HIPAA, HITECH and HITRUST: The importance of each for you and your consumers

In the previous two segments, we detailed the basic concepts of these “H-words” and laid out the path to compliance for organizations that handle protected health information (PHI). Now that we know what these concepts mean and how best to achieve compliance, we’ll delve into the reasons behind it all.

Why should you put such a premium on compliance? Why should you devote financial and personnel resources to keeping up with these complex laws? In short: There are very real consequences for the violations that stem from noncompliance, including jail time and financial and reputational damages.

Financial Impact

In the early years of its existence, there was a perception that enforcement of HIPAA was somewhat lax. Those days are decidedly in the past, as the Office for Civil Rights (OCR, part of the US Department of Health and Human Services) has ramped up enforcement in recent years. With the enactment of the HITECH Act in 2009, a tiered penalty system for HIPAA violations was written into law. The final Omnibus Rule, which went into effect in 2013, made the penalties at each level even harsher. The current penalties are as follows:

Tier  Type of offense                                                            Per-violation fine    Annual cap
1     Unaware of the violation and could not realistically have avoided it       $100 to $50,000       $1,500,000
2     Should have been aware of the violation but could not have avoided it      $1,000 to $50,000     $1,500,000
      (reasonable cause, not quite willful neglect)
3     Willful neglect, but an attempt was made to correct the violation          $10,000 to $50,000    $1,500,000
4     Willful neglect, and no attempt was made to correct the violation          $50,000               $1,500,000

The annual cap applies to all violations of an identical provision within a calendar year, so an entity with several distinct failures can face more than $1.5 million in a single year.

In 2016, OCR set an annual record, collecting nearly $23 million in settlements and fines related to HIPAA noncompliance. This number includes the largest HIPAA settlement to that date: Advocate Health Care System had to pay $5.5 million for multiple HIPAA violations. The most significant of the violations stemmed from four stolen, unencrypted desktop computers that contained the PHI of roughly 4 million patients. (Note: Encryption is your ally! PHI that is properly encrypted and then lost or stolen generally does not count as a reportable breach, so encrypting data, backups and equipment can spare you both the notification obligations and the associated fines.) Advocate also accrued additional violations for an insufficient risk analysis and for the breach of a business associate’s system. Again, a crucial part of HIPAA compliance (as established in the HITECH Act) is making sure your business associates and contractors are compliant as well.

In fact, HIPAA requires covered entities to have Business Associate Agreements (BAAs), which spell out the BA’s responsibilities around HIPAA compliance. Noncompliance regarding BAs can land an entity in trouble even if no directly related violations occurred. For example, during a breach investigation, OCR reported that it had found that Care New England Health System had never revised one of its BAAs, originally signed in March 2005. The organization paid $400,000 because the 2013 final Omnibus Rule required existing BAAs to be updated to its new requirements by September 2014, and this one had not been.

In addition to the federal fines, consider the other potential costs that a HIPAA violation could mean for your business or facility. You could lose many business hours resolving the situation, and you’ll likely incur hefty legal fees as well.

Criminal Charges

In some instances, HIPAA violations can also result in criminal charges for the person(s) involved.

Tier  Description of violation                                                              Jail sentence    Fine
1     Knowingly obtaining or disclosing PHI in violation of the law                         Up to 1 year     Up to $50,000
      (knowledge that the conduct was illegal is not required)
2     Obtaining PHI under false pretenses                                                   Up to 5 years    Up to $100,000
3     Obtaining PHI with intent to sell it, for personal gain or for malicious purposes     Up to 10 years   Up to $250,000

Notable criminal HIPAA prosecutions include:

  • 2010: Huping Zhou, a former researcher at UCLA Medical Center, became the first person sentenced to jail time for a HIPAA violation. He received four months in jail, a year of supervised release and a $2,000 fine for reading private medical records, including those of celebrities and his co-workers. According to U.S. Attorney’s Office spokesman Thom Mrozek, Zhou was also the first person convicted and sentenced for a violation even though he did not sell or otherwise misuse the information. In fact, Zhou claimed that he was not even aware that his actions constituted a crime. (Note: Ignorance of the law is not an excuse.)
  • 2013: Denetria Barnes, a nursing assistant at an assisted living facility in Florida, and her boyfriend obtained and attempted to sell PHI for personal gain. Barnes was sentenced to 37 months in prison and three years of supervised release. She was also barred from working in any job that gives her access to people’s identifying information.
  • 2013: Helene Michel, the former owner of a medical supply company in New York, was convicted not only of criminal HIPAA violations but also of $10.7 million in Medicare fraud. She was sentenced to 12 years in prison, one of the harshest HIPAA-related sentences yet.
  • 2015: Joshua Hippler, an employee of a hospital in Texas, obtained PHI that he intended to use for personal gain and was sentenced to 18 months in prison.

Reputational Damage

HIPAA violations can damage an organization’s reputation and credibility. If a breach affects more than 500 patients, you must notify prominent local media outlets, and you’ll also end up on the HHS “wall of shame,” the public breach portal that spells out the scope and nature of the breach. Undoubtedly, the negative publicity can shake the trust of your current and potential patients/consumers. Your business associates might also reconsider their arrangements with you, since a breach on your end could put their security and PHI, and thus their consumers, their business and their reputation, at risk.

HITRUST

Spoiler alert: There aren’t yet any horror stories associated with HITRUST, mainly because, unlike HIPAA and HITECH, HITRUST carries no direct legal repercussions. Remember, it is not a law. Rather, think of HITRUST as a detailed map of adequate security measures to take in order to meet compliance requirements. Bonus: This map also provides invaluable tools for governance and risk management. Its sophisticated, evolving set of security control requirements protects against a wider array of security threats because it “includes, harmonizes and cross-references globally recognized standards, regulations and business requirements, including ISO, NIST, PCI, HIPAA and State law.”

However, just because there haven’t been any big news stories around HITRUST yet doesn’t mean there won’t be. In the coming years you may actually hear about HITRUST more frequently, because many of the large payers (insurance companies) are requiring the entities they contract with to become HITRUST-certified by the end of 2018. At that point, in order to contract with and get paid by most payers, entities will need to obtain (and maintain) HITRUST CSF Certification. As we laid out in Part 2, becoming certified is a lengthy process that can take anywhere from 12 to 24 months, so healthcare entities need to start soon.

The good news is that if you implement HITRUST, you can leverage the testing results in your reporting for multiple compliance efforts. Additionally, because the certification demonstrates an increased commitment to PHI security, the designation can make certified entities a more attractive option for consumers.

It’s in your hands

Steep fines, hidden business costs, jail time and reputational damage are certainly serious consequences of noncompliance and violations. But it’s important to remember the primary purpose of these security and privacy measures: protecting your patients. If you’re a covered entity with access to PHI, it’s your responsibility to secure their personal information for their safety, and not just because you’ll get fined if you don’t.

By Gina Pruitt, Jun 17

Gina B. Pruitt, CPA, CITP, CISA, CGMA, CQA, CRISC, CEMB, CCSFP, CHFP is member-in-charge of the Risk Assurance & Advisory Services practice at KraftCPAs PLLC and has more than 30 years of experience in public accounting. A HITRUST Certified CSF Assessor, KraftCPAs works extensively with healthcare providers and related entities. For more information, contact Gina at gpruitt@kraftcpas.com.