What Is the Penalty for a HIPAA Violation? Can You Get Jail Time?

• Example of HIPAA Violation
• Legislative Basis
• Consequences of HIPAA Violations – Civil Penalties
• HIPAA Criminal Penalties – Can You Be Imprisoned?
• Covered Entities & Individual People
• “Knowingly”
• Exclusion & Upholding the KLaw
• Choosing a Compliance Partner

Example of HIPAA Violation

Those who follow Healthcare IT news will often see stories about large HIPAA settlements by the US Department of Health & Human Services, such as the $4.8 million HIPAA fines against Columbia University and New York Presbyterian Hospital in early 2014. No situation is the same, and not all settlements will be as severe as that one. In the Columbia University case, PHI was actually posted to the public Internet, with patient files accessible directly through search engines.

If your organization is found to be in violation of HIPAA, you won’t necessarily have to pay millions of dollars. What are the general parameters for violations?

Legislative Basis

The OCR and Centers for Medicare & Medicaid (CMS) are authorized to enforce HIPAA, and the extent of settlements can be quite frightening, including civil and criminal judgments.

The stimulus package that was adopted in 2009, called the American Recovery and Reinvestment Act (ARRA), detailed the specific minimum and maximum limits for healthcare privacy and security violations.

“The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty,” according to the American Medical Association, “based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.”

However, there is an exception: if the agency determines that you were not purposely neglectful, you will have one full month to rectify the situation.

Consequences of HIPAA Violations – Civil Penalties

	HIPAA Violation	Minimum Penalty	Maximum Penalty
Scenario #1	The organization or employee  was unaware that they were in violation of the law, despite operating soundly	$100 for each instance of noncompliance, up to $25,000 total (the highest amount that can be assessed by an attorney general at the state level)	$50,000 for each instance, totaling up to $1.5 million
Scenario #2	The company was noncompliant not because of purposeful neglect but because of unexpected causes	$1000 for each instance, up to $100,000 total	$50,000 for each instance, totaling up to $1.5 million
Scenario #3	Purposeful neglect occurred, but the company took corrective action within an acceptable time window	$10,000 for each instance, up to $250,000 total	$50,000 for each instance, totaling up to $1.5 million
Scenario #4	Purposeful neglect occurred, and the company did not implement the steps of a corrective plan	$50,000 for each instance, up to $1.5 million total	$50,000 for each instance, totaling up to $1.5 million

HIPAA Criminal Penalties – Can You Be Imprisoned?

The Department of Justice specifically established criminal parameters for HIPAA law violations in June 2005.

“Covered entities and specified individuals … who ‘knowingly’ obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000,” explained the AMA report, “as well as imprisonment up to one year.”

Sentencing can be more severe, though. Anything that violates the law and involves deception carries a maximum sentence of $100,000 and/or five years imprisonment. Violations that occur because an individual plans to use the data for their own gain or for malevolent reasons are penalized with judgments up to $250,000, accompanied by prison sentences as high as ten years.

Covered Entities & Individual People

The Department of Justice decided that if it is determined that a crime has been committed, covered entities (healthcare plans, data clearinghouses, and providers) can be held directly liable. Leadership at a covered entity can also be subject to criminal investigation and sentencing by piercing the corporate veil. Even if someone in an executive position at a company where misuse takes place didn’t do anything that was specifically noncompliant, they still may be guilty as a co-conspirator or accomplice.

“Knowingly”

The Department of Justice specifically targeted a word within the HIPAA crime provisions that is a source of confusion: what does knowingly mean?

Knowingly refers to the highest criminal penalty situation listed above, the “for their own gain” scenario (bolded above). According to Law360, “Under the statute, covered entities and individuals who ‘knowingly’ obtain or disclose individually identifiable health information with the intent to” profit from it or hurt someone face the stiffest penalties.

The Department of Justice clarified in 2005 that the word referred to knowledge of HIPAA law rather than knowledge of a particular instance of noncompliance.

Exclusion & Upholding the Law

The federal government can remove any healthcare plan, provider, or clearinghouse from the Medicare system if they have not adopted universal, standardized medical code.

In terms of enforcement, the OCR identifies and punishes for HIPAA privacy violations. The Centers for Medicare & Medicaid (CMS) oversees security and uniform code.

Choosing a Compliance Partner

As you see above, the consequences of violating HIPAA can be kind of extreme. Even if you don’t get fined millions, it’s not a great way to spend money; and it’s not fun to end up on the HIPAA Wall of Shame.

That’s why it’s extraordinarily important to choose a technological partner that specializes in healthcare HIPAA Compliance Hosting like Atlantic.Net. Our SSD Cloud Servers offer 100% uptime guarantee and can launch in under 30 seconds.

By Moazzam Adnan