Spring 2014 issue of Horizons
As users of EHR systems, healthcare providers are held responsible for safeguarding protected health information (PHI). PHI is any information about health status, provision of health care or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history. Your practice, not your EHR vendor, is responsible for protecting the confidentiality, integrity and availability of health information. Healthcare providers who fail to safeguard PHI may be subject to monetary as well as criminal penalties, depending on the nature of the inappropriate disclosure of PHI or data breach. (See chart below.) The regulatory authority for the remedies originates from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 13410(D) of the HITECH Act, which went into effect on February 18, 2009, and revised section 1176(a) of the Social Security Act by establishing:
∙ Four categories of violations that reflect increasing levels of culpability
∙ Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation
∙ A maximum penalty amount of $1.5 million for all violations of an identical provision
Because healthcare providers are held responsible for protecting PHI, providers must make a reasonable effort to safeguard it. To that end, providers should implement an information technology security framework that encompasses technical, administrative, organizational and physical safeguards. At first glance, the security framework may appear overwhelming. However, the technical safeguards are standard features
Tiers of Civil & Criminal Penalties for HIPAA Violations

CIVIL PENALTIES (each tier: penalty per violation, up to a maximum of $1.5 million per year for all violations of an identical provision)
Tier 1: $100-$50,000 for each violation. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
Tier 2: $1,000-$50,000 for each violation. HIPAA violation had a reasonable cause and was not due to willful neglect.
Tier 3: $10,000-$50,000 for each violation. HIPAA violation was due to willful neglect but was corrected within the required time period.
Tier 4: $50,000 or more for each violation. HIPAA violation was due to willful neglect and was not corrected.

CRIMINAL PENALTIES (potential prison sentence)
Tier 1: Up to one year. Violation committed unknowingly or with reasonable cause.
Tier 2: Up to five years. Violation committed under false pretenses.
Tier 3: Up to ten years. Violation committed for personal gain or malicious reasons.

Source: Department of Health & Human Services