“Can I go to prison for this violation?” Quite often do I hear this question from healthcare and life science clients. Although very rare, there are occasions where some have been imprisoned for violating a provision in the Health Insurance Portability and Accountability Act (HIPAA). Frequently, I see patients filing lawsuits for the violation.
Fines are levied against the practice and are normally per occurrence. For example, if your practice has violated the law before, you can easily be fined up to $500,000, which is not covered by liability insurance.
Who ultimately enforces the laws of HIPAA, and what are the associated penalties should covered entities or businesses fail to comply? Many healthcare professionals and their staff, unfortunately, cannot answer these questions due to their vague notions of enforcement and the consequences of not adhering to the law.
Fines for a first-time infringement by someone who is unaware of the HIPAA violation can range from $100 to as high as $50,000
Violations resulting from uncorrected, willful neglect, results in fines increased ranging from $10,000 to $50,000.
However, if there is a violation that is not considered willful neglect and has been corrected within 30 days of notice, the OCR cannot impose a civil penalty.
A privacy rule infraction may be considered criminal and may also lead to prosecution by the Department of Justice if someone deliberately acquires or discloses a person’s health information with a fine of $50,000 and up to one year in jail. When an offense is committed through deception, the fine is $100,000 and a jail term of five years. Additionally, if a person’s health information is sold, transferred, used for profit, personal gain or as an intent to harm, the fines can reach as high as $250,000 and up to 10 years of imprisonment.
In view of these facts, HIPAA enforcement must be taken seriously as penalties for infractions can be financially and professionally devastating. Healthcare offices must prioritize their training efforts for all staff. There is no reason for healthcare offices to not be thoroughly trained in HIPAA regulations. If found non-compliant, HHS will not permit ignorance of the law as a defense to the violation.
One easy way to avoid violation and mediate risk is to hire a Records and Information Management Consultant. Such personnel is able to evaluate and audit your current ECM and ERM strategies and develop a phased training program for staff members.
Carl B. Johnson, Cybersecurity, Governance Specialist, and Program Manager for Federal Agencies.
Carl knows healthcare compliance and SharePoint Governance – inside and out; he’s been in the trenches for over 15 years. Carl consults with healthcare organizations to help reduce compliance risk and develop organizational governance using SharePoint and Office 365.