What happens if you violate HIPAA depends on the nature and consequences of the violation, the motive for the violation, and whether you knew – or should have known – that the violation was indeed a violation. What happens if you violate HIPAA can also depend on if or how the violation is identified.
To help explain the many factors that can influence what happens when you violate HIPAA, we will use as an example a healthcare employee who shares their EHR login credentials with a junior colleague, believing the colleague wants to access a patient's file in order to phone the patient's family with an update.
If the junior colleague only uses the login credentials to obtain a phone number and phone the patient´s family with an update – and the patient has not objected to this information being shared with their family – no harm has occurred and there has been no impermissible use or disclosure of PHI.
Nonetheless, although the motive for sharing the EHR login credentials is well meaning (and the healthcare employee does not have to stop what they are doing to retrieve the information for the colleague), the action is a violation of HIPAA. The Security Rule requires each member of the workforce to be assigned a unique user identifier for identifying and tracking user activity when they have access to PHI (§164.312(a)(2)(i)), and once credentials are shared, every access made by the junior colleague is recorded in the audit trail against the senior employee's identity rather than their own.
What Happens if You Violate HIPAA Like This?
This will depend on whether the violation is identified, how it is identified, and whether either party knew that sharing login credentials is a violation of HIPAA. Possibly one of the worst outcomes from the event is that it is not identified at all, because this may lead to further compliance shortcuts being taken which, if unchecked, could lead to noncompliance becoming a "cultural norm".
If the violation is identified by a senior employee or an alert member of the IT team, it will likely be reported to the compliance officer. What happens then depends on whether either employee has been told that sharing login credentials is a violation of HIPAA via HIPAA training. If so, both could face sanctions depending on the consequences of the violation.
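The "alert member of the IT team" in the scenario above usually spots credential sharing in the EHR access audit trail that §164.312 exists to make possible. The example below is added here and is not code from HIPAA Journal or from any EHR vendor; it assumes a CSV audit log with timestamp, user ID, workstation, action and patient ID columns, a ten-minute interleaving window, and the constructed (fictional) users and patient IDs embedded in it. It shows two things: that the audit trail attributes the junior colleague's lookup to the senior employee's account, so the accounting of who viewed the record is wrong; and a heuristic that flags one user ID appearing on workstation A, then B, then A again within the window with no logout in between, which is the pattern two people sharing one account produce.

```python
"""Shared-credential indicators in an EHR access audit log.

Added example (not HIPAA Journal's or any vendor's code). The log format,
the column names, the window length and every user/patient ID are assumed
and constructed for illustration.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit log. rn.alvarez's account is used on WS-ICU-03
# and WS-WARD-07 at the same time (credentials shared); dr.chen logs out
# before moving to another terminal, which is normal behaviour.
SAMPLE_LOG = """timestamp,user_id,workstation,action,patient_id
2024-03-04T09:00:12,rn.alvarez,WS-ICU-03,LOGIN,
2024-03-04T09:01:40,rn.alvarez,WS-ICU-03,VIEW_CHART,P10021
2024-03-04T09:04:05,rn.alvarez,WS-WARD-07,LOGIN,
2024-03-04T09:04:30,rn.alvarez,WS-WARD-07,VIEW_DEMOGRAPHICS,P10021
2024-03-04T09:06:10,rn.alvarez,WS-ICU-03,ORDER_ENTRY,P10021
2024-03-04T10:15:00,dr.chen,WS-CLINIC-01,LOGIN,
2024-03-04T10:16:00,dr.chen,WS-CLINIC-01,VIEW_CHART,P10440
2024-03-04T12:30:00,dr.chen,WS-CLINIC-01,LOGOUT,
2024-03-04T13:00:00,dr.chen,WS-CLINIC-02,LOGIN,
"""

# Assumed: an A -> B -> A pattern inside this window is treated as one account
# being driven from two terminals at once.
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user_id: str
    workstation: str
    action: str
    patient_id: str


def parse_log(text: str) -> list[Event]:
    """Parse the CSV audit log into time-ordered events."""
    rows = csv.DictReader(StringIO(text))
    events = [
        Event(datetime.fromisoformat(r["timestamp"]), r["user_id"],
              r["workstation"], r["action"], r["patient_id"])
        for r in rows
    ]
    return sorted(events, key=lambda e: e.ts)


def users_who_accessed(events: list[Event], patient_id: str) -> list[str]:
    """User IDs the audit trail credits with touching a patient's record.

    With shared credentials this names only the credential owner, so an
    accounting of disclosures built from it would be wrong.
    """
    return sorted({e.user_id for e in events if e.patient_id == patient_id})


def find_shared_credential_indicators(events: list[Event],
                                      window: timedelta = WINDOW) -> list[dict]:
    """Flag a user ID active on workstation A, then B, then A within `window`.

    A LOGOUT on a workstation drops it from the user's recent history, so a
    clinician who logs out before moving terminals is not flagged. The result
    is an indicator to investigate, not proof of sharing.
    """
    recent: dict[str, list[Event]] = {}   # user -> last event on up to 2 workstations
    findings: dict[tuple, datetime] = {}
    for ev in events:
        hist = recent.setdefault(ev.user_id, [])
        if ev.action == "LOGOUT":
            recent[ev.user_id] = [e for e in hist if e.workstation != ev.workstation]
            continue
        if (len(hist) == 2
                and hist[1].workstation != ev.workstation
                and hist[0].workstation == ev.workstation
                and ev.ts - hist[0].ts <= window):
            key = (ev.user_id, frozenset((hist[1].workstation, ev.workstation)))
            findings.setdefault(key, ev.ts)   # report the first interleaving only
        if hist and hist[-1].workstation == ev.workstation:
            hist[-1] = ev                     # same terminal: refresh last-seen
        else:
            hist.append(ev)
            if len(hist) > 2:
                hist.pop(0)
    return [
        {"user_id": u, "workstations": tuple(sorted(ws)), "first_seen": ts}
        for (u, ws), ts in findings.items()
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Credited with accessing P10021:", users_who_accessed(evs, "P10021"))
    for f in find_shared_credential_indicators(evs):
        print(f"{f['user_id']} active on {f['workstations']} concurrently, "
              f"first seen {f['first_seen'].isoformat()}")
```

On the sample data the accounting credits only rn.alvarez with the P10021 lookup, and the interleaving check produces one finding for that account across WS-ICU-03 and WS-WARD-07, while dr.chen's logout-then-login on a second terminal is not flagged. In a real deployment the same logic would be run over the EHR's exported audit log and the findings routed to the compliance officer, who decides whether the scenario is training-related or a sanctionable policy violation.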
The consequences of the violation can vary from no harm occurring at all to an impermissible disclosure of PHI if, for example, the message was left with a non-family member due to a lack of identity verification. The latter could lead to the patient making a complaint to the healthcare facility or to HHS' Office for Civil Rights (OCR).
If a complaint is made to OCR, and the agency decides to conduct a compliance review, the consequences could consist of a corrective action plan to prevent login credentials being shared in the future; or, if the violation was attributable to a lack of training, the review could escalate to a full investigation – during which other areas of non-compliance may be identified.
If other areas of non-compliance are identified, the consequences of a well-meaning action could result in the healthcare facility being issued with a civil monetary penalty. Further civil penalties could be sought by a State Attorney General, or damages awarded by a civil court under state law, if the impermissible disclosure of PHI resulted in the patient suffering personal harm (e.g., identity theft).
Criminal Penalties for Sharing Passwords in Violation of HIPAA
In addition to employer sanctions, the healthcare worker and the junior colleague could also face criminal penalties if their employer has a policy prohibiting the sharing of login credentials. This is because "a person who knowingly and in violation of this part [...] uses or causes to be used a unique health identifier [...] shall be punished" under §1177 of the Social Security Act (42 U.S.C. §1320d-6), and the same section provides that a person is considered to have obtained or disclosed individually identifiable health information in violation of it if they obtained or disclosed the information without authorization.
In this case, the healthcare worker "caused" the login credentials to be used by sharing them with the junior colleague, while the junior colleague "used" them. It also matters that the employer has a policy prohibiting the sharing of login credentials; otherwise the two employees could claim they did not act knowingly (in which case the employer could be sanctioned by OCR for failing to conduct a risk analysis and implement policies prohibiting password sharing).
The criminal penalties for sharing passwords in violation of HIPAA depend on the motive for knowingly and wrongfully disclosing individually identifiable health information. Knowingly sharing or using the credentials could, in theory, attract a fine of up to $50,000 and a jail sentence of up to a year. If the junior colleague obtained the patient's health information and disclosed it to someone else, they could receive:
- A fine of up to $100,000 and up to five years in jail if the offense was committed under false pretenses, or
- A fine of up to $250,000 and up to ten years in jail if the offense was committed to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm.
While this might seem an extreme example of what happens if you violate HIPAA, it is important to be aware that laws exist that enable these consequences to transpire. Therefore, HIPAA Covered Entities and Business Associates should conduct comprehensive risk assessments, develop policies to mitigate the risks from all foreseeable threats, and train all members of the workforce on those policies. Thereafter, the workforce must comply with the policies.
What Happens if You Violate HIPAA? FAQs
Do other types of HIPAA violations have the same consequences?
All violations of HIPAA that contravene an employer's HIPAA policies will likely attract sanctions, while those that result in a complaint being made to OCR could result in enforcement action. Violations that involve the knowing and wrongful disclosure of PHI must be notified by the Covered Entity to OCR, which reviews the case and may refer it to the Department of Justice for possible criminal prosecution.
Is it only Security Rule violations that attract sanctions?
No. While the scenario above relates to a Security Rule violation, the violation of any Privacy Rule policy that results in the knowing and wrongful disclosure of PHI could have the same outcome. The important consideration is whether a policy exists to explain it is a violation, and that the workforce has been informed of the policy – and the sanctions for violating the policy – via HIPAA training.
Why do Covered Entities have to notify violations to OCR?
Under the Breach Notification Rule, Covered Entities have to notify OCR (and affected individuals) when there has been a breach of unsecured PHI. An impermissible disclosure is presumed to be a breach unless a risk assessment demonstrates a low probability that the PHI has been compromised, and a knowing and wrongful disclosure cannot meet that standard because the Covered Entity has no control over how the disclosed PHI will be further used or disclosed.
Why might a patient complain if they have consented to family members being contacted?
If the patient has consented to family members being contacted, but individually identifiable health information is disclosed to a third party, the patient could complain the disclosure is a violation of their privacy rights. Consequently, it is important healthcare professionals verify the identity of the person they are speaking with before disclosing Protected Health Information.
Has anybody ever been jailed for violating HIPAA?
Yes. The following are just a few reported examples of employees receiving custodial sentences for impermissibly obtaining and disclosing Protected Health Information.
- Florida Medical Clinic Worker Sentenced to 48 Months in Jail over Theft of PHI
- 3-Year Jail Term for VA Employee Who Stole Patient Data
- Former New York Dental Practice Receptionist Sentenced to 2-6 years for HIPAA Violation
- UPMC Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation
The post What Happens if You Violate HIPAA? appeared first on HIPAA Journal.