SUBPART D-Imposition of Civil Money Penalties
This is where the rubber meets the HIPAA violation road. To paraphrase former Supreme Court Justice Oliver Wendell Holmes, as a practical matter what providers are interested in is "what will a court of law, or in this case a U.S. Government Agency, do (or do to me) in fact?"
As many of you are aware, historically the HIPAA Privacy Rule and the HIPAA Security Rule have not been rigorously enforced. That may soon be changing with the incentives provided for in the HITECH Act. The agencies responsible for enforcement have taken heat from various groups for their apparent enforcement complacency. In short, political pressures and the significant expenditure of taxpayer dollars on health care initiatives going forward may dramatically alter the regulatory landscape. That remains to be seen, but in any case it is a plausible inference.
§ 160.404 Amount of a civil money penalty
Civil penalties for non-compliance can vary from $100 to $25,000 per calendar year.
HIPAA Survival Guide Note
We suspect that if/when HHS shows up, post the HITECH Act, it will be with an attitude of "go big or go home" (i.e. their intent will be to send a message). As these things go, the dollar amounts represented (even at the high end) do not appear grossly burdensome. However, fines obviously do not account for all of a provider's exposure: other damages not directly imposed by applicable law (e.g. damage to a provider's reputation in the community that leads to business loss) could easily be an order of magnitude greater.
In short, the imposition of a civil penalty could definitely ruin your day.
The statute also provides for the imposition of criminal penalties (42 U.S.C. §1320d-6) for "wrongful disclosure." A provider (the statute is broader and uses the term "person") could face increased fines and/or jail time if they "knowingly" disclose (i.e. with "bad intent") or otherwise perform one of the other enumerated acts in §1320d-6. There have been criminal prosecutions brought by the Department of Justice (DOJ) for clearly egregious behavior.
§ 160.408 Factors considered in determining the amount of a civil money penalty
There are a number of factors that HHS will consider when determining the civil penalty.
HIPAA Survival Guide Note
This is where the foundational principles of "do the right thing" and "implement the necessary safeguards" may mitigate the severity of the fine. If you have no documented process, and no demonstrable evidence of compliance, then obviously you are not going to have a very "good story" to tell. A "good story" may not be enough to prevent a fine, but "no story" will clearly work against you, leaving a provider for all intents and purposes virtually unarmed.
We believe that developing a "good story" (i.e. creating it and living by it) represents good common sense and will serve a provider well, both in terms of daily practice and with respect to any subsequent proceedings they may be required to participate in.
§ 160.410 Affirmative defenses
An affirmative defense is a legal argument that a provider can make which, if successful, will relieve liability. There are a number of affirmative defenses available, including whether the violation was due to "reasonable cause" and not "willful neglect."
HIPAA Survival Guide Note
Ditto. Having a "good story" to tell regarding processes as well as demonstrable evidence of compliance is the best way we can think of to show "reasonable cause" and "no willful neglect." Does the evidence show that the provider had reasonable means to comply? If a provider is "clueless" then that might imply "willful neglect." The bottom line? Do the right thing and implement the necessary safeguards.
§ 160.418 Penalty not exclusive
Other penalties may apply (e.g. fines based on applicable state law).