The Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements on
employers, particularly those classified as covered entities or business associates, to protect the privacy
and security of employees’ protected health information (PHI). HIPAA mandates that these entities
implement safeguards to ensure the confidentiality, integrity, and availability of PHI, including physical,
administrative and technical measures.
Common HIPAA violations in the workplace include the following:
Unauthorized access and disclosure — Allowing unauthorized individuals to view or receive PHI,
such as sharing health information without patient consent or displaying it publicly.
2. Lack of safeguards — Failing to secure electronic PHI (ePHI) through encryption, proper access
controls, or secure transmission methods.
3. Insufficient training — Not providing adequate training for employees on HIPAA compliance,
leading to mishandling of PHI.
4. Inadequate data disposal — Improper disposal of records containing PHI, such as not shredding
documents or securely erasing electronic files.
5. Social media misuse — Sharing PHI on social media platforms without consent.
Penalties for HIPAA violations depend on the level of negligence and can range from financial fines to
criminal charges. The Department of Health and Human Services’ Office for Civil Rights (OCR) categorizes
violations into four tiers, with penalties escalating based on the level of culpability:
Tier 1 — Violations where the entity was unaware and could not have reasonably avoided the
violation, with fines ranging from $137 to $68,928 per violation.
2. Tier 2 — Violations due to reasonable cause, but not willful neglect, with fines from $1,379 to
$68,928 per violation.
3. Tier 3 — Willful neglect violations corrected within 30 days, with fines starting at $13,785.
4. Tier 4 — Willful neglect violations not corrected within 30 days, with penalties up to $2,067,813
annually.
An employment law attorney experienced with HIPAA compliance can advise companies on how to
avoid significant penalties by taking positive actions, such as the following:
Implement comprehensive training programs — Regular training for all employees on HIPAA
regulations and the proper handling of PHI.
2. Establish robust security measures — Use encryption, access controls and secure
communication channels to protect ePHI.
3. Develop clear policies and procedures — Establish clear protocols for accessing, using and
disclosing PHI, and ensure all employees understand these policies.
4. Regular audits and risk assessments — Conduct regular audits and assessments to identify and
address potential vulnerabilities in PHI protection.
In the event of a breach, companies must act swiftly by notifying affected individuals and the OCR,
conducting a thorough investigation and implementing corrective actions to prevent future incidents.
About Finney Law Firm, LLC
Founded in 2014, FLF has grown to 15 attorneys located in offices in Eastgate and downtown Cincinnati with five major practice areas: Corporate Law, Real Estate Law, Employment Law, Commercial Litigation and Public Interest and Constitutional Litigation. FLF has the unique claim to three 9-0 victories at the United States Supreme Court for its public interest practice along with breakthrough class action work.
FLF also has an affiliated title insurance company, Ivy Pointe Title, LLC, that closes and insures nearly a thousand commercial and residential real estate transactions annually.
For more information about Finney Law Firm, visit finneylawfirm.com.
Media Contact: Mickey McClanahan; mickey@finneylawfirm.isoc.net; 513.797.2850.