Fines & Penalties

The fines and penalties for HIPAA and HITECH rules violations are severe. When HIPAA was first enacted, the maximum penalty for a HIPAA violation was $250,000. Now, with the introduction of HITECH, the maximum penalty is $1.5 million per identical violation per calendar year. Fines as well as criminal penalties can be imposed on the violating institution and the individuals involved. People have gone to jail for intentionally violating the medical privacy of others.

Enforcement Agencies

The Department of Health and Human Services (HHS) is the principal agency of the United States Government for protecting the health of all Americans. The HHS Medicare program is the nation’s largest health insurer. Medicare and Medicaid together provide health care insurance for one in four Americans.

Operating divisions of the HHS include:

  • Agency for Healthcare Research and Quality (AHRQ)
  • Centers for Disease Control and Prevention (CDC)
  • Centers for Medicare and Medicaid Services (CMS)
  • Food and Drug Administration (FDA)
  • Health Resources and Services Administration (HRSA)
  • National Institutes of Health (NIH)

How to Avoid Fines & Penalties

There are three ways for providers and others dealing with individually identifiable health information to help mitigate these fines:

  • Fines can often be mitigated by correcting within 30 days the deficiency that led to a breach.
  • Fines are not likely to be assessed if you are using approved data encryption on all devices.
  • Fines may be suspended or reduced if investigators can determine that a functioning and documented compliance program is in place.

As indicated above, having a HIPAA compliance program in place can go a long way towards mitigating an offense and possibly lead to a reduction of fines. Additionally, your office must be able to determine what went wrong that led to the loss of PHI, and demonstrate what steps have been and will be taken to prevent further breaches.

How Fines Are Assessed

For the most part, the fines are assessed per record violated, with a cap per data loss event. Intent weighs into the fine assessment process. Businesses that intentionally sell PHI, planning to absorb or evade the fines, are particular targets. There is currently a tiered system of fines:

Tiered HIPAA penalties (minimum penalty, and maximum penalty per identical violation per calendar year):

  • Offender did not know (and even with reasonable diligence would not have known) that he/she violated HIPAA
      Minimum: $100 per violation, annual maximum of $25,000 for repeat violations (this is the maximum that can be imposed by State Attorneys General regardless of the type of violation)
      Maximum: $50,000 per violation, annual maximum of $1.5 million
  • HIPAA violation with reasonable cause, not willful neglect
      Minimum: $1,000 per violation, annual maximum of $100,000 for repeat violations
      Maximum: $50,000 per violation, annual maximum of $1.5 million
  • HIPAA violation with willful neglect, violation corrected within the required time period
      Minimum: $10,000 per violation, annual maximum of $250,000 for repeat violations
      Maximum: $50,000 per violation, annual maximum of $1.5 million
  • HIPAA violation with willful neglect, not corrected
      Minimum: $50,000 per violation, annual maximum of $1.5 million
      Maximum: $50,000 per violation, annual maximum of $1.5 million
