Failing to Comply with HIPAA can Lead to Damaging Penalties:

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. OCR enforces the Privacy and Security Rules in several ways:

  • Investigating complaints filed with it
  • Conducting compliance reviews to determine if covered entities are in compliance
  • Performing education and outreach to foster compliance with the rules’ requirements

OCR reviews the information that it gathers. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy and Security Rules. In the case of noncompliance, OCR will attempt to resolve the case with the covered entity by obtaining:

  • Voluntary compliance
  • Corrective action and/or
  • Resolution agreement

Failure to comply with HIPAA can also result in civil and criminal penalties.

Civil Money Penalties

In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity. Covered entities have 30 days to correct the violation; HHS may extend this timeframe at its discretion. In the case of willful neglect, penalties can be imposed immediately.

CMPs are imposed based on the criteria shown in the table below:

Violation category | Minimum penalty | Maximum penalty
Unknowing | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
Reasonable cause | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
Willful neglect, but the violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
Willful neglect, and the violation is not corrected within the required time period | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million
Criminal Penalties

Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations.

Violation type | Maximum prison term
Unknowingly or with reasonable cause | Up to one year
Under false pretenses | Up to five years
For personal gain or malicious reasons | Up to ten years
It is important to know that INDIVIDUALS, as well as the corporation or company, are liable under HIPAA. While these criminal penalties are available as remedies for HIPAA violations, they have not been widely used. In our next blog, we will cover some of the cases where criminal penalties were imposed and draw lessons for both individuals and their employers in health care.