Guest kredlin
Posted

If an entity is a covered entity under HIPAA and has a known operational error that results in violations of HIPAA so that criminal penalties are appropriate, who in the entity would be subject to serving prison time? For example, assume a health plan has an automated system that sends claims information to participants but this system is somehow flawed so that a number of claims are sent to the wrong address. The management of the entity knows about this problem, but doesn't fix it because of a high cost. Who is going to be subject to the prison time if that penalty is applied?

Posted

I haven't seen anything written about jail time, only that the maximum fine for not being in compliance with HIPAA is $100 per day, up to $25,000 annually. What kind of law do you think is being violated here that would warrant jail time?

Posted

There are both criminal and civil fines associated with HIPAA and they are both Civil Monetary Penalties.

CIVIL:

Fine of not more than $100 per violation with an annual limit per person of $25,000 for all violations of an identical requirement or prohibition

Enforced by HHS Office of Civil Rights (OCR) which may investigate complaints about a Covered Entity’s privacy practices and conduct compliance reviews

HHS may attempt to resolve noncompliance by informal means – cooperation and technical assistance

No right to private lawsuit by “injured” individual but can file complaint with HHS

Criminal:

Up to $50,000 and 1 year in jail for knowing misuse of a unique health identifier or obtaining or disclosing PHI

Up to $100,000 and 5 years in jail if offense is under false pretenses

Up to $250,000 and 10 years in jail if offense is with intent to use PHI for commercial advantage

I believe the jail time would be to the CEO - they seem to be the one on the cuff for other legal issues, but I do not know. I also think it depends on how your organization is set up internally. Does anyone else?

What you are dealing with is an intentional misuse which would need to be logged for each patient for the Accounting of Disclosures for each time it happens. I would think that the fact the would be enough to get their attention!
