This ongoing column is dedicated to providing information to our readers on managing legal risks associated with medical practice. We invite questions from our readers. The answers are provided by PRMS, Inc., a manager of medical professional liability insurance programs whose services include risk management consultation, education, onsite risk management audits, and other resources for healthcare providers to help improve patient outcomes and reduce professional liability risk. The answers published in this column represent those of only one risk management consulting company. Other risk management consulting companies or insurance carriers may provide different advice, and readers should take this into consideration. The information in this column does not constitute legal advice. For legal advice, contact your personal attorney. Note: The information and recommendations in this article are applicable to physicians and other healthcare professionals, so “clinician” is used to indicate all treatment team members.
I have been hearing about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for years, but I have not heard of very much enforcement by the government. Do I really need to be concerned about being found liable for HIPAA violations?
Yes. While it is true that the federal government’s enforcement of HIPAA’s Privacy and Security Rules has been limited in the past, that is no longer the case going forward.
OVERVIEW OF HIPAA ENFORCEMENT
Healthcare providers required to comply with HIPAA, a federal statute, are subject to enforcement actions for violations of the Privacy Rule¹ and the Security Rule,² the federal regulations promulgated under the HIPAA statute. The Office for Civil Rights (OCR), an office within the Department of Health and Human Services (HHS), is responsible for civil enforcement of both the Privacy Rule and the Security Rule. OCR can impose civil monetary penalties on covered entities of up to $50,000 per violation, with an annual cap of $1.5 million for all violations of an identical provision in a calendar year. The Department of Justice (DOJ) is responsible for the investigation and prosecution of criminal violations of HIPAA. The maximum criminal penalties under HIPAA are a $250,000 fine and 10 years’ imprisonment.