HIPAA Fines and Penalties
Fines and Civil Monetary Penalties
--------------------------------------------------------------------------------
HIPAA is enforced by the Office for Civil Rights of the Department of Health and Human Services (HHS). See 42 U.S.C. §§ 1320d-5, 1320d-6
HIPAA provides severe civil and criminal penalties for violations:
Fines of up to $250,000
Up to ten years in prison
--------------------------------------------------------------------------------
For a violation of section 1176 of HIPAA, HHS can impose civil monetary penalties on a covered entity that violated the Amended Privacy Rule. See Part C of Title 11 of the Act. The penalty is $100 per knowing failure to comply with a requirement of the Amended Privacy Rule. That penalty may not exceed $25,000 per year for multiple violations of the identical requirement of the Amended Privacy Rule.
--------------------------------------------------------------------------------
The procedural provisions of section 1128A of the Social Security Act (Civil Monetary Penalties) apply to the imposition of these penalties. The Act also establishes penalties for any person who normally misuses the unique health identifier or who obtains or discloses individually identifiable health information in violation of this part.
--------------------------------------------------------------------------------
Misuse of individually identifiable health information carries potential criminal penalties. HIPAA provides that a "person who knowingly ... obtains individually identifiable health information" or "discloses individually identifiable health information to another person" in violation of HIPAA faces a fine of $50,000 and up to 1 year imprisonment. The criminal penalties increase to $100,000 and up to 5 years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years in prison if the wrongful conduct involves the "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm."
--------------------------------------------------------------------------------
HIPAA Privacy regulations not only govern entities that have direct access to patient protected health information (i.e., the "covered entities"), but they also indirectly govern the "business associates," which receive protected health information from the covered entities. The HIPAA Privacy Rule requires the discloser and the recipient of the patient information to enter into written agreements under which, among other things, the business associate will protect the patient information, provide access to the patient information, and cooperate with the covered entity in responding to audit and other investigations.
--------------------------------------------------------------------------------
The law provides no private cause of action for patients who wish to sue under the Act. They must bring their complaint to the Office for Civil Rights, which will conduct an investigation.
--------------------------------------------------------------------------------
Resources:
Hayman, Dissecting A Health Care Fraud Investigation, 1129 PLI/Corp 223-244 (June 1999).
Faddick, Health Care Fraud and Abuse: New Weapons, New Penalties, and New Fears for Providers Created by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 6 Annals Health Law 77-103 (1997).
PLI, Department of Health and Human Services Documents, 1111 PLI/Corp 429-865 (1999); PLI Order No. B0-009J (April 1999).
Meador, Health Care Fraud and Abuse, 1175 PLI/Corp 21-80; PLI Order No. B0-00IUL (May 1-2, 2000).
Teplitzky, Medicare and Medicaid Fraud and Abuse Issues, 741 PLI/Comm 397-431, PLI Order No. A4-4502 (1996).
Rovner, Health Care Fraud and Abuse Control after HIPAA, 9 No. 6 Health Law 17-23 (1997).