Penalties for non-compliance have increased with the enactment of the Omnibus Final Rule, which details and implements significant changes as outlined within the HITECH Act signed into law in 2009. The U.S. Department of Health & Human Services (HHS) Secretary no longer has discretion on whether to investigate a complaint if a preliminary review of the facts indicates a possible violation of “willful neglect.” If not corrected, the maximum penalty under the Civil Monetary Penalty (CMP) System must be assessed within 30 days of discovery.
The CMPs collected under the HITECH Act are required to be funneled back into the HHS's enforcement budget. The HITECH Act strengthens enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. The tiered structure for imposition of CMPs under the HITECH Act and Final Rule distinguishes the level of culpability as follows:
- Unknowing: The covered entity or business associate did not know and reasonably should not have known of the violation.
- Reasonable Cause: The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
- Willful Neglect (Corrected): The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
- Willful Neglect (Uncorrected): The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.

The corresponding tiers of CMP relating to each level of culpability are as follows:
| HIPAA Violation | Penalty |
|---|---|
Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation. | $100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year |
The HIPAA violation had a reasonable cause and was not due to willful neglect. | $1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year |
The HIPAA violation was due to willful neglect but the violation was corrected within the required time period. | $10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year |
The HIPAA violation was due to willful neglect and was not corrected. | $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year |
HIPAA – HITECH CRIMINAL PENALTIES
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.