I Think I Violated HIPAA, What Do I Do?
The Health Law Group helps all kinds of healthcare providers maintain compliance with the privacy and security sections of the Health Insurance Portability and Accountability Act, or as it is commonly known, HIPAA. This act and the rules that have been promulgated under it make it illegal to disclose personal information of patients.
If you or your practice are suspected of violating HIPAA, you should contact the Health Law Group to find an attorney with experience defending these charges. The regulations involved in HIPAA are complicated, and an experienced attorney will be able to help you understand the rules and how to maintain compliance.
To get connected with a health care attorney familiar with HIPAA violations, call The Health Law Group now.
An Overview of HIPAA
The Health Insurance Portability and Accountability Act of 1966 (“HIPAA”) established privacy and security protections for patients’ electronic protected health information (“ePHI”). HIPAA is essentially a series of regulatory standards and guidelines for handling the use and disclosure of “protected health information.”
When a patient goes to a doctor, they share a variety of confidential information that is protected by HIPAA. Disclosing this information can lead to violations.
There are several intricacies in this law, but the basics are that if you see a patient and get any information from the patient, you may not share that information, and you need to protect any records that you make.
Compliance with HIPAA is extremely important for you and your practice.
Improper disclosure of information may expose you to civil and criminal liability.
What Does “Disclosing Information” Mean?
The act of “disclosing information” means that you allowed the personal information of a patient to be released to someone who is not a part of your network of healthcare providers or insurance companies.
There are a variety of ways that HIPAA violations can occur:
Some of the lesser-known ways include texting patients with medical information or accessing a patient’s file while at home. Violations for disclosing information can also come from an employee talking about a patient outside of work or posting something on social media.
What Information Should Not Be Disclosed?
The information that a health professional cannot disclose is known as protected health information (PHI). PHI includes the following information:
- Address (except for state location)
- Ages and significant dates
- Phone numbers
- Email addresses
- IP addresses
- Vehicle information
- URLs for websites
- Any identifying medical numbers
- Any other identifying information
You must make sure that your communications do not have this type of information.
If you disclose any of this information knowingly or otherwise, you may have committed a HIPAA violation.
HIPAA violations are found in a variety of different ways such as self-reporting, victim reporting or government investigations. The security of a patient’s confidential information is important in the field of medical practice because communications are private between a patient and their doctor.
There is also a problem with identity theft related to information being stolen so protecting the information is important.
When there is a reported case of a HIPAA violation, it is usually the Department of Health and Human Services (HHS) that investigates violations. HHS usually deals with most of the civil violations, but if there were a suspected criminal violation of HIPAA, then the Department of Justice (DOJ) would handle the charges.
What is “Self-Reporting?”
Self-reporting tends to be a common practice with HIPAA violations, where a supervisor may report that one of the workers disclosed information or that there was a breach of security involving the practice’s files.
Usually, when a company self-reports, it would lower the punishment or remove the punishment, but before you report, you should discuss your options with an experienced attorney.
What Do They Need To Prove?
Any investigation into a suspected disclosure of PHI would need to prove three main points.
First, they need to prove that there was a disclosure of information, meaning that a third party got the information. The fact that there is an investigation usually means that there was some evidence of disclosure already.
Second, they will look to see if the breach shared any information considered to be PHI. Generally, it is clear whether or not this type of information has been transmitted. If not, it would be a point of contention in a case.
Third, they will set out to determine what you knew about the breach and what you have done since the violation. This is where an experienced attorney will be able to help you because they will understand the complexity of the law and work to maintain compliance in hopes of having any violations moved down to a lesser charge.
5 Levels of a HIPAA Violation
HIPAA covers a range of different levels of disclosure with more severe penalties based on your level of violation.
The 5 levels of a HIPAA violation are based on the knowledge and intent of the healthcare provider.
The 5 levels include the disclosure of information:
- With reasonable cause;
- Corrected willful neglect;
- Uncorrected willful neglect; and
Penalties for Violating HIPAA
You may face civil penalties for violations at the first four levels of disclosure, which is every level besides knowing. The penalties range from $100 to $50,000 for each violation of HIPAA, with an annual cap between $25,000 and $1,500,000. The minimum for each level of violation goes up for each charge.
Criminal penalties can also be imposed on a healthcare professional who discloses information knowingly or purposefully. The term knowingly in terms of HIPAA violations means that they either took information with the purpose of selling or disclosing it or that they had information and then disclosed it.
“Knowingly.” If you are found to have violated HIPAA “knowingly,” you may face a fine of up to $50,000 and up to 1 year of imprisonment.
“Under False Pretenses.” If you take the information under false pretenses, your fine may go up to $100,000, and you may face up to 5 years imprisonment.
“Using Information for Commercial Gain.” Additionally, if you commit the act of disclosing HIPAA protected information for the purpose of selling the information or using it for commercial gains, you may face a $250,000 fine and up to 10 years imprisonment.
If you have a HIPAA violation, either criminally or civilly, you will have to pay money out as a penalty for this violation. The punishments you may face for civil and criminal penalties are outlined above. Apart from these penalties, there are also other consequences that may result from your violation.
Facing More Than One Charge:
It is important for each one of your cases to be handled with an understanding that one may impact the other. For instance, if you are charged with civil violations of HIPAA, it might strengthen a criminal case or even a private lawsuit against you.
Lawsuits and Class-Actions:
Lawsuits or class action suits may be brought against you by any patients who had their information disclosed. This type of lawsuit will seek to have the patients recover monetary damages for your breach of doctor-patient confidentiality.
Inability to Participate in Federal Insurance Programs:
HHS also has the ability to exclude you and your practice from receiving federal funding through Medicare for your violation. If you are found through a civil or criminal case to have violated HIPAA, there is discretionary authority for HHS to decide if they will exclude your participation with Medicare.
Stigma Related to Being Charged:
Since court records are open to the public, your future patients will be able to find out about your HIPAA violations. This could adversely affect your business’s ability to get and maintain patients.
If you do not own your practice, you might also find it hard to find a position in the medical field if you have a history of violations.
Establishing a Defense to HIPAA Violations
If you are found to violate HIPAA, you may face some serious penalties, so it is important to get ahead of any allegations. An experienced attorney will be able to work with you and the facts of the case to come to the best result possible.
One major point about violations is that if you report and remedy any past problems, there is a chance that HHS will take that into consideration when deciding to press charges.
Compliance is an important point after a violation so you should speak to an attorney to work on being in compliance and remedying any past problems.
Facing Multiple HIPAA Violations
A criminal HIPAA violation is also commonly charged alongside other crimes such as fraud, theft and conspiracy. If you are facing multiple charges, your attorney can help guide you through each charge, what it means, and how it may affect you.
It is important to have an attorney that knows how to deal with a variety of different criminal charges because a healthcare lawyer may not have as much experience handling these criminal convictions.
If you did violate HIPAA and charges were to be brought against you, the best case scenario is fighting the intent element of the crime. The best case scenario is if the violation occurred without any knowledge of the violation.
Recent HIPAA Cases:
Convictions under HIPAA are not that common, with only 13 cases in 2016 and 10 in 2017. However, the cost of violations in these years was $23.5 million and $19.4 million respectively.
Hospital Worker Talking To Coworkers About a Patient’s Hepatitis C:
For example, one hospital worker who knew of a patient’s hepatitis C was fired after disclosing this information. The worker told other workers who were performing an echocardiogram of the diagnosis to protect the other workers but was later fired for potentially violating HIPAA.
Corrective actions are very common for HIPAA violations which is why you usually see people fired whenever there is a potential violation. There are even reported cases where the line might not be as clear on HIPAA. There are also cases where people are sentenced to jail for HIPAA violations.
Woman In Anchorage, Alaska Shares Patient Information.
In 2015, a woman in Anchorage was sentenced to 2 years for violating HIPAA. She gave her co-defendant medical records of patients in order to victimize these patients. The information she transmitted to the co-defendant was about one person that her co-defendant shot and another that her co-defendant sexually assaulted.
Anthem Cyber Attack Leads to $16 Million Violation.
In another case, in October of 2018, Anthem, a health care provider, settled with HHS to pay $16 million for violations of HIPAA. The health information of about 79 million people was compromised in a cyber attack back in 2015.
In the settlement, Anthem did not admit to any wrongdoing, but they did pay out $16 million.
Contact a HIPAA Attorney Today
HIPAA violations can happen without your knowledge, but there are certain practices that you can take to avoid violations.
Train Your Employees:
First, it is essential to train all employees on what is allowed and not allowed to be disclosed and to whom. Training and taking preventive measures to protect your data can make a huge difference in protecting against committing a violation.
HIPAA violations should not be taken lightly because if you do not address the problem, you might face even worse consequences. Contact an experienced attorney to help you through the process.
Seek the Help of an Experienced Attorney:
If there is a violation, you should seek the help of an attorney to proactively address this situation before it becomes a problem. Sometimes there are disclosures that are out of your control, but you and your company should always have a procedure in place to address problems and work on resolutions. Having an attorney that understands the intricacies of the law can help you decide what the best course of action is for you.