Employees who work for organizations in the healthcare sector generally receive training on HIPAA rules. This training helps ensure that employees know how to properly handle protected health information (PHI) so that confidential data does not fall into the wrong hands. When these rules are not followed, an employee can be charged with a HIPAA violation and penalized for the wrongdoing.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed by Congress in 1996. This U.S. legislation contains data privacy and security provisions for protecting medical information. HIPAA preempts state laws pertaining to the protection of medical information, except where a state law is more stringent than HIPAA.
Also known as Public Law 104-191, HIPAA serves two main purposes. It provides employees with continuous health insurance coverage if they lose or change their job, and it reduces the cost of healthcare by standardizing the electronic transmission of financial and administrative transactions. HIPAA also has other objectives, including combating fraud, abuse, and waste in the delivery of healthcare and health insurance.
What Is Protected Health Information?
Protected health information is any individually identifiable information, including demographic data, that can be used to identify a particular client or patient of a HIPAA-covered entity. Some of the most common examples of PHI include client or patient names, Social Security numbers, addresses, phone numbers, financial information, medical records, and full facial photographs.
HIPAA regulatory standards govern the electronic transmission and storage of, and access to, PHI. In electronic form this sensitive data is known as electronic protected health information (ePHI) and is regulated by the HIPAA Security Rule, which establishes national standards for reasonable technical, administrative, and physical safeguards to protect ePHI.
What are the Penalties for HIPAA Violations?
One of the most important aspects of HIPAA law that employees must be aware of is the sanction policy. Employees who violate HIPAA could face civil and criminal penalties, including fines of between $100 and $250,000 per offense and up to ten years in prison.
There are three main levels of infractions, each with its own disciplinary HIPAA sanction.
Level 1:
The first level of infraction covers an employee's first simple infraction in three years. The majority of violations at this level are accidental exposures of PHI. For example, an employee could send PHI via an unencrypted email or forget to sign out of a database, leaving PHI exposed.
The recommended sanction for a level 1 HIPAA violation is a letter of reprimand to the employee. This letter should explain the wrongdoing and warn the employee of the penalties that will apply if further infractions occur. The letter should be kept in the employee's file for six years.
Level 2:
A level 2 infraction under HIPAA law is an employee's second simple infraction or first serious infraction in three years. An example of a serious infraction is an employee logging into a patient or client account that belongs to a relative or neighbor.
If an employee commits a level 2 infraction, a letter of reprimand should be issued to the employee, along with a one-week suspension without pay. Although a level 2 infraction may be committed out of curiosity or concern, with no personal gain, it is treated just as seriously as a level 3 infraction.
Level 3:
A level 3 HIPAA violation occurs when an employee commits a third simple infraction or a second serious infraction in three years. In some instances, an offense is serious enough that it is automatically classified as level 3, even if it is the employee's first infraction.
If an employee is charged with a level 3 infraction, it is advised that the employer dismiss the employee. Depending on the seriousness of the infraction, the violation may also need to be reported to state or federal authorities, and the offender may be prosecuted.
What are the Civil Penalties for a HIPAA Violation?
The penalties for a HIPAA violation depend on several factors, including culpability. Penalties are capped at $1.5 million per year for all violations.
- If the violation was committed without knowledge, there is a minimum penalty of $100 per violation, a maximum penalty of $50,000 per violation, and an annual cap of $25,000.
- If the violation was committed with reasonable cause, there is a minimum penalty of $1,000 per violation, a maximum penalty of $50,000 per violation, and an annual cap of $100,000.
- If the violation was committed with willful neglect and was timely corrected, there is a minimum penalty of $10,000 per violation, a maximum penalty of $50,000 per violation, and an annual cap of $250,000.
- If the violation was committed with willful neglect and was not timely corrected, there is a minimum penalty of $50,000 per violation, a maximum penalty of $50,000 per violation, and an annual cap of $1,500,000.
What are the Criminal Penalties for a HIPAA Violation?
If a HIPAA violation is charged as a criminal offense, an employee could face stiffer penalties. An employee who knowingly obtains and discloses a person's identifiable health information could face a criminal fine of up to $50,000 and up to one year in prison.
These penalties increase to $100,000 and up to five years in prison if the wrongdoing involved false pretenses. If the offender's intent was to transfer, sell, or use the identifiable health information for personal gain, commercial advantage, or malicious harm, they could face fines of up to $250,000 and up to 10 years in prison.
Speak with an Employment Lawyer
Do you need legal advice or assistance regarding an employment law issue, such as a HIPAA violation charge? The team of experienced employment attorneys at JacksonWhite is here to help.
Contact our employment law team today at (480) 464-1111 to schedule a consultation and discuss your legal options.