Before engaging in a HIPAA audit, it’s important to know the difference between a covered entity and a business associate because HIPAA has different requirements for each group.
As a recap, there are three rules, and only one is mandatory for both groups:
- Security Rule – (Mandatory) for both covered entities and business associates
- Breach Notification Rule – (Optional) for business associates & (Mandatory) for covered entities
- Privacy Rule – (Optional) for business associates & (Mandatory) for covered entities
Covered entities are the typical health care organizations (private, employer, state or federal plans) such as:
- Health Insurance companies
- Government programs like Medicaid
- Nursing homes
These health care providers use the services of other individuals or businesses to help carry out their health care functions. Those individuals and businesses are the business associates. Some examples include:
- A third-party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
HIPAA violations depend on the type and severity of the violation. There are two types of violations:
- Civil violations
- Criminal violations
Civil violations result from:
- Lack of knowledge – the covered entity or business associate was unaware of the HIPAA rules. Fines range from $100 to $60,000 per violation
- Reasonable cause and not willful neglect – the covered entity or business associate should have known the action would violate HIPAA, but was not aware at the time. Fines range from $1,000 to $60,000 per violation
- Willful neglect, corrected within 30 days – the violation was caused by willful neglect, but the covered entity took corrective action within 30 days. Fines range from $12,000 to $60,000 per violation
- Willful neglect, not corrected within 30 days – the violation constituted willful neglect, and the entity made no attempt to correct it within 30 days. Fines range from $60,000 to $1,000,000 per violation
Criminal violations result from:
- Wrongful disclosure of PHI – the individual should have known better but, due to lack of knowledge, did not realize they were violating a rule. Up to $50,000, up to one year in prison, or both.
- Wrongful disclosure of PHI under false pretenses – obtaining PHI under false pretenses or disclosing it without permission. For example, a hospital employee cannot access the records of patients who aren’t under their care. Up to $100,000, up to five years in prison, or both.
- Wrongful disclosure of PHI under false pretenses with malicious intent – the individual wrongfully obtains PHI with the intent to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm. Up to $250,000, up to ten years in prison, or both.
Most common HIPAA violations include:
- Failure to perform an organization-wide risk assessment
- Failure to enter into a HIPAA-compliant business associate agreement
- Wrongful disclosures of PHI
- Delayed breach notifications
- Failure to safeguard PHI
HIPAA violations should be taken seriously and require special care. The following steps should be taken after a violation:
- An investigation of the incident
- Conducting a risk assessment to evaluate the level of compromise
- Providing further training, as appropriate, to the individual(s) responsible for the violation
Depending on the results of the risk assessment, the following steps may also be required:
- Notification of the individual(s) whose privacy was violated
- Reporting of the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR)
In particular, for business associates:
Business associates should inform their covered entity immediately in case of a HIPAA violation; HIPAA requires notification within 60 days.