HIPAA provides for civil and criminal penalties for failing to comply with the regulation, as previously stated. These penalties are authorized under 42 U.S.C. §§ 1320d-5 and 1320d-6. How the penalties are enforced, and the degree to which they are enforced, depends on the actions a covered entity took as soon as it became aware of violations of the HIPAA rule.
Fines begin at $100.00 per violation, not to exceed a maximum of $25,000 per year per person for the same violation. When assessing fines, consideration is given to whether:
the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision
the failure to comply was due to reasonable cause and not to willful neglect
the failure is corrected within thirty days of the date that the person (or organization) liable for the penalty knew, or by exercising reasonable diligence would have known, of the failure
The Secretary of the Department of Health and Human Services can also:
extend the time period for compliance
provide technical assistance to meet compliance
waive or reduce penalties based on the nature and extent of a compliance failure, and whether the failure was due to reasonable cause and not neglect
The consequences for criminal violations of the HIPAA rule include fines and imprisonment. The severity of the penalty is based on the person's intent when the violation occurred.
If a person discloses or obtains protected health information under false pretenses, the penalties:
begin at a $50,000 fine, one year of imprisonment, or both
escalate to a $100,000 fine, five years of imprisonment, or both
Stricter consequences apply if the person's intent was to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. The penalties for these actions are:
$250,000 fine
ten years imprisonment
or both
The HIPAA rule is not meant to supersede State law. Whenever a State's privacy rule is stricter, the State rule remains in force. If there is no State law, the HIPAA rule is used as the basis for protecting an individual's health information. Covered entities, working with their legal representatives, are encouraged to develop comprehensive policies and procedures based on the HIPAA rule and their State's privacy and security laws to protect themselves from possible litigation.
Metropolitan areas offer individuals a broader choice of covered entities, so it is easy for them to change providers based on a perception of non-compliance with the HIPAA rules. In smaller communities, where the customer base does not support multiple vendors, individuals will choose the provider who protects their protected health information, forcing other providers out of business.