The consequences for noncompliance with HIPAA regulations can be substantial. The severity of the penalty varies with the infraction; both civil and criminal charges may be levied by the Office for Civil Rights (OCR). The criminal penalties for violating the HIPAA privacy standards can be found in 42 USC 1320d-6 (HIPAA Sec. 1177).
It states that:
A person who knowingly and in violation of this part:
- uses or causes to be used a unique health identifier;
- obtains individually identifiable health information relating to an individual; or
- discloses individually identifiable health information to another person,
shall be punished as provided below:
- be fined not more than $50,000, imprisoned not more than 1 year, or both;
- if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
- if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
When it comes to IT operations, compliance with HIPAA has historically been accomplished as part of more generalized security preparations. Healthcare entities generally received attention only when an individual or organization made a complaint. As Kate Norton wrote for SearchSecurity.com in 2007:

"Enforcement of the HIPAA Administrative Simplification rules is complaint-driven only — and at least for the foreseeable future. Privacy rule complaints go to the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights. The OCR handles civil penalties and refers potential criminal complaints to the Department of Justice. All other rules under Administrative Simplification, including the security rule, will be enforced by HHS' Centers for Medicare and Medicaid Services (CMS) Office of HIPAA Standards. This is true of all 'covered entities' large and small. There is no government agency or other body that officially audits proactively for HIPAA compliance."