Compliance Confidence
How to Lose a Million in 60 Days: HIPAA Is No Romantic Comedy
How to Lose a Million in 60 Days: HIPAA Is No Romantic Comedy
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to maintain certain administrative, technical, and physical safeguards to secure its patients’, customers’ and employees’ protected health information (PHI), such as:
- Individual Rights
- Privacy Policies and Procedures
- Privacy Personnel
- Workforce Training
- Data Safeguards
- Mitigation and Complaints Procedures
- Notice and Record Retention
- Retaliation and Waiver Prohibitions
- Risk Analysis and Management
- Security Personnel
- Business Associate Agreement
- Minimum Necessary Requirement
- Workstation and Facility Control
- Device Security
If a covered entity fails to adhere to these standards, it may be subject to steep penalties and reporting requirements that will disclose its failures (within 60 days) to impacted individuals and sometimes the media and community at large.
Violation |
Per Violation Penalty |
Identical Violation in Calendar Year |
Did Not Know and Would Not Have Known | $117 – $59,522 | $25,000 (adjusted for inflation annually) |
Reasonable Cause and Not Willful Neglect | $1,191 – $59,522 | $100,000 (adjusted for inflation annually) |
Willful Neglect and Timely Corrected (within 30 days) | $11,904 – $59,522 | $250,000 (adjusted for inflation annually) |
Willful Neglect and Not Timely Corrected | $59,522 | $1,500,000 (adjusted for inflation annually) |
*2020 Penalty Shown Above
It is easy to look at the numbers in a chart and write them off as something that only happens to the mega-corporations you see on the news. However, here are a few examples of how easy, but costly HIPAA missteps can be for the average covered entity like you:
-
Failure to obtain a business associate agreement – Cost: $500,000
The covered entity failed to maintain a business associate agreement with a medical billing service that later exposed the PHI of 8,855 patients on its website.
-
Failure to terminate former employee’s access to electronic PHI (ePHI) – Cost: $111,400
The covered entity failed to terminate a former employee’s access to a web-based system, resulting in the unauthorized disclosure of 557 patients’ ePHI to the former employee and to the web-based system vendor with which the hospital did not maintain the required business associate agreement.
-
Failure to adequately protect ePHI on a stolen laptop – Cost: $1,725,220
The covered entity failed to address its known lack of encryption or implement an equivalent alternative for a company laptop which was later stolen, potentially exposing patient’s ePHI.
-
Failure to provide timely breach notification – Cost: $475,000
The covered entity lost the medical records of 836 individuals and failed to provide timely notice of the breach (within 60 days) to individuals, the media, or HHS when it notified them 100+ days after discovery of the breach.
-
Failure to securely dispose of PHI – Cost: $125,000
The covered entity failed to properly dispose of paper records containing PHI when it discarded the records in a dumpster that is accessible to the public.
These examples, along with the continued HIPAA Phase II audits, show the importance of knowing how to identify a HIPAA privacy or security breach and take the appropriate remedial action.