Spring 2014 issue of Horizons

As users of EHR systems, healthcare providers are held responsible for safeguarding protected health information (PHI). PHI is any information about health status, provision of health care or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history. Your practice, not your EHR vendor, is responsible for protecting the confidentiality, integrity and availability of health information. Healthcare providers who fail to safeguard PHI may be subject to monetary as well as criminal penalties, depending on the nature of the inappropriate disclosure of PHI or data breach (see chart below). The regulatory authority for these remedies originates from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 13410(D) of the HITECH Act, which went into effect on February 18, 2009, and revised section 1176(a) of the Social Security Act by establishing:

∙ Four categories of violations that reflect increasing levels of culpability

∙ Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation

∙ A maximum penalty amount of $1.5 million for all violations of an identical provision

Because healthcare providers are held responsible for protecting PHI, providers must pursue a reasonable effort to safeguard PHI. To that end, providers should implement an information technology security framework that encompasses technical, administrative, organizational and physical safeguards. At first glance, the security framework may appear to be overwhelming. However, the technical safeguards are standard features

Tiers of Civil & Criminal Penalties for HIPAA Violations

CIVIL PENALTIES

Tier 1 - Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
Monetary penalty: $100-$50,000 for each violation, up to a maximum of $1.5 million

Tier 2 - HIPAA violation had a reasonable cause and was not due to willful neglect.
Monetary penalty: $1,000-$50,000 for each violation, up to a maximum of $1.5 million

Tier 3 - HIPAA violation was due to willful neglect but was corrected within the required time period.
Monetary penalty: $10,000-$50,000 for each violation, up to a maximum of $1.5 million

Tier 4 - HIPAA violation was due to willful neglect and was not corrected.
Monetary penalty: $50,000 or more for each violation, up to a maximum of $1.5 million

CRIMINAL PENALTIES

Tier 1 - Unknowingly or with reasonable cause.
Potential prison sentence: Up to one year

Tier 2 - Under false pretenses.
Potential prison sentence: Up to five years

Tier 3 - For personal gain or malicious reasons.
Potential prison sentence: Up to ten years

Source: Department of Health & Human Services

www.RubinBrown.com | page 41
