Corporate Compliance

Q&A: Criminal and civil penalties

Compliance Monitor, September 1, 2010

Q: How did HITECH change HIPAA’s existing criminal and civil penalties?

A: HITECH increased the dollar amount of civil penalties that can be levied against a covered entity. Also, the dollar amount of civil penalties that may be levied increases depending on the cause of the violation. It is good to remember, though, that the Office for Civil Rights can levy the highest dollar penalty amount for even the lowest level of infraction. Although the act did not change HIPAA’s existing criminal penalties, it added two new criminal penalties: willful neglect and inappropriate disclosure of protected health information (PHI).

One example of an existing criminal penalty, unchanged by HITECH, is related to an individual who uses PHI for personal gain such as identity theft. The individual would be subject to significant criminal sanctions if he or she is prosecuted and found guilty of using PHI for personal gain. These criminal penalties have been effective since April 14, 2003. (See American Recovery and Reinvestment Act, Division A, Title XIII, Subpart D, Section 13409 and 13410[a], and 42 USC § 1320d-6.)

Chris Apgar, CISSP, answered this question in the August 2010 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter, visit the HCMarketplace.
