Back

What Happens If You Violate HIPAA

February 10, 2020 Acupuncture Practice Management
Colorful file folders

From hiring, firing, or training employees to managing patients to bookkeeping, there are a lot of balls to juggle when it comes to running your own clinic. While it’s hard to pick out just one piece of the puzzle that should be considered the most important, the protection of your patients’ personal health information (PHI) and maintaining HIPAA compliance surely lands among the top three. 

At Unified Practice, we wanted to create an all-in-one system that would help our clinics reach new levels of success by streamlining your important daily tasks and making communication between clinics and patients easier. As part of those efforts, we are diligent about partnering with companies, like Constant Contact, that know helping our clinics maintain HIPAA compliance through patient communication is vital to their success. 

What is HIPAA?

To help medical providers take PHI protection seriously, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. HIPAA was designed to bring rules and regulations to three main areas: Administrative, Physical and Technical. 

Administrative regulations were put into place to ensure patient data was correct and easy to access by authorized parties.

Physical regulations were put into place to prevent physical theft and loss of devices containing PHI.

Technical regulations were put into place to protect your networks and devices from data breaches and unauthorized access to patient files.

What are the most common HIPAA violations?

To protect yourself, your clinic and your employees, it’s not only important for you to know what constitutes a HIPAA violation but also be able to train your employees on what is and isn’t HIPAA compliant. 

Here are common HIPAA violations you may or may not see happening around your clinic daily:

  • A healthcare professional snooping on patient records
  • Emailing PHI to personal email accounts
  • Removing PHI from a healthcare facility
  • Leaving portable electronic devices or paperwork containing PHI unattended
  • Releasing patient information to an unauthorized individual or without patient authorization
  • Disclosure of PHI to a third party after the expiry of an authorization
  • Downloading PHI to an unauthorized device

What do you do if you notice a HIPAA violation?

First of all, every covered entity should have an in-house privacy officer. This can be someone hired specifically to handle defining, implementing, and maintaining the practice’s privacy policy and procedures. If you do not have the resources to hire someone (like a manager or higher-up) for this role, someone already within the organization can decide to take it on. The privacy office should understand HIPAA and be extremely organized and detail-oriented. To learn more about what duties the privacy office should take on, check out Total HIPAA Compliance’s break down here.

Once you or an employee notices a HIPAA violation — accidental or not — it’s important to address the issue right away. Employees who notice a violation in the workplace should report the incident to their manager and/or their HIPAA privacy officer. Once the privacy officer has been notified, they will conduct an investigation and do a risk assessment. Once the assessment is made, the privacy officer will decide if the violation is an incident that should be reported to the OCR. 

What are the penalties for violating HIPAA?

The penalties for violating HIPAA can vary depending on the extent and circumstances of the violation. Once a violation is reported, either the Department of Health and Human Services’ Office of Civil Rights (OCR) will conduct an investigation into those complaints and determine whether it’s a case of civil matter or criminal matter. If the OCR decides it’s criminal, the case will be referred to the Department of Justice.

Like any legal infraction, the severity of the penalty depends entirely on the circumstances and severity of the violation. In the most tame cases, individuals may be required to pay $100 per violation up to a maximum of $25,000 for repeat violations. In the most egregious cases involving an individual who has demonstrated willful neglect of HIPAA rules with no attempt to correct the violation, the minimum penalty is $50,000 per violation up to a maximum of $1.5 million for repeat violations.

For criminal cases, offenders may see the lesser sentence of a $50,000 fine and up to one year in prison or the maximum sentence of $250,000 and up to 10 years in prison. 

How Do You Ensure Your Practice is HIPAA Compliant?

If you’re not sure if your operating completely HIPAA complaint, download HIPAA Journal’s free HIPAA Compliance Checklist (or find another checklist you like) and do an audit of your practice. 

Because Unified Practice knows how important it is to protect your patient PHI, we’ve set up a few key features to help ensure you keep your clinic HIPAA-compliant:

  • Requiring a fingerprint or passcode login for the iPad app
  • Each integration removes PHI when passing information to keep it securely stored on our servers
  • All information is stored in a HIPAA-compliant SSAE 16 SOC 1 and SOC 2 data center
  • All data is encrypted when being transferred over the internet
  • Offsite data backups are performed daily
  • No information is stored locally on your iPad or computer
  • We sign BAAs with all of our partners (and recommend you do, too!)

To learn more about how we protect you and your patient’s data, check out this help article.

Want more content like this delivered right to your inbox?
Sign up for our newsletter!