HIPAA Violation, Healthcare Ransomware

What are HIPAA Violation Consequences?



Community Psychiatric Clinic Breach Affects 15,537

In three separate email hacking incidents at Community Psychiatric Clinic, the protected health information (PHI) of 15,537 patients was exposed. Although little information is available on these breaches, all three incidents were reported to the Department of Health and Human Services (HHS) on August 15, 2019. Investigations are ongoing; the HIPAA violation consequences will differ depending on the cause of the breach.

Civil HIPAA Violation Consequences

Most HIPAA violations result in civil penalties for noncompliance. Fines are issued based on the nature of the violations and the organization’s response to the incident. If the violation is corrected within 30 days of discovery, fines are not issued, unless the violation was the result of “willful neglect.”

Civil violations are classified into four tiers:

  • First Tier: the covered entity did not know and could not reasonably have known of the breach ($100-$50,000 per incident, with a maximum annual of $1.5 million).
  • Second Tier: the covered entity “knew, or by exercising reasonable diligence would have known” of the violation, though they did not act with willful neglect ($1,000-$50,000 per incident, with a maximum annual of $1.5 million).
  • Third Tier: the covered entity “acted with willful neglect” and corrected the problem within a 30-day time period ($10,000-$50,000 per incident, with a maximum annual of $1.5 million).
  • Fourth Tier: the covered entity “acted with willful neglect” and failed to make a timely correction ($50,000 per incident, with a maximum annual of $1.5 million).

Criminal Penalties for HIPAA Violations

Under some circumstances, HIPAA violation consequences include criminal penalties. Criminal penalties result from knowingly accessing PHI outside of one's job responsibilities.

Criminal penalties are also classified into tiers:

  • First Tier: the covered entity and specified individuals “knowingly” obtain or disclose PHI in violation of the Administrative Simplification Regulations (fine up to $50,000 and up to 1 year in prison).
  • Second Tier: violations committed under false pretenses (fine up to $100,000 and up to 5 years in prison).
  • Third Tier: violations committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm (fines up to $250,000 and up to 10 years in prison).

Behavioral health practices that can prove their “good faith effort” towards HIPAA compliance will likely pass a HIPAA audit. Implementing an effective HIPAA compliance program, along with employee training, will limit the risk of a breach resulting in HIPAA fines or prison time.

HIPAA Definitions

Reasonable diligence: reasonable steps taken to satisfy a legal requirement.

Willful neglect: defined by the HHS as, “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”

Knowingly: knowledge that actions are considered a HIPAA violation, without specific knowledge of actions being taken, is considered “knowingly.”

Basic Telehealth Legal & Ethical Rules: HIPAA, Privacy, Working Across State Lines, Malpractice Insurance

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.
