HIPAA Non-compliance

KEEP IN MIND:

OCR (the HHS Office for Civil Rights) is running a national pilot HIPAA compliance audit program, which presents a significant risk to any entity that is not compliant. The possible impacts of non-compliance are:

  • Covered Entities and Business Associates must stop doing business with an entity in Breach until that entity can document that the Breach has been remedied.
  • Civil monetary penalties (“CMP”) are tiered by the violator's culpability, from “Did not know” through “reasonable cause and not willful neglect” to “willful neglect” (the four tiers are set out below).

Civil monetary penalties (“CMP”), capped PER CALENDAR YEAR, are scaled to the severity of the violation and the violator's state of mind:

 a)   “Did not know and by exercising reasonable diligence would not have known of a violation” – $100 to $50,000 per violation, with a maximum of $1,500,000 for all such violations of an identical provision;

 b)   “Reasonable cause and not willful neglect” – $1,000 to $50,000 per violation, with a maximum of $1,500,000 for all such violations of an identical provision;

 c)    “Willful neglect corrected within 30 days” – $10,000 to $50,000 per violation, with a maximum of $1,500,000 for all such violations of an identical provision; and

 d)  “Willful neglect not corrected” – $50,000 per violation, with a maximum of $1,500,000 for all such violations of an identical provision.

 Each tier turns on the violator's “state of mind” at the time of the violation.

Individuals can be held personally liable

Criminal actions

  1. Knowing violations: fines of up to $50,000 and/or up to one (1) year in prison
  2. Violations committed under false pretenses (misrepresentation): fines of up to $100,000 and/or up to five (5) years in prison
  3. Violations committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm: fines of up to $250,000 and/or up to ten (10) years in prison

Corrective measures and associated business costs in the event of a Breach can reach $200 or more per affected record.

An unsuccessful OCR audit can also reflect negatively on your company's reputation and erode client confidence.