HIPAA Civil Penalties
Caps on penalties for HIPAA violations by covered entities were increased in 2009 by the enactment of the HITECH Act. Covered entity civil penalties are “tiered” as follows:
- No knowledge of HIPAA violation – $100-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
- A reasonable cause of the HIPAA violation exists – $1,000-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
- The HIPAA violation was caused by willful neglect but timely corrected – $10,000-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
- The HIPAA violation was caused by willful neglect but not timely corrected – $50,000 or more for each violation, up to a maximum of $1.5 million during a calendar year.
The HITECH Act also offers incentives to encourage patients to report HIPAA violations, similar to those offered in qui tam cases. This allows patients who have been impacted by HIPAA violations to collect a portion of the civil monetary penalty that is imposed against a violator. However, there are three very important exceptions to collecting on this penalty:
- The offense is punishable under HIPAA criminal provisions;
- The violator did not know and, by exercising reasonable diligence, would not have known of the violation; or
- The failure to comply is caused by “reasonable cause” rather than “willful neglect” and the alleged violator takes action to cure the failure during the first 30 days following actual knowledge of the noncompliance or when the person should have known of the noncompliance.
HIPAA Criminal Penalties
Although the DHHS Office for Civil Rights enforces the civil penalties for HIPAA violations, the Department of Justice is the agency in charge of enforcing HIPAA’s criminal penalties. As with the civil penalties, the nature of the HIPAA violation determines the severity of the criminal sanctions:
- If a person knowingly, and in violation of the Privacy Rule, discloses PHI to another individual, they face a base penalty of up to $50,000 in fines and up to a year in prison, or both;
- If the offense is committed under false pretenses, they can be fined up to $100,000 and face up to five years in jail, or both;
- If the offense is committed with an intent to sell or otherwise use PHI for commercial advantage, personal gain or malicious harm, they can be fined up to $250,000 and face up to 10 years in jail, or both.
Private Cause of Action
After passage of the HITECH Act, individuals now have a more direct path to remedy HIPAA violations that have been committed against them. The Attorney General of each state now has the authority to seek sanctions for HIPAA violations committed against a resident of their state. The Attorney General can seek statutory damages of $100 per violation up to a maximum of $25,000 total in damages. In addition, a state Attorney General can seek compensation for attorney fees accumulated through the course of the civil action. The new authority given to state Attorneys General does not displace HIPAA’s own process for individual complaints. Any individual’s HIPAA complaint can still cause the DHHS Office for Civil Rights, CMS, or the Department of Justice to investigate and respond to the violation on their own.
Other State Law Remedies
HIPAA violators not only face ramifications stemming from the statute itself but also face liability under any other state laws that are triggered as a result of the violation. Thus there is a potential compounding effect of penalties from a single HIPAA violation. HIPAA compliance is of utmost importance for any health care provider or medical practice. The best way to avoid penalties is to ensure that your policies and practices are airtight. If you have questions, contact our Atlanta health care law firm at (404) 685-1662 (Atlanta), (706) 722-7886 (Augusta), or info@littlehealthlaw.com to schedule a consultation.
*Disclaimer: Thoughts shared here do not constitute legal advice.