1.5 What is HIPAA Part 4

2 hours 7 minutes
Video Transcription
Hey, everyone, welcome back to the course. So in the last video, we talked about the security rule, kind of a deeper dive into it so you can fully understand it. Again, the main differentiating factor between the security rule and the privacy rule is that the security rule covers electronic protected health information, or ePHI.
In this video, we're going to talk about some of the common issues that HHS has seen. So some of the most common issues. We'll also talk about the entities that are basically being required to take corrective action, so the most popular culprits when it comes to violations, and then we're also going to talk about the violation penalties themselves, so both the civil and criminal aspects.
So the most common issues that are protected health information so and most people could probably have guessed that one
that you know, inadvertent use of it or, you know, or disclosure of it, or that somebody is actually abusing it, you know? So somebody like stealing your Social Security number and opening accounts or something like that.
The next one up is no protection in place for your health information, so organizations not actually following HIPAA, not putting standards in place, not putting policies or procedures in place, not following things like technical safeguards for the information. That's kind of the
patients not being able to access their health information. So again, we talked about that: within 30 days, the provider has to give you that information. That's why I mentioned, you know, again, it's not legal advice, but that's why I mentioned that you should put stuff in writing. That way, you've got a history. So that way, if you need to escalate things to, you know, some entity or like legal counsel,
you've got the proof that you actually requested your records.
Next up is minimum necessary, right? So using or disclosing more than the minimum necessary protected health information. So again, going back to, you know, somebody like looking at, you know, Beyonce's medical record chart just because it's like, Oh, it's Beyonce, let me see what she's got going on. Uh, that would be a violation of HIPAA, and that would actually probably get you,
just because it's Beyonce, probably criminal charges too on that,
and then no safeguards for your electronic PHI, you know, so not, you know, not using encryption, right? Not password protecting stuff. Just, you know, texting patient information via text that's not encrypted, all that fun stuff there.
And then the most common entities. Most of us could have guessed hospitals, but some people might actually be surprised that private practices are number one on the list, and then we also have outpatient facilities, so like your surgery centers, that sort of stuff, group insurance plans
and then pharmacies. And actually, in my opinion, I actually thought pharmacies would be higher on the list. I figured they would be around number three or so.
Um, but you see there, number five on the list for HHS.
All right, so now let's talk about HIPAA violations. So we're gonna talk about some specific numbers here, and these are based off HIPAA. You know, this could always change a bit. Depending on when you're watching this course, there can always be new legislation, so just keep that in mind. But I want to give you some general context of different civil or criminal penalties under HIPAA.
So just so you can really understand kind of the seriousness of any violations, you know, this is a serious matter. Even though I may be joking in this course, it definitely is a serious matter, and you want to definitely protect the information.
Civil violations of HIPAA. So,
if you, um, basically, if you're an individual and you unknowingly, so, you know, I've got listed there accidentally. So if you unknowingly violate HIPAA,
generally speaking, it's gonna be about a $100 fine per violation. So if you've done that with, like, 100 patient records, you know, a 1,000,000 patient records, you could do the math, right? You could get hit with a lot of money,
but there's a max on that. Generally speaking, the annual max on that is $25,000 for those that repeat the violation. So if you did it, you know, with a bunch of patients,
you're gonna probably pay max 25,000 out of pocket. If it could be proved that there was actual intent, it's kind of odd that you would unknowingly violate it at that level. But it's possible
you could also get hit with $50,000 per violation as well under that, or even an annual max of 1.5 million. So there's some very steep, you know, penalties civilly that you can get hit with just for unknowingly violating it, right?
For a violation that's due to reasonable cause, but not due to willful neglect, there's a $1000 charge per violation or annual max of 100,000 for those that repeatedly violate. So for $50,000 penalty per violation or an annual max of 1.5 million,
I don't know about you, but I don't really want to spend 1.5 million on a HIPAA violation, so I certainly would try to follow HIPAA to the best of my ability.
Now, if you violate it due to willful neglect, with the violation being corrected within a specific time period that's set by HHS, then there's, you know, generally speaking, a $10,000 penalty per violation and annual max of a quarter of a million dollars, or $250,000 for people that don't know what that is, for repeat violations.
I don't make it sound like you're winning the lottery or something.
The opportunity to get a $50,000 penalty or an annual max of 1.5 million. Again, none of this should be construed as legal advice from me. I'm not an attorney, and even if I was an attorney right now, I certainly would not be giving you legal advice in a HIPAA course.
And then the other civil penalty is for violations that are due to willful neglect and not corrected.
And so the penalty there, you know, $50,000 per violation and no max of a 1,000,000
plus 50,000 per violation and annual max of 1.5 million. So again, some very steep civil penalties there. Now, that being said, these are individual ones.
If you're a company and you've got breaches and you're, you know, you're not doing the right thing, you can get hit with a lot of money. And actually, HHS has been going after some companies
over the past couple of years and hitting them with some pretty steep fines. So just keep that in mind, that if you think you're, you know, off the board with some really cheap, you know, options on violations, that's not the case. If you're actually an entity, these are just for individuals.
Now for criminal, you know, who wants to go to jail, right? Like, well, some people do, but anyone in their right mind probably does not want to go to jail. It's not fun being locked in a little cell and having to deal with people that you don't want to deal with, you know, on a normal day-to-day basis, and then you've got to sit there in a cell with them. That's not a fun thing. Probably.
Um, I've never been to jail, and I have no plans to ever do that. Way too old to be causing chaos in my life. Now these.
So let's just talk about HIPAA criminal violations here.
So for entities that are covered, and also specified individuals who eventually obtain or disclose
the protected health information willingly, and, no, excuse me, willfully and knowingly,
the penalty can be up to $50,000 and imprisonment up to one year.
For offenses that are committed under false pretenses,
the penalty can be up to $100,000 and imprisonment up to five years,
and then for offenses committed with basically mal intent, right, so the intent to sell, transfer or use the information for commercial advantage, personal gain or, as I mentioned, malicious harm,
penalties up to a quarter of a million, or $250,000, with imprisonment up to 10 years. So you could get hit with quite a bit of criminal time for HIPAA violations. And it kind of depends on what they want to do to you at that time and kind of the level of the violation you do.
So some different examples of HIPAA violations, just to kind of get some context. Again, we're gonna be talking about some scenarios in the module too, but just understanding what it could potentially look like. These are ones that are actually from HHS directly.
So top one there. What happened is the hospital staff actually disclosed HIV testing
results concerning a patient that was in the waiting room, and so their punishment there, they had to take regular HIPAA trainings and, you know, computer monitors were also repositioned. So basically anybody walking by could have seen that, oh, you know, Joe Schmo is positive for HIV, right?
Next one is actually an office manager at a practice accidentally faxed confidential information to the wrong number. And so they got a, you know, a stern warning letter. I always love when I see they made him to a stern warning letter. Uh, anyways, that's just me. And they also had a mandate for regular HIPAA training for all the employees in the practice.
A surgeon was actually fired for accessing person of celebrities without an actual need to know. And they also got fined $2000 and they got four months in jail. So just keep that in mind that if you want to go look up Beyonce's records and you don't actually have a need to know, you're probably looking at some jail time.
Also, a private practice lost an unencrypted flash drive. So they got a big fine, $150,000, and they also had to install a corrective action plan. You actually see this more commonly with people losing a laptop. You actually see it a lot like in home health. You'll see that, you know, a nurse like leaves her laptop in the car,
they go grab a bite to eat. Somebody breaks in and takes her laptop
and then, you know, of course, the laptop's not encrypted or something like that, and they steal it, or it may actually be encrypted, and you still have to report that. Or you may still have to report that depending on the nature of the theft,
and some other ones here where people, you know, Friday did fraudulent paperwork, essentially. Uh, also, uh, you know, somebody posting on social media about a patient. Of course, don't do that, right? And I actually think the social media one, if I recall, was related to somebody, a nurse, posting about a patient, like shouldn't have been drinking and driving, like posting photos on the
of a patient. So don't do that by the way,
number one, it's not cool anyways. Ah, and asked my opinion on it, but it's not cool anyways. But number two, you could potentially be looking at jail time for stuff like that. You know? What's the point in that?
Um, also, um
What? What happened with a doctor's office with a public calendar? They actually were posting, like, patient appointments on a public facing calendar. So they got fined $200,000 for doing so because obviously you can't put patient information out there like that. And then, um,
there was a data exposure for an organization for, you know, basically five million people were affected. I don't know the actual fine or anything like that on that. But you know, that was a large data exposure. And if you again looked in the media over the past couple of years, you'll see that there's been many organizations hit with large fines for exposing patient data.
So some drawbacks. That's the drawbacks that people talk about related to HIPAA. Hey, it affects clinical care. We've got to do all these extra steps and now, you know, it takes longer to treat patients. The reality is, you know, at least in my opinion, with electronic stuff now it's a little faster to treat patients. There's still a lot of documentation. So if your organization uses, like, an older
EMR/EHR system, or basically electronic medical record or
electronic health record system. If they're using like older software, sure, it does take, you know, it can be cumbersome, but much of the newer stuff nowadays, the more recent software out there, kind of streamlines things for you. But it does cost more money, so if your company's cheap, then you may be stuck with the older stuff that does take more time for patient care.
Another thing, the argument is related to education or training, like, Hey, we got this, we got this extra, you know, training. We have to set up now and figure out how to do it, et cetera, et cetera. The other main thing was research. So the argument is that it actually has less people applying to do research things
or less, you know, patients applying because
now they've got to go through fill all this cumbersome paperwork out and do all these extra steps. So we don't want to do the research now and then. Of course, the cost associated with implementing, like training programs and that sort of stuff.
So just a quick post-assessment question here. What's the main purpose of the security standards for the protection of electronic protected health information?
All right, so the answer is B, as in boy: establish standards for protecting ePHI only. So if you didn't actually pay attention to the slide as I was going through it on the security rule, that's actually the official name for the security rule: Security Standards for the Protection of Electronic Protected Health Information.
All right, so in this video, we just wrapped up our discussion on different penalties related to HIPAA. We talked about civil and criminal penalties. In the next video, we're going to jump into our cyber attacks, so we're gonna have some fun with that.