Businesses operating in the U.S. healthcare sector are required to comply with the data privacy and security regulations first defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of HIPAA legislation is to protect the privacy and security of an individual’s health-related information.
When HIPAA was passed, its primary concern was with safeguarding physical records containing protected health information (PHI). Subsequent updates to HIPAA regulations address the way the privacy and security of electronic protected health information (ePHI) are implemented.
In a perfect world, organizations would protect patient privacy and data security because it’s the right thing to do. Unfortunately, the market does not always operate that way, which is the reason HIPAA was necessary in the first place.
How Much Does HIPAA Noncompliance Cost?
Without the ability to levy fines and penalties, HIPAA would be an instructive but toothless set of standards. Fines for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) or by state attorneys general.
The OCR issues civil fines directly related to HIPAA violations, whereas in many cases state attorneys general enforce equivalent state standards. It can be easier to hold violators accountable under state laws, and the financial penalties available can be greater than those imposed by HIPAA. In rare cases, criminal charges can result from activities such as the theft and use of PHI for financial gain.
Not all HIPAA violations lead to financial penalties. In some cases, especially minor violations caused by a misinterpretation of the rules, the OCR prefers that organizations voluntarily adopt the measures necessary to comply. When this approach fails, the OCR has the authority to impose penalties on covered entities and business associates.
The costs of HIPAA noncompliance fall into two distinct categories.