What Counts as a HIPAA Violation?
We are not giving legal advice—Commprise is an MSP and not qualified to do that; our goal is to get you up to speed with what HIPAA compliance is, help you understand its purpose, and better comprehend how it relates to your IT security.
With that said, most HIPAA violations occur as a result of negligence or only partial compliance with the HIPAA Privacy and Security Rules. If there has clearly been a data breach, or a theft of devices or documents that may give the thief access to PHI or ePHI, that counts as a HIPAA violation.
However, if something like a laptop containing ePHI is stolen but the ePHI on it is encrypted, this would not count as a HIPAA violation, since the data would remain secure.
Common Causes of HIPAA Violations
There are several common causes of HIPAA violations, and all of them can be avoided if your organization follows IT security best practices.
- If a thief manages to sneak into your facility and steal equipment, storage units, or devices that have PHI on file, this would cause a HIPAA violation. Keep in mind that data theft often occurs from inside your organization. In fact, according to Statistic Brain, 75% of employees have admitted to stealing from their employer at least once.
- Another common cause of HIPAA violations is when a hacker manages to get into your company databases which contain PHI. They may not specifically be after PHI, but the risk is still there. RiskBased reported that, “Data breaches exposed 4.1 billion records in the first half of 2019.”
- If you discuss PHI in public, whether it be in person or on online forums/social media, this could result in a HIPAA violation.
- Another common cause of HIPAA violations is someone within your organization accidentally sending PHI to the wrong person, so it’s best to put measures in place to make sure that all transferred data goes only where it’s meant to.
What are the Different Fine Levels of HIPAA Compliance Violations?
There are four levels of fines for HIPAA compliance violations.
- Level 1: Did Not Know — This is where the covered entity was unaware of and couldn’t have realistically avoided the violation. At this level, a reasonable amount of care must have been taken to abide by the HIPAA regulations. Minimum fine of $100 per violation, up to $50,000.
- Level 2: Reasonable Cause — This is when the covered entity should have been aware of the violation, but could not have avoided it even if they acted with a reasonable amount of care. Minimum fine of $1,000 per violation, up to $100,000.
- Level 3: Wilful Neglect — This is when the violation occurred as a direct result of wilful neglect, but an attempt was made to correct the violation. Minimum fine of $10,000 per violation, up to $250,000.
- Level 4: Wilful Neglect + No Action — This is when the violation was a result of wilful neglect and no action was taken to correct the violation. Minimum fine of $50,000 per violation, up to $1,500,000.
Keeping Your Company’s Private Data Secure
If your company works with personal health information (PHI), it’s important that you see HIPAA compliance as more than just a law you must abide by.
The PHI you hold is data that your organization is responsible for, and protecting and securing that data is critical to thriving in the modern digital age.
If you’re uncertain of your business’s security or compliance, gain clarity with Commprise. With our IT Security and Compliance Auditing services, you’ll be able to get a complete picture of the security of your IT systems, network, and data.
An in-depth understanding of your IT environment will allow you to clearly document and remediate any security weaknesses that might stand between you and maintaining compliance.