HIPAA: Administration and Enforcement

May 2, 2022

HIPAA, the Health Insurance Portability and Accountability Act of 1996, sets stringent national standards for the privacy and security of Protected Health Information (PHI), including its electronic transmission. It is best to consult with a qualified healthcare attorney who can walk a business or organization through the process of HIPAA compliance.

The Department of Health and Human Services and, within it, the Office for Civil Rights (the "OCR") are responsible for administering and enforcing HIPAA and may conduct investigations and compliance reviews. Consistent with the principles for achieving compliance set out in the Privacy Rule, the OCR will seek the cooperation of covered entities and business associates, and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities and business associates that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may subject a person to criminal prosecution.

Civil penalties for non-compliance under the Privacy Rule range from $100 to $50,000 per violation (or per affected record), with a maximum of $1.5 million per calendar year for violations of an identical provision. The penalty amount is calculated according to the party's level of culpability, of which there are four tiers. Listed from least to most culpable, the four tiers are: (i) the party did not know and, by exercising reasonable diligence, would not have known of the violation; (ii) the party knew, or by exercising reasonable diligence would have known, of the violation, but did not act with willful neglect; (iii) the party acted with willful neglect but corrected the violation within 30 days; and (iv) the party acted with willful neglect and failed to correct the violation in a timely manner.

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm. The US Department of Justice is responsible for criminal prosecutions under HIPAA.

Matt DeNoncour is the owner of Magis Law Firm, a solo law firm based in Boston, MA, where he provides legal services to the healthcare, biotechnology, and business communities. You can reach Matt at magislawfirm.com, by phone at 857-242-6826 or by email at matt@magislawfirm.com. This post is not meant to be legal advice.
