The main purpose of the Health Insurance Portability and Accountability Act is to protect an individual’s privacy regarding health information. Those who are subject to this privacy rule include healthcare providers, healthcare clearinghouses, health plans and business associates of the covered entities.
When a covered entity violates a condition of HIPAA, this individual or organization can face various penalties.
Common HIPAA violations
The HIPAA Journal discusses common HIPAA violations:
- Failure to safeguard personal health information electronically
- Unallowed disclosure of PHI
- Failure to train employees about HIPAA rules and regulations
- Inappropriate disposal of PHI
- Failure to provide a patient access to his or her health records
Covered entities must also perform risk analysis regularly and manage any security risk.
Penalties for violations
The Office for Civil Rights of the U.S. Department of Health and Human Services investigates complaints of violations. If it determines that a violation occurred, the American Medical Association notes that the matter is often resolved through voluntary compliance by the covered entity, a resolution agreement, or corrective action.
The Department of Justice investigates complaints related to criminal provisions of the Act. There are civil and criminal penalties associated with unresolved HIPAA violations.
Civil penalties include fines that vary based on the nature and severity of the violation as well as any harm that resulted. Criminal penalties are more severe. Cases in which the covered entity unknowingly violated HIPAA may result in fines ranging from $100 to $50,000 per violation. Knowingly violating HIPAA results in fines that range from $1,000 to $50,000 per violation and imprisonment of up to 10 years.