Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly targeting individuals who have knowingly violated HIPAA rules. Several cases have resulted in significant fines and imprisonment. The fines are intended to act as a deterrent against HIPAA violations while ensuring that covered entities are held accountable for their actions, or lack of them, when it comes to protecting patient privacy and the confidentiality of health data, and allowing patients access to their medical records upon request. The lowest tier of violation covers cases of reasonable cause, where the person should have known better, and cases of ignorance, where the person did not know that he or she had violated a rule. The DOJ does not recognize ignorance of HIPAA regulations as an excuse for violating HIPAA rules, as all covered entities are responsible for compliance. Since the introduction of the Omnibus Rule, the new HIPAA violation penalties apply to healthcare providers, health plans, healthcare clearinghouses, and all other covered entities, as well as the business associates (BAs) of covered entities that have violated HIPAA. Failure to enter into Business Associate Agreements (BAAs) with third-party vendors may result in penalties for non-compliance with HIPAA. Several covered entities were fined for failing to review BAAs drafted before September 2014, when all existing contracts were invalidated by the Omnibus Final Rule. In September 2016, Care New England Health System was fined $400,000 for HIPAA non-compliance, including failing to review a BAA originally signed in March 2005. Ignorance of HIPAA rules is no excuse for non-compliance; it is the responsibility of each covered entity to ensure that HIPAA rules are understood and followed.
Where a covered entity is found to have willfully violated HIPAA, the maximum penalties apply. At the other end of the scale is the lowest tier, where the covered entity or business associate did not know, and even with due diligence could not have known, that HIPAA had been violated. A recent case, resolved in 2021, involved Jennifer Lynne Bacor, a nursing technician at a Cedar Rapids hospital. She used her credentials to access her ex-boyfriend's PHI several times, even though he was not one of her patients, after he had been treated at the hospital on several occasions. After accessing his information, Bacor took a photo of a medical image, which she then shared with a third party. That third party shared the photo with the ex-boyfriend and others in a Facebook post with "mocking language and emojis." Bacor was sentenced to five years of probation and fined $1,000 for violating HIPAA and using her ex-boyfriend's private medical information as a "weapon." Bacor was also barred from any employment that would give her access to other people's private medical information during her probationary period. Attorneys general are cracking down on data theft and are eager to make examples of people who have violated HIPAA privacy rules. A prison sentence for theft of HIPAA-protected data is therefore very likely.
The civil penalty tier system for healthcare organizations is based on the extent to which the HIPAA-covered entity knew that HIPAA rules had been violated. The maximum civil penalty for a willful violation of HIPAA is $50,000 per violation, up to a maximum of $1.5 million per category of violation per year. OCR and HHS can resolve cases with covered entities and business associates through resolution agreements. These agreements may include a settlement payment for the HIPAA violation and a requirement to take corrective action and submit reports to HHS, typically for three years. For example, in a recent case, Children's Hospital & Medical Center (CHMC) agreed to take corrective action and pay $80,000 to resolve a potential violation of the HIPAA right of access standard. If HHS is unable to reach a satisfactory resolution agreement with the covered entity, it may impose civil monetary penalties for non-compliance. Although OCR has the discretion to waive a civil penalty for an unintentional HIPAA violation, ignorance of HIPAA regulations is not considered a valid excuse for failing to implement appropriate safeguards. In April 2017, the remote monitoring service CardioNet was fined $2.5 million for failing to fully understand HIPAA requirements and then failing to conduct a full risk assessment.

Notes to the civil penalty tiers:
1, 2. Per violation of an identical HIPAA requirement or prohibition.
3. The covered entity or business associate did not know (and, exercising due diligence, would not have known) that it had violated the provision.
4. The violation was due to reasonable cause and not to willful neglect.
5. The violation was due to willful neglect and was corrected within 30 days.
6. The violation was due to willful neglect and was not corrected within 30 days.