Penalties for Violations of the HIPAA Privacy Rule

In December 2000, the Department of Health and Human Services (DHHS) established the final Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). The Privacy Rule protects a patient's private medical information by setting safeguards that "covered entities" must use when electronically transmitting the information. Covered entities include health care providers such as hospitals and doctors' offices, as well as health plans and health care clearinghouses.
Considerations

The DHHS's Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy Rule. The OCR conducts investigations and compliance reviews. When the OCR finds that a covered entity has violated the Privacy Rule, it bases its judgment and penalties on a few key factors: the date of the violation, the covered entity's knowledge of its failure to comply, and whether the covered entity was willfully neglectful.

Civil Penalties

The OCR may assess monetary fines of $100 to $50,000 or more for a violation of the Privacy Rule. In one calendar year, a covered entity cannot be fined more than $1,500,000. When a covered entity is notified that it has violated the Privacy Rule, it may avoid a fine by correcting the offense within 30 days.

Criminal Penalties

Criminal penalties for violating the HIPAA Privacy Rule vary depending on the severity of the offense. A person may be fined $50,000 and spend up to one year in jail for knowingly obtaining or disclosing protected health information. If false pretenses were involved, the fine may be raised to $100,000 and the jail time may increase to five years. The most severe penalty is reserved for someone found guilty of obtaining or disclosing protected health information with the intent to sell, transfer or use the information for monetary or personal gain, or to cause malicious harm.
