HIPAA’s Privacy and Security Rules Key Enforcement Provisions
The Office of Civil Rights (OCR), a division of HHS, is responsible for the enforcement of HIPAA’s Privacy and Security Rules. Key enforcement provisions are as follows:
Civil enforcement
The OCR may assess civil penalties for HIPAA violations. These penalties may not apply if the violation is corrected within 30 days of the date the person knew, or should have known, of the violation. Effective Feb. 3, 2017, the potential civil penalties range from $112 per violation up to $1,677,299 per violation, depending on the circumstances.
Criminal enforcement
The potential criminal penalties vary depending on the circumstances of the violation:
- $50,000 and/or one year in prison for knowingly obtaining or disclosing protected information;
- $100,000 and/or up to five years in prison for obtaining information under false pretenses; and
- $250,000 and/or up to ten years in prison for obtaining PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
HIPAA Audits
HHS is required to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA Rules. To comply with this mandate, HHS started a pilot HIPAA audit program in November 2011. Through this program, HHS developed a protocol, or a set of instructions, it used to measure the compliance efforts of 115 covered entities. HHS launched the second phase of its audit program in 2016.