The authorities have made it a point that a strict penalty is imposed on healthcare providers in case HIPAA laws are violated. When the personal health information of any patient is unlawfully transferred from one source to another, the law imposes both, criminal and civil penalties. The civil penalties for HIPAA violations include:
The American Recovery and Reinvestment Act has designed a tiered civil penalty setup for HIPAA violations and the Secretary of the Department of Health and Human Services is allowed discretionary powers when it comes to determining the amount of the penalty based on the extent and the nature of the violation and the harm occurred due to the violation. The Secretary is refrained from imposing penalties if the violation is corrected within a month (the duration may be elastic). The penalties are:
Ignorance of the individual (and guilty of reasonable diligence was not aware of the violation):
Minimum penalty: $100 per violation, with an annual fine of $25 000 for repeat violation. It can be imposed by the State Attorneys General)
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA Violation due to reasonable cause and not willful neglect
Minimum penalty: $1000 per violation with an annual maximum of $100,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
Violation caused due to willful neglect and the violation should be corrected within the required time period
Minimum penalty: $10,000 per violation with an annual maximum penalty of $250,000for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA Violation is due to willful neglect and not corrected
Minimum Penalty: $50,000 per violation with an annual maximum penalty of $1.5 million
Maximum Penalty: $50,000 per violation with an annual maximum of $1.5 million
The Department of Justice is very clear about what kind of neglect comes under criminal penalties. Covered entities and specified individuals who violate the Administrative Simplification Regulations, may face a penalty which may go up to $50,000 and imprisonment for a year. Offenses that include the charges of “false pretenses” may be increased up to $100,000 fine with 5 years in prison. And the charges with the intent to sell, transfer or use individually identifiable health information for malicious harm or personal gain or individually identifiable health information and so on may attract fines up to $250,000 and imprisonment for up to ten years.
