HIPAA Violations Fines And Enforcement

HIPAA Violation Penalty Tiers

Monetary penalties for HIPAA violations

HIPAA Violations Fines And Enforcement

 

HIPAA ViolationMinimum PenaltyMaximum Penalty
Unknowing$100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)$50,000 per violation, with an annual maximum of $1.5 million
Reasonable Cause$1,000 per violation, with an annual maximum of $100,000 for repeat violations$50,000 per violation, with an annual maximum of $1.5 million
Willful neglect
$10,000 per violation, with an annual maximum of $250,000 for repeat violations$50,000 per violation, with an annual maximum of $1.5 million
Willful neglect and is not corrected
$50,000 per violation, with an annual maximum of $1.5 million$50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violations Fines And Enforcement

U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules.

OCR enforces Privacy and Security Rules in several ways:

  • Investigating complaints filed with it
  • Conducting compliance reviews to determine if covered entities are in compliance
  • Performing education and outreach to foster compliance with the rules’ requirements

OCR reviews the information that it gathers. In some cases, it may determine that the covered entity did not violate the Privacy and Security rules’ requirements. In the case of noncompliance, OCR will attempt to resolve the case with the covered entity by obtaining:

  • Voluntary compliance
  • Corrective action and/or
  • Resolution agreement

Failure to comply with HIPAA can also result in civil and criminal penalties. If a complaint describes an action that could violate the criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice (DOJ) for investigation.

Civil Violations

In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity.

CMPs for HIPAA violations are determined based on a tiered civil penalty structure. The secretary of HHS has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The secretary is prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended at HHS’ discretion).

HIPAA ViolationMinimum PenaltyMaximum Penalty
Unknowing$100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)$50,000 per violation, with an annual maximum of $1.5 million
Reasonable Cause$1,000 per violation, with an annual maximum of $100,000 for repeat violations$50,000 per violation, with an annual maximum of $1.5 million
Willful neglect
$10,000 per violation, with an annual maximum of $250,000 for repeat violations$50,000 per violation, with an annual maximum of $1.5 million
Willful neglect and is not corrected
$50,000 per violation, with an annual maximum of $1.5 million$50,000 per violation, with an annual maximum of $1.5 million

Criminal Penalties

The DOJ handles criminal violations of HIPAA. As with HIPAA civil penalties, there are different levels of severity for criminal violations.

Covered entities and specified individuals, as explained below, who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000 and imprisonment of up to 1 year.

Offenses committed under pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.

Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment of up to 10 years.

Covered Entities

Criminal penalties for HIPAA violations are directly applicable to covered entities (CE), including:

  • Health plans
  • Health care clearinghouses
  • Healthcare providers who transmit claims in electronic form
  • Medicare prescription drug card sponsors

Individuals such as directors, employees, or officers of the CE (where the CE is not an individual) may also be directly criminally liable under HIPAA in accordance with “corporate criminal liability.” Where an individual of a CE is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.

Interpreting “Knowingly”

The DOJ interpreted the “knowingly” element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action violating the HIPAA statute is not required.

Exclusion From Medicare

HHS has the authority to exclude from participation in Medicare any CE that was not compliant with the transaction and code set standards by Oct. 16, 2003 (where an extension was obtained, and the CE is not small) (68 FR 48805).

Article link:
https://www.ama-assn.org/practice-management/hipaa-violations-enforcement