What Is a HIPAA Violation?
A HIPAA violation is the unauthorized disclosure of protected health information or the failure to provide timely access to patient data to authorized individuals against the mandates of the Health Insurance Portability and Accountability Act, or HIPAA. Those who follow Healthcare IT news will often see stories about large HIPAA settlements enforced by the US Department of Health & Human Services (HHS). The biggest violation so far in 2021 is Lifetime Healthcare Companies‘ violation, where 9.3 million people were affected and a $5.1 million fine was enforced. In 2020, Premera Blue Cross was the biggest violation; 10.4 million people were impacted and a $6.9 million fine was handed down.
No HIPAA violation situation is ever the same as another, and not all penalties will be as severe as the examples above. If your organization is found to be in violation of HIPAA, you won’t necessarily have to pay millions of dollars. Such massive penalties are only for the very worst offenders, but what are the general parameters for violations?
Summary of OCR HIPAA Settlements 2021
At the time of writing, October 2021, there have been eight settlements with the OCR so far this year. The majority of settlements are for healthcare organizations failing to give timely access to medical records, which is a mandatory requirement of HIPAA.
| Covered Entity | Reason | Individuals Impacted | Amount |
| Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”) | Failed to give timely access to Patient Data | 1 | $5,000 |
| AEON Clinical Laboratories (Peachstate) | Unsecured PHI in Telehealth App | 3 | $25,000 |
| Banner Health ACE | Failed to give timely access to Patient Data | 1 | $200,000 |
| Lifetime Healthcare Companies | Data Breach | 93,000,000 | $5,100,000 |
| Renown Health, P.C | Failed to give timely access to Patient Data | 1 | $75,000 |
| Sharp Rees-Stealy Medical Centers | Failed to give timely access to Patient Data | Unknown | $70,000 |
| Arbour Hospital | Failed to give timely access to Patient Data | 1 | $65,000 |
| Village Plastic Surgery | Failed to give timely access to Patient Data | 1 | $30,000 |
Historical OCR Settlements (2016-2020)
Source: HIPAA Journal
Following on from our 2021 figures, the HIPAA Journal has published data from 2016 to 2020. We have compiled this data to show the biggest penalties of each year.
| Covered Entity | Reason | Individuals Impacted | Amount | Year |
| University of Rochester Medical Center | Loss of flash drive/laptop; no encryption | 43 | $3,000,000 | 2019 |
| Sentara Hospitals | Breach notification failure; business associate agreement failure | 577 | $2,175,000 | 2019 |
| Touchstone Medical Imaging | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure | 307,839 | $3,000,000 | 2019 |
| Texas Department of Aging and Disability Services | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI | 6,617 | $1,600,000 | 2019 |
| Jackson Health System | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations | 25,661 | $2,154,000 | 2019 |
| Cottage Health | Risk analysis and risk management failures; No BAA | 62,500 | 3,000,000 | 2018 |
| Anthem Inc | Risk analysis failure; Insufficient reviews of system activity; Failure to respond to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access | 78,800,000 | $16,000,000 | 2018 |
| Fresenius Medical Care North America | Risk analysis failures; Impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards | 521 | $3,500,000 | 2018 |
| University of Texas MD Anderson Cancer Center | 3 breaches resulting in an impermissible disclosure of ePHI; No Encryption | 34,883 | $4,348,000 | 2018 |
| Memorial Healthcare System | Impermissible access of PHI by employees; Impermissible disclosure of PHI to affiliated physicians’ offices | 115,143 | $5,500,000 | 2017 |
| Cardionet | Theft of an unencrypted laptop computer | 1,391 | $2,500,000 | 2017 |
| Memorial Hermann Health System | Disclosure of patient’s PHI to the media | 1 | $2,400,000 | 2017 |
| 21st Century Oncology | Multiple HIPAA violations | 2,213,597 | $2,300,000 | 2017 |
| MAPFRE Life Insurance Company of Puerto Rico | Theft of an unencrypted USB storage device | 2,209 | $2,200,000 | 2017 |
| Children’s Medical Center of Dallas | Theft of unencrypted devices | 6,262 | $3,200,000 | 2017 |
Legislative Basis
The OCR and Centers for Medicare & Medicaid (CMS) are authorized to enforce HIPAA. The amount of some penalties can be frighteningly high, including civil and criminal judgments.
The stimulus package that was adopted in 2009, called the American Recovery and Reinvestment Act (ARRA), detailed the specific minimum and maximum limits for healthcare privacy and security violations. “The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty,” according to the American Medical Association, “based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.”
However, there is an exception: if the agency determines that you were not purposely neglectful, you will have one full month to rectify the situation.
Consequences of HIPAA Violations – Civil Penalties for HIPAA Non-Compliance
| HIPAA Violation | Minimum Penalty | Maximum Penalty | |
| Scenario #1 | The organization or employee was unaware that they were in violation of the law, despite operating soundly | $100 for each instance of noncompliance, up to $25,000 total (the highest amount that can be assessed by an attorney general at the state level) | $50,000 for each instance, totaling up to $1.5 million |
| Scenario #2 | The company was noncompliant not because of purposeful neglect but because of unexpected causes | $1000 for each instance, up to $100,000 total | $50,000 for each instance, totaling up to $1.5 million |
| Scenario #3 | Purposeful neglect occurred, but the company took corrective action within an acceptable time window | $10,000 for each instance, up to $250,000 total | $50,000 for each instance, totaling up to $1.5 million |
| Scenario #4 | Purposeful neglect occurred, and the company did not implement the steps of a corrective plan | $50,000 for each instance, up to $1.5 million total | $50,000 for each instance, totaling up to $1.5 million |
HIPAA Non-Compliance Criminal Penalties – Can You Be Imprisoned?
According to data published by the HHS, up to 31st August 2021, the OCR has received nearly 273,000 compliance-related complaints, with over 1101 being investigated. However, in only 100 cases the OCR has settled or imposed a civil money penalty (since 2008), totaling $130,980,482.00 so far.
Jail terms are rare, but not unheard of. In February 2017, Jeffery Luke was jailed for stealing PHI from his employer’s secured Google Drive accounts. In January 2020, Stacey Lavette Hendricks was imprisoned for 48 months for PHI identity theft.
“Covered entities and specified individuals … who ‘knowingly’ obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000,” explained the AMA report, “as well as imprisonment up to one year.”
Sentencing can be more severe, though. Anything that violates the law and involves deception carries a maximum sentence of $100,000 and/or five years imprisonment. Violations that occur because individual plans to use the data for their own gain or for malevolent reasons are penalized with judgments up to $250,000, accompanied by prison sentences as high as ten years.
Covered Entities & Individual People
The Department of Justice decided that if it is determined that a crime has been committed, covered entities (healthcare plans, data clearinghouses, and providers) can be held directly liable. Leadership at a covered entity can also be subject to criminal investigation and sentencing by piercing the corporate veil. Even if someone in an executive position at a company where misuse takes place didn’t do anything that was specifically non-compliant, they still may be guilty as a co-conspirator or accomplice.
“Knowingly”
The Department of Justice specifically targeted a word within the HIPAA crime provisions that are a source of confusion: what does knowingly mean?
Knowingly refers to the highest criminal penalty situation listed above, the “for their own gain” scenario (bolded above). According to Law360, “Under the statute, covered entities and individuals who ‘knowingly’ obtain or disclose individually identifiable health information with the intent to” profit from it or hurt someone face the stiffest penalties.
The Department of Justice clarified in 2005 that the word referred to knowledge of HIPAA law rather than knowledge of a particular instance of noncompliance.
Exclusion & Upholding the Law
The federal government can remove any healthcare plan, provider, or clearinghouse from the Medicare system if they have not adopted a universal, standardized medical code. In terms of enforcement, the OCR identifies and punishes HIPAA privacy violations. The Centers for Medicare & Medicaid (CMS) oversees security and uniform code.
Choosing a Compliance Partner
As you see above, the consequences of violating HIPAA can be extreme. Even if you don’t get fined millions, it’s not a productive way to spend money, and it’s not fun to end up on the HIPAA Wall of Shame.
That’s why it’s extraordinarily important to choose a technological partner that specializes in healthcare HIPAA Compliance Hosting like Atlantic.Net. Our Virtual Private Servers offer a 100% uptime guarantee and can launch in under 30 seconds.
Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, visit us at www.atlantic.net, call 888-618-DATA (3282), or email us at [email protected].
