Healthcare employees need to be aware of the HIPAA rules and regulations and the possible penalties if they break these rules. This is why covered entities need to conduct HIPAA awareness training for their employees.
If a healthcare employee breaks the HIPAA rules, four outcomes are possible. The employer may opt to deal with the violation internally. The employee may be terminated. The employee may be sanctioned by professional boards. The employee may face criminal charges and may have to pay fines or serve a prison term.
The severity of the violation is the primary factor that would dictate what will happen next to the employee. The decisions of employers, federal regulators, professional boards and even the Department of Justice rest upon the following factors:
- The nature of the violation
- Whether the employee knew the HIPAA Rules were being violated, or should have known had they exercised due diligence
- Whether action was taken to correct the violation
- Whether the violation was committed with malicious intent or for personal gain
- The harm that resulted from the violation
- The number of people affected by the violation
- Whether the criminal provisions of HIPAA were violated
The civil penalties for HIPAA violations vary. A person may be charged at least $100 per violation of the HIPAA rules. A fine of $25,000 will be charged for repeatedly violating the HIPAA rules. This applies when the person knowingly violated the HIPAA rules, or should have known but did not exercise due diligence. Civil penalties will not apply if the person did not willfully neglect the HIPAA rules and corrected the violation within 30 days of becoming aware of it.
There are severe criminal penalties for breaking HIPAA rules. $50,000 is the minimum fine and $250,000 is the maximum penalty for willfully breaking the HIPAA rules. Restitution to the victims may also be required. Aside from paying the fine, criminal violators will likely serve a jail term. Criminal violations due to negligence carry a jail term of up to one year. Accessing protected health information under false pretenses carries a jail term of up to 5 years. Violating HIPAA rules with malicious intent or for personal gain carries a jail term of up to 10 years. Aggravated identity theft carries a mandatory jail term of two years.