$1.5 Million Penalty For Violating HIPAA
The news networks are overflowing with stories about the implementation of the Health Insurance Portability and Accountability Act (HIPAA). The historic health care legislation is still being implemented throughout the United States, and there are significant penalties for failing to comply with the law. It’s important that you understand your obligations under HIPAA and the penalties that could be imposed for violating the provisions of the act.
Health Care Violations and Enforcement
The HIPAA law includes both civil and criminal penalties for failing to comply with the requirements of the law (42 USC § 1320d-5). Civil penalties for HIPAA violations are authorized by the 2009 American Recovery and Reinvestment Act. The exact amount of each authorized civil penalty is to be determined by the Secretary of Health and Human Services.
Civil penalties can only be imposed for violations that arise from willful neglect or aren’t corrected within 30 days. The amount of a civil penalty will depend on the nature of the violation and the extent of the resulting harm.
Minimum and Maximum HIPAA Penalties
A tiered system of minimum and maximum civil penalties for HIPAA violations is available to punish violators. Penalties range from $100 for individuals who could not reasonably have known that a violation occurred to an annual maximum of $1.5 million for offenders who repeatedly violate various aspects of the law. Civil fines are larger for individuals who willfully neglect HIPAA requirements or fail to correct the problem within 30 days.
The United States Department of Justice (DOJ) has designated specific HIPAA violations that can result in criminal prosecution. Disclosing confidential health information, for example, can result in a fine of $50,000 and a prison sentence of up to one year. Penalties can be enhanced for violations involving false pretenses, including fines up to $100,000 and a sentence of up to five years in prison.
Illegal Use of Health Care Information
Using confidential health care information for personal gain, malicious harm or commercial advantage can result in a fine of up to $250,000 and a prison sentence of up to ten years. HIPAA criminal penalties apply to the following covered entities:
- Health care providers
- Health plans
- Health care clearinghouses
- Entities that submit electronic claims
- Medicare prescription drug card sponsors
- Directors, employees and officers of covered entities
Medical Conspiracy Charges
Even when an individual is not specifically designated as liable for a HIPAA violation, they can be criminally charged with aiding and abetting or conspiracy. DOJ has determined that merely knowing about a HIPAA violation is sufficient grounds for criminal prosecution. It’s not necessary for an offender to know that a particular action constitutes a HIPAA violation.