Slide content: Penalties
- Enforced by HHS Office for Civil Rights
- Penalties higher for willful neglect (i.e., offender knew about violation or was recklessly indifferent)
- Original HIPAA criticized for modest penalties and minimal prosecutions
- HITECH increased severity of penalties: tiered penalty structure ranging from $25,000 to $1.5 million per year, with $100 to $50,000 per violation (for each record)
Slide notes: Obviously, the HIPAA Privacy Rule must have teeth. In fact, the original HIPAA Privacy Rule was criticized for the relatively modest penalties and minimal prosecutions that took place when the rule was launched. HIPAA has a tiered penalty structure that is administered in line with the nature and circumstances of the violation. This ranges from a violation in which the individual did not know (and by exercising reasonable diligence would not have known) that HIPAA was violated all the way to the extreme circumstance in which a HIPAA violation resulted from willful neglect and with no correction implemented. The assessed penalty relates to the level of culpability characterizing the violation, which can range from $25,000 up to a maximum penalty of $1.5 million. If multiple HIPAA violations occur, penalties could surpass $1.5 million. The OCR enforces the privacy standards, while the Centers for Medicare & Medicaid Services (CMS) enforces both the transaction and code set standards and the security standards of the HIPAA regulation.