The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that applies to healthcare organizations and the people who work for them. HIPAA obligates covered organizations to implement policies and procedures that safeguard patient privacy and to put in place security measures that ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA limits the permitted uses of health data, restricts who may be given copies of healthcare information, and gives patients the right to obtain copies of their own health data.
HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that need access to PHI to carry out their contracted duties.
As with other federal laws, there are financial penalties for noncompliance. The financial penalties for HIPAA violations can be substantial, especially when HIPAA has been "knowingly" violated, that is, when HIPAA Rules have been consciously breached with intent.
Financial Penalties for Healthcare Organizations That Knowingly Breach HIPAA
The civil penalty tier system for healthcare organizations is based on the extent to which the covered entity was aware that HIPAA Rules were being breached. The maximum civil penalty for knowingly breaching HIPAA is $50,000 per violation, up to a maximum of $1.5 million per year for violations of an identical provision.
Civil penalties are calculated according to the nature and extent of the violation, the number of individuals affected, and the harm caused to those individuals.
Healthcare Workers May Have to Pay a Civil Penalty for Knowingly Breaching HIPAA
As with healthcare organizations, individual healthcare workers can also be fined for breaching HIPAA Rules. Civil penalties can be applied to any person found to have breached HIPAA Rules. The Office for Civil Rights can impose a penalty of $100 per violation when the worker was unaware that he or she was breaching HIPAA Rules, up to a maximum of $25,000 per year for repeat violations of the same provision.
Where there was reasonable cause for the violation, the fine rises to $1,000 per violation with a maximum of $100,000 per year for repeat violations. For willful neglect of HIPAA Rules where the violation was corrected, the fine is $10,000 per violation and up to $250,000 per year for repeat violations. For willful neglect with no correction, the penalty is $50,000 per violation and up to $1.5 million per year for repeat violations.
HIPAA Violations and Criminal Charges
The Office for Civil Rights (OCR) enforces HIPAA Rules alongside the Department of Justice and refers cases of possible criminal breaches of HIPAA Rules to the DoJ. Directors, officers, and workers may be found criminally liable for breaches of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be charged with aiding and abetting or conspiracy.
The criminal penalty tiers depend on the extent to which a healthcare worker knew that HIPAA Rules were being breached. At the lowest tier, knowingly obtaining or disclosing PHI in violation of HIPAA Rules carries a maximum fine of $50,000 and/or up to one year in prison.
If HIPAA Rules are breached under false pretenses, the maximum fine rises to $100,000 and/or up to 5 years' imprisonment. The highest criminal fine for knowingly breaching HIPAA Rules is $250,000, applied when healthcare information is illegally obtained with the intent to sell, transfer, or use it for personal gain, commercial advantage, or malicious harm. Along with the fine, the maximum prison term at this tier is 10 years.
In addition to these punishments, aggravated identity theft carries a mandatory 2-year prison sentence served consecutively to any other term. When PHI has been illegally obtained and patients have been defrauded, restitution may also be ordered.