When covered entities “knowingly” violate HIPAA Rules, what is the financial penalty and when are fines issued? It is important to know the answers to these questions as these relate to the safety and integrity of people’s healthcare information.
The Health Insurance Portability and Accountability Act, or HIPAA, is a federal law that healthcare organizations and healthcare employees need to follow. It demands the development of policies and procedures that protect patient privacy. It requires the implementation of safeguards that ensure the integrity, confidentiality and availability of protected health information, or PHI. HIPAA restricts the use and disclosure of PHI. Certain rules apply as to who can get copies of health information. It also protects the rights of patients to get copies of their personal health data.
The following are covered by the HIPAA rules: healthcare providers, health plans, healthcare clearinghouses and business associates, including vendors and suppliers that access PHI to perform their contracted duties. If these covered entities fail to comply, there can be severe financial penalties, especially when HIPAA is “knowingly” or consciously violated with intent.
A civil penalty tier system is used as the basis for the penalty issued to healthcare organizations when HIPAA rules are violated. The civil penalty for conscious violation of HIPAA rules is $50,00 up to $1.5 million per violation category. The following are used as the basis for issuing civil penalties:
- the nature and extent of the violation
- the number of individuals affected
- the harm caused to the affected individuals
It’s not just healthcare organizations that have to face civil penalties. Healthcare employees who violate HIPAA rules can also be fined. The Office for Civil Rights can issue the following penalty amounts to healthcare employees:
- $100 per violation when the employee is unaware of the violation and up to $25,000 for repeat violations
- $1,000 per violation if there is reasonable cause and up to $100,000 for repeat violations
- $10,000 if there is willful neglect of HIPAA rules where the violation was corrected and up to $250,000 for repeat violations
- $50,000 per violation for willful neglect with no correction and up to $1.5 million for repeat violations
When there are criminal violations of HIPAA rules, the Office for Civil Rights will refer the cases to the Department of Justice. Directors, officers and employees can be criminally liable under the principle of corporate criminal liability. If these individuals are not directly liable, they can be charged with conspiracy or aiding and abetting.
Penalty tiers are based on the extent to which the employee was aware of the HIPAA violation. The lowest tier attracts a penalty of up to $50,00 and/or up to one year imprisonment. If the HIPAA violation is committed under false pretenses, the fine can be up to $100,000 and/or up to 5 years imprisonment. The civil penalty for knowingly violating HIPAA rules is up to $250,000 and/or up to 10 years jail term. An example of this violation is the stealing of PHI with the intent to sell, transmit or use the information for personal gain, commercial advantage or malicious harm. If aggravated identity theft is involved, 2 years are added to the punishment. Also, patients who have been defrauded must be paid restitution.