Community Psychiatric Clinic Breach Affects 15,537
In three separate email hacking incidents at Community Psychiatric Clinic, the protected health information (PHI) of 15,537 patients was exposed. Although little information is available on these breaches, all three incidents were reported to the Department of Health and Human Services (HHS) on August 15, 2019. Investigations are ongoing; the HIPAA violation consequences will differ depending on the cause of the breach.
Civil HIPAA Violation Consequences
Most HIPAA violations result in civil penalties for noncompliance. Fines are issued based on the nature of the violations and the organization’s response to the incident. If the violation is corrected within 30 days of discovery, fines are not issued, unless the violation was the result of “willful neglect.”
Civil violations are classified into four tiers:
- First Tier: the covered entity did not know and could not reasonably have known of the breach ($100-$50,000 per incident, with an annual maximum of $1.5 million).
- Second Tier: the covered entity “knew, or by exercising reasonable diligence would have known” of the violation, though it did not act with willful neglect ($1,000-$50,000 per incident, with an annual maximum of $1.5 million).
- Third Tier: the covered entity “acted with willful neglect” and corrected the problem within a 30-day period ($10,000-$50,000 per incident, with an annual maximum of $1.5 million).
- Fourth Tier: the covered entity “acted with willful neglect” and failed to make a timely correction ($50,000 per incident, with an annual maximum of $1.5 million).
Criminal Penalties for HIPAA Violations
Under some circumstances, HIPAA violation consequences include criminal penalties. Criminal penalties result from knowingly accessing PHI outside of one's job responsibilities.
Criminal penalties are also classified into tiers:
- First Tier: the covered entity and specified individuals “knowingly” obtain or disclose PHI in violation of the Administrative Simplification Regulations (fine up to $50,000 and up to 1 year in prison).
- Second Tier: violations committed under false pretenses (fine up to $100,000 and up to 5 years in prison).
- Third Tier: violations committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm (fines up to $250,000 and up to 10 years in prison).
Behavioral health practices that can prove their “good faith effort” towards HIPAA compliance will likely pass a HIPAA audit. Implementing an effective HIPAA compliance program, along with employee training, will limit the risk of a breach resulting in HIPAA fines or prison time.
- Reasonable diligence: reasonable steps taken to satisfy a legal requirement.
- Willful neglect: defined by the HHS as, “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
- Knowingly: knowledge that one's actions constitute a HIPAA violation, even without specific knowledge of the particular actions being taken, is considered acting “knowingly.”