Q&A: HIPAA violations extend beyond PHI breaches

April 25, 2019
Medicare Web

Q: Can a covered entity be fined for HIPAA violations even if there has not been a breach of PHI?

A: Yes. As an example, if a patient files a complaint with OCR because they believe you, the CE, have not implemented appropriate security controls or have not provided timely access to the patient’s DRS and OCR investigates, OCR may determine that there has been a violation of HIPAA, which could lead to a civil penalty or a monetary settlement. If, say, OCR finds you have never conducted a security risk analysis or haven’t done so for a number of years, OCR would likely conclude you are guilty of willful neglect.

In the preamble to the Omnibus Rule of 2013, OCR stated that it would not levy a penalty against a CE where it has found that a reasonable person would not have known about the violation, or where the violation was reasonable but not willful neglect. On the other hand, OCR indicated that if the violation was the result of willful neglect, it would levy a civil penalty or reach a monetary settlement with the CE.


Editor's note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to editor Heidi Samuelson at hsamuelson@hcpro.com.
