In incidents of non-compliance, an organization must reach a resolution agreement with the U.S. Department of Health and Human Services (HHS). This is a signed contract in which the organization agrees to perform certain obligations, such as staff training or reporting requirements, generally for three years. During that period, HHS monitors compliance. A resolution agreement would likely include a penalty payment. According to the HHS website, these agreements are reserved for investigations with more serious outcomes. Absent a resolution agreement, civil money penalties may be imposed as a result of lawsuits. In a larger number of cases, a Corrective Action Plan is imposed and monitored for a period of years.
Penalties for HIPAA violations may range from $100 to $50,000 per violation of one individual’s Protected Health Information (PHI). The cap for a calendar year is $1.5 million.
Here is a link to the U.S. Office for Civil Rights (OCR) web page where you will find organizations currently under investigation for HIPAA violations.
Here is a link to an OCR web page listing recent HIPAA settlements with fines.
DISCLAIMER: MyHIPAA Guide content, including newsletters, is for informational purposes only. MyHIPAA Guide is not intended as legal advice or as a recommendation for a provider’s specific circumstances, and it is not intended as an exhaustive or definitive source on protecting health information from privacy and security risks. Providers and professionals seeking expert advice should consult an attorney and/or a risk assessment professional.
NOTICE TO READERS: We will do our best to report updates on HIPAA rules as quickly as possible following public notifications. In submitting questions or comments to MyHIPAAGuide.com, NEVER SEND THE PROTECTED HEALTH INFORMATION OF A PATIENT.
Copyright © by M.E.D. Media Mart LLC - Published by M.E.D. Media Mart LLC.