ATG HIPAA Security Rule Alerts
Alert #2
HIPAA Establishes Civil and Criminal Penalties for Non-Compliance
The HIPAA Security Standards apply to:
1. Health plans,
2. Health care clearinghouses, and
3. Health care providers that transmit any health information in electronic form in connection with health care transactions.
The Security Standards cover any health information pertaining to an individual that is electronically maintained or transmitted, i.e., what the final rule terms "electronic protected health information (EPHI)."
HIPAA establishes penalties for a knowing misuse of EPHI, including:
- Civil penalties of $100 per violation, up to $25,000 per year for each requirement violated.
- Criminal penalties:
  - A fine of not more than $50,000 and/or imprisonment of not more than one year;
  - If misuse is "under false pretenses," a fine of not more than $100,000 and/or imprisonment of not more than five years; and
  - If misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.
In addition to civil and criminal penalties, as in any industry where a business experiences a major security breach, other potential adverse consequences for the CE could include, but not be limited to, the following:
- Negative publicity
  Non-compliant organizations may be discussed in public media (newspaper, radio, television) for not adequately protecting their customers' EPHI.
- Loss of Customers
  Customers are increasingly aware of their rights under HIPAA and want their EPHI protected. They may refrain from doing business with organizations they believe do not adequately protect EPHI.
- Loss of Business Partners
  HIPAA requires that covered entities permit other organizations to create, receive, maintain, or transmit EPHI on their behalf only if the second organization can appropriately safeguard the information. CEs may be unwilling to exchange EPHI with organizations that do not adequately protect EPHI.
- Legal Liability
  Many attorneys are aware of HIPAA and are ready to sue on behalf of clients whose rights are violated. For the first time ever, the federal government has put forth a set of requirements prescribing how EPHI must be protected. Attorneys are prepared to use these requirements to file civil suits against non-compliant CEs.
THE LAW
45 CFR Part 160
Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings
AGENCY: Office of the Secretary, HHS.
SUMMARY: This interim final rule establishes rules of procedure for the imposition, by the Secretary of Health and Human Services, of civil money penalties on entities that violate standards adopted by the Secretary under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 ("HIPAA"). We intend that this be the first installment of a rule that we term the "Enforcement Rule." The Enforcement Rule, when issued in complete form, will set forth procedural and substantive requirements for imposition of civil money penalties. In the interim, we are issuing these rules of procedure to inform regulated entities of our approach to enforcement and to advise regulated entities of certain procedures that will be followed as we enforce the Administrative Simplification provisions of HIPAA.
HIPAA's civil money penalty ("CMP") provision authorizes the Secretary to impose CMPs, as follows: IN GENERAL. Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part [42 U.S.C. 1320d et seq.] a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
PROCEDURES. The provisions of section 1128A [42 U.S.C. 1320a-7a] (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.