Q&A examines HIPAA penalties
The ADA Division of Legal Affairs has prepared this Q&A in response to member inquiries about the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, which made important changes to HIPAA and imposes much steeper penalties for HIPAA violations.
Q. We're updating our dental practice's HIPAA (Health Insurance Portability and Accountability Act) compliance program and we would like our HIPAA policies and training update to include information about the federal government's new, more rigorous approach to HIPAA enforcement.
A. The HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, made important changes to HIPAA and imposes much steeper penalties for HIPAA violations. The HITECH Act also requires the federal government to take a more rigorous approach to enforcement.
Q. How did HITECH change the fines imposed for HIPAA violations?
A. Before HITECH, the federal government could not impose a civil monetary penalty of more than $100 for each HIPAA violation, or more than $25,000 for all identical violations of the same HIPAA provision. HITECH established four tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision during a calendar year.
Before HITECH, civil monetary penalties could not be imposed if the Covered Entity could demonstrate that it did not know (and by exercising reasonable diligence would not have known) that it had violated HIPAA. HITECH provides for a prohibition on the imposition of penalties for violations that are corrected within a 30-day time period, as long as the violations were not due to willful neglect.
Q. What are the four tiers of penalty amounts?
A. The four tiers, and their corresponding penalty ranges, are detailed in the table on this page.
Q. Are there also criminal penalties for violating HIPAA?
A. Yes. A person who knowingly and in violation of HIPAA uses a unique health identifier (or causes same to be used), obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another party can be subject to a fine of up to $50,000 and/or imprisonment for up to one year. If the offense is committed under false pretenses, the penalty can include a fine of up to $100,000 and/or imprisonment for up to five years. If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the penalty can include a fine of up to $250,000 and/or imprisonment for up to 10 years.
Q. How does the HITECH Act enhance the government's HIPAA enforcement activities?
A. HITECH enhances HIPAA enforcement in several ways. For example, HITECH requires the Department of Health and Human Services to provide for periodic audits of Covered Entities, and requires HHS to formally investigate any complaint where a preliminary investigation of the facts indicates a possible violation due to willful neglect. HHS is required to impose a penalty where a violation is found in such cases. HITECH also authorizes HIPAA enforcement by state attorneys general and requires HHS to establish a methodology under which an individual who is harmed by a HIPAA violation may receive a percentage of any civil monetary penalty or monetary settlement collected.
Q. Where can we find more information about civil and criminal penalties for HIPAA violations?
A. A good source of information about increased penalties and enhanced enforcement is the discussion of the HITECH Enforcement Interim Final Rule on the HHS website: www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html. The HHS website includes a news release: www.hhs.gov/news/press/2009pres/10/20091030a.html and a link to the HIPAA Enforcement Interim Final Rule: www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.
Q. What is the effective date for the increased penalties?
A. The HIPAA Enforcement Interim Final Rule was effective Nov. 30, 2009. The increased civil monetary penalties apply to violations that occur on or after Feb. 18, 2009.
Q. What are some ways that a dental practice can promote HIPAA compliance?
A. A Covered Entity dental practice must have a HIPAA compliance program in place. A compliance program must contain a number of elements, including but not limited to a training program for workforce members (including management), sanctions for HIPAA violations, periodic training updates, a written risk assessment, and written policies and procedures that address compliance with HIPAA Privacy, HIPAA Security and HIPAA Breach Notification. The HIPAA compliance program will involve a number of forms—for example, the Notice of Privacy Practices, acknowledgment, and forms to use for authorizations, requests for access, requests to amend and accountings of disclosures. Several logs should also be kept current, such as logs of personnel designations, training sessions, workforce sanctions, suspected breaches and breach notifications.
The ADA Practical Guide to HIPAA Compliance Privacy and Security Kit contains information about dental office HIPAA compliance and includes sample policies, forms and logs. For more information about the ADA HIPAA Kit, visit www.adacatalog.org or call the ADA at 1-800-947-4746.
LEGAL DISCLAIMER: This Q&A was prepared by the ADA Division of Legal Affairs to promote awareness of legal issues that may affect dentists and dental practices. This Q&A is not intended to provide either legal or professional advice, and cannot address every federal, state and local law that could affect a dentist or dental practice. ADA disclaims any representation or warranty concerning the information in the Q&A. Dentists should consult directly with their properly qualified attorney or professional for appropriate legal or professional advice.
To the extent the Q&A includes links to any websites, the ADA intends no endorsement of their content and implies no affiliation with the organizations that provide their content. Nor does the ADA make any representations or warranties about the information provided on those sites, which the ADA does not control in any way.