The Office for Civil Rights (OCR) reviews thousands of HIPAA cases every year. In 2018, companies in violation of HIPAA were fined $28.7 million. Here are some of the reasons those companies had to pay the fines.
- An unencrypted laptop storing ePHI was stolen from an employee’s residence
- An employee lost some unencrypted USB drives storing ePHI
- ePHI wasn’t encrypted on enterprise-wide systems
- A hospital allowed filming onsite without obtaining authorization from patients
- A doctor disclosed PHI to a news reporter
- A company didn’t have a business associate agreement in place with a vendor
- A company didn’t make sure its vendor was in compliance — the vendor held unsecured ePHI in a web-based system
- A company failed to properly respond to a patient’s request to send their ePHI to a third party
All of these violations could have been avoided by performing periodic HIPAA risk assessments and compliance reviews that check for possible points of failure in technology, employees, and business practices.
Can anyone file a HIPAA complaint against you?
No matter how compliant you are, anyone can submit a HIPAA complaint against you, whether you have violated HIPAA or not. The OCR makes it easy for anyone to submit a HIPAA complaint with just a few clicks. Complaints can be filed online with the OCR directly, or with your own Compliance Officer. This isn’t meant to shock you, but to give you a sobering look at what to expect when it happens so you can be prepared.
What happens when the OCR receives a HIPAA complaint?
When the OCR receives a complaint, it reviews it according to the HIPAA Enforcement Rule to ascertain whether the conduct described violated the Security or Privacy Rule, and whether any criminal activity was involved. If the complaint wasn’t filed within 180 days of the alleged violation, or the OCR believes no rule was violated, the complaint is dismissed.
If criminal activity is detected in violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), the OCR will refer the complaint to the Department of Justice for investigation. If there is no criminal activity but a possible violation of the Security or Privacy Rule, the OCR will open an investigation.
What happens in a HIPAA violation investigation?
If the OCR decides to investigate a HIPAA complaint, it will contact the company named in the complaint and the person who filed the complaint. At this point, the OCR will gather evidence from both parties. They will ask you for a copy of your company’s policies and procedures, risk assessment history, and any other HIPAA compliance review material that may be relevant. This is where you can nip complaints in the bud if you are prepared.
The OCR will review the information and determine whether or not the Privacy or Security Rule was violated. If the OCR doesn’t find any violations of the HIPAA rules, it resolves the case. If it sees evidence of noncompliance, it takes action in one or more of the following ways:
- Voluntary compliance;
- Corrective action; and/or
- Resolution agreement.
What is voluntary compliance?
In many cases, the company knows what went wrong by the time the OCR has contacted it or at least learns what went wrong. It’s not uncommon for a company and its business associates to fix the problem while the investigation is ongoing. The OCR will even offer technical assistance if needed.
What is corrective action?
Cases that require corrective action can sometimes take years to investigate, depending on their complexity. The company or business associate will have to make corrections to their HIPAA Privacy and Security policies, procedures, safeguards, and training. Corrective action often comes with a Resolution Agreement.
How does a Resolution Agreement work?
A Resolution Agreement is a signed agreement between a non-compliant company or business associate and the HHS. The agreement can impose a fine and require monitoring from one to three years — the company has to make periodic reports to the HHS.
An example of a basic HIPAA violation that cost an SME $85,000
Company: Korunda Medical is a healthcare company that offers primary care and pain management to approximately 2,000 patients annually. It has a central office, five satellite offices, two primary care physicians, and five interventional pain physicians.
What happened? A patient asked Korunda several times to forward his or her records to a third party in a particular electronic format.
What did Korunda do wrong? Korunda dragged its feet on the request, charged more than the reasonably cost-based fees allowed under HIPAA, and didn’t provide the records in the requested electronic format.
What rule did Korunda violate? Individuals’ right under HIPAA to access their health information (45 C.F.R. § 164.524).
What action was taken? Initially, the OCR provided technical assistance to Korunda to teach them how they were supposed to respond to the request — and closed the case.
Why did Korunda get fined? The OCR received a second complaint about the same thing four days after it had provided the technical assistance to Korunda.
How was the case resolved? Korunda entered into a Resolution Agreement requiring an $85,000 payment and one year of a monitored Corrective Action Plan, during which Korunda was ordered to:
- Revise policies and procedures within 30 days and prove it.
- Create and present training materials within 60 days.
- Submit a list of all the patient requests for PHI, the dates, particulars, and the cost every 90 days.
- Report any employee who failed to comply within 30 days.
- Submit an Implementation Report summarizing progress within 120 days.
- File an Annual Report within 60 days of the close of the one-year monitoring period.
How much are the fines for HIPAA compliance violations?
Most Privacy and Security Rule investigations are resolved informally with technical assistance or Resolution Agreements. If the OCR decides to impose a civil money penalty (CMP), companies can either pay the penalty or request a hearing with an HHS judge if they disagree. If the judge rules that the fine is justified, companies can then appeal to the HHS appeals board within 30 days.
HIPAA has four levels of fines depending on the severity of the violation. Penalties can be imposed each year, every year, for each violation category. Violations that involve willful neglect (Levels 3 and 4) can lead to criminal charges.
1. The company did not know it had violated HIPAA.
$100–$50K per violation. $25K max per year.
2. There is reasonable cause to believe the company knew it had violated HIPAA.
$1K–$50K per violation. $100K max per year.
3. The company showed willful neglect of HIPAA rules but corrected the violation within 30 days.
$10K–$50K per violation. $250K max per year.
4. The company showed willful neglect of HIPAA rules and failed to correct the violation within 30 days.
$50K per violation. $1.5M max per year.
What’s the best way to avoid a HIPAA fine?
Your best defense against HIPAA enforcement and fines is to assume that you’ll have a HIPAA complaint filed against you at some point. Why? Because a HIPAA complaint opens the door to an audit where additional violations could be discovered.
Even if the original complaint ends up being false, the ensuing investigation and audit could uncover other HIPAA violations resulting in fines. Organizations that are merely box-checking for compliance could get in deep trouble here.
By assuming that you could be audited at any time, you’re more likely to stay on top of your HIPAA compliance reviews with periodic risk assessments. It’s better if you find all of your possible points of failure and correct them yourself before an OCR auditor does.