HIPAA Privacy Rules Explained and Types of HIPAA Violations
While patients themselves may applaud the protection they now receive through 1996’s Health Insurance Portability and Accountability Act, the 2003 addition of HIPAA’s Privacy Rule has resulted in headaches for many of the doctors and dentists who treat them. While paper-based practices and those that transmit their patients’ health and billing data only by telephone or fax have the choice of opting out, medical professionals who send this information over the internet or store it electronically must comply with HIPAA’s stringent privacy rules. This can be a hassle.
What Types of Data Fit the Description?
Protected health information, or PHI, is a HIPAA term that refers to the entirety of a patient’s health information and medical records. Whether the data be spoken, written on paper or backed up to tapes and computer disks, the law protects it in any and all of its potential configurations. It is therefore the responsibility of all medical professionals as well as their staff members to keep this information private and secure. What happens, though, when someone slips up? Exactly what would constitute a failure to comply with the HIPAA privacy rules, and what might a medical professional do to rectify the problem?
When Failure to Comply Leads to Civil Trouble
The 2009 American Recovery and Reinvestment Act established a tiered structure of civil penalties for all HIPAA violations that remain unrectified after an average of 30 days. The time period can extend in certain cases, and the Department of Health and Human Services will have the final say on the applicable penalty.
The civil penalties for HIPAA violations include:
- A minimum per-violation penalty of $100 for wrongdoers who honestly were unaware of having committed the breach. For repeat offenders, the annual maximum tops out at $25,000.
- A minimum per-violation penalty of $1,000 for offenses unrelated to willful neglect with repeaters facing an annual maximum of $100,000.
- A minimum per-violation penalty of $10,000 for violations that do result from willful neglect but manage to stand corrected within the required period of time. Here, the annual maximum stands at $250,000 for those who continue to offend.
- A minimum per-violation penalty of $50,000 for uncorrected HIPAA violations proven to stem from willful neglect. The annual repeat-violation maximum currently stands at $1.5 million.
A maximum per-offense penalty of $50,000 applies to each of the four categories with an annual repeat-offender maximum of $1.5 million.
When HIPAA Violations Turn Criminal
In certain situations, the law will hold HIPAA violators criminally responsible for knowingly obtaining and/or leaking health information about one or more identifiable individuals. These people will face a minimum fine of $50,000 with possible imprisonment of one year. Penalties increase to $100,000 and five years in prison if they committed the crime under false pretenses. Worse, if the perpetrator has sold, used or transferred such information with the intention of causing malicious harm or procuring financial gain, he or she may face a fine of $250,000 and a prison term of as many as 10 years.
These criminal penalties for HIPAA violations will apply directly to such covered entities as:
- Health care providers who engage in electronic data storage or transmission.
- Health care clearing houses.
- Health plans.
- Sponsors of Medicare prescription drug cards.
When the violator is other than an individual, the officers, directors or employees of the covered entity may also face any applicable charges of conspiracy, aiding and abetting or direct criminal liability.
The Office for Civil Rights of the United States Department of Health and Human Services is responsible for determining the penalty amount of each civil HIPAA violation according to the nature of the breach and the harm that has resulted. However, the OCR will be unable to impose the civil penalty for any unwitting violation that stands corrected within 30 days. Criminal infractions, on the other hand, are subject to prosecution by the Department of Justice with penalties that are correspondingly harsh.
In view of the potentially devastating penalties resulting from HIPAA violations, healthcare professionals must take care to train their office staffs in the proper handling of privileged patient information. The Department of Health and Human Services not only expects and demands such training but also refuses to take ignorance of the law as a valid excuse.
If you or your medical facility face charges of violating the HIPAA privacy rules, you need to understand the severity of the accusations and take immediate steps to fight them. The attorneys at Odgers Law Group can help to clear your name and salvage your reputation. Don’t allow HIPAA violations to wreak havoc with your practice and career. Call Odgers today at 858-869-1114 for a free consultation.