Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties
Tuesday, November 11, 2014
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law
Even though a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security provisions does not allow a private civil cause of action, it does carry civil and criminal penalties. Anyone who is a health care professional or facility, or deals with a health care professional or facility, should be aware of these legal provisions.
Criminal Penalties for HIPAA Violations.
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.
Increase in Civil Penalties for HIPAA Violations.
The “American Recovery and Reinvestment Act of 2009” (ARRA), signed into law in 2009, establishes a tiered civil penalty structure for HIPAA violations. The Secretary of the Department of Health and Human Services (DHHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. However, the Secretary is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).
The following chart outlines the ARRA tiered civil penalty structure for HIPAA violations.
| Category of Violation | Minimum Penalty | Maximum Penalty |
| Individual did not know that he/she violated HIPAA and, by exercising reasonable diligence, would not have known. | $100 per violation, with an annual maximum of $25,000 for repeat violations. Note: This is the maximum penalty that can be imposed by the State Attorney General regardless of the violation. | $50,000 per violation, with an annual maximum of $1.5 million. |
| HIPAA violation due to reasonable cause and not due to willful neglect. | $1,000 per violation, with an annual maximum of $100,000 for repeat violations. | $50,000 per violation, with an annual maximum of $1.5 million. |
| HIPAA violation due to willful neglect, but the violation is corrected within the required time period. | $10,000 per violation, with an annual maximum of $250,000 for repeat violations. | $50,000 per violation, with an annual maximum of $1.5 million. |
| HIPAA violation due to willful neglect that is not corrected. | $50,000 per violation, with an annual maximum of $1.5 million. | $50,000 per violation, with an annual maximum of $1.5 million. |
Who Can Be Held Liable for HIPAA Violations?
The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, he/she can still be charged with conspiracy or aiding and abetting.
What is the Definition of "Knowingly?"
The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge that an action violates the HIPAA statute is not required.
HIPAA Violations Can Lead to Medicare Exclusion.
DHHS has the authority to exclude from the Medicare Program a health care provider in violation of HIPAA laws, as well as any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (68 Fed. Reg. 48805).
This is a powerful tool. Medicare exclusion can be a death sentence for a health care provider.
What Agencies Enforce HIPAA Regulations?
The HHS Office for Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid Services (CMS) enforces both the transaction and code set standards and the security standards (65 Fed. Reg. 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.
Comments?
Have you ever received discipline for a HIPAA violation? Do these penalties seem harsh to you? Please leave any thoughtful comments below.
Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.
About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.
"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.
Comments:
Response to: Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties
Tuesday, May 24, 2016
Clarence Delaney says:
My rights under HIPAA laws were violated by a NYS Office of Mental Health knowingly, without consent and illegally. It was given to an assistant attorney general who is representing some parties in a federal lawsuit filed by me and used in a motion to dismiss or for summary judgment before discovery. I want to file criminal and civil charges against the people involved. How can I do this?
Response to: Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties
Wednesday, June 29, 2016
RELEASE OF RECORDS says:
Today I was forced to initial the following boxes when all I wanted was a copy of my 24-hour urine results:
I specially authorize release of the following information:
HIV TEST RESULTS
MENTAL HEALTH
SUBSTANCE ABUSE
GENETIC TESTING
I was told I had to initial the boxes. I said you cannot make me do that. The lady said you had to. I said you cannot make me release my protected health information, and she said I had to again. On 6-16 they had a different form that authorized the release of lab work. Today the release of lab work was removed from the form along with other normal things one would release information to. HELP, who do I report this to?
Response to: Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties
Sunday, April 29, 2018
Christe Nacy says:
Banner Health hospital released my medical records without my consent and I want to sue them.
Response to: Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties
Thursday, May 10, 2018
Kevin patrick says:
Recent visit to the hospital with no diagnosis ever of A-Fib; now I receive emails from companies etc. on A-Fib. This was unsolicited and my emails are open to screening. I'm appalled at this action taken by the hospital or pharmacist. This is a violation of my confidential HIPAA rights. I am a speech pathologist in health care.