Businesses operating in the U.S. healthcare sector are required to comply with the data privacy and security regulations first defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of HIPAA legislation is to protect the privacy and security of an individual’s health-related information.
When HIPAA was passed, its primary concern was with safeguarding physical records containing protected health information (PHI). Subsequent updates to HIPAA regulations address the way the privacy and security of electronic protected health information (ePHI) are implemented.
In a perfect world, organizations would protect patient privacy and data security because it’s the right thing to do. Unfortunately, the market does not always operate in that way which was the reason HIPAA was necessary in the first place.
How Much Does HIPAA Noncompliance Cost?
Without the ability to levy fines and penalties, HIPAA would be an instructive but toothless set of standards. Fines for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) or state attorney generals.
The OCR issues civil fines directly related to HIPAA violations whereas in many cases, attorney generals enforce equivalent state standards. It can be easier to hold violators accountable with state laws and the financial penalties available can be greater than those imposed by HIPAA. In rare cases, criminal charges can result from activities such as the theft and use of PHI for financial gain.
Not all HIPAA violations lead to financial penalties. In some cases, especially when dealing with minor violations predicated by a misinterpretation of the rules, the OCR prefers organizations to adopt the necessary measures to comply voluntarily. When this tactic fails, the OCR has the authority to impose penalties on covered entities and business associates.
The costs of HIPAA noncompliance fall into two distinct categories.
A tiered structure is used to define the financial penalties for HIPAA violations. The cost of noncompliance varies and is based on the level of accountability demonstrated by the offending organization.
Four tiers are used to differentiate the severity of HIPAA violations.
- Tier 1 – This type of violation involves a covered entity that was unaware of the noncompliance issue. The issue is deemed to have been unavoidable even with a reasonable attempt to follow HIPAA guidelines.
- Tier 2 – These violations involve issues that a covered entity should have been aware of but could not be successfully addressed with a reasonable amount of care and effort.
- Tier 3 – This kind of violation indicates a “willful neglect” of HIPAA rules but also indicates the violator attempted to correct the issue.
- Tier 4 – The most egregious penalties are reserved for covered entities that demonstrate “willful neglect” and have made no attempt to address the violation.
The costs of violations in each tier are adjusted to reflect inflation with the last update occurring in November of 2021.
|Violation Tier||Minimum penalty per violation||Maximum penalty per violation||Maximum penalty per year|
Diminished organizational reputation
In addition to incurring substantial financial penalties, HIPAA noncompliance can lead to reduced customer trust and a hit to an organization’s reputation. In some cases, an organization may be able to shield its violation from public knowledge and avoid the wrath of its customers. But this is not always the case.
In cases where noncompliance resulted in a data breach, customers need to be notified so they can take the appropriate actions to safeguard their personal information. The awareness that their sensitive data has been compromised can influence future decisions about working with a breached organization.
In today’s competitive healthcare marketplace, companies don’t want to give customers additional reasons to shop around. It can take years to regain consumer trust after a data breach and some businesses never fully recover.
Examples of HIPAA Penalties
The increased focus on privacy and security has resulted in multiple financial penalties being assessed against organizations failing to maintain HIPAA compliance. Following are some recent HIPAA penalties of note.
- Premera Blue Cross was penalized $6.85 million for a 2014 data breach affecting the information of over 10 million individuals. The company had failed to conduct a risk analysis to reduce ePHI vulnerabilities. They were also found to have taken insufficient steps to monitor activity and prevent unauthorized access to ePHI resources.
- Cignet Health in Prince George’s County in Maryland was fined $4.3 million in 2011 for refusing to provide patients with copies of their medical records. This was the first civil penalty levied for a violation of the HIPAA Privacy Rule.
- Anthem experienced a data breach that resulted in the theft of records belonging to over 78 million of its members. The company settled with OCR and agreed to pay a $16 million fine in 2018. Numerous violations contributed to the data breach and the size of the resulting penalty.
A Cloud-based Approach to Maintaining HIPAA Compliance
A business can attempt to implement the necessary privacy and security measures to address HIPAA compliance with internal resources. Large companies often have dedicated teams whose primary responsibility is ensuring compliance with HIPAA and other regulatory standards. These teams understand what needs to be done and are skilled in carrying out the activities to protect ePHI.
Many small and mid-sized businesses do not have this luxury. These companies are challenged to provide the technical skills and resources required to maintain HIPAA compliance. Small doctors’ offices and health clinics do not have an extensive IT staff at their disposal. In this situation, a company has two main options.
They can attempt to maintain HIPAA compliance with the knowledge that they will likely fail to sufficiently protect ePHI. The organization is gambling that they will not be breached or found to be noncompliant.
Taking this approach risks falling victim to the substantial penalties outlined above and is not the preferred method of addressing HIPAA compliance. It also jeopardizes the valuable ePHI of patients and customers.
A better approach to reaching HIPAA compliance is to engage a reputable third-party cloud provider that can offer out-of-the-box compliant solutions. Many public cloud vendors have HIPAA-compliant infrastructure and services available for customers of any size.
The benefits of going with a cloud-based managed HIPAA compliant solution include:
- Taking advantage of the cloud vendor’s technical expertise and understanding of the compliance landscape.
- Reducing capital expenditures by contracting for the required infrastructure components.
- Keeping ePHI safe with secure scheduled and managed backups.
- Eliminating the need for a company to devote resources to maintain a compliant infrastructure so the focus can be on their core business.
- Quickly scaling up or down to address changing business needs.
A reputable cloud provider that specializes in HIPAA compliant platforms can be just what the doctor ordered for businesses operating in the healthcare market.
Your business cannot afford the costs of HIPAA noncompliance. While the financial penalties will sting and affect your bottom line, the impact to your company’s reputation can be much more damaging. Entering a partnership with a reliable cloud provider as a business associate is an excellent way to reduce the complications and pitfalls of maintaining HIPAA compliance.