Patient Data is valuable…

security_dial_350

Training and security awareness is vital in the fight against the risks of a data breach. Most employees do not intentionally cause a breach. A breach happens due to the lack of knowledge of what should and should not be done with any device that accesses protected health information.

Policies, Procedures, and Education is the key to HIPAA Compliance and necessary in protecting patient data. Layers of security are also necessary in protecting this valuable information.

The layers of security you will need depends upon your practice. At Aris, we know the proper procedures to implement to help you avoid a breach.  Let us help you determine what is best for you.

Non-Compliance Risks

“This final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Enforcement will have a major financial impact on healthcare providers as well as their business associates. Non-compliance with HIPAA brings the risks of not only fines and penalties but possible legal action against the individual or company involved. This can include class action lawsuits and actually jail time. This is all possible even if you did NOT know you were in violation.

HIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know (and by exercising
reasonable diligence would not have known)
that he/she violated HIPAA
$100 per violation, with an
annual maximum of $25,000
for repeat violations (Note: maximum
that can be imposed by State
Attorneys General regardless
of the type of violation)

$50,000 per violation, with an
annual maximum of $1.5 million

HIPAA violation due to reasonable cause and
not due to willful neglect
$1,000 per violation, with an
annual maximum of $100,000 for
repeat violations
$50,000 per violation, with an
annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation
is corrected within the required time period
$10,000 per violation, with an annual
maximum of $250,000 for repeat violations
$50,000 per violation, with an
annual maximum of $1.5 million
HIPAA violation is due to willful neglect
and is not corrected
$50,000 per violation, with
an annual maximum of
$1.5 million
$50,000 per violation, with an
annual maximum of $1.5 million

Criminal Penalties

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under Money-stethoscopeHIPAA. Covered Entities and specified individuals, as explained below, whom “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Covered Entity and Specified Individuals

The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to Covered Entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the Covered Entity, where the Covered Entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a Covered Entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.