HIPAA is an acronym for "The Health Insurance Portability and Accountability Act".
Failure to comply with HIPAA can result in civil and criminal penalties.
HIPAA violations - Civil Penalties
under HIPAA Violations of the Administrative Simplification Regulations can result civil monetary penalties of $100 per violation, up to $25,000 per year.
HIPAA violations - Criminal Penalties
In June 2005, the U.S. Department of Justice clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
HIPAA Violations - No Private Cause of Action
While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (65 FR 82566). State law, however, may provide other theories of liability.
HIPAA Violations - Enforcing Agencies
The DHHS Office of Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid (CMS) enforces both the transaction and code set standards and the security standards (65 FR 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.
HIPAA Violations - Exclusion
The Department of Health and Human Services (DHHS) has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small) (68 FR 48805).
| Email Us