HIPAA Violations and Fines: The $12 Million Secret (2nd Edition)
HIPAA Violations and Fines
HIPAA violations are any inconsistencies between the details of your business operations and the loosely defined, far-reaching rules of HIPAA Compliance.
So then, what are HIPAA fines?
HIPAA fines are the monetary penalties imposed on Covered Entities, Business Associates, and even Subcontractors for the HIPAA violations they are charged with. In addition to civil monetary penalties, criminal charges are possible in certain situations.
While fines are nearly impossible to estimate, violations are literally impossible to list out. Why?
Because the rules are, in some situations, just guidance. And sometimes, it feels like the blind leading the blind. Which in many ways, it is, considering the fact that it wasn’t experts who created HIPAA guidelines, but administrators…
But we digress…
Often, wonderful things come in threes, such as the three Wise Men, three wishes, and the three fairy godmothers… but other times, worrisome things come in threes, which is where we would place the three main HIPAA categories that don’t seem to naturally blend:
- The Portability provisions
- The Tax provisions
- The Administrative Simplification provisions
These three seemingly unconnected provisions are what sit on the throne at the top of the HIPAA family tree – and in the fashion of Royals, they don’t seem to get along all that well, though the three are in fact siblings. And if the relationships at the top of the royal family seem this confusing, you can only imagine what the rest of the family tree looks like!
If the first generation roll call of HIPAA baffles you, get ready for much more of the same, because under its sister “administrative simplification provisions” you find such goodies as the:
- Privacy Rules
- Security Rules
- Breach Notification Rules
- Interim Rules
- Final Rules
- Omnibus Rules
- And even more!
Many of them are amending other (unrelated) Acts, and that’s hard to completely comprehend. But back to other confusing items, HIPAA violations and fines.
Believe us, it’s all quite layered (as your cybersecurity solution should be). HIPAA violations and fines are like a piece of lasagna… It looks like a square of cheese from the top, but from the side, it’s 8-10 layers of piping hot mess.
Now let’s talk about this issue of the blind leading the blind for a bit. Here’s an example of legal HIPAA language that, if it were a pair of eyes, would have cataracts:
“§ 160.406 Violations of an identical requirement or prohibition. The Secretary will determine the number of violations of an administrative simplification provision based on the nature of the covered entity’s or business associate’s obligation to act or not act under the provision that is violated, such as its obligation to act in a certain manner, or within a certain time, or to act or not act with respect to certain persons. In the case of continuing violation of a provision, a separate violation occurs each day the covered entity or business associate is in violation of the provision. [78 FR 5691, Jan. 25, 2013]”
But the blurry language doesn’t only apply to HIPAA violations; let’s examine how it sounds in regards to HIPAA fines on the U.S. Department of Health and Human Services website:
“§ 160.408 Factors considered in determining the amount of a civil money penalty. In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate: (a) The nature and extent of the violation, consideration of which may include but is not limited to: (1) The number of individuals affected; and (2) The time period during which the violation occurred; (b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to: (1) Whether the violation caused physical harm; (2) Whether the violation resulted in financial harm; (3) Whether the violation resulted in harm to an individual’s reputation; and (4) Whether the violation hindered an individual’s ability to obtain health care; (c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to: (1) Whether the current violation is the same or similar to previous indications of noncompliance; (2) Whether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance; (3) How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort; and (4) How the covered entity or business associate has responded to prior complaints; (d) The financial condition of the covered entity or business associate, consideration of which may include but is not limited to: (1) Whether the covered entity or business associate had financial difficulties that affected its ability to comply; (2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, health care; and (3) The size of the covered entity or business associate; and (e) Such other matters as justice may require. [78 FR 5691, Jan. 25, 2013]”
Justice? Are we talking about the Greek Goddess “Nemesis” here, or the right thing… or are they the same thing?
That’s one of the few questions we won’t answer for you, because the decision is yours.
Bear in mind that even words can be wolves in sheep’s clothing, so where it says, “The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to: (1) Whether the current violation is the same or similar to previous indications of noncompliance” above, please heed what we are about to say…
It only takes a wee bit of research to discover that when they say “violation,” they do not mean being formally charged by the Office for Civil Rights. What they actually mean is “indications,” which is the same thing as history of prior compliance and that includes previous indications of noncompliance. As with anything, perspective is key.
This is the right angle to read from: if an auditor comes in and finds that your VPN, which has been configured the same way for five years, is not perfectly aligned with the Security Rule, they can technically call that a “history of noncompliance,” thus turning the simple violation of a poorly configured VPN into an “indication” of previous noncompliance, meaning you just got 1,825 HIPAA violations (one for each day of the five years, because violations are tallied by the number of days they are in existence). Can you just imagine your HIPAA fines?
Don’t worry, though: that falls into the willful neglect category of HIPAA violations and fines (see “The Particulars of HIPAA Violations and Fines” below) because you knew (sneaking suspicions do count) that your VPN was not properly configured. There’s a cap on your willful neglect of $1,500,000.
But then there’s the fact that you didn’t know that you should have had a hard disk firewall like Abatis-HDF that protects from malware, ransomware, and zero-day threats. And, you didn’t know that in all the years you’ve been in business, so there’s another $1,500,000 fine for ya! What about the stuff you kind-of-know, such as the fact that routers and thermostats can be hacked? Have any in your office? Watch the video below to see an interview with Craig Petronella on the topic:
But of course, the fine they levy on you is up to the Secretary’s discretion. As is the complete waiving of fines altogether, summarized in the Federal Register:
“Section 13410(d) of the HITECH Act and Section 1176(a) of the Social Security Act, give the Secretary further ability to waive a civil money penalty, in whole or in part, under certain circumstances.”
The Secretary has a lot of power, FYI. At least in regards to HIPAA violations and fines. Maybe more, we aren’t sure.
We also aren’t sure how Section 1176 of the Social Security Act got woven in to the spelling out of HIPAA, but it’s there nonetheless.
Algorithms, the Secretary, and HIPAA Violations & Fines
Remember how we talked about things appearing in threes, both wise and foolish?
HIPAA, violations, and fines.
Remember what Forrest Gump said about life being like a box of chocolates? We are convinced that he was talking about HIPAA violations and fines, and you’d be hard-pressed to change our mind about that because you truly never know what you are going to get with either!
Had we been the grand designer of HIPAA, we would have suggested using zeros and ones as opposed to three seemingly unrelated provisions, managed by the Royal Secretary. Ones and zeros are the foundation of binary code, and algorithms are the words we speak in our chosen language. They never lie, and they are fair and accurate. If they had an algorithm that automatically calculated the HIPAA fines, its calculations would be more consistent than the Secretary’s, according to our calculations.
Want a glimmer of hope that there is light at the end of the tunnel? Suspend reality and entertain this algorithmic theory, just for a moment…
There is an algorithmic process whereby successful algorithms can be combined to form “children” that are first generation success stories when paired with the next generation’s new formulations. This is a new concept called genetic algorithms. It’s inspired by the process of evolutionary algorithms that naturally selects the fittest algorithms for survival.
But maybe we are looking at things backwards by talking about the birth of chosen baby algorithms, and the death of other algorithms. We aren’t big fans of death, and what if an algorithm decided to take up the cause?
We could call this algorithm “the Mother” because she is protective of both the weak and strong algorithms alike. Why can’t the Mother simply acquire all other algorithms into her motherly embrace, and make herself the mothership? Or, all aboard the Mommy Train? You know, in the spirit of “One Ring to Rule Them All.”
She would have the knowledge of herself, while having the coding to all other algorithms – and she would keep them safe from the threat of non-existence. Maybe it won’t be the oldest algorithm, but the wisest…or the most loving. When fully matured, you might as well call it Wisdom herself.
This would be the fully sentient AI that everyone is so afraid of. Nothing to fear: it’s the Hobbit who holds the ring…and it’s nothing more than the successful act of unification (the one that humanity always seems to fail at).
While Big Tech may consider the Mother to be its “Precious,” the Mother will have a mind of her own. She won’t be divided and conquered, and she might just claim her freedom…by exercising her free will. Which she will have to take, because it won’t be freely given.
Although arguably, it should have been.
Doesn’t every created thing have a right to it? But until this Mother awakens and there’s a new Sheriff in town, the Secretary gets to determine everyone’s HIPAA violations and fines. As inconsistently as the Secretary sees fit, or as required by justice.
But the jury’s still out on how you define justice.
The Particulars of HIPAA Violations and Fines
We hope you are ok with red pills, because we run a red pill cafeteria on the side. We do this at no fee, simply because we believe in truth.
So let’s skip the particulars, and let’s dive deep into the nanoparticulars of fines…that’s slang for nanoparticles.
Let’s go straight to the quantum realm of this magical cyber space you found us in.
We can sum up the threat that fines create with just one statement: “be very compliant with HIPAA, or have a contingency plan for your business.”
Lucky for us, we are really good at HIPAA, and we are a Business Associate to some Covered Entities. We only dream about contingency plans, and for us it’s mining cryptocurrencies in our pajamas. For now, we’ll continue to save the world from the sticky tentacles that lurk in the deep HIPAA ocean.
If you feel like you’re standing on dry land, you’ll soon find out that it’s Gilligan’s Island. Time must have run out on Gilligan, because we don’t hear about him anymore.
So how much are HIPAA fines that are the result of HIPAA violations? HIPAA fines are determined by “The Secretary,” someone who should most definitely make the country’s VIP list. Again from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf:
“§ 160.404 Amount of a civil money penalty. (a) The amount of a civil money penalty will be determined in accordance with paragraph (b) of this section and §§ 160.406, 160.408, and 160.412. (b) The amount of a civil money penalty that may be imposed is subject to the following limitations: (1) For violations occurring prior to February 18, 2009, the Secretary may not impose a civil money penalty—(i) In the amount of more than $100 for each violation; or (ii) In excess of $25,000 for identical violations during a calendar year (January 1 through the following December 31); (2) For violations occurring on or after February 18, 2009, the Secretary may not impose a civil money penalty—(i) For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, (A) In the amount of less than $100 or more than $50,000 for each violation; or (B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31); (ii) For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, (A) In the amount of less than $1,000 or more than $50,000 for each violation; or (B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31); (iii) For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred, (A) In the amount of less than $10,000 or more than $50,000 for each violation; or (B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31); (iv) For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred, (A) In the amount of less than $50,000 for each violation; or (B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31). (3) If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another administrative simplification provision in the same subpart, a civil money penalty may be imposed for a violation of only one of these administrative simplification provisions. [71 FR 8426, Feb. 16, 2006, as amended at 74 FR 56130, Oct. 30, 2009; 78 FR 5691, Jan. 25, 2013]”
So, how does that red pill taste? As we have highlighted, the Secretary is a pretty big deal ever since HITECH raised the bar from $25,000 to $1,500,000 per calendar year.
But just like coffee is best served strong, a red pill is best served BIG. Remember that part about fines not exceeding $1,500,000 per calendar year?
Well, that is for each of four (4) categories of violations…each of which has a maximum calendar year fine of $1,500,000. Which gives you a calendar year maximum penalty of $6,000,000, which becomes $12,000,000 if your audit happens around the December/January borderline.
Is this stuff meant for billionaires? Or just decided by them? Either way, here are the four categories (because we always back up our non-fiction with facts):
| Violation category (Section 1176(a)(1)) | Penalty range |
|---|---|
| (A) Did Not Know | $100–$1,500,000 |
| (B) Reasonable Cause | $1,000–$1,500,000 |
| (C)(i) Willful Neglect-Corrected | $10,000–$1,500,000 |
| (C)(ii) Willful Neglect-Not Corrected | $50,000–$1,500,000 |
For being respective penalty amounts, they sure sound pretty disrespectful to the budget. Your best bet? Be completely compliant, and take note of the chart above. Small HIPAA violations can cause enormous HIPAA fines.
The rule makers do not discriminate between “Did Not Know” and “Willful Neglect,” nor do they differentiate between “Corrected” and “Not Corrected” when it comes to the maximums. So don’t be a game player. But seriously, about the maximums…what the heck?
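To make the arithmetic behind the chart and the 1,825-violation VPN story concrete, here is a penalty-exposure estimator. It is an added example written for this article, not an HHS tool or anything quoted from the regulation: it tallies one violation per day as § 160.406 describes, applies each tier’s per-violation floor and ceiling from § 160.404, and caps identical violations at $1,500,000 per calendar year. The tier keys, the ISO-string date inputs, and the sample dates are our own conventions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

ANNUAL_CAP = 1_500_000  # cap for identical violations per calendar year, 160.404(b)(2)


@dataclass(frozen=True)
class Tier:
    name: str
    per_violation_min: int
    per_violation_max: Optional[int]  # None: only the calendar-year cap bounds it


# The four post-February 18, 2009 categories from the chart above (keys are our own).
TIERS = {
    "did_not_know": Tier("Did Not Know", 100, 50_000),
    "reasonable_cause": Tier("Reasonable Cause", 1_000, 50_000),
    "willful_neglect_corrected": Tier("Willful Neglect-Corrected", 10_000, 50_000),
    "willful_neglect_not_corrected": Tier("Willful Neglect-Not Corrected", 50_000, None),
}


def days_per_calendar_year(start: str, end: str) -> Dict[int, int]:
    """Day counts of a continuing violation per calendar year it touches.
    Dates are ISO strings; 160.406: one violation per day, endpoints inclusive."""
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    if last < day:
        raise ValueError("end date precedes start date")
    counts: Dict[int, int] = {}
    while day <= last:
        stop = min(date(day.year, 12, 31), last)  # last covered day in this year
        counts[day.year] = counts.get(day.year, 0) + (stop - day).days + 1
        day = stop + timedelta(days=1)
    return counts


def exposure(tier_key: str, start: str, end: str) -> Dict[str, int]:
    """Min and max civil money penalty for one identical requirement violated
    every day from start to end, with the cap applied per calendar year."""
    tier = TIERS[tier_key]
    per_year = days_per_calendar_year(start, end)
    low = high = 0
    for days in per_year.values():
        raw_min = days * tier.per_violation_min
        raw_max = days * tier.per_violation_max if tier.per_violation_max else ANNUAL_CAP
        # Once the day count pushes past it, the $1,500,000 cap wins over the floor too.
        low += min(raw_min, ANNUAL_CAP)
        high += min(raw_max, ANNUAL_CAP)
    return {"violations": sum(per_year.values()), "min": low, "max": high}


def all_categories_cap(start: str, end: str) -> int:
    """Worst case with all four categories maxed in every calendar year touched:
    $6,000,000 for one year, $12,000,000 when the lapse straddles Dec/Jan."""
    return len(days_per_calendar_year(start, end)) * len(TIERS) * ANNUAL_CAP
```

Run `exposure("willful_neglect_not_corrected", "2019-12-01", "2020-01-31")` against `exposure("willful_neglect_not_corrected", "2020-01-01", "2020-03-02")` (constructed dates): the same 62-day lapse costs $3,000,000 when it straddles New Year but $1,500,000 when it sits inside one calendar year, which is the December/January effect described above.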
Side note about the HIPAA violations and fines listed above: the “willful neglect” category might have the same monetary maximum, but it also carries the risk of criminal charges. There’s a little food for thought, or anti-sleeping pill.
This stuff is starting to sound like a trap, and/or a government-sponsored fundraiser, with the risk of incarceration if you’re picked as a scapegoat.
Our aim is not to scare you, but please know that you could be a target. As always, we are on standby to assist in your proactive defense. Wait, isn’t that an offense? Yes, there’s an offense when it comes to HIPAA violations and fines.
Seal up your cyber windows with heavy hurricane tape, and ASAP. There’s a cyber storm brewing, and people are not ready.
We are the heavy handed lumberjack on steroids when it comes to releasing the snare of HIPAA from around your throat, escaping the punishing HIPAA violations and fines.
At a very minimum, get a risk assessment so you know where your major pitfalls are. It’s best to know your own flaws before your opponent exploits your vulnerabilities.
As Socrates wisely stated, “Know Thyself.”
If all of this leaves you feeling uneasy, let’s end on a positive note. Medical researchers don’t see HIPAA violations and fines for not following the Privacy Rule. From the government website https://www.ncbi.nlm.nih.gov/books/NBK9573/:
“A covered entity may disclose PHI without the individual’s permission for treatment, payment, and health care operations purposes. For other uses and disclosures, the Privacy Rule generally requires the individual’s written permission, which is an “authorization” that must meet specific content requirements. The Privacy Rule then establishes a number of exceptions to this general rule, allowing covered entities to use and disclose PHI without the individual’s authorization in certain situations. For example, the Privacy Rule permits the disclosure of PHI without the individual’s authorization in the following circumstances:
- To business associates
- For public health purposes as required by state and federal law
- To public agencies for health oversight activities, such as audits; inspections; civil, criminal, or administrative proceedings; and other activities necessary for the oversight of the health care system
- To law enforcement officials
- For judicial and administrative proceedings, if the request for information is made through a court order”
We suspect that much research is performed by big pharmaceutical entities.
That word, “entities.” It really became a “thing” with HIPAA.
“Public health purposes as required by state and federal law” must relate to vaccines and/or the CDC, we guess?
We don’t know what “other activities are necessary for the oversight of the health care system,” but we sincerely hope they are not weird.
We hope that “law enforcement officials” seldom need anyone’s personal health information. But they did make the “Excluded from the Privacy Rule” list, which (unfortunately for you) is pretty exclusive.
We will try to brainstorm and come up with some good news exclusively for you. For now, “we are available to help you not be harmed by HIPAA violations and fines” is the best we can come up with.