Healthcare entities now have to take the protection of patient health information much more seriously than ever before, because non-compliance with HIPAA can now attract a whole range of penalties, both civil and criminal. The Standards for Privacy of Individually Identifiable Health Information, better known as the HIPAA Privacy Rule, put forth a set of national standards for the use and disclosure of individuals’ health information. This rule makes it mandatory for all covered entities and their business associates to safeguard the privacy rights of individuals and to allow them to understand and control how their health information is being used.
Healthcare entities, their associates, and their employees are bound to ensure that health information is kept fully protected. The Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for administering and enforcing these privacy standards, and has the authority to conduct investigations and review complaints whenever necessary.
OCR seeks the cooperation of covered entities in complying with the HIPAA Privacy Rule, and may also extend technical assistance if necessary to encourage voluntary compliance. However, those entities that fail to comply with the standards set by the HIPAA Privacy Rule may not only be subject to civil monetary penalties but in some cases may face criminal prosecution. Here’s a look at the civil and criminal penalties that healthcare entities may attract if found guilty of non-compliance with HIPAA.
Failure to comply with any or all of the requirements of the HIPAA Privacy Rule may lead to civil penalties. These penalties can vary significantly depending on several factors including the date of violation, likelihood of willful neglect, and knowledge of the failure to comply. Also, penalties may not exceed a calendar year cap for multiple violations of the same requirement.
However, under certain circumstances, healthcare entities may not face civil penalties. Such circumstances may include:
- Cases where ‘willful neglect’ was not the reason for the failure to comply, and corrective action was taken within a 30-day period after the entity became aware of its failure to comply with the Privacy Rule. This period may be extended at the discretion of OCR.
- Cases where a criminal penalty for the non-compliance has already been imposed by the Department of Justice.
In addition, the Office for Civil Rights may decide to reduce the penalty if the non-compliance was due to reasonable cause, and may take into account the nature and extent of the failure to comply where the full penalty would be excessive.
How is this determined?
Before imposing a penalty on a covered entity, OCR sends a notification and gives the entity a fair opportunity to present written evidence of circumstances that may reduce or bar the penalty. Such evidence has to be provided to OCR within 30 days of the date of receipt of the notice. Also, if OCR proposes to impose a penalty, the covered entity may request an administrative hearing to appeal the proposed penalty.
The Department of Justice is responsible for criminal prosecutions under the Privacy Rule. A person found guilty of wrongfully obtaining or disclosing individually identifiable health information may face criminal penalties of up to $50,000 and imprisonment of up to one year. These penalties may rise to $100,000 and five years’ imprisonment if the wrongful conduct also involves false pretences, and to $250,000 and ten years’ imprisonment if the act was committed with intent to sell, transfer, or use identifiable health information for commercial advantage, malicious harm, or personal gain.
What Should Healthcare Entities Do?
Firstly, healthcare providers and their business associates should understand the importance of protecting patient health information, and the consequences of failing to do so. They should take steps to train their employees and educate them about the need to safeguard individually identifiable information. Secondly, all healthcare providers should adopt a complete data security solution like SecureGRC that provides end-to-end security for all electronically stored data and ensures that patient data remains protected at every point, whether it resides on the healthcare entity’s systems and databases or on end-point devices such as laptops, tablets, or mobile phones.