HIPAA Violation

A HIPAA violation is the failure to comply with any of the standards outlined in the rules.

Even after you’ve successfully completed an audit, there is a possibility that you may violate one of the HIPAA rules.

The five most common violations we see in the digital space are:

  • Failure to conduct a risk analysis.
  • Failure to provide HIPAA and Security Awareness training.
  • Failure to maintain and monitor PHI access logs.
  • Failure to terminate access rights to PHI when no longer required.
  • Failure to document compliance efforts.

Penalties for HIPAA violations apply to Covered Entities and Business Associates alike. The OCR currently uses a four-tier system to gauge the level of non-compliance and determine whether any financial penalties are to be levied.

  • Tier 1: Organizations in this tier have made a reasonable amount of effort to comply with HIPAA, but they may not have known about a breach and could not have avoided it. Financial penalties could range from $100 – $50,000 per violation, with a maximum penalty of $25,000 per year.
  • Tier 2: Organizations in this tier have made a reasonable amount of effort to comply with HIPAA, and were aware, or should have been aware, that a breach occurred. Financial penalties could range from $1,000 – $50,000 per violation, with a maximum penalty of $100,000 per year.
  • Tier 3: A breach occurred as a result of “willful neglect” on the organization’s part. However, attempts have since been made to correct the violation. Financial penalties for organizations in this tier are $10,000 – $50,000 per violation, with a maximum penalty of $250,000 per year.
  • Tier 4: A breach has occurred as a result of willful neglect, but no attempts have been made to correct the violation. The financial penalty for organizations that fall into this tier is $50,000 per violation, with a maximum penalty of $1.5 million per year.
