Friday, April 7, 2017

HIPAA Compliance Penalties Week #4 Blog

Last week I discussed HIPAA compliance. This week I wanted to discuss the penalties for not complying with HIPAA. When a data breach occurs, the matter falls to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The first thing to know is what constitutes a breach. A breach means “the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.” (Eisen, J. & Gulick, S., 2012). When looking at an incident, several things need to be taken into account: the persons involved (both the person who disclosed the PHI and the person who received it), the type and amount of PHI involved, whether the PHI was actually viewed or acquired, and the extent of mitigation (Health IT Security). There are some exceptions, e.g. if an employee accidentally opens and views an email sent to them, if they are already cleared to see PHI, or if there is no way the data could have been retained long enough to do any damage.

So assuming you have a breach, what penalties exist? Most penalties involve fines and, depending on the severity, can include jail time. According to the American Medical Association, fines range from $100 per violation for an unknowing offense to $50,000 per violation where there was willful neglect (see image below). Jail time could also be included. For a knowing release, imprisonment can be up to 1 year; if the release was under false pretenses, up to 5 years; and if the intent was to sell the information or use it for advantage, up to 10 years.
Figure 1: American Medical Association
Think about the monetary aspect alone: an unknowing breach costs $100 per violation, so with 100 violations you are already on the hook for $10,000. You can see how the cost could rack up quickly. This monetary impact is enough to make sure that hospitals remain HIPAA compliant. I personally don’t know whether the penalties the offenders receive are of any benefit to me if it is my information that is stolen, except that more care would be taken (at least I would hope). On top of this, the organization that caused the breach could also face litigation from the people whose information was stolen. Thus there is a major benefit in maintaining compliance.

References:
American Medical Association. HIPAA Violations & Enforcement. Retrieved from: https://www.ama-assn.org/practice-management/hipaa-violations-enforcement

Eisen, J. & Gulick, S. (2012). What is a Breach Under the HITECH Breach Notification Regulations? ABA HEALTH eSOURCE, 8(9). Retrieved from: https://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_0512_eisen.html
