Software for HIPAA
HIPAA Enforcement Rule and Violations
The HIPAA Enforcement Rule stems directly from the HITECH Act provisions that distinguish between violations occurring before, and on or after, the compliance date "with respect to the potential amount of civil money penalty and the affirmative defense available to covered entities," according to the rule.
HITECH describes "improvements" to existing HIPAA law: covered entities, business associates and others are subject to more rigorous standards when it comes to protected health information (PHI). The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.
Specifically, the HITECH Act addresses five main areas of the HIPAA regulations:
Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates
Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates
Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing
Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods
Mandates that the new security requirements must be incorporated into all Business Associate contracts
The four categories used for the penalty structure for HIPAA violations are as follows:
Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA rules
Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care, but falling short of willful neglect of HIPAA rules
Category 3: A violation suffered as a direct result of "willful neglect" of HIPAA rules, in cases where an attempt has been made to correct the violation
Category 4: A violation of HIPAA rules constituting willful neglect, where no attempt has been made to correct the violation
HIPAA Penalty Fines
Each category of violation carries a separate HIPAA penalty, as follows:
Category 1: Minimum fine of $100 per violation up to $50,000
Category 2: Minimum fine of $1,000 per violation up to $50,000
Category 3: Minimum fine of $10,000 per violation up to $50,000
Category 4: Minimum fine of $50,000 per violation
Fines are issued per violation category per year that the violation was allowed to persist. The maximum fine per violation category per year is $1,500,000.
HIPAA Criminal Penalties
Criminal HIPAA violations are prosecuted by the Department of Justice, and are based on a 3-tier system:
Tier 1: Reasonable cause or no knowledge of violation: up to 1 year in prison
Tier 2: Obtaining PHI under false pretenses: up to 5 years in prison
Tier 3: Obtaining PHI for personal gain or with malicious intent: up to 10 years in prison
State attorneys general are cracking down on data theft and are likely to make examples out of individuals found to have violated HIPAA Privacy Rules. A prison term for the theft of HIPAA data is therefore highly likely. All work staff likely to come into contact with PHI as part of their duties should be informed of the HIPAA criminal penalties.