HIPAA
Penalties and Fines
What is your responsibility regarding PHI as an employee? Part of it is to report any privacy or security breach involving PHI to your supervisor or to the person responsible for HIPAA security. Beyond that internal report, a breach of unsecured PHI must be reported to the affected individuals, to the Secretary of Health and Human Services, and, in certain circumstances, to the media. A business associate must notify the covered entity when a breach occurs on its side.

What must a covered entity do when a breach has occurred? It must notify affected individuals following the discovery of a breach of unsecured protected health information. Individual notice must be given in written form by first-class mail, or by e-mail if the individual has agreed to receive such notices electronically. It must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.

The notification must include, to the extent possible: a brief description of the breach; a description of the types of information involved; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity or business associate, as applicable.

If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute notice either by posting the notice on the home page of its web site for at least 90 days or by publishing it in major print or broadcast media where the affected individuals likely reside.
That substitute notice must include a toll-free telephone number, active for at least 90 days, that individuals can call to learn whether their information was involved in the breach. If the contact information is insufficient or out of date for fewer than 10 individuals, the covered entity may give substitute notice by an alternative form of written notice, by telephone, or by other means.

What penalties apply to violations of the Privacy Rule? The Department of Health and Human Services, Office for Civil Rights (OCR), administers and enforces the standards and may conduct complaint investigations and compliance reviews. Civil penalties are assessed per violation, and they can be "stacked" when there are multiple violations with respect to a single individual. The amount depends on the level of culpability: civil penalties range from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of an identical provision (these figures are periodically adjusted for inflation). Criminal penalties apply to knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA: up to $50,000 and one year in prison for the base offense, up to $100,000 and five years when the offense is committed under false pretenses, and up to $250,000 and ten years when it is committed with intent to sell the information or for commercial advantage, personal gain, or malicious harm. State laws may impose additional penalties for the same conduct, and most states also allow common-law tort suits, such as invasion of privacy and infliction of emotional distress, among other causes of action.

In a recent case, a hospice organization paid $50,000 to settle violations of the HIPAA Security Rule after an unencrypted laptop containing the electronic protected health information of 441 patients was stolen. Laptops containing PHI were regularly used by the organization in its field work. The investigation found that the organization had not conducted a risk analysis to safeguard PHI.
Further, it had no policies or procedures addressing mobile device security, as the Security Rule requires. Note that the notification requirements above apply to unsecured PHI: PHI that has been encrypted in accordance with HHS guidance is not considered unsecured, so the loss of a laptop whose disk is properly encrypted, with the key not stored on the device, does not by itself trigger breach notification. That is why full-disk encryption of portable devices is one of the first safeguards to verify.

Security of information is a necessity in today's world. Every participant in the health care industry should want to prevent unauthorized use of sensitive health information. The Security Rule requires covered entities, including small providers, to implement reasonable and appropriate measures that enable them to comply with HIPAA rules and avoid costly penalties and fines.