Any "covered entity" that fails to comply with the privacy rule of the Health Insurance Portability and Accountability Act is subject to civil or criminal penalties, according to the American Medical Association. Covered entities include health plans, health care clearinghouses and any health care provider that transmits health information electronically, states the National Institutes of Health.
The penalties for HIPAA violations vary according to the nature and severity of the offense, explains the American Medical Association. Where the provider did not know and, despite exercising reasonable due diligence, could not have known it was violating the law, penalties range from $100 to $50,000 per violation. Violations due to reasonable cause carry penalties of $1,000 to $50,000 per violation. Willful violations carry a minimum penalty of $10,000 per violation if the violation is corrected within the designated time frame, and a minimum of $50,000 per violation if the problem is not corrected. All financial penalties are capped at $1.5 million per year. However, the Secretary of the Department of Health and Human Services has the authority to impose additional civil sanctions if the violation is severe and the issue is not corrected within 30 days.
Criminal penalties for HIPAA violations are also severe and apply to all covered entities that knowingly obtain or disclose protected health information in violation of the HIPAA privacy rule. Penalties range from a fine of up to $50,000 and up to one year of imprisonment, to a fine of up to $100,000 and up to five years of imprisonment if the violation was committed under false pretenses, notes the American Medical Association. If a covered entity violates the law for commercial or personal gain or with the intent to cause harm, the penalty increases to a fine of up to $250,000 and imprisonment for up to 10 years.