are subject to enforcement with fines of up to $50,000 per violation, capped at $1.5 million per year for violations of an identical provision. Failure to comply can result in civil and criminal penalties. The tiered civil penalty structure is based on how much knowledge the covered entity had of the violation: lack of knowledge of the HIPAA Rules is no excuse for a violation, though it affects the fine that is issued, while willful neglect draws the maximum fines.

The tiers for civil HIPAA penalties are:

Tier 1 – Did not know: the violator did not know (and by exercising reasonable diligence would not have known) that HIPAA was violated
    Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (this annual maximum is also the most a State Attorney General can impose, regardless of the type of violation)
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Tier 2 – Reasonable cause: violation due to reasonable cause and not due to willful neglect
    Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Tier 3 – Willful neglect, corrected: violation due to willful neglect but corrected within the required time period
    Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Tier 4 – Willful neglect, not corrected: violation due to willful neglect and not corrected
    Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

The tiers for criminal HIPAA penalties are:

Tier 1 – Reasonable cause or no knowledge of the violation: up to 1 year of imprisonment
Tier 2 – Obtaining PHI under false pretenses: up to 5 years of imprisonment
Tier 3 – Obtaining PHI for personal gain or with malicious intent: up to 10 years of imprisonment


Both insider theft of PHI by employees and external attacks have increased over the years. The cyber attack on Anthem BlueCross BlueShield, for instance, has been called the largest data breach ever in the healthcare industry, affecting around 80 million customers and employees. According to a recent survey, many healthcare organizations are struggling to comply with HIPAA, and the Office for Civil Rights has promised more investigations and penalties for entities that fail to take patient privacy seriously.

What can healthcare organizations do?

  1. Multiple Security Layers: No single control prevents data loss; defend in depth, from the data itself to the devices it is stored on and the people who access it.
  2. HIPAA Risk Analysis: Conduct a regular risk analysis to check whether your organization is compliant with the new HIPAA rules.
  3. Identify the Weaknesses: Infrastructure upgrades, new system deployments, organizational restructuring, and employee turnover all change your risk. Reassess after each of them to identify the real vulnerabilities.
  4. Encryption of Data: The significance of encryption cannot be denied, since about one third of all HIPAA breaches involve unencrypted portable devices. Keep data encrypted on all laptops and portable devices, and keep evidence that it was. Under the Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured PHI", so a lost encrypted laptop generally does not trigger notification, while a lost unencrypted one does.
  5. Communication, Education and Training: Make employees aware of why security matters and what a breach costs. Provide regular security awareness training.
  6. Scanning and Testing: Regular vulnerability scanning and testing reduce the chance of a successful attack. Internal and external penetration testing exposes the weaknesses an attacker would exploit before one does.

The new HIPAA rules and regulations are complex. If you are struggling to comply with them, try our HIPAA training programs.

Source – http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
