Corporate Compliance


Compliance Monitor, September 14, 2011

Q: How did the Health Information Technology for Economical and Clinical Health Act (HITECH) change HIPAA’s existing criminal and civil penalties?

A. HITECH increased the dollar amount of civil penalties that can be levied against covered entities. Also, the dollar amount of civil penalties that the government may levy increases, depending on the cause of a violation. However, remember that OCR can levy the highest allowable dollar penalty for even the lowest level infractions.

Although the law does not change HIPAA’s existing criminal penalties, it adds two new criminal offenses—willful neglect and inappropriate disclosure of PHI. The use of PHI for personal gain (e.g., identify theft) is one example of a criminal penalty unchanged by HITECH. Individuals found guilty of using PHI for personal gain would be subject to criminal sanctions effective since April 14, 2003.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Most Popular