The Health Insurance Portability and Accountability Act of 1996 or HIPAA is a very complex set of regulations designed to protect patients’ personal health information on several levels — spoken communications, written communications and digital communications — including live chat.
HIPAA compliance is not optional for entities covered by the Act, and enforcement is ongoing by the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) and the Department of Justice. In fact, from 2016 to 2019, HIPAA complaints received by HHS rose from 21,404 to 28,261, prompting investigations. In addition, enforcement is also triggered by reported breaches and compliance reviews, both of which can reveal additional violations.
A look at common violations and resolutions
According to HHS, the most investigated HIPAA alleged violations, in order of frequency, are:
- “Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronically protected health information; and
- Use or disclosure of more than the minimum necessary protected health information.”
Many of the above violations could be caused by non-compliant live chat or other means of communication, through technical or human error, or by deliberate actions.
To illustrate just how easy it is to violate HIPAA, take the case of a physician who faxed patient records to the patient’s employer instead of to the patient’s health care provider. Although no fine was levied, the employee at fault received a disciplinary warning, the physician and the employee apologized to the patient, and the office was required to institute a new fax cover page and “underscore a confidential communication for the intended recipient.” This violation was resolved without a monetary penalty, but not all are.
In 2019, the University of Rochester Medical Center agreed to pay a $3 million settlement to the OCR for impermissible disclosure of PHI from the loss of an unencrypted flash drive and the theft of an unencrypted laptop. Upon investigation, the reported breach revealed: “that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronically protected health information (ePHI) when it was reasonable and appropriate to do so.” The resolution agreement also required a corrective action plan with two years of compliance monitoring.
For more examples of HIPAA civil enforcement resolutions, check out the Resolution Agreements page on the HHS website.
Penalties for civil violations
The least onerous violations are civil violations, which are investigated by OCR. According to the regulation, the civil penalties will not be imposed if:
“The failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR); or
“The Department of Justice has imposed a criminal penalty for the failure to comply.
“In addition, OCR may choose to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance.”
However, for civil infractions that are assessed a penalty, the amount can vary from “$100 to $50,000 or more per violation.”
It’s important to note that when a civil violation occurs, OCR does take into consideration the circumstances, such as whether the violation “was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance.” Covered entities are also given 30 days from receipt of the violation notice to provide written evidence of circumstances that could lower or eliminate a penalty, and they have the right to request an administrative hearing to appeal a proposed penalty.
Penalties for criminal violations
HIPAA violations run the gamut from clerical errors to “knowingly” committing a crime. The difference in penalties can be significant, with criminal violations resulting not only in monetary penalties but also in prison terms.
Criminal penalties for HIPAA violations are prosecuted by the Department of Justice and are spelled out in the regulation:
- A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment.
- If the wrongful conduct involves false pretenses, the criminal penalties increase to $100,000 and up to five years imprisonment.
- If the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm, the penalties increase to $250,000 and up to 10 years imprisonment.
More about HIPAA violations is provided in the American Medical Association’s article, “HIPAA violations & enforcement.”
HIPAA violations are as diverse as the regulations are complex, so constant vigilance is needed to stay in compliance. When you want to add live chat to your website, keep in mind that HIPAA does apply to digital communications and using a HIPAA-compliant service provider is essential. Site Staff can help make your live chat experience a safe and secure one. Take our free 30-day trial and see what HIPAA compliant live chat has to offer.