There are both civil and criminal penalties associated with violating the HIPAA rules. For civil penalties, there are four tiers of violations: 1) The offender did not know it violated the provision; 2) the violation was due to reasonable cause and not willful neglect; 3) the violation was due to willful neglect but was corrected; and 4) the violation was due to willful neglect and was not corrected.
Each tier has different penalties, and the penalties increase significantly for each violation, with a maximum annual penalty of $1.5 million. On the other hand, individuals who knowingly violate the HIPAA rules may also be subject to criminal penalties that range from a fine of no more than $50,000 and/or imprisonment for not more than one year. If the offense is committed under false pretenses, an individual can be fined up to $100,000 and/or imprisoned for up to five years. More severe penalties apply if the offense is committed with the intent to sell, transfer or use the health information for commercial advantage, personal gain or malicious harm. In such cases, monetary penalties may be as high as $250,000, with possible imprisonment for up to 10 years.
It’s important to protect yourself from any unnecessary liability by avoiding any violation of PHI. This compliance measure requires that policies and procedures be created and implemented. Like everything else, documentation is a major part of the compliance battle and all compliance activities must be documented and retained for six years.
The HIPAA compliance updates and guidelines have been in place for the past few years, and understanding the rules and the risks will allow you and your staff to plan and prepare for any threats. For questions on HIPAA rules or compliance training, contact Antanya Chung, ACR director of practice management, at achung@rheumatology.org or 404-633-377 x818.
Reference
- U.S. Department of Health & Human Services. Business Associates. 2003 April 3.