What is HIPAA?
HIPAA, commonly known as the Health Insurance Portability and Accountability Act, was passed by Congress in 1996 and signed into law by President Bill Clinton. When the act was introduced, it placed several codes and guidelines on healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities in order to safeguard patients' Protected Health Information (PHI). Its main goal was to improve the effectiveness of the healthcare system and the protection of patient data. The other purpose of HIPAA was to ensure that employees would continue to receive health insurance coverage when they were between jobs.
Who Enforces HIPAA?
HIPAA enforcement falls under the domain of the U.S. Department of Health and Human Services (HHS). HIPAA compliance is enforced by the Office for Civil Rights (OCR), which is an arm of HHS. The Enforcement Final Rule of 2006 gave OCR the power to issue monetary penalties to healthcare agencies and organizations that fail to comply with HIPAA.
Covered entities that fall under HIPAA enforcement range from small doctors' offices to insurance companies to hospitals. This law was first introduced in 2003, and since then OCR has received over 180,000 violation reports and has successfully resolved around 97% of them.
HIPAA Violation Penalty Structure
OCR considers many factors when deciding the penalty against a covered entity. Factors such as the time period over which the violation occurred, the total number of people affected, the type of information exposed, the financial means of the organization, and how much damage was done by the breach are all considered when levying the penalty. OCR also considers how seriously the agency cooperated with the investigation.
Penalties for violations
The fines are issued per violation category, per year that the violation was allowed to persist.
- HIPAA violation: Unknowing
  - Minimum fine of $100 per violation, up to $50,000
- HIPAA violation: Reasonable Cause
  - Minimum fine of $1,000 per violation, up to $50,000
- HIPAA violation: Willful neglect, but the violation is corrected within the required time period
  - Minimum fine of $10,000 per violation, up to $50,000
- HIPAA violation: Willful neglect that is not corrected within the required time period
  - Minimum fine of $50,000 per violation, up to $1.5 million