In this lesson, we'll be covering what an audit by the Office for Civil Rights could entail, ways to help prevent an audit or make one go more smoothly, and why having a Book of Evidence is so vital. At the end of the lesson, we'll continue our recent look at HIPAA violations with a word about criminal penalties for HIPAA violations.

An audit by the Office for Civil Rights requires you to provide the following:

  • A copy of your last risk assessment
  • A copy of your last risk report
  • Your HIPAA compliance training logs
  • Your Book of Evidence

Pro Tip #1: When it comes to HIPAA in general, and particularly with audits, it's imperative for all business associates and covered entities to be as proactive (rather than reactive) as possible. What does being proactive look like? Great question!

You can be proactive, first and foremost, by covering all your bases regarding the following:

  1. Conduct annual risk assessments.
  2. Conduct annual compliance training.
  3. Stay current with all of your policies and procedures.

Rely on Your Book of Evidence

As we've stated before, your Book of Evidence is a HIPAA requirement (and not a suggestion). A good Book of Evidence must include, but isn't limited to, the following:

  • Your policies and procedures for how to handle PHI and ePHI
  • Your business continuity plan
  • Your data breach plan

Pro Tip #2: Having your Book of Evidence ready at all times can help an audit process go much more smoothly and hopefully speed things up a bit as well, especially if your Book of Evidence is up-to-date and all of your training records are current.

A Word About Criminal Penalties for HIPAA Violations

Before we dig into criminal penalties for HIPAA violations, let's first look at whether HIPAA violations can even be criminal.

Can HIPAA Violations Be Criminal?

When a HIPAA covered entity or business associate violates HIPAA Rules, civil penalties can be imposed. When healthcare professionals violate HIPAA, it's often their employer that receives the penalty, but not always.

If healthcare professionals knowingly obtain or use PHI for reasons that are not permitted by the HIPAA Privacy Rule, they may be found to be criminally liable for the HIPAA violation under the criminal enforcement provision of the Administrative Simplification subtitle of HIPAA.

Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly taking action against individuals who have knowingly violated HIPAA Rules. There have been several cases that have resulted in substantial fines and prison sentences.

Criminal HIPAA violations include theft of patient information for financial gain and wrongful disclosures with intent to cause harm. A lack of understanding of HIPAA requirements may not be a valid defense. When an individual knowingly violates HIPAA Rules, "knowingly" means that they have some knowledge of the facts that constitute the offense, not that they definitely know they are violating HIPAA Rules.

Criminal Penalties for HIPAA Violations

As you probably know by now, criminal penalties for HIPAA violations are divided into separate tiers, with the term and an accompanying fine decided by a judge based on the facts of each individual case.

As with the Office for Civil Rights, a number of general factors are considered that affect the penalty issued. If an individual has profited from the theft, access, or disclosure of PHI, it may be necessary for all payments received to be refunded, in addition to the payment of a fine.

The three tiers of criminal penalties for HIPAA violations are:

  1. Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail.
  2. Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail.
  3. Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail.

In recent months, the number of employees discovered to be accessing or stealing PHI (for various reasons) has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals.

It is therefore essential to put controls in place that limit the opportunity for individuals to steal patient data, and systems and policies that ensure improper access to, and theft of, PHI are identified promptly.

All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment, but potentially also a lengthy jail term and a heavy fine.

State attorneys general are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely.