Common types of HIPAA violations
Most HIPAA violations fall into one of three categories: unencrypted data, employee error, or breaches resulting from the loss or theft of a device.
The majority of reported breaches involve lost or stolen data that was not encrypted. Encrypting data at rest adds a layer of protection if a device containing PHI is lost or stolen, and it limits what an attacker can read from the stored data. Note the scope of that protection: encryption at rest defends a device that is lost or stolen while locked or powered off; once an attacker has remote access to a running, unlocked system, the data is already decrypted for them, so encryption must be paired with access controls and patching. Under the HIPAA Security Rule, encryption is an "addressable" implementation specification rather than a required one, but it is strongly recommended: HHS guidance treats PHI that is encrypted in line with NIST standards as "secured," so losing such a device generally does not trigger breach notification, whereas losing unencrypted PHI does.
Loss or theft of technology
One of the most common types of HIPAA violations is simply losing a device with PHI on it. Nothing can completely eliminate the risk of theft, but encrypting the information on the device and protecting it with a passcode or PIN is generally enough to safeguard the data: if the device is stolen, the thief cannot read it. This holds only if the encryption key is itself protected by the passcode (as with modern full-disk encryption tied to the device's login) rather than stored unprotected on the device, and only if the passcode is not trivially guessable.
Lack of employee training
Breaches can occur when an employee loses a portable device, insecurely sends ePHI to vendors who may post or lose that information online, or discloses identifiable patient information in conversation.
Every employee who may come into contact with PHI must be trained on HIPAA regulations and compliance. This is more than just a good idea; it is a requirement of HIPAA. When discussing PHI, employees should always be aware of who may be listening.
How much do HIPAA violations cost?
The cost of HIPAA noncompliance can be crippling to an organization. Civil penalties are based on the level of culpability and range from $100 to $50,000 per individual violation, with a maximum of $1.5 million per calendar year for violations of the same provision. In addition, knowingly obtaining or disclosing PHI in violation of HIPAA is a criminal offense and can result in fines and prison time for the individuals responsible.
HIPAA breaks the civil penalties for noncompliance into four tiers:
- First tier: The covered entity did not know, and by exercising reasonable diligence could not have known, of the violation. Penalties range from $100 to $50,000 per violation, up to $1.5 million per year.
- Second tier: The covered entity knew, or by exercising reasonable diligence would have known, of the violation, but did not act with willful neglect. Penalties range from $1,000 to $50,000 per violation, up to $1.5 million per year.
- Third tier: The covered entity acted with willful neglect but corrected the problem within 30 days of discovering the violation. Penalties range from $10,000 to $50,000 per violation, up to $1.5 million per year.
- Fourth tier: The covered entity acted with willful neglect and failed to make a timely correction. Penalties start at $50,000 per violation, up to $1.5 million per year.
If HHS (the Department of Health and Human Services) finds evidence of deliberate, malicious intent, it can refer the case to the Department of Justice. As with the civil penalties, criminal violations are divided into tiers, with the most severe penalties reserved for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Prevent HIPAA Violations with Accountable
It's important to remember that, as easy as it is to violate HIPAA, implementing the training and policies that safeguard PHI and your organization is easier. That is why we created Accountable: an all-in-one, cloud-based platform to help you achieve and maintain HIPAA compliance. We give you the tools you need to train your employees, manage your vendors, and identify risk within your organization.
Oh, and it’s free to get started.