Community Psychiatric Clinic Breach Affects 15,537
In three separate email hacking incidents at Community Psychiatric Clinic, the protected health information (PHI) of 15,537 patients was exposed. Although little information is available on these breaches, all three incidents were reported to the Department of Health and Human Services (HHS) on August 15, 2019. Investigations are ongoing; the HIPAA violation consequences will depend on the cause of the breach.
Civil HIPAA Violation Consequences
Most HIPAA violations result in civil penalties for noncompliance. Fines are issued based on the nature of the violations and the organization’s response to the incident. If the violation is corrected within 30 days of discovery, fines are not issued, unless the violation was the result of “willful neglect.”
Civil violations are classified into four tiers:
- First Tier: the covered entity did not know and could not reasonably have known of the breach ($100-$50,000 per incident, with an annual maximum of $1.5 million).
- Second Tier: the covered entity “knew, or by exercising reasonable diligence would have known” of the violation, though it did not act with willful neglect ($1,000-$50,000 per incident, with an annual maximum of $1.5 million).
- Third Tier: the covered entity “acted with willful neglect” and corrected the problem within a 30-day period ($10,000-$50,000 per incident, with an annual maximum of $1.5 million).
- Fourth Tier: the covered entity “acted with willful neglect” and failed to make a timely correction ($50,000 per incident, with an annual maximum of $1.5 million).
Criminal Penalties for HIPAA Violations
Under some circumstances, HIPAA violation consequences include criminal penalties. Criminal penalties result from knowingly accessing PHI outside of job responsibilities.
Criminal penalties are also classified into tiers:
- First Tier: the covered entity and specified individuals “knowingly” obtain or disclose PHI in violation of the Administrative Simplification Regulations (fine up to $50,000 and up to 1 year in prison).
- Second Tier: violations committed under false pretenses (fine up to $100,000 and up to 5 years in prison).
- Third Tier: violations committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm (fines up to $250,000 and up to 10 years in prison).
Behavioral health practices that can prove their “good faith effort” towards HIPAA compliance will likely pass a HIPAA audit. Implementing an effective HIPAA compliance program, along with employee training, will limit the risk of a breach resulting in HIPAA fines or prison time.
The terms used in the tiers above have specific meanings:
- Reasonable diligence: reasonable steps taken to satisfy a legal requirement.
- Willful neglect: defined by HHS as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
- Knowingly: knowing that an action constitutes a HIPAA violation is considered acting “knowingly,” even without specific knowledge of the individual actions being taken.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company, or individual.