HIPAA NON-COMPLIANCE PENALTIES

Penalties for Non-Compliance

Patients have the right to file a formal complaint with the U.S. Department of Health and Human Services (DHHS) if they believe a covered entity has violated HIPAA requirements. DHHS has the authority to investigate and penalize covered entities. There are civil and criminal penalties associated with HIPAA non-compliance.

If a covered entity is found in violation of HIPAA, potential consequences are:

CIVIL PENALTIES:

$100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.

CRIMINAL PENALTIES:

For knowingly violating patient privacy, the following federal criminal penalties apply: 

  • Up to $50,000 and 1 year in prison for obtaining or disclosing protected information. 
  • Up to $100,000 and up to 5 years in prison for obtaining or disclosing protected information under false pretenses. 
  • Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

Source: HIPAA: National Standards for Electronic Transactions


HIPAA is the first federal law to impose criminal penalties for improper use or disclosure of PHI. Civil penalties are also available. To impose either civil or criminal penalties for a violation of HIPAA, there must be proof that the party charged failed to comply with a requirement of the HIPAA legislation or one of its regulations. Criminal violations will be investigated and prosecuted by the United States Department of Justice and the Federal Bureau of Investigation, and violating the law with malice or for profit can carry up to 10 years in prison and a fine of up to $250,000. HHS will investigate civil violations, with penalties ranging up to $25,000 a year for any given type of violation. Since it is not yet clear how HIPAA will be enforced, it is best to fully document your company's privacy policies and procedures and why these are the correct actions for your company. This documentation can serve as evidence that all reasonable steps were taken to ensure HIPAA compliance.

Receiving non-secure email messages

It depends on the situation. If you receive a sensitive message from a company or individual with whom you do not have an established relationship (e.g. a person inquiring about a health condition he has), you want to be careful about what you do with it. You should protect it, but you shouldn't face any penalties as a result of having received what is essentially an unsolicited email. If you have a regular relationship with another party that communicates PHI to your company, you need to ensure you have taken steps to manage it, or you may be taking a risk. Products that automatically encrypt all sensitive incoming and outgoing emails are good solutions for this type of situation.

HIPAA and email

The requirement to protect the privacy of PHI extends to electronic transmission of PHI between two parties, such as an email message. HIPAA does not prohibit the use of email to communicate PHI, but the law requires the individuals and organizations it regulates to assess the risks of using email and to take steps to reduce or eliminate risks that using email, both internally and externally, poses. Those risks include unauthorized interception of messages in transmission and receipt of messages by unauthorized persons. Email over the Internet can be used as long as appropriate security procedures are established.

HIPAA and email usage

The Privacy Regulations and the Security Regulations apply to the use of email because of their requirement to safeguard PHI. The Privacy Regulations, which became effective on April 14, 2003, do not specify the exact safeguards that must be adopted to protect PHI. This decision is left to the informed, reasonable judgment of the healthcare organization based on the services it provides, the technologies it uses, the risks to PHI created by the use of those technologies, and the organization's financial and administrative resources. Organizations are expected to take these kinds of factors into account to make "scalable" decisions about the safeguards they will adopt. This means you may make compliance choices based on the size, budget and operational needs of your organization. The requirement for this kind of analysis is spelled out in more detail in the Security Regulations. The Security Regulations specifically require healthcare organizations to assess their PHI-related security risks and implement appropriate safeguards to address those risks. These requirements apply to PHI in all electronic systems, including email. Covered Entities must comply with the Security Regulations by April 2005.

Encryption technology and HIPAA email

The Security Regulations do not state that email encryption is mandatory, but do specify that encryption is an "addressable specification" for controlling access to PHI. An "addressable specification" is a safeguard which is not required, but which must be considered, and implemented if it is a reasonable and appropriate safeguard. If a decision is made not to implement an addressable specification, the organization must "document why it would not be reasonable and appropriate to implement" and "implement an equivalent alternative measure if reasonable and appropriate." Encryption is usually the most prudent method other than developing and deploying your own closed network environment.

Email versus paper communication

Whether you communicate via paper or email, you are still bound by HIPAA's privacy and security regulations. Electronic communication is already the norm in most areas of business, including areas requiring high levels of privacy and security, such as financial services and the legal profession. Only you can decide if email is right for your business. When properly handled, email can be the most convenient, fast and safe method of communication. Safety Send offers a variety of secure email solutions suitable for a company of any size.