Every client works with our founding partner in order to get legal help.
We have immense experience handling federal cases.
We have offices all over the USA, and can handle federal cases nationwide.
The law that sets the standards for safeguarding sensitive patient data is known as the Health Insurance Portability and Accountability Act (HIPPA). A company that deals with protected health information (PHI) must be in full compliance with HIPPA. These are companies who are responsible for making certain their affected network, physical process, and security measures meet with HIPPA standards.
The government organization responsible for making certain all HIPPA standards are appropriately followed is the United States Department of Health and Human Services (HHS). They are responsible for the investigation of all complaints filed regarding noncompliance with HIPPA. The HHS is also responsible for performing compliance reviews. This is done to confirm a responsible entity is in compliance with HIPPA regulations. The HHS also educate entities to help them understand how to comply with necessary HIPPA requirements and rules.
The entity within the HHS responsible for enforcing HIPPA rules and regulations is Office for Civil Rights (OCR). It will gather information and carefully review it for compliance. In many cases, the OCR may find an entity did not intentionally violate any of the HIPPA Security and Privacy Rules. The first thing the OCR does after receiving a complaint is to work with an entity and make corrections as well as provide a resolution agreement. Should an entity fail to comply with HIPPA rules and regulations, they could be subject to civil as well as criminal penalties. The OCR may refer a complaint to the Department of Justice (DOJ) for investigation and prosecution.
There are situations when an entity responsible for following HIPPA may not resolve issues as requested by the OCR. It is up to the OCR to implement predetermined monetary penalties. The amount of these penalties is based on a civil penalty structure that has multiple tiers. The secretary of the HHS has the authority to assess an amount that must be paid by an entity guilty of noncompliance. The secretary can only impose a civil penalty is cases of intentional negligence if a violation is not remedied within 30 days.
Classification of HIPPA Violations
The penalty structure for HIPPA violations contains four different categories.
A covered entity commits a violation but was unaware of the violation and was not able to realistically avoid it. It happened even with a sufficient level of care to comply with HIPPA rules and regulations. This could result in a minimum fine of $100 for each violation up to $50,000.
This is a violation by a covered entity who should have been aware it existed. They may have been able to avoid it with a sufficient level of care. Their violation does not reach the level of willful negligence. This could result in a minimum fine of $1,000 per violation up to $50,000.
This is a violation performed with an intentional and willful negligence of HIPPA rules and regulations. The covered entity does eventually try to correct the violation. This could result in a minimum fine of $10,000 per violation up to $50,000.
This is a violation that involves intentional and willful negligence of HIPPA regulations. There is no attempt on the part of the covered entity to correct a violation. This could result in a minimum fine of $50,000 per violation.
When an entity has committed criminal violations regarding HIPPA compliance, it will be recommended to the DOJ to be handled. There are different levels of criminal violations. These are covered entities as well as individuals who intentionally obtain or disclose health information covered by HIPPA. This violation could begin with a fine up to $50,000 and imprisonment of twelve months. An offense done under false pretense could involve a $100,000 fine and up to five years in prison. Should an offense be committed with the expressed intention of selling, using health information for personal gain, malicious harm or transfer of health information for commercial advantage, it could result in a fine of up to $250,00 in addition to a prison term of up to ten years.
When it comes to patient privacy in California, a patient is covered by HIPPA on the federal level, and the Confidentiality of Medical Information Act (CMIA) on the state level. There are many areas of protecting patient privacy where the CMIA is more strict than HIPPA with establishing safeguards. An experienced attorney knows how to help entities comply with HIPPA and the CMIA.