
The Reality of HIPAA Violations and Enforcement

Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law.

The HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with OCR, which is responsible for administering, investigating and enforcing the HIPAA Privacy Rule and, since HHS delegated that authority to it in 2009, the Security Rule as well. The Centers for Medicare & Medicaid Services (CMS) enforce the transaction and code set standards.

The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, created a tiered penalty structure for HIPAA violations. Within each tier it is OCR that determines the amount of the penalty, based on the nature and extent of the violation and of the harm that resulted from it. The tiers, as originally enacted (the amounts are adjusted for inflation each year), are:

  • Did not know: a violation by a covered entity or business associate that did not know, and by exercising reasonable diligence would not have known, that it was violating HIPAA. The fine ranges from $100 to $50,000 per violation.
  • Reasonable cause: a violation due to reasonable cause and not to willful neglect. The fine ranges from $1,000 to $50,000 per violation.
  • Willful neglect, corrected: a violation due to willful neglect that is corrected within the required time period (30 days). The fine ranges from $10,000 to $50,000 per violation.
  • Willful neglect, not corrected: a violation due to willful neglect that is not corrected. The fine is $50,000 per violation.

Fines for identical violations are capped at $1.5 million per calendar year under each tier.

However, when a violation is not due to willful neglect and is corrected within 30 days of the date the covered entity or business associate knew, or by exercising reasonable diligence should have known, of it, OCR may not impose a civil penalty.

A Privacy Rule violation can also be a crime, prosecuted by the Department of Justice, when someone knowingly obtains or discloses individually identifiable health information. The base offense carries a fine of up to $50,000 and up to one year in prison. If the offense is committed under false pretenses, the fine rises to up to $100,000 and the prison term to up to 5 years. And if the information was obtained or disclosed with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm, the fine can go as high as $250,000 with imprisonment for up to 10 years.

Knowing that enforcement of HIPAA is real and that the penalties can be financially and professionally devastating, healthcare offices need to prioritize HIPAA training for all of their staff. There is no excuse for any healthcare office not to be thoroughly trained in HIPAA law: even the lowest penalty tier, for violations the entity did not know about, still carries a fine, so HHS will not accept ignorance of the law as a defense.


  1. These fines are per individual and/or per practice, correct? The reason I ask is that my current manager and staff feel that the penalties only apply to the practice, not to each of them if they are the violators. And I completely disagree with them based on all of my understanding of HIPAA.

    1. Fines are typically levied against the practice and are generally per occurrence, e.g. per record compromised.

  2. What happens to my co-worker if she accessed her husband’s ex-wife’s record but did not disclose or use any of her information, and it was a clinical setting and on a separate server from her actual doctor’s record? There wasn’t any information in the record other than phone-scheduled appointments and basic demographics. My co-worker has since left healthcare.

  3. Is there any possible penalty for an employee who has not completed their HIPAA Privacy training course? For instance, a V.P. where I work was hired in August 2014, but has yet to complete the training, even after numerous reminders.

  4. An enemy went as far as to find out my personal hospital record from when I was in the ER and posted it all over Facebook. I talked to the head of security at Johns Hopkins; they are dealing with it, but this does not satisfy me one bit. I need something done because she keeps posting it in all the groups.

  5. Before taking the time and hassle of filing a complaint about a pharmacy tech who not only disclosed someone as a patient but then also degraded this person and told people that he/she was nothing but a pill head, and other very negative information. Then lied about this person again after being warned by the patient. The biggest deal is that the information got to children and was discussed again.

  6. A nurse noticed my fiancée and me at the OB/GYN and told half the town she was pregnant. We started receiving calls about it before we told our family. We could’ve been there for any reason, but everyone knew why. I’m assuming she checked our records after she saw us.

  7. My wife was terminated from her job at a local hospital for accessing her mother’s medical records while at work. She IS the POA; how can she be terminated for violating HIPAA?
