Enforcement & Consequences for Non-Compliance


In incidents of non-compliance, an organization must reach a resolution agreement with HHS. This is a signed contract in which the covered entity agrees to perform certain obligations, such as staff training or reporting requirements, generally for three years. During that period, HHS monitors compliance. A resolution agreement likely would include a penalty payment. According to the HHS website, these agreements are reserved for investigations with more serious outcomes. Absent a resolution, civil money penalties may be imposed.


Breach Penalties

Penalties for HIPAA violations range from $100 to $50,000 per violation involving one individual's Protected Health Information (PHI), with a cap of $1.5 million per calendar year. In incidents of non-compliance, an organization must reach a resolution agreement with the U.S. Department of Health and Human Services (HHS): a signed contract in which the covered entity agrees to perform certain obligations, such as staff training or reporting requirements, generally for three years.

A resolution agreement would likely include a monetary penalty. According to the HHS website, these agreements are reserved for investigations with more serious outcomes. Absent a resolution, HHS may impose civil money penalties.

Headlines from recent cases include:


To get a sense of common violations, see this chart from HHS titled "Top Ten Issues in Investigated Cases Closed with Corrective Action," covering 2003 to 2013 (the five most frequent issues per year are shown, ranked from most to least frequent):

| Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5 |
|---|---|---|---|---|---|
| 2013 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2012 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2011 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2010 | Impermissible Uses & Disclosures | Safeguards | Access | Complaints | Minimum Necessary |
| 2009 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity |
| 2008 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity |
| 2007 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice |
| 2006 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice |
| 2005 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation |
| 2004 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Authorizations |
| 2003 (partial year) | Safeguards | Impermissible Uses & Disclosures | Access | Notice | Minimum Necessary |


The chart "Enforcement Results by Year" shows the enforcement results by calendar year according to the type of closure, with each category's share of that year's total resolutions in parentheses. The total is the number of complaints that OCR (the HHS Office for Civil Rights) had resolved in that year.

| Year | Investigated: no violation | Resolved after intake and review | Investigated: corrective action obtained | Total resolutions |
|---|---|---|---|---|
| 2003 (partial year) | 79 (5%) | 1,177 (78%) | 260 (17%) | 1,516 |
| 2004 | 360 (7%) | 3,406 (71%) | 1,033 (22%) | 4,799 |
| 2005 | 642 (11%) | 3,889 (68%) | 1,162 (21%) | 5,693 |
| 2006 | 897 (14%) | 4,128 (62%) | 1,574 (24%) | 6,599 |
| 2007 | 727 (10%) | 5,017 (69%) | 1,494 (21%) | 7,238 |
| 2008 | 1,180 (13%) | 5,940 (63%) | 2,221 (24%) | 9,341 |
| 2009 | 1,211 (15%) | 4,749 (59%) | 2,146 (26%) | 8,106 |
| 2010 | 1,529 (17%) | 4,951 (54%) | 2,709 (29%) | 9,189 |
| 2011 | 1,302 (16%) | 4,466 (53%) | 2,595 (31%) | 8,363 |
| 2012 | 979 (10%) | 5,067 (54%) | 3,361 (36%) | 9,407 |
