Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties

Tuesday, November 11, 2014
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Even though a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security provisions does not allow a private civil cause of action, it does carry civil and criminal penalties. Anyone who is a health care professional or facility, or deals with a health care professional or facility, should be aware of these legal provisions.


Criminal Penalties for HIPAA Violations.

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to 10 years.


Increase in Civil Penalties for HIPAA Violations.


The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law in 2009, establishes a tiered civil penalty for HIPAA violations. The Secretary of the Department of Health and Human Services (DHHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. However, the Secretary remains prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).

The following chart outlines the ARRA tiered civil penalty structure for HIPAA violations.


HIPAA Violation: Individual did not know that he/she violated HIPAA and, by exercising reasonable diligence, would not have known.
Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations. Note: This is the maximum penalty that can be imposed by the State Attorney General regardless of the violation.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA Violation: HIPAA violation due to reasonable cause and not due to willful neglect.
Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA Violation: HIPAA violation due to willful neglect, but the violation is corrected within the required time period.
Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA Violation: HIPAA violation due to willful neglect and not corrected.
Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.



Who Can Be Held Liable for HIPAA Violations?


The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, he/she can still be charged with conspiracy or aiding and abetting.


What is the Definition of "Knowingly"?

The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge that an action violates the HIPAA statute is not required.


HIPAA Violations Can Lead to Medicare Exclusion.

DHHS has the authority to exclude from the Medicare Program a health care provider in violation of HIPAA laws, as well as any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (68 Fed. Reg. 48805).

This is a powerful tool. Medicare exclusion can be a death sentence for a health care provider.


What Agencies Enforce HIPAA Regulations?

The HHS Office for Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid Services (CMS) enforce both the transaction and code set standards and the security standards (65 Fed. Reg. 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.



Comments?


Have you ever received discipline for a HIPAA violation? Do these penalties seem harsh to you? Please leave any thoughtful comments below.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.


About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Tag Words: Health Insurance Portability and Accountability Act (HIPAA), HIPAA Omnibus Rule, HIPAA compliance, data security, protected health information (PHI), Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), patient rights, HIPAA compliance audit, HIPAA violation, penalties for HIPAA violation, criminal penalties for HIPAA violation, civil penalties for HIPAA violation, HIPAA compliance, privacy, defense attorney, defense lawyer, Medicare exclusion, HIPAA defense attorney, HIPAA violation help, American Recovery and Reinvestment Act of 2009 (ARRA), Department of Justice (DOJ), HIPAA attorney, HIPAA lawyer, compliance plans, health law firm, The Health Law



"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

