Failing to Comply with HIPAA can Lead to Damaging Penalties:
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. OCR enforces the Privacy and Security Rules in several ways:
- Investigating complaints filed with it
- Conducting compliance reviews to determine if covered entities are in compliance
- Performing education and outreach to foster compliance with the rules’ requirements
OCR reviews the information that it gathers. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy and Security Rules. In the case of noncompliance, OCR will attempt to resolve the case with the covered entity by obtaining:
- Voluntary compliance
- Corrective action and/or
- Resolution agreement
Failure to comply with HIPAA can also result in civil and criminal penalties.
Civil Money Penalties
In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity. Covered entities have 30 days to correct the violation; HHS may extend this timeframe at its discretion. In the case of willful neglect, penalties can be imposed immediately.
CMPs are imposed based on the criteria shown in the table below:

| Violation category | Minimum penalty | Maximum penalty |
|---|---|---|
| Unknowing | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: this is the maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| Reasonable cause | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| Willful neglect, but the violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| Willful neglect, and the violation is not corrected within the required time period | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |
Criminal Penalties
Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations:

| Violation | Penalty |
|---|---|
| Unknowingly or with reasonable cause | Up to one year |
| Under false pretenses | Up to five years |
| For personal gain or malicious reasons | Up to ten years |
It is important to know that INDIVIDUALS, as well as the corporation or company, are liable under HIPAA. While these criminal penalties are available as remedies for HIPAA violations, they have not been widely used. In our next blog, we will cover some of the cases where criminal penalties were imposed and draw lessons for both individuals and their employers in health care.