The fines and penalties for HIPAA and HITECH rule violations are severe. When HIPAA was first enacted, the maximum penalty for a HIPAA violation was $250,000. Now, with the introduction of HITECH, the maximum penalty is $1.5 million per identical violation per calendar year. Fines as well as criminal penalties can be imposed on both the violating institution and the individuals involved. People have gone to jail for intentionally violating the medical privacy of others.
The Department of Health and Human Services (HHS) is the principal agency of the United States Government for protecting the health of all Americans. The HHS Medicare program is the nation’s largest health insurer. Medicare and Medicaid together provide health care insurance for one in four Americans.
Operating divisions of the HHS include:
- Agency for Healthcare Research and Quality (AHRQ)
- Centers for Disease Control and Prevention (CDC)
- Centers for Medicare and Medicaid Services (CMS)
- Food and Drug Administration (FDA)
- Health Resources and Services Administration (HRSA)
- National Institutes of Health (NIH)
How to Avoid Fines & Penalties
There are three ways for providers and others dealing with individually identifiable health information to help mitigate these fines:
- Fines can often be mitigated by correcting, within 30 days, the deficiency that led to the breach.
- Fines are not likely to be assessed if you are using approved data encryption on all devices.
- Fines may be suspended or reduced if investigators can determine that a functioning and documented compliance program is in place.
As indicated above, having a HIPAA compliance program in place can go a long way towards mitigating an offense and may lead to a reduction of fines. Additionally, your office must be able to determine what went wrong that led to the loss of PHI, and demonstrate what steps have been and will be taken to prevent further breaches.
How Fines Are Assessed
For the most part, fines are assessed per record violated, with a cap per data loss event. Intent weighs into the fine assessment process. Businesses that intentionally sell PHI with the idea of enduring or evading the fines are particular targets. There is currently a tiered system of fines: