HIPAA has a bite. What to know about the civil and criminal penalties for non-compliance

I was asked to comment for a story about a recent case in Texas in which criminal charges were filed against an individual for the misuse of Protected Health Information (“PHI”).  Criminal charges have been available under the Health Insurance Portability and Accountability Act (“HIPAA”) since it went into effect in 2003.  However, as the law enters its second decade, we are seeing both the regulators and the regulated coming to understand privacy and security better, to include the harms involved with noncompliance.  This story made me think it might be helpful to provide a brief summary of the legal risks in both the civil and criminal context for failing to comply with HIPAA.

Regulatory Action and Civil Penalties. Probably the most common enforcement actions we have seen have come from the Office of Civil Rights (“OCR”), which is tasked with HIPAA enforcement by the Department of Health and Human Services (“HHS”).  In recent years, we have seen the OCR file more actions resulting in bigger and bigger penalties for organizations with compliance failures.  Under HIPAA, OCR may impose a penalty for a failure to comply with a requirement of the HIPAA Privacy Rule.  Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect.  Penalties may not exceed a calendar year cap for multiple violations of the same requirement.

                     For violations occurring      For violations occurring
                     prior to 2/18/2009            on or after 2/18/2009
Penalty Amount       Up to $100 per violation      $100 to $50,000 or more per violation
Calendar Year Cap    $25,000                       $1,500,000

Source: HHS

The OCR will not impose penalties if the failure to comply was not due to willful neglect and if the error was corrected within thirty (30) days of the regulated entity having notice of the issue, or being in receipt of written notice of the violation from the OCR. Likewise, if the Department of Justice is pursuing criminal actions under HIPAA, the OCR will not impose civil penalties.  If the OCR is going to impose penalties, covered entities still have the right to an administrative hearing to review the alleged violations.

Criminal prosecution. Under HIPAA, the prosecutions of individuals under its criminal provisions are handled by the Department of Justice, not the OCR.  Also, as the charges are criminal, they implicate an individual, as opposed to an organization, such as a covered entity or business associate. In order for someone to be convicted under HIPAA, a person must be proven to “knowingly obtain or disclose individually identifiable health information” in violation of the Privacy Rule.

Criminal Offense                                                           Fine        Imprisonment
Knowing misuse of PHI                                                      $50,000     1 year
Knowing misuse of PHI, including false pretenses                           $100,000    5 years
Knowing misuse of PHI, with intent to sell, transfer or use PHI for
  commercial advantage, personal gain or malicious harm                    $250,000    10 years

In the Texas case, it would appear the stakes are of the highest order.  The individual was charged with the wrongful disclosure of individually identifiable health information, with the intent to sell, transfer and use it for personal gain.  As I shared in the article, the “honeymoon” is indeed over.  Companies and individuals alike are on notice to comply with HIPAA and to work vigilantly to keep up with emerging risks and threats to the PHI in their possession.

Posted by Scot Ganow
Data Security
July 23, 2014

Starbucks is Sending Baristas to College…With a Non-Compete Clause.

University of Starbucks? The recent announcement of college scholarships for Starbucks baristas is a great “perk,” but is this one of the businesses that takes the non-compete and trade secret claims, so often seen as companions in business litigation, too far? In this business litigation update, Faruki Ireland & Cox discusses the non-compete agreements essential to some businesses, while the tandem trade secret lawsuits often border on the frivolous.

Posted by Daniel Donnellon
Business Litigation
July 8, 2014

Baseball’s Antitrust Exemption no Help to Small-Market Teams

Major League Baseball is called “America’s pastime.”  It is, however, quickly becoming America’s big-market pastime, and antitrust law limits the ability of small-market teams to stem this trend.  The Cincinnati Reds, our local team, recently lost its lead-off hitter from last season, Shin-Soo Choo, to an exorbitant deal with the Texas Rangers, negotiated by Choo’s agent Scott Boras.

Boras is notorious for wringing every last cent out of teams.  If baseball teams wanted to keep player salaries down, in the interest of helping small-market teams compete, could they simply agree not to negotiate with Boras anymore?

Posted by Jason Palmer
Business Litigation
July 3, 2014