Patient Data is valuable…
Patient Data is valuable…training and security awareness is vital in the fight against the risks of a data breach. Most employees do not intentionally cause a breach. A breach happens due to the lack of knowledge of what should and should not be done with any device that accesses protected health information.
Policies, procedures, and education is the key to HIPAA Compliance and necessary in protecting patient data. Layers of security are also necessary in protecting this valuable information.
The layers of security that you will need will depend upon your organization. Some of the determining factors are how data flows in and out of your network. A system wide thorough risk analysis will help you to determine what security measures are needed.
What are the Consequences of Non-Compliance?
Enforcement has a major financial impact on healthcare providers as well as their business associates. Non-compliance with HIPAA brings the risks of not only fines and penalties but possible legal action against the individual or company involved. This can include class action lawsuits and actually jail time. This is all possible even if you did NOT know you were in violation. Each year, these minimum and maximum penalties are reviewed and adjusted. Please note, that each state attorney general can impose fines based on their state privacy laws as well.
HIPAA Violation
Tier 1: Individual did not know (and by exercising reasonable diligence would not have known)
that he/she violated HIPAA
Tier 2: HIPAA violation due to reasonable cause and
not due to willful neglect
Tier 3: HIPAA violation due to willful neglect but violation is corrected within the required time period
Tier 4: HIPAA violation is due to willful neglect and is not corrected
Minimum Penalty
$145 per violation, with a maximum of $73,011
per violation.
$1,461 per violation, with a maximum of $73,011
per violation.
$14,602 per violation, with a maximum of $73,011
per violation.
$73,011 per violation, with a maximum of $2,190,294
per violation.
Maximum Penalty
$73,011 per violation, with an annual maximum of $2,190,294 for identical violations.
$73,011 per violation, with an annual maximum of $2,190,294 for identical violations.
$73,011 per violation, with an annual maximum of $2,190,294f or identical violations.
$73,011 per violation, with an annual maximum of $2,190,294 for identical violations.
Criminal Penalties
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered Entities and specified individuals, as explained below, whom “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
Covered Entity and Specified Individuals
The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to Covered Entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the Covered Entity, where the Covered Entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a Covered Entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.
Click here to learn more how we can work together and get HIPAA compliant