HIPAA & HITECH Act Sanctions & Penalties

Today I had the great pleasure and opportunity to do a podcast with Alexander Howard over at TechTarget discussing HIPAA and the HITECH Act…

Among the many things we discussed were the penalties and sanctions under the HITECH Act. I wanted to provide a little bit of information about this, since it is a somewhat misunderstood issue.
It is my understanding that the penalties are the same as they are under HIPAA for covered entities (CEs), and also now for business associates (BAs), under the new expanded HITECH Act requirements.
These are…
A tiered increase in the amount of civil monetary penalties (from section 13410(d)):
Where the person did not know, and by exercising reasonable diligence would not have known, that such person violated a provision:

  • $100 for each violation
  • The total amount per calendar year for all such violations of an identical requirement may not exceed $25,000

Where the violation was due to reasonable cause and not to willful neglect:

  • $1,000 for each violation
  • The total amount per calendar year for all such violations of an identical requirement may not exceed $100,000

Where the violation was due to willful neglect and was corrected:

  • $10,000 for each violation
  • The total amount per calendar year for all such violations of an identical requirement may not exceed $250,000

Where the violation was due to willful neglect and was not corrected:

  • $50,000 for each violation
  • The total amount per calendar year for all such violations of an identical requirement may not exceed $1,500,000

The HHS Secretary will base the amount of the penalty on:

  • The nature and extent of the violation
  • The nature and extent of the harm resulting from such violation

Penalties and enforcement measures applicable to vendors of personal health records (PHRs) and other non-HIPAA CEs and BAs:
  • Violations of the breach notification provisions related to PHR identifiable health information will be handled as directed under section 13407(e); they will be treated as unfair and deceptive acts or practices under the Federal Trade Commission Act.

NOTE: The FTC penalties and sanctions have been aggressive in the past few years, with fines often ranging from hundreds of thousands to millions of dollars, in addition to consent orders that typically require up to 20 years of verifiable compliance activities.
