Patient Data is valuable…
Patient data is valuable, and training and security awareness are vital in the fight against the risk of a data breach. Most employees do not intentionally cause a breach. A breach happens because staff do not know what should and should not be done with any device that accesses protected health information (PHI).
Policies, procedures, and education are the key to HIPAA compliance and are necessary to protect patient data. Layers of security are also necessary to protect this valuable information.
The layers of security that you will need depend upon your organization. Among the determining factors are how data flows in and out of your network, which systems store or transmit PHI, and who can access them. A thorough risk analysis (itself required by the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A)) will help you determine what security measures are needed.
What are the Consequences of Non-Compliance?
“This final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Enforcement will have a major financial impact on healthcare providers as well as their business associates. Non-compliance with HIPAA brings the risk not only of fines and penalties but of possible legal action against the individual or company involved, including class action lawsuits and even jail time. Civil penalties can be imposed even if you did NOT know you were in violation; criminal penalties, described below, require that the information was obtained or disclosed knowingly.
Civil penalties are tiered by the level of culpability. The base amounts set by the Omnibus Rule are:

HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect, but the violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect that is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

Note: $100 per violation with an annual maximum of $25,000 is also the maximum that can be imposed by State Attorneys General, regardless of the type of violation. The dollar amounts above are the figures as originally published; HHS has since adjusted them annually for inflation, so check the current amounts in 45 CFR 102.3 before quoting them.
Criminal Penalties
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA (42 U.S.C. 1320d-6). Covered Entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow the penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of up to $250,000 and imprisonment for up to ten years.
Covered Entity and Specified Individuals
The DOJ concluded that the criminal penalties for a violation of HIPAA apply directly to Covered Entities, including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of a Covered Entity that is not itself an individual may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual within a Covered Entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.