A Review of Penalties for HIPAA Noncompliance (And How to Comply)

In this post we’ll explain the penalties associated with HIPAA noncompliance. With healthcare information so highly sought by cybercriminals, it’s essential your organization can comply by identifying and securing all electronic protected healthcare information (e-PHI).

What is HIPAA

The Health Insurance Portability and Accountability Act 1996 (HIPAA) is the US federal law that provides privacy and data protection for sensitive health information of patients. The HIPAA Privacy Rule sets out the requirements for handling protected health information (PHI) that eligible organizations and institutions must satisfy to comply with HIPAA. Further, the HIPAA Security Rule sets additional requirements to protect electronic health information (e-PHI).

HIPAA applies to healthcare providers, health plan providers, healthcare clearing houses and business associates involved in healthcare-related services.

Failure to comply with HIPAA and its Rules as well as breaches or unauthorized disclosures of PHI and e-PHI can result in significant monetary penalties and even criminal charges.

The cost of noncompliance

Each year, the Office of Civil Rights (OCR) provides a report to Congress that summarizes the complaints and healthcare breaches it has received as well as its enforcement action under the HIPAA legislation.

According to their most recent report, the OCR resolved 17 investigations in 2021 and imposed penalties of $6.1m. The OCR also provides a report on breaches of unsecured PHI. In 2021, they investigated 631 breaches and issued penalties over $5.1m.

Criminal violations of the Act — such as theft of patient information or wrongful disclosure — can result in fines to individuals of $50,000–$250,000 and potential jail terms of between 1 and 10 years.

The Health Information Technology for Economic and Clinical Health (HITECH) Act operates in close association with HIPAA. For breaches of electronic systems and records, individuals can pursue organizations for civil penalties. Single/initial violations can be as much as $250,000 with repeat offences extending up to $1.5m.

How to comply

Achieving healthcare data compliance means implementing safeguards to ensure the privacy and security of PHI and e-PHI. These include:

• Documenting security and privacy policies to establish how you will protect and security sensitive PHI and e-PHI
• Identifying all PHI and e-PHI within on-premises networks and cloud services
• Disposing of any data that is no longer required
• Implement physical and technical security controls to safeguard PHI and e-PHI data from unauthorized access or disclosure
• Appointing a HIPAA compliance officer to provide governance and oversight of organizational performance
• Establishing a breach notification procedure so you can be prepared to respond to any data breach or violation

How Ground Labs can help

The journey toward sustainable HIPAA compliance starts by understanding where your PHI data resides. Ground Labs’ data discovery and data management solutions can locate health information stored across on-premises and cloud-hosted environments and deliver a range of remediation and data management features.

To find out how Enterprise Recon can streamline your HIPAA compliance efforts, request your complimentary data security risk assessment today.