On February 17, 2009, the American Recovery and Reinvestment Act was signed into law. This Act established a tiered set of fines for non-compliance with HIPAA, with severity based on criminal intent and individual circumstance. These are only basic guidelines: the Secretary of the Department of Health and Human Services has the right to decide the fine based on the nature and extent of the violation, as well as the extent of harm resulting from the violation. If the violation is corrected within thirty days (although this time may be extended), the Secretary is barred from imposing civil penalties unless the case is one of willful neglect. The basic tiers of violation are as follows:

Nature of Violation: Individual was not aware (and even by exercising reasonable diligence, could not have known) that he or she had violated HIPAA.

  • Minimum Penalty - $100 per violation, with a yearly maximum of $25,000 for repeat infractions.
  • Maximum Penalty - $50,000 per violation, with a yearly maximum of $1.5 million for repeat infractions.

Nature of Violation: Violation due to reasonable cause, and not willful neglect.

  • Minimum Penalty - $1,000 per violation, with a yearly maximum of $100,000 for repeated infractions.
  • Maximum Penalty - $50,000 per violation, with a yearly maximum of $1.5 million for repeat infractions.

Nature of Violation: Violation due to willful neglect, but corrected within the allotted time period.

  • Minimum Penalty - $10,000 per violation, with a yearly maximum of $250,000 for repeat infractions.
  • Maximum Penalty - $50,000 per violation, with a yearly maximum of $1.5 million for repeat infractions.

Nature of Violation: Violation due to willful neglect, and not corrected.

  • Minimum Penalty - $50,000 per violation, with a yearly maximum of $1.5 million for repeat infractions.
  • Maximum Penalty - $50,000 per violation, with a yearly maximum of $1.5 million for repeat infractions.

Criminal Penalties

In June of 2005, the US Department of Justice specified the individuals who can be criminally charged under HIPAA. Individuals and covered entities (as will be explained below) who knowingly acquire or leak sensitive health information in willful violation of the Administrative Simplification Regulations can be subject to a fine of up to $50,000 in addition to 1 year of imprisonment. Offenses committed under false pretenses allow the penalties to be raised to a $100,000 fine, in addition to up to five years imprisonment. Finally, violations committed with the intention of transferring, selling, or using individually identifiable health information for personal gain, malicious intent, or commercial advantage will result in $250,000 in fines and up to ten years imprisonment.

Individuals and Covered Entities

The DOJ concluded that groups and entities such as health care clearinghouses, Medicare prescription drug card sponsors, health plans, and caregivers who transmit sensitive medical information can be held criminally liable under HIPAA. Individual persons such as employees, officers, and directors of a covered entity can also be held criminally accountable for HIPAA violations in accordance with the principles of ‘corporate criminal liability.’

Even non-compliance without knowing can cost a business dearly. It really isn't worth the risk, and that is why so many choose a compliance agency to help them set and maintain compliance regulations under HIPAA. If you would like to seek answers for your HIPAA and other compliance questions, feel free to contact us.
